Telecom security scrutinised in France after court ruling

France mandates call authentication to combat phone scams after a landmark court case awards €54,500 to a fraud victim 

Telephone operators must now authenticate the origin of calls to stop fraudsters ‘faking’ numbers

French telecoms companies have changed the way calls are identified after France’s highest court sided with the victim of a telephone banking scam who was conned out of €54,500.

Telephone operators are now required to authenticate the origin of calls to stop fraudsters from being able to ‘fake’ numbers, a practice sometimes called ‘spoofing’ or ‘phishing’.

And consultations are continuing to see if there should be more regulation to make phone companies responsible for helping to compensate victims of scams carried out in this way.

“This will help reduce the amount of spoofing where a fraudster takes the identity of a legitimate telephone number, such as that of a bank or government administration, to gain the trust of the victim,” said Banque de France’s Observatoire de la sécurité des moyens de paiements, a body which gathers statistics on payment methods and amounts.

Using the new Mécanisme d’Authentification des Numéros system, telecoms operators will now automatically check that numbers have not been spoofed by crooks, and block suspect calls.

Supreme Court ruling

It follows a recent case at the Cour de cassation (supreme court) in which a victim conned out of €54,500 in just a couple of minutes by a fake bank employee successfully claimed the amount back from their bank.

Contacted by telephone, with the bank’s name and number showing on the screen, the victim was told by a woman pretending to be an assistant of his usual bank contact that the branch was worried his accounts had been hacked. 

Pretending to carry out security checks, she asked the victim to delete five people from a list he had previously registered with the bank for direct payments. He was then instructed to register them again via SMS links over the mobile telephone, using his confidential codes.

The caller said that as a result of the attempted hacking the victim would not be able to check his bank balance for a couple of days.

After the call the victim telephoned his bank and was informed that no security checks had taken place. Two days later, debits of €54,500 appeared on his accounts.

Bank fraud issue

He asked BNP Paribas to repay him – under French law clients must be repaid if they are victims of bank fraud – but the bank refused. 

It argued that by giving his confidential codes, the client had committed ‘négligence grave’ (gross negligence) absolving the bank of responsibility.

When the case reached the supreme court, judges ruled that it is always the bank’s responsibility to prove that the client was negligent and that, in this instance, given the circumstances of the fraud, the bank could not prove its case.

In particular, the fact the crooks were able to spoof the real number of the bank, and that the fake bank employee assured the victim that carrying out the procedure over the telephone would be safe, meant the client was not in the wrong. 

As well as being ordered to repay the €54,500, the bank was told to pay €3,000 in damages to the victim.