Monday, September 28, 2009

Who should be responsible when an online account gets hacked?

Who should be responsible in a security breach of an online banking account?

There is an ongoing case of a couple suing a bank (Citizens Financial), saying the bank did not have strong enough protection to secure their account. The user name and password were hacked and eventually $26,000 was stolen from the couple. The couple is claiming that the bank should have offered token authentication or some other form of multi-factor authentication to protect them.

Without knowing the details of how the account was actually compromised, I can't comment on this particular case, but it does bring up a very interesting debate. Who should be responsible if an online account gets hacked and money is lost?

Banks are heavily regulated, and whether they offer tokens (which don't guarantee anything) or some other extra protection behind the scenes, the government agencies make sure that they meet the latest FFIEC guidelines for protecting customers. However, some banks go further than others, above and beyond those guidelines, to try to protect the online customer.

On the other hand, the bank can put many protections in place, but if the customer gives out all their information, or at least does not take some basic steps to protect themselves, an account compromise is hard to stop. In the end, it is a partnership: the financial institution and the customer have to work together as a team to keep the account safe.

The bank should have advanced protection and monitoring and do all that it can to have the best security possible, while the customer should become educated on the basics and protect themselves against hackers with up-to-date anti-virus and anti-spyware software and many other simple steps to improve their security. For example, should the customer be logging in to financial sites on the same computer that their kids are using, which significantly increases the chance of viruses and malware?

In the end, I think consumers can vote with their money to make sure that banks do all that they can to protect their clients. Find out about the security your bank has in place to protect you before depositing your money. The banks that don't take security seriously will be forced to change or go out of business. Keep in mind, though, that the banks, financial institutions or any other web site you use will not be secure unless the consumer also does their part to protect themselves.

What do you think? Who should be responsible to pay in a breach?