you've been warned: consumer liability in internet banking fraud
TRANSCRIPT
ww.sciencedirect.com
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 7 1 3e7 1 8
Available online at w
www.compseconl ine.com/publ icat ions/prodclaw.htm
Comment
You’ve been warned: Consumer liability in Internetbanking fraud
Nicole S. van der Meulen 1
VU University Amsterdam, Faculty of Law, Department of Transnational Legal Studies, The Netherlands
Keywords:
Internet banking
Banking fraud
Online crime
Hacking attacks
Online banking security
Consumer liability
1 Nicole S. van der Meulen is presently worTransnational Legal Studies. Previously, sheLaw from Tilburg University.0267-3649/$ e see front matter ª 2013 Nicolhttp://dx.doi.org/10.1016/j.clsr.2013.09.007
a b s t r a c t
This contribution provides a critical analysis of the treatment of consumer liability in cases
of Internet banking fraud. Whereas generally banks refund the financial losses associated
with Internet banking fraud to the individual victim, exceptions do occur, at least in certain
EU jurisdictions. These, however, are rarely spoken about, but do indicate a number of
(legal) problems. The main problems are lack of clarity and lack of consistency as to when a
consumer can be held liable. These problems also maintain potential negative conse-
quences such as increase in perceived risk, loss of trust and demands for better security,
which may be suboptimal from an economical perspective. This article concludes by
reflecting on the potential benefits of the introduction of zero liability as an alternative.
ª 2013 Nicole S. van der Meulen. Published by Elsevier Ltd. All rights reserved.
1. Introduction This has understandably increased the financial burden on
Internet banking fraud is among the most lucrative types of
cybercrime in contemporary society. Assessments of financial
damages are difficult to come by, especially since financial
service providers demonstrate a considerable dislike for
transparency on the issue. Even when they do offer such
transparency, questions about the reliability of such figures
remain. Measurements of any type of online crime are prob-
lematic in general (Anderson et al., 2012). There is, however,
little doubt among those involved that the problem as a whole
is on the rise (see for example Gostev, 2012). Especially the
continuously rising number of (successful) phishing attacks is
a reliable indicator (APWG, 2013). The growth is mainly due to
the evolution of methods used by perpetrators to carry out
their attacks (van der Meulen, 2011). The increased sophisti-
cation of attacks has complicated prevention and detection
efforts, which in turn has allowed their success to proliferate.
king as Assistant Professoworked as an information
e S. van der Meulen. Pub
both financial service providers as well as consumers. The
latter, in particular, are running an increased legal risk of
being exposed to financial losses. Yet, this topic is rarely
touched upon in academic discussions. The general assump-
tion is that, as Florencio and Herley (2012, p. 63) state, “con-
sumers are not held liable for emptied accounts.” This
assumption is largely based on the regulatory framework in
the United States (through US Regulation E) and the European
Union (through EU directive 2007/64/EC), which limits con-
sumer liability to $50 and 150 Euros respectively. Even so,
exceptions do occur, especially in the European Union and
more particular in the Netherlands. This comment focuses on
those rarely discussed exceptions in an effort to lay bare some
of the problems with the present manner of dealing with
victims who fail to receive a refund after perpetrators have
managed to drain their accounts through fraudulent
transactions.
r at the VU University Amsterdam, Faculty of Law, Department ofsecurity advisor for the Dutch government and she holds a PhD in
lished by Elsevier Ltd. All rights reserved.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 7 1 3e7 1 8714
The paper also discusses the available cases which have
been presented in the media, and in case law, where the
consumer found herself liable for the losses incurred as a
result of Internet banking fraud. Based on these cases, the
associated problems will be discussed such as lack of clarity
and lack of consistency. In the subsequent section, the article
reviews some potential negative consequences of holding
consumers liable, especially under unclear and inconsistent
circumstances. The final part of the article reflects on the
benefits of zero liability as a potential ‘solution’ to the
problem.
2 The use of the telephone to carry out internet banking fraudalso occurs in other countries. The UK Cards Association (2013),for example, describes: “Evidence shows that online bankingcustomers are also being tricked into divulging their login details,passwords and other personal data over the phone to someonethey believe is from their bank but is actually a fraudster.”
2. Liability
In general, as noted in the introduction, the common
conception is that banks refund the financial losses of victims
of Internet banking fraud. Some even consider banks as the
victims since they suffer the financial penalty of the incidents.
In the Netherlands, the practice of Dutch banks has in prin-
ciple always been to refund the financial losses of victims of
Internet banking fraud. This decision is based on the EU
Directive 2007/64/EC on payment services in the internal
market, specifically article 61, which limits consumer liability
to 150 Euros. However, as stated in article 61, “[t]he payer shall
bear all the losses relating to any unauthorised payment trans-
actions if he incurred them by acting fraudulently or by failing to
fulfil one or more of his obligations under Article 56 with intent or
gross negligence.” The obligations listed in article 56 are:
(a) to use the payment instrument in accordance with the terms
governing the issue and use of the payment instrument; and
(b) to notify the payment service provider, or the entity specified
by the latter, without undue delay on becoming aware of loss,
theft or misappropriation of the payment instrument or of its
unauthorised use.
Generally, the provisions of the Payment Services Directive
led banks to refund in all cases. Consequently, the liability
front remained quiet. Even the rising number of cases and lost
euros did not alter that state of tranquillity. This was until a
television programme in the Netherlands, Kassa!, focused on
consumer affairs, provided a platform for victims of Internet
banking fraud who had not received a refund of their stolen
funds. The show devoted considerable attention to the first
hand stories of victims who fell into the small category of
victims whom did not receive their refund. Through show-
casing these incidents, Kassa!managed to expose a number of
challenges associated with the decisionmaking process of the
banks in question.
Presently, banks expect more from consumers. After years
of awareness campaigns, they count on a certain level of
awareness on the side of the consumer. This expectation
might also be used as a vehicle to transfer the liability from the
side of the bank to the side of the consumer. This leads to the
question: to what extent can consumers be held liable for the
financial losses of Internet banking fraud? To answer this
question, we have to at least determine the issue of causality
and reasonableness. The latter concerns the issue whether
the victim has acted negligently, which is a challenging issue
in light of Internet banking fraud. Banks have always retained
the right to refuse refunding victims, in cases of gross negli-
gence. Yet, what exactly entails gross negligence is quite
ambiguous since it lacks a clear definition in the present
context. As Gijs Boudewijn from the Dutch Banking Associa-
tion confirms: ‘The terms “careless” and “negligent” differ per
case, per client and per bank.’ This leads to the two main
challenges associated with the present state of affairs: lack of
clarity and lack of consistency.
2.1. Lack of clarity and consistency
The lack of clarity about the qualification of gross negligence
and care is particularly problematic since consumers lack a
framework they can rely on. Since the terms are open to
interpretation, decisions made by different banks can even be
conflicting despite a similar set of circumstances. The lack of
clarity can lead to a lack of consistency, which makes the
decisionmaking process vulnerable to arbitrary decisions that
can subsequently be justified through the fluidity of the terms.
The lack of transparency often offered by banks about the
decision making process in individual cases also fails to illu-
minate the situation. Especially since banks generally refuse
to elaborate on individual cases.
The lack of consistency as a result of the lack of clarity
became evident through the following cases. In the episode of
Kassa! on September 15, two victims received the opportunity
to tell their story. The first victim, a client of the ABN Amro
bank, received a phishing email. After having opened the
email, she received a phone call from ‘Vanessa’ who claimed
to be a banking representative from the ABN Amro. A second
victim, a client of the Rabobank, received the same email and
phone call. But he spoke to ‘Kimberly.’ In both telephone
conversations, the fraudsters referred to the email they sent.2
They claimed how due to the phishing email, the accounts of
the clients had to be checked and verified for potential ‘errors.’
To carry out this verification, the clients had to provide the
banking employees, or rather the fraudsters, with their
e.identifier or random reader codes. By providing these codes,
the fraudsters managed to drain the accounts of the victims.
They had already obtained the victims’ credentials through
the phishing emails and with the randomly generated codes
they could also carry out the necessary transactions. Both
victims found themselves with empty accounts.
The subsequent decisions made by the banks demonstrate
the potential arbitrariness. The ABN Amro decides to refund
its client, whereas the Rabobank refuses to do so. The Rabo-
bank considers the provision of random reader codes to
another person as negligent behaviour, even if clients believe
they are communicating with the bank. To support and justify
this decision, the Rabobank describes how it posted a warning
on the Internet banking screen which specifically warned
clients for this type of attack. According to the Rabobank,
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 7 1 3e7 1 8 715
ignoring this warning is negligent behaviour. Consumer
awareness therefore can be used as a means to transfer lia-
bility from the bank to consumer. In particular, the specificity
of awarning allows for such transfer.Whilst the available case
law on the topic is particularly limited, preliminary indicators
demonstrate how the judiciary could support the argument
set forth by the Rabobank.
In Germany, a court case early in 2012 did address precisely
the issue of liability and the value of specific warnings
(Farivar, 2012). In that case, a victim of Internet banking fraud
who had not received a refund for his financial losses pressed
charges against his bank, Sparda. The court ruled in favour of
the bank. The client did not have a right to a refund, according
to the German court, since he had ignored specific warnings,
about the submission of multiple TAN-codes.3
This provides us at leastwith one indicator as to howbanks
determine whether they can hold clients liable for the finan-
cial losses suffered as a result of Internet banking fraud. If
perpetrators use a ‘known’ attack, which clients have been
warned for, and are successful, then the client has acted
negligently. This, however, still leads to the problem of
inconsistency when the circumstances presented are similar.
The problem escalates when banks increase the number of
circumstances under which consumers can be held liable. The
pool of cases expanded during a Kassa! episode aired on 13
October 2012. Whilst in the just described example, the ABN
Amro did refund its client several weeks later another case
surfaced where the bank refused to do just that. Contrary to
the previously discussed cases, where the victimsmaintained
some sense of participation, albeit involuntarily, the Moret
case illustrates how the consumer can be entirely sidelined
during a successful attack.
Any form of social engineering was absent. This is an
important fact considering the liability of consumers is often
connected to social engineering, as witnessed above. With
malicious software, due to the limited detection possibilities,
it is more difficult to justify liability by claiming negligence. In
this case, however, the bank detected the first attempt made
by the fraudsters to drain the account of the victim. The bank
phoned its client as a means to verify the suspicious trans-
action. There was a transaction of 10.000 euros going to a
Polish account, which turned out to be fraudulent. The bank
informed Moret that his computer must be infected and
advised him to let his computer be professionally cleaned, and
to install anti-virus software. Moret responded by saying he
already used anti-virus software. He also had his computer
cleaned by a professional corporation, according to his testi-
mony. A couple of weeks later, during another transaction,
Moret’s computer froze. The next day he had lost 9.500 euros,
which went to an account in Poland. As he contacted the ABN
Amro, the bank requested receipts from the company who
cleaned his computer. Moret refused to hand over the
3 In German the message is: “Derzeit sind vermehrt Schad-programme und sogenannte Phishing-Mails in Umlauf, die Sieauffordern, mehrere Transaktionsnummern oder gar Kre-ditkartendaten in ein Formular einzugeben. Wir fordern Sie nie-mals auf, mehrere TAN gleichzeitig preiszugeben! Auch werdenwir Sie niemals per E-Mail zu einer Anmeldung im.Net-Bankingauffordern!”
receipts, since he was originally told he would receive his
money back, no questions asked. Eventually, the company
itself forwarded a testimony of its work on Moret’s computer.
The bank however refused to refund the lost funds, because
he supposedly neglected to follow the instructions of the
bank. Moreover, the bank also claimed to have insufficient
insight into the way his computer was disinfected. This raises
the question whether Moret acted negligently. The ABN Amro
refused to answer this question during the airing of the pro-
gramme, which enhances the obscurity surrounding this
issue. Gross negligence remains a concept plagued by its lack
of clarity in this context.
The question of negligence left aside, the range of reasons
used to hold consumers liable for financial losses as a result of
Internet banking fraud appear to be expanding. This problem
has not entirely gone unnoticed in the Netherlands. The Dutch
office of consumer affairs has also called upon the banks to
remove the lack of clarity of the present situation. And to be
clearer about where they draw the lines of liability
(Consumentenbond, 2012). Members of the Dutch parliament
have also enquired to the Minister of Finance about the burden
ofproof forconsumersandbankswhenafraudulenttransaction
occurs. According to the Minister, the burden of proof remains
with the banks. They have to prove whether a consumer has
actednegligently.Yet,whatdoesthatmean?Sincethere isa lack
of clarity aboutadmissible reasons, consumersarevulnerable to
unpleasant surprises, which in turn can have negative conse-
quences for the perception of Internet banking and its usage.
3. Locking in liability
Before going into the negative consequences of holding con-
sumers liable, especially under unclear and inconsistent cir-
cumstances, this section shall briefly reflect on how banks try
to lock liability into the terms of use offered to their clients.
The ABN Amro bank, for example, has altered its terms of use
for clients as of January 1, 2013. Its terms of use presently
contain instructions as to how to improve the information
security of client computers. These for example state how
clients need at least anti-virus software on their computers
and how they must have installed all updates. By placing
these instructions in the general terms of use, their status
becomes contractually binding. Clients, after all, agree to the
terms of use by opening and subsequently using the account.
This could consequently mean that if victims do not adhere to
these instructions, they might be vulnerable for liability
claims if they fall victim to Internet banking fraud.
A similar development also occurred in Ireland with the
revision of the Banking code, which occurred in 2008. In the
Code, Clause 12. 11 specifically states:
If you act fraudulently, you will be responsible for all losses on
your account. If you act without reasonable care, and this causes
losses, you may be responsible for them. (This may apply, for
example, if you do not follow section 12.5 or 12.9 or you do not
keep to your account’s terms and conditions.)
According to Murdoch (2008), “Clauses 12.5 and 12.9
include some debatable advice about anti-virus software and
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 7 1 3e7 1 8716
clicking on links in email. While malware and phishing
emails are a serious fraud threat, it is unrealistic to suggest
that home users’ computers can be adequately secured to
defeat attacks.” The same has been argued by other sources
(see for example van der Meulen, 2011).
Even so, the inclusion of more specific terms of use can
potentially reduce the lack of clarity and consistency, since
banks are more transparent about their expectations.
The potential challenge remains for consumers to act-
ually read and follow the terms as a means to protect
themselves, arguably both from the criminals as well as the
banks.
4. Potential consequences
The actions taken by banks, at least in the Netherlands, to
hold consumers liable could have possible negative conse-
quences for Internet banking usage in general, which could
have a costly impact for banks. These consequences can
include impact on perceived risk, loss of trust and demand for
better security.
4.1. Perceived risk
Perceived risk is a recurring factor in studies focused on user
acceptance and likelihood of adoption of Internet banking (see
for example Chiou and Chishen, 2012; Clemes et al., 2012; Lee,
2009). Lee (2009) breaks the notion of perceived risk down into
five categories. These are:
� Security/privacy risk
� Financial risk
� Social risk
� Time/convenience risk
� Performance risk
For the issue discussed within this article, the most appli-
cable categories are security/privacy risk and financial risk.
Lee (2009) defines these as:
� Security/privacy risk: This is defined as a potential loss due to
fraud or a hacker compromising the security of an online
bank user.
� Financial risk: It is defined as the potential for monetary loss
due to transaction error or bank account misuse.
Both categories demonstrate considerable overlap, espe-
cially since the focus is on loss. In that sense both categories
are applicable to the present situation with respect to the
issue of consumer liability.
By refusing to refund financial losses, even of a very small
number of clients, the publicity granted to these cases could
lead to a heightened perception of risk. As Chiou and Shen
(2012, p. 863) note, “[w]hen negative outcomes are likely or
when uncertainty is high, the perception of risk increases.”
The previously identified lack of clarity and lack of consis-
tency arguably lead to a high sense of uncertainty which has
previously been proven to lead to an increased perception of
risk.
4.2. Loss of trust
Closely connected to the increase of the perceived risk of
Internet banking, is the potential loss of trust from con-
sumers. According to Suh and Han (2003), trust is one of the
most important factors for clients to accept Internet banking.
Trust in an online banking environment is even more
important than in offline banking. Suh and Han (2003) write,
“[c]ustomers’ trust will increase if a supplier has behaved
previously as expected.” The latter indicates a level of reli-
ability which is absent due to the fluidity of termswith respect
to negligence and reasonable care.
The question that arises is, how likely are clients to alter
participation or lose trust in online banking?While this has so
far not been researched, other indicators can be used to
approximate an answer to this question. According to Bohme
and Moore (2012), several factors can reduce online partici-
pation for online banking. These include falling victim to
cybercrime as well as exposure to cybercrime in the news
media. Bohme and Moore (2012, p. 8) even conclude that
“concern about cybercrime inhibits online participation more
than direct experience with cybercrime does.” How these
concerns arise are difficult to isolate, but the media attention
granted to the caseswhere consumers did not receive a refund
for the financial losses might be such a factor influencing the
level of concern for consumers.
4.3. Demand for better security
The last consequence is the potential for a call from clients for
better security. This is, from an economics of information
security perspective, an undesirable development. The cur-
rent system strikes the necessary balance between conve-
nience and security considering the figures available with
respect to financial damage caused by Internet banking fraud.
This would make the introduction of additional means of se-
curity in an effort to enhance prevention irrational. Even so,
pressure from the public as well as the political arena may
eventually force such an introduction, which ismostly likely a
costly investment. Such an investment would, for example, be
the usage of biometrics as an additional authentication factor.
According to Tassabehji and Kamala (2012), “[t]o date, there
has been no commercialised development of biometric
banking services.”
These consequences, both the loss of trust and the intro-
duction of additional security measures, can lead to more
costs for the banks. If the costs of denying the refunds are
compared to the consequences associated with such denial,
the question then becomes how much is this liberty of
determining liability issues on a case-by-case basis worth for
banks? The monetary value of the refund is most likely not
worth this negative attention.
5. Moving forward
The primary focus of this comment article is on the situation
in the Netherlands, which operates within the EU legal
framework based on the payment directive. The situation in
the United States is, arguably, radically different, at least for
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 7 1 3e7 1 8 717
consumer accounts.4 In the United States, Regulation E of the
Federal Reserve, more specifically the Electronic Funds
Transfer Act, limits consumer liability to $50. However, as
Florencio and Herley (2012, p. 63) note, “[i]n the US banks,
brokerages, and credit unions are governed by this regulation
and most go beyond it and offer a zero liability policy to con-
sumers.” Zero liability can be considered the norm in the
United States. The guarantee provided to consumers in the
United States through this zero liability policy potentially di-
minishes the previously identified risks. For without the fear
of a potential financial loss, the perception of increased risk,
loss of trust and demand for better security are relatively
unlikely.
Zero liability as an alternative to the present situation
could potentially eliminate the uncertainty felt by consumers.
In India, where no consumer protection in this area exists,
zero liability has also been mentioned as an option. The
Damodaran Committee5 (Reserve Bank of India, 2011)
emphasised the need for zero liability for Internet banking. As
the Committee noted in its report,
[t]here should be a secure total protection policy/zero-liability
against loss for any customer induced transaction utilising
technology through ATMs/ PoS/Online banking etc. A customer
should not be made to be out of funds when any loss is suffered on
account of Net/ATM banking transactions. All the rules in respect
of Internet banking should be so designed as to encourage con-
sumers to feel safe about electronic transactions.
A similar idea was brought up in the United Kingdom,
where the House of Lords Science and Technology Committee
(2007) actually set forth a recommendation, stating the
following:
[w]e therefore recommend that the Government introduce legis-
lation, consistent with the principles enshrined in common law
and, with regard to cheques, in the Bills of Exchange Act 1882, to
establish the principle that banks should be held liable for losses
incurred as a result of electronic fraud.
Zero liability provides a number of benefits; since it takes
away the uncertainty for consumers that they might be held
liable for financial losses. With zero liability many of the dis-
cussions about clarity on definitions of concepts such as gross
negligence no longer need to be addressed. Nor do banks have
to justify the selection of security measures taken, or ignored.
In the Netherlands, the issue of liability has recently also
entered policy discussions. The lower house has accepted a
motion that obliges banks to refund the financial losses of
consumers who fall victim to Internet banking fraud. Whilst
this is a significant development, the motion once again
4 In fact, the treatment of business accounts has drawn signif-icant attention especially since businesses have been held liablefor their financial losses.
5 The Reserve Bank of India has decided to constitute a Com-mittee to look into banking services rendered to retail and smallcustomers, including pensioners and also to look into the systemof grievance redressal mechanism prevalent in banks, its struc-ture and efficacy and suggest measures for expeditious resolutionof complaints.
provides a back door escape for banks through the identifi-
cation of the exception of such an obligation when gross
negligence on the side of the consumer is involved. This ren-
ders the motion of little use considering the problems dis-
cussed above, including the lack of conceptual clarity and
interbank consistency. Through pressure from the office of
consumer affairs, discussions between the banks, the Dutch
Banking Association, the Societal Platform for Payment
Transactions (in Dutch: Maatschappelijk Overleg Beta-
lingsverkeer (MOB)) and the office of consumer affairs are
presently taking place. The latter has demanded a list of
specific cases in which consumers can be considered to have
acted with gross negligence. This would force banks to be
clear and to be more transparent about the internal decision
making processes concerning liability.
At the EU level, changes are also introduced. In the pro-
posal on payment services in the internal market, issued by
the European Parliament and the Council, amending Di-
rectives 2002/65/EC, 2013/36/EU and 2009/110/EC and repeal-
ing Directive 2007/64/EC, the amount consumers are held
liable for, as long as they are not considered to have behaved
gross negligently, is reduced from 150 euros to 50. Further-
more, the proposal states the following on the matter,
“.proposedmodifications will streamline and further harmonise the
liability rules in case of unauthorised transactions, ensuring
enhanced protection of the legitimate interests of payment users.”
Perhaps the aim to harmonise liability rules can also enhance
clarity and consistency between banks and in turn help avoid
unpleasant surprises on the side of the consumer.
6. Conclusion
The boundary of liability with respect to Internet banking
fraud is starting to occasionally shift from the bank to the
consumer. This development has been a long time in the
making as consumer awareness campaigns are being used by
banks as an instrument to introduce such a shift. In his tes-
timony to the United States House of Representatives,
Woodhill (2012, p. 1) calls the doctrine of ‘shared re-
sponsibility’ “bankrupt as security policy” and “politically
illegitimate.” Whilst he specifically speaks of small business,
which have, after being held liable for financial losses of fraud,
been forced to file for bankruptcy, his remarks can also be
carried over to consumers in general. As van derMeulen (2011)
has previously argued, the options available to consumers,
despite an increase in awareness, are limited as the sophis-
tication of attacks increases and consumers are subject to
‘involuntary facilitation’ of fraud.
The liberty afforded to banks in the Netherlands by
continuously emphasising how they judge Internet banking
fraud incidents on a case-by-case basis has provided them
with the ability to deny refunds of clients. This development,
however, is not without the necessary risks. The dominating
lack of clarity about when precisely clients have acted negli-
gently so as to be denied their refund is problematic and leads
to many questions and also causes for concern. This can lead
to a loss of consumer trust in banking and Internet banking in
particular, along with an increase in risk perception as well as
demands for better security. The introduction of a genuine
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 7 1 3e7 1 8718
zero liability policy can negate these potentially negative
consequences, by taking away the uncertainty for consumers
and simultaneously making discussions on clarity and con-
sistency obsolete.
Nicole S. van der Meulen ([email protected]) Assistant
Professor, VU University Amsterdam, Faculty of Law, Department of
Transnational Legal Studies.
r e f e r e n c e s
Anderson R, Barton C, Bohme R, Clayton R, van Eeten MJ, Levi M,et al. Measuring the cost of cybercrime. Workshop on theEconomics of Information Security (WEIS); 2012.
Anti-Phishing Working Group (APWG). Global phishing survey:trends and domain name use in 2H2012; 2013.
Bohme R, Moore T. How do consumers react to cybercrime?. In:eCrime researchers summit (eCrime). IEEE; 2012. p. 1e12.
Chiou JS, Shen CC. The antecedents of online financial serviceadoption: the impact of physical banking services on internetbanking acceptance. Behav Inf Technol 2012;31(9):859e71.
Clemes MD, Gan C, Du J. The factors impacting on customers’decisions to adopt internet banking. Bank Bank Syst 2012;7(3).
Consumentenbond. Banken onduidelijk aansprakelijkheid.Available at: http://www.consumentenbond.nl/actueel/nieuws/nieuwsoverzicht-2012/banken-onduidelijk-aansprakelijkheid/; 2012 [last accessed 29.07.13].
Farivar C. Clients, not banks, liable for losses in phishing scams,court rules. Available at: http://arstechnica.com/business/2012/04/clients-not-banks-liable-for-losses-in-phishing-scams-court-rules/; 2012 [last accessed 29.07.13].
Florencio D, Herley C. Is everything we know about passwordstealing wrong? IEEE Secur Priv 2012:63e9.
Gostev A. Cyber-threat evolution: the year ahead. ComputerFraud Secur 2012;3:9e12.
House of Lords Science and Technology Committee. Fifth report.Available at: http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/16502.htm; 2007.
Lee MC. Factors influencing the adoption of internet banking: anintegration of TAM and TPB with perceived risk and perceivedbenefit. Electr Commer Res Appl 2009;8(3):130e41.
van der Meulen NS. Between awareness and ability: consumersand financial identity theft. Commun Strateg 2011;FirstQuarter 2011:23e44.
Murdoch S. New banking code shifts more liability to customers.Available at: http://www.lightbluetouchpaper.org/2008/04/09/new-banking-code-shifts-more-liability-to-customers/; 2008[last accessed 29.07.13].
Reserve Bank of India. Report of the committee on customerservice in banks. Available at: http://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/RCCSB030811.pdf; 2011.
Suh B, Han I. Effect of trust on customer acceptanceof internet banking. Electr Commer Res Appl2003;1(3):247e63.
Tassabehji R, KamalaMA. Evaluating biometrics for online banking:the case for usability. Int J Inf Manag 2012;32(5):489e94.
UK Cards Association. Decline in fraud losses stalled by rise indeception crimes aimed at consumers. Available at: http://www.theukcardsassociation.org.uk/news/FYFF2012.asp; 2013[last accessed 29.07.13].
Woodhill JR. Testimony before the U.S. House of RepresentativesCommittee on Financial Services. Committee onCapitalMarketsand Government Sponsored Enterprises; June 1, 2012. p. 1e20.