Self-Service Shifts Legal Risks, May Let Customers Off The Hook

Written by Mark Rasch
August 1st, 2013

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

One of the great things about the Internet and computer technologies is that they can empower consumers and businesses to do things that ordinarily require a middleman. Consumers can purchase their own insurance, engage in banking transactions, deposit checks, make purchases, etc. They can do this both online and in the brick-and-mortar environment.

But this means that when the technology fails, it is the consumer who must suffer the consequences, when ordinarily the risk of loss would have remained with the merchant.

For example, a few weeks ago I went with the family to a nice bistro, and sat outside. I got a parking space right across the street. My wife told me that she had quarters to pay the meter, but I said, “No problem, I can pay with my iPhone.” I whipped out my device and invoked an app to pay for parking. I input the parking space number, the amount of time I wanted to park (an hour and a half seemed enough for dinner) and enabled the feature to send me an SMS message when the meter was about to expire.

After a pleasant dinner of pizza and chicken parmesan, I returned to find a ticket on the car. I checked the app, and it was blank. I logged into the app’s website which showed that I had paid for parking—but had only paid for about two minutes.

I figured out what happened: After I paid for parking and enabled the SMS notification, I placed the phone in my pocket. By default, the app had a link to a command “Stop Parking.” Putting the phone in my pocket invoked this command. When I pointed this out to the parking hearing officer, he was unpersuaded. You see, the meter wasn’t broken. The app was poorly designed.

Similar results occur when an online banking app is hacked. While consumers may have no liability for the misuse of their credit and debit cards, online banking apps effectively put an ATM in the consumer’s pocket. ATMs are the property and responsibility of the bank, which patrols and secures them; the apps, the smartphones and devices on which they sit, and the connections themselves are not always the responsibility of the financial institution.

Thus, if a cyberthief hacks a business’s computer, network or device, and through that gets into the company’s bank account, the bank may have no liability. It is as if the bank installed an ATM at its customer’s location and then said, “Here, you take care of it.”

