
Online scams and drained current accounts: if the customer was poorly protected, the bank must compensate

by admin

Scammed, and then branded a sucker by your bank. Until now, online scams had almost always ended this way: “Did you give your details to the scammer? Your problem.” But a recent ruling by the Banking and Financial Arbitrator (ABF) could reverse the trend: if the bank did not provide strong double authentication, as required by EU regulations, it must compensate the customer for the money he lost. The news was given by Confconsumatori of Bologna, which followed the case of one of its members, a victim of vishing.

This is the name given to voice phishing. Emanuela Ferri, president of Confconsumatori Bologna, explains how things went: “The victim received a phone call from a number he had saved as the customer service of his bank. A self-styled employee told him he had noticed a suspicious movement, so he first asked him for confirmation of the personal data, then asked the victim to dictate the code he had just sent him. In fact, it was the code to confirm a transfer.” But the customer, who was convinced at first, became suspicious and communicated only the first two digits of the OTP (one-time password, the code that banks send to the customer’s mobile phone to confirm the authorship of a transaction).

Despite this, the scammers still managed to initiate a 1200 euro transfer using only the static data of the card, i.e. the 16-digit code and the CVV on the back. The bank rejected the customer’s complaint, citing his “extraordinary and inexcusable imprudence or negligence, failing to observe not only the average diligence of a good father, but also that minimal and elementary degree of diligence generally observed by all”.


But according to the ABF, this is not exactly the case. The Arbitrator cites an “opinion” of the European Banking Authority of June 2019, according to which “the details printed on the payment card are neither an element of possession nor an element of knowledge, for the purposes of the SCA”, where “SCA” is “strong customer authentication”, the safest authentication possible.

But there is more, Ferri points out: “The Arbitrator would have agreed with the customer even if he had communicated the entire OTP code. However, the OTP code alone is not sufficient to guarantee online safety. The fault therefore lies not with the victim but with the bank, which should have updated its security mechanisms.”

In fact, in its ruling, the ABF notes “the lack of a second dynamic element, different and additional to the OTP sent to the appellant, which, combined with the first, would make it possible to consider that secure strong authentication methods have been correctly adopted”. The first element is often the username and password of the home banking service or app, while the second can be the OTP code but also biometric data such as a fingerprint.

In the absence of this double step, says the ABF, “an adequately protected authentication system” is lacking, resulting in “gross negligence” on the part of the bank, which was required to return the 1200 euros to the victim. The ABF’s rulings are not binding, but the bank nevertheless complied.

“This ruling changes the orientation of the Arbitrator, who in the absence of double authentication agrees with the customer even if he communicated the data to the scammer,” comments the president of Confconsumatori Bologna, “and this provision makes us more optimistic for future appeals to the ABF, the outcome of which will more likely be in favor of the victims of fraud.”

