That might sound like a stupid thing to ask. If your account is emptied, you surely did something wrong. You were careless with your password, didn’t update your virus scanner, clicked some links in a spam message that happened to install malware, et cetera. Right?

So what happens when that’s not what happened? What if your computer is fully up-to-date with all patches for all your software (which is unlikely; even Microsoft’s Chief Security Advisor uses unpatched software), you only visit safe sites, such as those belonging to your university or the manufacturer of your PC, your firewall is running, and your AV scanner is up-to-date?

Here’s a newsflash: you can still get infected by malware that will steal your login information, credit card information and who knows what else. There will always be unpatched vulnerabilities such as the recent one for Internet Explorer. And the latest malware will generally not be detected; it takes some time before new virus definitions are generated and pushed out.

Now let’s turn this around: even if you are careful and do everything you can to keep your PC safe, you can still get hacked. I think everyone can agree that, in this case, a client who has taken the necessary steps to protect his computer should be reimbursed if money is stolen from his account. After all, he is not to blame. He has followed his bank’s instructions, but still lost money.

The real question is where to draw the line. At what point can a bank refuse to refund stolen money, and how can either the bank or the customer prove that they did or did not protect the account information? Remember that question, because it’s going to become very relevant in the coming years. Cybercriminals are getting smarter, and are increasingly targeting bank account information. With full control over the channel used to communicate with the bank (your PC), even two-factor authentication is not guaranteed to be safe.