New Zealand banks shaft consumers
By Pat GRAY
So we've seen this cheery little news item from ComputerWorld NZ.
It turns out the top end of town in NZ has introduced a new banking code of practice... quoting from the article:
Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date.
The code, issued by the Bankers’ Association last week after lengthy drafting and consultation, now has a new section dealing with internet banking.
Liability for any loss resulting from unauthorised internet banking transactions rests with the customer if they have "used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and anti-spam software on [the] computer, are up-to-date."
Wow. Forensic analysis of customers' machines. The stooging of victims.
Until now, online fraud losses have been covered by the bank.
Aside from giving the trough-feeding, jack-booted TV current affairs types something legitimate to whine about when hard-working "battlers" are fleeced of their savings by crooks from Kajikahmadesistahn, this ball-tearingly controversial new code actually has some method to its madness, despite its insurmountable flaws.
Word on the rumour mill is the same code very nearly got up here, for one simple reason: suspiciously repetitive victimisation patterns. I.e. Bob's computer keeps getting pwned by the bad guys and he still won't patch his OS.
In fact, Bob's deliberately made his computer insecure, so when he siphons his own funds out of his account and wires them to himself through an intermediary in some former Soviet shit-hole, the bank will happily replenish his funds. It's free money! Yay!
Personally, I think the code is objectionable -- it gives the banks too much freedom in determining when they will cover losses and when they won't. Sure, they've realised they can no longer just wear hits from fraud without question, but there has to be a better way than this. One saving grace to consider is the cost of the type of forensic examination they propose.
Forensic analysis is expensive -- any fraud the bank wished to dispute would have to be hefty to make their investigation worthwhile.
Perhaps the most troubling thing about all of this is the privacy angle. I don't want some private-eye with all the sensibility of an 1850s Pinkerton getting his grubby paws all over my hard drive, thank you very much. I'm glad I bank here, and I'm really glad my bank uses out-of-band, SMS-based authentication for risky transactions.
My most recent podcast features an interview with the CEO of Fair Isaac, makers of the Falcon anti-fraud software used by banks. Check it out here.
Patrick Gray is an IT security expert, so we can't show you his face for your own protection. Each week he delves into technology's dark underbelly to see what lurks in the shadows.