
FINE-053680


Case number: FINE-053680 (2023)

Case group: Account use and payments

Decision issued: 24 March 2023

How are the responsibilities divided between the customer and the bank in the case of card payments made online and confirmed with the bank’s mobile application? Unauthorised use of a payment instrument. Gross negligence of the card holder.

Information about the event

The customer received the following text message in the name of the bank on 1 August 2022 at 7:09 p.m.:

Tilisi on lukittu epäilyttävän toiminnan vuoksi, käytä seuraavaa linkkiä: https://[the Bank]-tilin-vahvista.com aktivoidaksesi tilisi uudelleen.

(Translation: “Your account has been locked due to suspicious activity. Use the following link: https://[the Bank]-tilin-vahvista.com to reactivate your account.”)

The message appeared to have been sent by the bank, as it appeared to come from the same number as the bank’s previous messages. The customer used his banking credentials and entered his card information on pages that looked like the bank’s website and that opened through the link in the text message.

On 1 August 2022 at 7:31 p.m., the bank sent the customer a text message containing the confirmation code required to activate the mobile application:

Hei! Tällä numerolla ollaan ottamassa käyttöön [the bank’s mobile application]-sovellusta. Jos olet ottamassa [the bank’s mobile application] käyttöön, anna vahvistuskoodi 4868 [on the bank’s mobile application]. Älä ikinä anna tässä viestissä olevaa koodia toiseen sovellukseen tai verkkosivulle. Jos et ole ottamassa [the bank’s mobile application] käyttöön, ota yhteyttä [to the Bank]. Terveisin [the Bank].

(Translation: “Hello! This number is being used to set up the [the bank’s mobile application] app. If you are setting up [the bank’s mobile application], enter the confirmation code 4868 [in the bank’s mobile application]. Never give the code in this message to another application or website. If you are not setting up [the bank’s mobile application], contact [the Bank]. Regards, [the Bank].”)

The mobile application was activated in the customer’s name on that same day at 7:31 p.m. using the customer’s online banking username, password and access code list, together with the confirmation code that the bank had sent by SMS to the customer’s mobile phone number.

Three unauthorised card payments were made from the customer’s account on 1 August 2022 between 7:42 and 7:47 p.m. The payments were confirmed with the bank’s mobile application. Two of the payments were returned to the customer as unfounded, so the final amount of damage incurred by the customer was 3,579.27 euros. The card in question was deactivated the next day at 4:24 p.m., and the customer’s personal online banking credentials at 4:13 p.m.

Customer’s complaint

The customer demands that the bank return the lost money and compensate the damage. The customer’s demand amounts to 3,718 euros.

In his complaint, the customer explains that the bank stole his money. Somebody hacked the bank and stole 4,000 euros from the customer’s account.

In the customer’s view, the incident was caused by the bank’s poor security measures. The customer did not give his banking details to anyone; instead, the bank sent him a link and told him to log in. The text message came from the bank’s number, and the bank asked for the customer’s banking details, so the customer logged in through the link. The bank claims that the message was a false one. The bank took advantage of the customer’s poor Finnish skills and confiscated his money. The bank sent the customer some questions in Finnish, but the customer does not speak Finnish and he misunderstood the questions. Based on this, the bank confiscated the customer’s money.

The customer finds the bank responsible for what happened. The customer received no warnings from the bank in advance. As a result of an information leak from the bank, the customer’s personal details ended up in the hands of criminals. Because of the incident, the customer is in a lot of debt and will become homeless. All this was caused by the bank’s security system.

Bank’s reply

The Bank states that it is not liable for refunding or reimbursing the amounts claimed by the customer.

The damage is 3,579.27 euros. According to the bank’s records, it sent the confirmation code that was used to authorise the installation of the mobile application on a new mobile device via SMS to the customer’s mobile phone number.

The bank’s electronic records indicate that the bank’s mobile application was activated on a TCL 5003D_EEA device on 1 August 2022 at 7:31 p.m. The payments were confirmed with the aforementioned mobile application. According to the electronic records, the customer has ordinarily used a OnePlus ONEPLUS A6013 device for his personal banking activities. To download and install the mobile application on a new device, a user needs the customer’s personal online banking username, password and access code table as well as a confirmation code sent via SMS.

The confirmation code SMS clearly states: “Älä ikinä anna tässä viestissä olevaa koodia toiseen sovellukseen tai verkkosivulle. Jos et ole ottamassa [the bank’s mobile application] käyttöön, ota yhteyttä [to the Bank]. Terveisin [the Bank]” (“Never give the code in this message to another application or website. If you are not setting up [the bank’s mobile application], contact [the Bank]. Regards, [the Bank]”). The essence of the SMS is that the recipient should not divulge the code included in the SMS to a third-party application or website, and that if the recipient is not in the process of installing the mobile application, he should contact the bank. However, the client admits that he gave the SMS confirmation code to a fraudulent third-party website.

The bank considers that the customer’s actions constitute grossly negligent conduct in accordance with Section 62 of the Finnish Payment Services Act. This follows from the fact that the customer provided the credentials to a third party. The bank’s SMS for authorising the installation of the mobile application states that the code must not be given to any third-party application or website, and that if the customer is not installing a new instance of the mobile application on a mobile phone, he should contact the bank. The customer disregarded the instructions provided by the bank.

Finally, the mobile application in question was activated using the customer’s strong electronic identification (eID) credentials. Pursuant to Section 27 of the Finnish Act on Strong Electronic Identification and Electronic Trust Services (laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista), the customer is liable for any unauthorised use of strong electronic identification credentials if the credentials are lost, stolen or misappropriated due to the user’s negligent conduct.

The customer’s card was deactivated on 2 August 2022 at 4:24 p.m. and his personal online banking credentials at 4:13 p.m.

The bank did not leak any information about the customer and the bank has not confiscated any of the customer’s money.

According to the bank’s card terms and conditions: “The agreement is made in Finnish or Swedish. You can use our services in Finnish or Swedish. If you wish to use a language other than Finnish or Swedish, you shall be liable for the costs of acquiring and using the interpretation services that you may need.”

Therefore, it is the customer’s legal responsibility to make sure that he understands all the messages that the bank may send to him.

Pursuant to the bank’s digital services terms and conditions: “You may not in any circumstances divulge your online banking credentials or a confirmation code sent by us in an SMS, whether verbally by answering a phone call, or by replying to an email or similar message asking for such details. You may not use your online banking credentials to log in to online banking services, authenticate your identity or handle other banking business if the link to the login page was sent to you by email or other electronic means.”

Therefore, the customer was also provided with prior information about the possibility of fraudulent messages and about the protocol for using the online banking credentials.

Much information about phishing has also been available throughout the public media.

Further clarifications acquired

In addition to the communications between the parties, FINE was provided with the following documents:
- Bank’s Terms and Conditions for Digital Services, effective 7 October 2021.
- Bank’s Card Terms and Conditions, effective 22 February 2021.
- Screenshot of the fraudulent text message received by the customer on 1 August 2022 at 7:09 p.m.
- Screenshot of the text message that the customer received from the bank on 1 August 2022 at 7:31 p.m.

Legislation and policy terms

The provisions applicable in this case are Sections 9, 53, 54, 62, 63 and 85 c of the Payment Services Act. In addition to the Payment Services Act, the bank’s general terms and conditions of the bank’s Digital Services and Card Terms are applicable.

Recommended Solution

Formulation of the question
In order to resolve the division of responsibilities between the customer and the bank, FINE needs to determine whether the unauthorised use of an instrument of payment can be considered to have been caused by the customer’s negligence in failing to comply with Section 53, Subsection 1 of the Payment Services Act, and what degree of negligence, if any, the customer showed.

The course of events
On the basis of the documents presented in the case (screenshots of the text messages received by the customer on 1 August 2022, the report on the events that the customer gave to the bank on 1 September 2022, the bank’s report of 1 September 2022, and the bank’s response of 17 November 2022), FINE finds it established that the customer received a text message sent in the bank’s name and containing a link that led to a fake website created by criminals, on which the customer entered his online banking codes and payment card details in the belief that he was in contact with his bank. With the customer’s banking codes thus acquired, the criminals began activating the bank’s mobile application in the customer’s name on their own TCL 5003D_EEA device. Because of this, on 1 August at 7:31 p.m., the bank sent the customer a text message containing the confirmation code required to start using the mobile application. The contents of the text message were as follows:

Hei! Tällä numerolla ollaan ottamassa käyttöön [the bank’s mobile application]-sovellusta. Jos olet ottamassa [the bank’s mobile application] käyttöön, anna vahvistuskoodi 4868 [on the bank’s mobile application]. Älä ikinä anna tässä viestissä olevaa koodia toiseen sovellukseen tai verkkosivulle. Jos et ole ottamassa [the bank’s mobile application] käyttöön, ota yhteyttä [to the Bank]. Terveisin [the Bank].

(Translation: “Hello! This number is being used to set up the [the bank’s mobile application] app. If you are setting up [the bank’s mobile application], enter the confirmation code 4868 [in the bank’s mobile application]. Never give the code in this message to another application or website. If you are not setting up [the bank’s mobile application], contact [the Bank]. Regards, [the Bank].”)

FINE considers it established in the case that the customer also entered the code he received in the text message on the website opened through the aforementioned link. Once the criminals received the code, they were able to activate the bank’s mobile application on their own device in the customer’s name. The unauthorised payment transactions in question were made by the criminals, who confirmed them through the aforementioned mobile application of the bank.

Evaluation of cautiousness
The terms of the banking codes prohibit the use of online banking codes for logging in on the bank’s website, for identifying oneself or for doing any other business with the bank in cases where the link to the login page was sent through email or any other electronic means. Since the customer used his online banking codes for logging in on the website that opened from a link he received in a text message, FINE considers that the customer neglected his duties under the terms of the banking codes.

However, many different operators, from delivery services to healthcare services and grocery stores, including operators within the same group as a bank, nowadays send their customers text messages concerning the customer relationship that contain links with very diverse domain names. This has made communications of this kind quite common and may have contributed to the fact that even a cautious bank customer may not think to question the appropriateness of a text message arriving in the name of a bank, or of a link in such a message. In addition, since the use of banking codes for e.g. authentication purposes is very common and occasionally takes place through a link received by electronic means, it can be difficult to comply with the bank’s aforementioned condition without exception.

In the case at hand, FINE takes particular notice of the fact that on the customer’s phone, the text message sent by the criminals looks as if it came from the bank, based on the sender details, and is located in the same message thread as the messages sent by the bank. It has not been demonstrated in this case that the bank had warned the customer about such scams, and no other elements of the case suggest that the customer should have known to question the authenticity of a message arriving in the same message thread. FINE finds that it cannot be required that the customer should have understood that the text message was not sent by the bank because of its formatting and contents or the domain name/network ID of the link in the message.

Considering also the fact that in this case, the link in the text message led to a website looking like the bank’s website and so the customer had the impression he was dealing with the bank and used his banking codes for this purpose, FINE finds that the customer’s failure to follow the terms of the banking codes only shows slight negligence as far as the elements mentioned above are concerned.

However, contrary to ordinary online banking or authentication situations, the customer also entered his card details on the fraudulent website and received a text message from the bank containing an activation code for the mobile application. In this respect, FINE considers that – especially in view of the contents of the text message – the customer should have known to question the appropriateness and purpose of the communication he received, to interrupt the contact and to not enter the card details and the activation code he received on the fraudulent website. At that point, if the customer had contacted the bank himself, for example, as recommended in the message, and asked whether the action was appropriate, the damage caused by the unauthorised use of the customer’s instrument of payment could have been avoided.

In its resolution practice, the Banking Complaints Board has considered that the basic caution required of a holder of banking codes includes the requirement that when the customer uses the banking codes, he/she reads the messages received from the bank in the course of his/her customer contacts and acts accordingly. The bank, in turn, has the responsibility to ensure that the messages it sends to the customer are comprehensible in their content. If the customer, however, does not understand the language that is used by mutual agreement in his/her interactions with the bank, it is his/her responsibility to verify what the bank is communicating to him/her in the course of the interactions.

In the case at hand, the bank sent the customer a text message in the language agreed in the agreement, containing the confirmation code for activating the mobile application. The message explained appropriately where to enter the code and warned against entering the code in any other application or on any other web page. Since the customer entered the code contained in the bank’s text message on the website opened through the link and did not take into account the contents of the text message, FINE considers that the customer’s actions as a whole constitute serious carelessness.

In the resolution FINE-051121, concerning a similar case (resolution on 31 January 2023), the Banking Complaints Board considered that, in particular with regard to the contents of the text message containing the confirmation code, the customer’s actions show a clearly negligent attitude towards the security risks related to the control and use of his banking codes, used also as an instrument of payment, and differ clearly and essentially from the careful action that is required of a holder of banking codes. In the aforementioned case, the text message containing the activation code had the same contents as in the case at hand. FINE has no reason to assess the case at hand in a different way, especially since in this case, the customer entered not only his banking codes but also his card details on the fraudulent website. FINE thus finds that the customer’s actions constitute grossly negligent conduct in accordance with the Payment Services Act and that in the customer-bank relationship, it is thus the customer who is fully responsible for the damage caused by the unauthorised use of the card and the banking codes.

Final outcome

FINE does not recommend compensation.

FINE
The Finnish Financial Ombudsman Bureau FINE

Head of Division Hidén
Presenting official Tykkä
