Passing the buck: who will bear the financial transaction losses from consumer device insecurity?

Alana Maurushat, Roger Clarke

Research output: Contribution to journal › Article › peer-review

Abstract

Internet-connected devices offer convenience and flexibility to consumers to perform tasks online, ranging from shopping to streaming videos to banking. Such activities are increasingly becoming an integral part of many people's lives. Consumers rely on connected devices, in particular personal computers and mobile phones, to transact online. Unfortunately, there has been a surge of unauthorised banking transactions, some through the proliferation of computer malware (malicious software) making online transactions less secure. Many of these transactions are financially risky, particularly those that involve payment. Many jurisdictions, including Australia and New Zealand, are amending their banking codes to provide a new allocation of liability for unauthorised online transactions, in particular where computer devices are used in a transaction. The new liability regimes shift liability from the bank to the consumer where computer devices are insufficiently secure. The financial institutions' argument is predicated on the assumption that consumers are capable of taking responsibility for the security of the devices that they use. The nature of consumer devices is such that it is entirely infeasible to impose responsibility on consumers in the manner that banks desire. Indeed, many eCommerce and even eBanking services only work because they exploit vulnerabilities on consumer devices. This paper surveys security threats and vulnerabilities of consumer devices. It assesses the effectiveness of available technical safeguards and the practicability of imposing responsibilities on consumers to understand the risks involved, to install relevant software, to configure it appropriately, and to manage it on an ongoing basis. It then explores a subset of legal safeguards looking at the inadequacies of Australian law, and the legal system to protect consumers who bank online with Internet-connected devices. 
The authors argue that there should not be a shift in the allocation of liability for unauthorized banking transactions. Emphasis should, instead, be placed on more practical approaches to the problem.
Original language: English
Pages (from-to): 8-52
Number of pages: 45
Journal: Journal of Law, Information and Science
Volume: 18
Publication status: Published - 2007
Externally published: Yes
