The unknown fraudsters managed to withdraw a total of about CHF 150’000 from two of the client’s accounts via e-banking in about a dozen transactions within five days. The bank then blocked the client’s accounts, having flagged the transactions as unusual. The client was of the opinion that there was a security gap in the bank’s e-banking system and that the bank should have detected the fraudsters’ intrusion into her accounts and the fraudulent initiation of payments much earlier than only after five days.
In its reply to the client’s complaint, the bank expressed the suspicion that the computer the client also used for e-banking had been infected with a so-called Trojan, and that this infection had enabled an unknown perpetrator to initiate the damaging transactions. The bank denied any responsibility but nevertheless offered to pay the client CHF 39’000 as a gesture of goodwill, without acknowledging any legal obligation and in full settlement of all claims. The client considered this amount, which corresponded to about a quarter of her loss, insufficient.
The question of when a bank is liable for unauthorised transactions by third parties in such a situation is usually regulated by contract. The contracts known to the Ombudsman usually follow a so-called sphere-of-risk theory: in principle, each party bears responsibility for the sphere it can influence with due diligence. The bank is responsible for ensuring that the e-banking system it operates complies with current security standards; responsibility for the security of the terminal devices with which a client accesses the e-banking system, on the other hand, lies in principle with the client.
After the client contacted the Ombudsman, he first asked the bank to describe in more detail how the individual transactions had been initiated and to explain the security concept of its e-banking system in principle. It was no longer possible to establish what exactly had happened on the client’s terminal devices, as they had been examined neither by the bank nor by the authorities with which the client had filed a criminal complaint. Nor was it possible to establish which IP addresses the client had used to log into the e-banking system before the fraud. The bank used so-called 2-factor authentication with an mTAN for logging into its e-banking system and for certain transactions, such as payments to new recipients and changes to address details or telephone number: customers must confirm such actions with a code sent by SMS to a second device registered with the bank in advance, typically a mobile phone. In the present case, the bank was able to prove that the client had logged into the e-banking system with the help of an mTAN sent to her registered mobile phone number. Afterwards, someone registered a new mobile phone number; this too was confirmed with an mTAN sent to the client’s previously registered number, and the bank confirmed the change by SMS to that same number. Shortly afterwards, the first transactions not authorised by the client were triggered by means of mTANs sent by the bank to the new mobile phone number, which presumably belonged to the unknown fraudsters. The bank had retained a record of the IP address used to initiate the unauthorised transactions, but not of the IP addresses the client had used before.
It therefore appeared reasonable to assume that the client had fallen victim to the well-known and probably dominant fraud scheme in online banking, the so-called phishing attack. In this scheme, the fraudsters lure the bank customer to a website they control that looks deceptively similar to the real website of the bank. If the customer then tries to log in and enters the required data, the fraudsters capture it and use it to log into the customer’s account on the bank’s real website. Because the captured data are used immediately, even a one-time code such as an mTAN entered on the fake site can be relayed to the real site while it is still valid. It is also possible for the fraudsters to install malware, such as a so-called Trojan, on the customer’s device and in this way spy out data or take control of the device.
It goes without saying that the bank could neither control what was happening on the client’s device nor know whether it had been infected by a Trojan. On the other hand, it was obvious that the client herself had entered the login data and the SMS codes she had received, which is what made it possible for the fraudsters to change the registered mobile phone number. The Ombudsman considered it particularly important that the wording of the SMS for the number change apparently differed from the wording of the login SMS, so that with due care the code could have been recognised as authorising a number change rather than a login. The Ombudsman acknowledged to the bank that an mTAN system is in principle a strong means of authorising e-banking transactions. On the other hand, he suspected that the fraud scheme, which is known as such and is regularly accompanied by a change of the IP address used to access e-banking shortly after the change of the mobile phone number, could have been detected by an additional security hurdle for such a change.
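The two controls the Ombudsman points to, an SMS wording that names the action being authorised and an extra hurdle for payments that follow a change of the registered mTAN number from an unfamiliar IP address, can be expressed as a small risk rule. The following is an added example written for this page; it is not the bank’s code, and the event format, the client identifier, the two time windows and the sample event sequence are assumptions constructed to mirror the case:

```python
"""Risk rule for payments following a recent change of the registered mTAN number.

Added example, not the bank's or the Ombudsman's code. Event format, parameters,
client identifier and the sample events below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed parameters (illustrative, not the bank's actual settings).
DEVICE_CHANGE_WINDOW = timedelta(days=2)  # payments this soon after an mTAN number change get extra scrutiny
IP_HISTORY_MIN_AGE = timedelta(days=7)    # an IP counts as "established" only after this much login history


@dataclass
class ClientState:
    logins: list = field(default_factory=list)          # (timestamp, ip) of successful logins
    number_changed_at: Optional[datetime] = None        # last change of the registered mTAN number


def mtan_sms(action: str, detail: str, code: str) -> str:
    """Wording of the mTAN SMS. Naming the action makes a code for a number change
    distinguishable from a login code, which is the point the Ombudsman relied on."""
    return (f"Code for: {action} ({detail}). Code: {code}. "
            f"If you did not request this action, do not enter the code and contact the bank.")


def established_ips(st: ClientState, at: datetime) -> set:
    """IPs whose login history is at least IP_HISTORY_MIN_AGE old, so that a login made
    minutes before a number change does not make the fraudster's address look familiar."""
    return {ip for ts, ip in st.logins if at - ts >= IP_HISTORY_MIN_AGE}


def assess(events: list) -> dict:
    """Replay e-banking events in time order and return {payment_id: decision}.
    hold    -> new recipient, unfamiliar IP, within DEVICE_CHANGE_WINDOW of a number change
               (the pattern described in the case; release only after out-of-band confirmation)
    step_up -> within the window from a familiar IP, or unfamiliar IP + new recipient outside it
    allow   -> everything else (the existing mTAN check for new recipients still applies)"""
    states: dict = {}
    decisions: dict = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = states.setdefault(ev["client"], ClientState())
        if ev["type"] == "login":
            st.logins.append((ev["ts"], ev["ip"]))
        elif ev["type"] == "mtan_number_change":
            st.number_changed_at = ev["ts"]
        elif ev["type"] == "payment":
            recent_change = (st.number_changed_at is not None
                             and ev["ts"] - st.number_changed_at <= DEVICE_CHANGE_WINDOW)
            unfamiliar_ip = ev["ip"] not in established_ips(st, ev["ts"])
            if recent_change and unfamiliar_ip and ev["new_recipient"]:
                decisions[ev["id"]] = "hold"
            elif recent_change or (unfamiliar_ip and ev["new_recipient"]):
                decisions[ev["id"]] = "step_up"
            else:
                decisions[ev["id"]] = "allow"
    return decisions


T = datetime(2021, 5, 10, 9, 0)  # constructed reference time
# Constructed event sequence mirroring the case; IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"id": "l1", "client": "C1", "type": "login", "ts": T - timedelta(days=30), "ip": "198.51.100.10"},
    {"id": "p1", "client": "C1", "type": "payment", "ts": T - timedelta(days=10), "ip": "198.51.100.10",
     "new_recipient": False},                                     # routine payment by the client
    {"id": "l2", "client": "C1", "type": "login", "ts": T, "ip": "203.0.113.7"},  # relayed credentials + mTAN
    {"id": "n1", "client": "C1", "type": "mtan_number_change", "ts": T + timedelta(minutes=5)},
    {"id": "p2", "client": "C1", "type": "payment", "ts": T + timedelta(minutes=20), "ip": "203.0.113.7",
     "new_recipient": True},                                      # first fraudulent transfer
    {"id": "p3", "client": "C1", "type": "payment", "ts": T + timedelta(days=1), "ip": "198.51.100.10",
     "new_recipient": True},                                      # client herself, during the window
    {"id": "p4", "client": "C1", "type": "payment", "ts": T + timedelta(days=3), "ip": "203.0.113.7",
     "new_recipient": True},                                      # fraudster again, outside the window
]

if __name__ == "__main__":
    for pid, decision in assess(SAMPLE_EVENTS).items():
        print(pid, decision)
    print(mtan_sms("change of registered mobile number", "new number ending 1234", "482913"))
```

The rule deliberately measures IP familiarity against login history older than the number change, because in a relayed phishing attack the fraudster’s own address is the one that performed the login and the change. A hold on `p2` would have stopped the first transfer in the case rather than the twelfth.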
The bank then informed the Ombudsman that the e-banking system had in the meantime been adapted accordingly and increased its settlement offer to the client to 50% of the loss. In view of the overall circumstances of the case, the Ombudsman recommended that the client accept this settlement offer, and the client ultimately followed his recommendation.