Fraudulent e-banking payment with disputed two-factor authentication
The client contacted the Banking Ombudsman after a fraud incident in which an amount of just under CHF 22,000 was transferred via his e-banking to a recipient who had not previously been paid. He argued that the bank had breached its duties of care because he had not been required to confirm the payment to the new recipient on a separate device, and concluded from this that there was a security gap in the e-banking system. The bank took the position that the client had disclosed his e-banking login information to the fraudsters during a phishing attack. The fraudsters had then registered a new device for receiving security-related messages, a registration the client had to confirm on his previously registered device. This gave the fraudsters the opportunity to initiate the payment and also to confirm it on the new device without the client noticing. The Ombudsman reviewed the arguments of both parties and obtained a detailed statement from the bank on the course of events. Based on the explanation of the technical processes, he concluded that the cause of the damage lay within the client's sphere of influence and risk and that the damage therefore had to be borne by the client in accordance with the contractual liability provisions. Further mediation efforts appeared futile, and the proceedings were closed with an explanatory notice.
The client had maintained a business relationship with the bank for a long time and used its e-banking system for payment transactions. The starting point of the case was a phishing incident in which the client responded to a deceptively genuine-looking email asking him to re-register for e-banking. Assuming it was a legitimate message from the bank, he entered his access data on a fake website.
The client was subsequently unable to log in to e-banking. Shortly afterwards, an amount of CHF 21,800 was debited from his account with a payment reference indicating a vehicle purchase. The client was of the opinion that such a payment to a new recipient should not have been executed without his explicit confirmation on his registered device, and considered this a security gap in the e-banking system. He demanded that the bank reimburse the damage.
The bank rejected the claim. It explained that by disclosing his login details and confirming the device registration, the client had given the fraudsters the freedom of action they needed to enter the payment and to confirm it themselves. According to the log data, the process had been carried out correctly from a technical point of view.
The Ombudsman examined the matter in depth and requested a clarifying statement from the bank regarding the incident, as the technical process had not initially been described clearly. The bank stated that the unknown perpetrators, having obtained the access data in the phishing incident described by the client, had used it in the background to gain access to the client's e-banking. They then registered a new device for receiving security-related messages, such as the messages used for the two-factor authorisation of transactions. Activating the new device required confirmation from the client on the originally registered device. The client gave this confirmation, probably under a false pretext presented to him by the fraudsters.
Once the first new device was active, the fraudsters registered a second new device on their own: the confirmation required for this was now given on the first newly registered device, without any involvement of the client. The two-factor authentication required for payments to new recipients was then performed by the fraudsters on the second newly registered device, again without the client noticing anything. In the bank's view, there was therefore no misconduct on its part and no breach of contractual obligations.
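The chain the bank describes is easier to reason about as a small trust model: a payment to a new recipient needs confirmation on a registered device, and registering a further device needs confirmation on an existing one, so a single confirmation given by the client on his own device lets the attackers bootstrap a device they fully control. The following toy model, added here as an illustration and not the bank's own system or code, replays the three steps exactly as described above and additionally shows the effect of one hypothetical control that the page does not attribute to the bank: a cooling-off period during which a newly registered device may not yet confirm security-relevant actions. Device names, the clock, the recipient names and the `cooldown_hours` parameter are all constructed for the example.

```python
"""Toy model of the device-trust chain in the case, plus one hypothetical mitigation.
Illustrative only; not the bank's actual e-banking system."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    device_id: str
    registered_at: int           # hour on a toy clock
    approved_by: Optional[str]   # device that confirmed the registration (None = enrolment)


@dataclass
class Account:
    # cooldown_hours is a hypothetical control, not something the page attributes to
    # the bank; 0 reproduces the behaviour described in the case.
    cooldown_hours: int = 0
    clock: int = 0
    devices: dict[str, Device] = field(default_factory=dict)
    known_payees: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def enrol(self, device_id: str) -> None:
        """Initial registration of the client's own device, assumed to happen out of band."""
        self.devices[device_id] = Device(device_id, self.clock, None)

    def can_approve(self, device_id: str) -> bool:
        """Only a registered device may confirm security-relevant actions; under the
        hypothetical mitigation it must also have been registered for cooldown_hours."""
        dev = self.devices.get(device_id)
        return dev is not None and self.clock - dev.registered_at >= self.cooldown_hours

    def register_device(self, new_id: str, approving_id: str) -> bool:
        """Activating a further device requires confirmation on an existing one."""
        if not self.can_approve(approving_id):
            self.log.append(f"REFUSED: register {new_id}, confirmation via {approving_id}")
            return False
        self.devices[new_id] = Device(new_id, self.clock, approving_id)
        self.log.append(f"registered {new_id}, confirmed on {approving_id}")
        return True

    def pay(self, payee: str, amount_chf: int, approving_id: str) -> bool:
        """A payment to a new recipient requires 2FA confirmation on a registered device;
        in this toy model payments to known recipients go through without it."""
        if payee not in self.known_payees and not self.can_approve(approving_id):
            self.log.append(f"REFUSED: CHF {amount_chf} to new payee {payee} via {approving_id}")
            return False
        self.known_payees.add(payee)
        self.log.append(f"paid CHF {amount_chf} to {payee}, confirmed on {approving_id}")
        return True


def simulate_attack(cooldown_hours: int) -> tuple[dict[str, bool], list[str]]:
    """Replay the sequence the bank described and report which steps went through."""
    acct = Account(cooldown_hours=cooldown_hours)
    acct.enrol("client-phone")
    acct.clock = 24 * 365          # the client's device has been registered for a year

    # Legitimate use: the client pays a new recipient from his own, long-registered device.
    client_ok = acct.pay("plumber", 500, approving_id="client-phone")

    # Step 1 (the pivotal step): logged in with the phished credentials, the fraudsters
    # register a device; the client confirms on his own phone under a false pretext.
    rogue1 = acct.register_device("attacker-1", approving_id="client-phone")
    # Step 2: a second rogue device, confirmed on the first one; no client involvement.
    rogue2 = acct.register_device("attacker-2", approving_id="attacker-1")
    # Step 3: CHF 21,800 to a new recipient, 2FA confirmed on the second rogue device.
    payment = acct.pay("vehicle-seller", 21_800, approving_id="attacker-2")

    results = {"client_payment": client_ok, "rogue_device_1": rogue1,
               "rogue_device_2": rogue2, "fraudulent_payment": payment}
    return results, acct.log


if __name__ == "__main__":
    for hours in (0, 24):
        results, log = simulate_attack(hours)
        print(f"cooldown {hours}h: {results}")
        for line in log:
            print("  ", line)
```

With `cooldown_hours=0` every step succeeds, which is the outcome in the case. With a 24-hour cooling-off period the first rogue device is still registered (the client's own device is eligible to confirm it), but that device cannot yet confirm a second registration or a payment to a new recipient, so steps 2 and 3 are refused while the client's own payment still works. The caveat a practitioner should draw from this is the same one the Ombudsman draws later: the control that actually decides the case is the confirmation on the original device in step 1, and a waiting period only buys time in which a notification to that original device could still alert the client.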
Liability for damages arising from such incidents is contractually regulated. The corresponding contracts are usually based on a “sphere of risk” theory. According to this, in principle, each party bears those risks that it can influence itself. The disclosure of e-banking access data and the subsequent confirmation of the registration of a new device for receiving security-related notifications are attributable to the client’s sphere of influence and are contractually classified as a breach of due diligence, which excludes the bank’s liability.
From the Ombudsman's point of view, the decisive factor was that the fraudsters were only able to control the further payment process because the client, by giving his confirmation in the first step, had enabled the activation of a third-party device. Even though the actual payment was no longer authorised on his own device afterwards, this first step made the damage possible. The registration of the new device required two-factor authorisation on the client's original device and was only possible because the client, albeit unknowingly and under false assumptions, had cleared this security hurdle in the perpetrators' favour. Since the bank had operated its systems in accordance with the contract and executed the payment order using the agreed means of identification and the required confirmation, the Ombudsman saw no valid basis for holding the bank liable under the applicable contractual provisions.
In view of the bank’s firm stance and the contractual arrangement, the Ombudsman therefore considered further mediation efforts to be futile and closed the file. He regretted the loss incurred, but pointed out that the responsible perpetrators in such cases cannot, by their very nature, be included in the liability arrangement, as they cannot be apprehended. The loss must be attributed either to the client or to the account-holding bank. Such cases can therefore usually not be resolved to the satisfaction of the parties involved.