Some experts say it is not a good idea to ask people to regularly change passwords as it forces them to write them down.

Ever left your cellphone unattended, not changed your internet banking password for a while, or failed to keep the anti-virus software on your computer up to date?

Or perhaps you have downloaded an app that wasn't from the Google Play Store to your Android smartphone, or included some sequential letters or numbers in your internet banking password or Pin?

If so – depending on your bank – it is no longer safe to assume your bank will reimburse you if you lose money to internet fraud and it is judged you contributed to the loss.

For years, New Zealand banks routinely shelled out, to protect consumer confidence in online banking.


But in May, they ditched a "guiding principle" that they would continue reimbursing genuine victims of internet banking fraud.

A new code of banking practice makes it clear consumers may not be covered if they have breached their individual bank's terms and conditions. Banks are free to change them at any time.

The only other consumer protection is a general requirement – enforced by the Banking Ombudsman – for banks to be "fair and reasonable".

Different banks appear to have different views on what being "fair and reasonable" might mean.

ANZ Bank states that customers breach its terms and conditions, and so could be liable for fraud losses, if they bank from devices that don't have an up-to-date operating system and up-to-date anti-virus software.

It does not say exactly what it means by "up to date".

The head of Victoria University's computer science department, Stuart Marshall, agreed that would appear to rule out people banking from computers running Windows Vista, which is now out of support.

It also raised doubts over whether people would be covered if they banked from work computers that they didn't control, he agreed.

"Many businesses don't automatically install updates because they can contain bugs and could be incompatible with a core piece of software – they wait to see how things play out and go from there."

Marshall said he could see ANZ's point of view "which is that customers should be taking due care and only interacting with the bank using systems they had reason to trust".

"But it conflicts with the general sense that people want ultimate convenience and access from anywhere."

ANZ is alone among the major banks in requiring customers to use devices with up-to-date operating and anti-virus software, though it says it considers fraud liability on a "case by case" basis.

ANZ spokesman Stefan Herrick said that while it "asked" customers to use the latest version of operating systems and software, and "recommended" they did not access internet banking from shared networks, it would consider fraud reimbursements on a "case-by-case basis".

It would consider whether customers had taken "reasonable steps to ensure their computer or device was as secure as possible", he said.

If in doubt about work computers, "customers should talk to their employer's technology team", he said.

BNZ's fine print means customers could be liable for fraud losses if they included sequential numbers or letters in their internet banking username or password.

The bank gives the examples of "123" or "ABC".

But a strict reading of the condition would appear to mean customers would also be putting themselves at the bank's mercy if they included just two sequential letters or numbers, say, "KL" or "56", anywhere in their username or Pin and were defrauded.

Marshall said that if banks were to argue Pins or passwords breached their conditions, then they should not allow them to be used in the first place.

"If they are going to reject a password they should do so at the point at which it is created. From a personal perspective I think it would be deeply unfair for a bank to accept a password and then reject it afterwards as being insecure."
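Marshall's point is that a rule like BNZ's is only meaningful if it is enforced when the password is created. The following added example (not BNZ's or any bank's code; the banks' actual checks are not published beyond the "123" and "ABC" examples) shows what a creation-time check for "sequential letters or numbers" looks like, with the minimum run length as a parameter so the article's strict two-character reading ("KL", "56") can be compared with the three-character one. Assumptions: a run is consecutive ASCII letters (case-insensitive) or consecutive digits ascending by one, and a run never crosses from letters into digits. The sample passwords are constructed for the demonstration.

```python
"""Added example of a creation-time 'sequential characters' check.

This is not any bank's published code. Assumed rule: a run is a stretch of
consecutive ASCII letters (case-insensitive) or consecutive digits, each one
greater than the last, within the same character class. Descending runs
('CBA', '321') are deliberately not treated as sequential here; the article
gives only ascending examples.
"""


def _same_class(a: str, b: str) -> bool:
    """True if both characters are ASCII digits or both are ASCII letters."""
    if a.isascii() and b.isascii():
        return (a.isdigit() and b.isdigit()) or (a.isalpha() and b.isalpha())
    return False


def sequential_runs(secret: str, min_len: int = 3) -> list[str]:
    """Return every maximal ascending run of letters or digits in `secret`
    whose length is at least `min_len`, in order of appearance.

    Examples of runs: 'abc', 'KL' (case-insensitive), '123', '56'.
    """
    runs = []
    i = 0
    n = len(secret)
    while i < n:
        j = i
        # Extend the run while the next character is the same class and
        # exactly one code point higher (ignoring case).
        while (j + 1 < n
               and _same_class(secret[j], secret[j + 1])
               and ord(secret[j + 1].lower()) == ord(secret[j].lower()) + 1):
            j += 1
        if j - i + 1 >= min_len:
            runs.append(secret[i:j + 1])
        i = j + 1
    return runs


def accept_at_creation(secret: str, min_len: int = 3) -> tuple[bool, str]:
    """Decide, at the point the credential is set, whether it passes the
    sequential-characters rule. Returns (accepted, reason) so the customer
    is told why a choice was rejected rather than finding out after a loss.
    """
    runs = sequential_runs(secret, min_len)
    if runs:
        return False, "contains sequential characters: " + ", ".join(runs)
    return True, "no sequential run of %d or more characters" % min_len


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    samples = ["abc123", "Kiwi-Lemon56", "sparKLe", "Tr0ub4dor&3"]
    for min_len in (3, 2):
        print("minimum run length", min_len)
        for s in samples:
            ok, why = accept_at_creation(s, min_len)
            print("  %-14s %s (%s)" % (s, "accept" if ok else "reject", why))
```

With the three-character reading only "abc123" is rejected; with the two-character reading "Kiwi-Lemon56" and "sparKLe" are rejected too, because "56" and "KL" count as runs, which is why a bank that intends the strict reading needs to apply it at creation rather than after a fraud.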

BNZ's Pins and passwords mustn't be even "similar" to any others that customers use for any other services and, like other banks, BNZ stipulates they mustn't be written down or stored electronically on any device.

At least some banks appear to be rigidly enforcing the latter rule.

Banking Ombudsman Nicola Sladden – whose office is funded by the banks – published details of a case in which a customer of an unnamed bank saved his phone banking registration number and Pin in a disguised form as a "contact" on his laptop.

He didn't realise the updated file would be automatically synced to the contact list on a cellphone he had lost months earlier when he synced a new cellphone to his laptop.

A thief who had his old phone saw through the disguised credentials and used them to steal "a significant sum" from his bank account, according to her report.

Sladden declined to uphold a complaint from the victim that his bank should have covered the loss.

The fairness of many of the other terms and conditions imposed by banks has yet to be put to the test.

The Banking Ombudsman Scheme observed a 37 per cent rise in reported banking scams over the year to the end of June, many of which involved internet banking.

But Sladden said she hadn't so far seen any complaints about banks declining liability on the basis that a customer did not have an up-to-date operating system and/or anti-virus software.

Nor had she seen a situation where one had declined liability on the basis of sequential letters or numbers.

Importantly, when considering complaints, her office would consider what was "fair in all the circumstances", and a breach of a bank's terms and conditions by a consumer would only matter if it had in fact contributed to the loss being considered, she said.

"For example, where a customer chose a Pin based on their year of birth, but the fraudster obtained the Pin by other means that did not involve a customer's breach of the terms and conditions, we would not consider the breach caused the loss."

Even so, customers of some banks would arguably be doing well to stay completely on the safe side.

Westpac's and ANZ's terms and conditions both require that users of their banking apps only install software approved by "the relevant operating system provider" – such as Apple or Google.

ANZ requires people "don't leave their mobiles unattended" and regularly change their Pins and passwords, including the Pin numbers they use for phone banking, while still making them hard to guess, always memorising them and – of course – never writing them down.

Herrick said "a good rule of thumb" was that passwords should be changed every 90 days, but said there were no "hard-and-fast requirements". That was even though "regularly" changing passwords is one of the bank's conditions.

Nor would ANZ be specific about exactly what it meant by requiring customers not to leave their mobiles unattended, though Herrick accepted "keeping a phone in sight 24/7 clearly isn't realistic".

Some expectations imposed on customers by banks have yet to be tested by Banking Ombudsman Nicola Sladden.

He denied ANZ was wording its terms and conditions in a way it knew was unrealistic in order to maximise the discretion it had over how to handle claims.

But Victoria University cyber security expert Professor Ian Welch said requiring people to regularly change passwords was no longer considered "best practice" because it did force people to write them down.

"I don't think it is a good idea. It is better to encourage people to use good passwords in the first place," he said.

Welch also queried whether some of ANZ's fine print might be incompatible with the use of password managers, which are favoured by some more organised internet users as a way to securely manage a variety of online credentials using a single "master" password.

Marshall said internet banking security had improved as a result of the widespread availability of two-factor authentication.

If consumers wanted to have secure internet banking then they had their "part to play", he said.

But he didn't believe it was enough for banks just to say people should have read the terms and conditions if they were going to penalise people.

"That is probably putting too much of an onus on the user."