Friendly Fraud is anything but friendly: it is a fraud scheme in online payment and online banking in which the bank's own customer is the fraudster, which is where the name comes from.
In online banking, Friendly Fraud works like this:
The fraudster has an account at bank X. He makes sure there is money on the account, say 2000 Euro. He then transfers the 2000 Euro to an account abroad, using an authentication method that is not secure against trojans, such as SMS-TAN or app-TAN on his smartphone. A few days later he contacts bank X, claims that a transfer was made which he knew nothing about and is not responsible for, and asks the bank to reimburse the 2000 Euro. If the bank reimburses, the fraudster has already succeeded. If the bank refuses, the fraudster takes the bank to court. A court-appointed computer science expert will confirm that it is technically conceivable that a trojan on the smartphone executed the transfer silently, without any involvement of the customer. This shifts the burden of proof to the bank: it now has to prove that the transfer was not executed by a smartphone trojan, which is practically impossible. The court therefore has little choice but to rule that the bank must reimburse the money. The fraudster has thus doubled his money, since the transferred amount went to his accomplice abroad.
The fraudster needs hardly any IT or hacking know-how. The prerequisites are relatively easy to arrange: the account abroad is run by an accomplice who has no traceable connection to the fraudster, and the fraudster must have the money to be transferred plus some reserve for the potential court costs.
The risk of detection is low, because the fraud can hardly be proven. Even a forensic examination of the smartphone is not promising: a well-written trojan can remove itself after the transfer without leaving traces, for example by resetting the smartphone to its state before the infection. So even if no traces of a trojan are found on the smartphone, it remains conceivable that a trojan executed the transfer.
The financial risk is limited to the court costs in the unlikely case that the court decides in favour of the bank; the transferred money itself is not lost, since it sits with the accomplice.
In the online payment business, Friendly Fraud is well known as ''Chargeback Fraud'': the customer receives the goods but at the same time disputes the order and has the payment reversed, so that the payment is refunded. The result is that the customer keeps the goods without paying for them.
Friendly Fraud is reported to be one of the most widespread frauds in e-commerce, and online merchants dread it because a dispute with the card-issuing bank about liability is practically guaranteed. In online payment, however, it is ''only'' goods that the fraudster obtains, not money, and the goods are usually of small value.
With Friendly Fraud in online banking the fraudster obtains money, sometimes in large amounts. In Germany there was a case of a 238,000 Euro transfer authenticated via SMS; see the link below for the ruling of the Federal Court of Justice (BGH). The bank suspected Friendly Fraud but could not prove it, and had to reimburse the sum to the customer.
Does Display-TAN protect against Friendly Fraud?
Yes, because the bank knows, and can plausibly prove, that the transfer data were shown to the customer on the display of the Display-TAN bank card and confirmed there, on a device separate from the PC or smartphone a trojan could control. The customer therefore cannot credibly claim that he was not involved in the transfer.
Because a would-be fraudster will anticipate this conclusion, Display-TAN also deters Friendly Fraud preventively, i.e. before it is even attempted.
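To make the evidentiary difference concrete, here is an added illustrative model in Python. It is not code from this page or from the Display-TAN product, and it does not claim to reproduce the Display-TAN protocol, which the page does not describe. The HMAC construction, the demo card key, the IBANs and the amounts are all assumptions made for the example. It contrasts a TAN computed on a separate device over exactly the transfer data it displays with a random SMS/app code that carries no transfer data, and asks the question a bank faces in a dispute: which transfer does the entered TAN actually vouch for?

```python
"""Added model: transaction-bound TAN on a separate display device versus a
random code delivered to the same smartphone that runs the banking session.
Not the Display-TAN protocol; the construction and all data are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    iban: str          # recipient account
    amount_cents: int  # amount in cents

    def canonical(self) -> bytes:
        # The bytes the MAC covers are exactly the fields the device displays.
        return f"{self.iban.replace(' ', '').upper()}|{self.amount_cents}".encode()


def card_tan(card_key: bytes, shown: Transfer, digits: int = 6) -> str:
    """Model of the card: show `shown` on its own display and, once the
    customer confirms, return a TAN bound to exactly those data. A trojan on
    the PC or phone never sees `card_key` and cannot alter the card display."""
    mac = hmac.new(card_key, shown.canonical(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**digits:0{digits}d}"


def bank_verify_bound(card_key: bytes, submitted: Transfer, tan: str) -> bool:
    """Bank side: recompute the TAN over the transfer actually submitted."""
    return hmac.compare_digest(card_tan(card_key, submitted), tan)


def sms_tan_issue() -> str:
    """Model of SMS-TAN / app-TAN: a random code unrelated to the transfer."""
    return f"{secrets.randbelow(10**6):06d}"


def bank_verify_sms(issued: str, entered: str) -> bool:
    return hmac.compare_digest(issued, entered)


def transfers_proven_by_bound_tan(card_key, tan, candidates):
    """Which candidate transfers does a bound TAN vouch for? Only the one it
    was computed over, i.e. the one the customer saw and confirmed."""
    return [t for t in candidates if bank_verify_bound(card_key, t, tan)]


def transfers_proven_by_sms_tan(issued, entered, candidates):
    """A random code says nothing about the transfer: if it matches, every
    candidate transfer is equally consistent with it."""
    return list(candidates) if bank_verify_sms(issued, entered) else []


# Constructed sample data: a demo key, the customer's intended 2000.00 EUR
# transfer, and two alternatives a trojan or a fraudster might have used.
CARD_KEY = b"constructed-demo-card-key-not-a-real-secret"
INTENDED = Transfer("DE02 1203 0000 0000 2020 51", 200_000)
TO_ACCOMPLICE = Transfer("LT12 1000 0111 0100 1000", 200_000)
HIGHER_AMOUNT = Transfer("DE02 1203 0000 0000 2020 51", 950_000)
CANDIDATES = [INTENDED, TO_ACCOMPLICE, HIGHER_AMOUNT]


def dispute_scenario():
    """The customer confirms INTENDED; later the bank must say what that
    confirmation covered. Returns (bound-TAN evidence, SMS-TAN evidence)."""
    tan = card_tan(CARD_KEY, INTENDED)
    bound = transfers_proven_by_bound_tan(CARD_KEY, tan, CANDIDATES)
    code = sms_tan_issue()
    sms = transfers_proven_by_sms_tan(code, code, CANDIDATES)
    return bound, sms


def trojan_manipulation_detected() -> bool:
    """The card displayed INTENDED, but a trojan on the PC submits TO_ACCOMPLICE
    together with the TAN the customer entered: verification fails."""
    tan = card_tan(CARD_KEY, INTENDED)
    return not bank_verify_bound(CARD_KEY, TO_ACCOMPLICE, tan)


if __name__ == "__main__":
    bound, sms = dispute_scenario()
    print("bound TAN is consistent with:", bound)
    print("SMS TAN is consistent with:  ", sms)
    print("trojan swap caught by bound TAN:", trojan_manipulation_detected())
```

In the bound case the bank's record pins the TAN to one set of transfer data, which is the same data the card displayed, so a claim of "I never saw that transfer" runs against the bank's own verification. In the SMS case the record only shows that a code sent to the phone was entered, which is exactly the situation a smartphone trojan could have produced. Note what the argument rests on: the card must display precisely the data it authenticates, and the card key must never leave the card; the six-digit truncation also means a one-in-a-million chance that an altered transfer validates by accident, which is why real systems add replay protection and limits on top.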
Wikipedia (English): Chargeback Fraud
Verifi: What is Friendly Fraud?
BGH, judgment XI ZR 91/14 (January 2016)