惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

宝玉的分享
宝玉的分享
T
Threat Research - Cisco Blogs
H
Hacker News: Front Page
N
News and Events Feed by Topic
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog
K
Kaspersky official blog
Forbes - Security
Forbes - Security
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
P
Privacy & Cybersecurity Law Blog
H
Heimdal Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
S
SegmentFault 最新的问题
V
Vulnerabilities – Threatpost
T
Tenable Blog
T
Tailwind CSS Blog
P
Privacy International News Feed
WordPress大学
WordPress大学
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
博客园 - Franky
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
C
Cybersecurity and Infrastructure Security Agency CISA
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
雷峰网
雷峰网
Vercel News
Vercel News
A
About on SuperTechFans
爱范儿
爱范儿
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog
The Last Watchdog
The Last Watchdog
Engineering at Meta
Engineering at Meta
Spread Privacy
Spread Privacy
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园 - 司徒正美
量子位
博客园 - 三生石上(FineUI控件)
J
Java Code Geeks
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Martin Fowler
Martin Fowler
Project Zero
Project Zero

The Register - Security: Cyber-crime

Election interlopers register 5K+ domains, hope to catch some voting phish Palo Alto VPN bug graduates from advisory to active exploitation ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak Carnival confirms ShinyHunters cruised off with 6M customer records after April breach CrowdStrike, Google shatter Glassworm botnet MyPillow must decide whether to be firm or soft as ransomware crims demand pay A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Shai-Hulud copycat worm infects yet another npm package Grafana Labs admits all its codebase are belong to someone who popped its GitHub account Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files Cache-poisoning caper turns TanStack npm packages toxic 'CopyFail' attackers start cashing in on Linux flaw Cushman & Wakefield confirms vishing cyberattack ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Critical cPanel exploited: 'Millions' of sites could be hit Pro-Iran group turns Ubuntu DDoS into shakedown French prosecutors link 15-year-old to gov mega-breach UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Chinese spy group caught lurking in Poland, Asia networks Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Burglar alarm biz gets burgled, ShinyHunters pursues ransom Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning 500k Biobank volunteers' data listed for sale on Alibaba Another npm supply chain worm hits dev environments France's 'Secure' ID agency probes breach as crooks claim 19M records France's 'Secure' ID agency probes claimed 19M record breach macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets macOS ClickFix attacks deliver AppleScript stealers Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords Third ransomware pro pleads guilty to cybercrime U-turn AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account AI-pwned: Vercel breach traced to stolen employee creds Crook claims to leak 'video surveillance footage' of companies Crook claims to leak 'video surveillance footage' of firms Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Adaptavist Group breach: Ransomware crew claims mega-haul Scot becomes second Scattered Spider-linked crook to plead guilty in US US gets second Scattered Spider-linked guilty plea North Korea targets macOS users in latest heist McGraw Hill linked to 13.5M-record data leak McGraw Hill linked to 13.5M-record data leak Autovista blames ransomware for service disruption Autovista blames ransomware for service disruption No honor among thieves as 0APT threatens rival ransomware gang Krybit 0APT ransomware gang extorts Krybit amid doxxing threat Fake Linux leader using Slack to con devs into giving up their secrets Fake Linux Foundation leader using Slack to phish devs Booking.com warns of possible reservation data exposure Booking.com warns of possible reservation data exposure Gym giant Basic-Fit breached with at least 1M affected US, UK, Canadian cops disrupt $45M global crypto scam www.theregister.com Old Adobe Reader zero-day uses PDFs to size up targets Zephyr Energy loses £700K to contractor payment fraud Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns Russia's APT28 behind latest wave of router, DNS attacks AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack Mercor says it was 'one of thousands' hit in LiteLLM attack Telnyx package latest hit in PyPI supply-chain compromise Telnyx package latest hit in PyPI supply-chain compromise European Commission admits breach of public web systems European Commission admits breach of public web systems AFC Ajax drops ball as hackers transfer tickets, lift bans AFC Ajax drops ball as hackers transfer tickets, lift bans HackerOne slams supplier for delayed breach notice after staff data exposed HackerOne slams supplier over delayed breach notice Russian initial access broker jailed for 81 months in US Russian initial access broker jailed for 81 months in US Smooth criminals talking their way into cloud environments, Google says Chip tester shrugged off ransomware – then came the leak Chip tester shrugged off ransomware – then came the leak Russians posing as Signal support to launch phishing raids JLR cyber bailout risks dangerous precedent, watchdog warns Unknown attackers exploit yet another critical SharePoint bug Microsoft Intune: Lock it down, warn feds after Stryker Ransomware crims abused Cisco 0-day weeks before disclosure North Korea's 100,000-strong fake IT worker army rake in $500M a year for Kim Jong Un Robotics surgical biz Intuitive discloses phishing attack Cybercrime up 245% since the start of the Iran war AI-driven fraud far more profitable, Interpol warns Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs Interpol sinkholes 45,000 IPs linked to global cybercrime SocksEscort fraud-enabling proxy service taken down CISA warns max-severity n8n bug is being exploited in the wild Iran-linked cyber crew claims hit on US med-tech firm Meta, cops deploy AI and handcuffs in scam crackdown Dutch police collar teen over string of bank card frauds Cybercrime isn't just a cover for Iran's government goons Crooks compromise WordPress sites, spread infostealers Ericsson breach blamed on third party vendor vishing attack Polish cyber police busts gang of alleged teen DDoS peddlers
EU law advisor wants cybercrime protections fast-tracked
Connor Jones Connor Jones · 2026-03-11 · via The Register - Security: Cyber-crime

Security

EU legal eagle says banks should refund cybercrime victims first, argue later

Advocate General urges rethink of PSD2 to speed compensation after scams

ANALYSIS One of the European Union's top legal advisors is trying to change how banks treat cybercrime victims – meaning they could enjoy greater financial protections sooner than expected.

In a recently published legal opinion, Advocate General Athanasios Rantos urged lawmakers to alter their interpretation of the Second Payment Services Directive (PSD2), which would require banks to reimburse victims of financial fraud before proving wrongdoing.

Crucial to this is the treatment of gross negligence under PSD2. Should Rantos's opinion be adopted, victims of crimes such as bank impersonation scams would be reimbursed immediately, regardless of whether, under EU law, their money was lost through their own gross negligence.

Under the current PSD2, banks hold the power. If a victim of online fraud reports the crime to their bank, the institution then undergoes a review of the case to decide whether they should be reimbursed.

The current model can often leave victims in an uncertain and potentially perilous financial position until the bank determines whether or not to repay them.

Banks often use the gross negligence defense to delay reimbursement. Rantos's opinion, which is not yet legally binding, looks to flip this on its head, forcing banks to pay victims immediately, regardless of whether gross negligence led to the fraud's success, and then reclaim the money after the case is reviewed.

Under the EU's payment processing regulations, gross negligence can be argued in cases where victims are tricked into handing attackers a one-time passcode or their login details, which the criminal then uses to enrich themselves by making unauthorized payments.

Rantos's hypothetical

The Advocate General provided a fictional example [PDF] of a case in which the victim would benefit from a legislative tweak.

For example, a customer of a bank in the EU is phished by a criminal who listed an item for sale on an online marketplace. They agree to purchase the item, and the criminal sends the victim a link that leads to a web page imitating the victim's bank.

Convinced the web page is legitimate and not under the attacker's control, the unwitting victim enters their bank details to approve a transaction, but the attacker steals those credentials and uses them to make a payment from the victim's account.

The victim reports the scam to their bank, but it claims gross negligence led to the fraudulent transaction (not spotting that the web page was a phishing site). The bank refuses to issue an immediate refund, forcing the victim to pursue a recovery through the courts, likely while in a position of limited resources due to the attacker's theft.

Rantos's opinion would require the bank to cough up money to the victim immediately and allow it to reclaim the funds if gross negligence is proven later, providing the victim greater financial security in the short term.

Jonathan Frost, director of global advisory for EMEA at cyber and fraud detection biz BioCatch, said: "The Advocate General's opinion indicates a major shift in the liability for fraud in European payments. If the Court concurs, banks may have to promptly reimburse customers for unauthorized transactions and then pursue negligence claims. This shifts the initial financial risk to banks, heightening the need to detect account takeover and credential compromise before processing payments."

"This reflects a key principle of the Revised Payment Services Directive (PSD2): customers should be promptly refunded for unauthorized payments, unless the bank can clearly prove fraud or gross negligence. UK banks already reimburse about 98 percent of unauthorized fraud losses, whereas European banks have often refused to reimburse customers unless they pursue legal action."

The overhaul to PSD2's interpretation, per Rantos's opinion, will almost certainly come soon in the form of the updated PSD3 and brand-new Payment Services Regulation (PSR). 

Unlike with PSD2, this specific scenario is explicitly codified in both the proposed new regulations, as they are currently worded.

However, a protracted legislative process could mean the protections are not formally introduced and enforced for some time, despite first being proposed in 2024, which is why the Advocate General wants it fast-tracked as part of a reinterpretation of PSD2.

PSD3/PSR will bring a bunch of changes to the EU's payments regulations. Aside from the more finance-related parts, payment services providers (PSPs) will need to implement more robust Strong Customer Authentication (SCA) – one of the more influential changes lawmakers hope will curb the rising number of financial fraud cases. If PSPs fail to implement SCA properly, regulators could prosecute them.

Merchants also have a role to play. They will need to share more data with the PSPs, which can then make better-informed decisions about whether to approve or deny transactions. User locations, session data, device IP addresses, and more will work to provide PSPs with a clearer picture of who exactly authorized the payment: the genuine cardholder or a malicious third party.

SCA is already a requirement under the existing PSD2, although PSD3 will bring improvements, with the PSR enforcing them. Given that the PSR is a regulation and not a directive - which requires member states to transpose requirements into domestic law, another lengthy process - the EU can immediately enforce it across all member states.

The types of data that inform SCA will remain largely unchanged, but PSD3 will more clearly define liability in cases of failure.

SCA under PSD2 is also usually enforced through means only accessible via smartphone, and PSD3/PSR will force PSPs to broaden these methods of authentication, offering greater protection to those without access to a smartphone, for example, or those with disabilities. ®