This is a tense situation for many LCL bank customers. Since the end of 2021, some of them have seen unauthorised external transfers of between €1,000 and, in the most serious cases, €80,000. In all, to date, hackers have stolen more than €300,000 from LCL customers. The transfers go mainly to Eastern countries.
What seems most frustrating, for now, is the bank's reaction. Most of the customers concerned say they were very careful with their online banking credentials and never communicated them to any third party. That account was repeated recently in an episode of It can happen to you (Julien Courbet's programme on M6) covering the case.
LCL claims victims were negligent
LCL, however, maintains that the victims must have handed over, unwittingly, the very data that authorised these transfers. So who should be believed? According to Zataz, everything in fact suggests that hackers have had a series of 0-day security flaws in several banking applications at their disposal, and that the LCL application is directly affected.
One of Zataz's sources claims that these flaws make it possible to access customer data (the person reportedly demonstrated this on an application other than LCL's). Exploiting one of them, hackers would then need no customer credentials at all to get into accounts and make fraudulent transfers.
Still, it is troubling that the bank does not clearly characterise the negligence of which it accuses its customers. Under the Monetary and Financial Code, the customer is indeed liable in such a case for "all losses caused by unauthorized payment transactions if these losses result from a fraudulent act on his part or if he has not intentionally or grossly negligently fulfilled the obligations mentioned in Articles L. 133-16 and L. 133-17".
Which is very convenient for LCL. But what recourse do the customers concerned have if they really were not careless? How can they actually prove that they were not negligent? Conversely, how can the bank prove that the sensitive data was obtained by hackers who deceived the victims? Put another way: who should foot the bill?