Forgot your password?
typodupeerror
The Courts Government Security The Almighty Buck News

Who's Really Responsible In Online Banking Fraud? 463

Posted by timothy
from the firefox-did-it dept.
TheRealStyro writes "According to this article a Miami businessman is suing a bank because of a fraudulent fund transfer possibly caused by the coreflood virus/trojan. He claims the bank is responsible because the bank failed to protect him from known online banking risks. It is obvious that this guy should have had an anti-virus package active, but shouldn't the bank have questioned such a large transfer to a republic of the former Soviet Union (these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom)?"
This discussion has been archived. No new comments can be posted.

Who's Really Responsible In Online Banking Fraud?

Comments Filter:
  • by Rodrin (729362) <chris AT coggburn DOT us> on Sunday February 06, 2005 @07:37PM (#11592719) Homepage Journal
    I told you not to lock them in a room with computers. This is EXACTLY what I said would happen. *shrugs and walks off*
  • virus software? (Score:2, Insightful)

    by Anonymous Coward
    How could virus software prevent something like this anyway?
    • Re:virus software? (Score:5, Insightful)

      by SilentChris (452960) on Sunday February 06, 2005 @07:41PM (#11592759) Homepage
      Good point. If someone tricks me into giving them my ATM card, how is it the bank's fault? It's essentially the same thing.
      • by cOdEgUru (181536) * <cherian.abraham@nOSPaM.gmail.com> on Sunday February 06, 2005 @08:36PM (#11593043) Homepage Journal
        An ATM limits you by preventing the amount you can withdraw from the account (upto 300).

        A Wire transfer of 90,000 to a country which is known in Financial circles to be a haven to cybercriminals should have sent up some flags.

        Heck, I spent over a grand on a credit card transaction, Discover used to call me up and "harass" me. Why? Because they stand to lose money if its a fraudulent transaction.

        Why didnt BOA do the same? Coz it aint their money? Safeguards are only built in when its your ass on the line.
        • by alexo (9335) on Sunday February 06, 2005 @11:04PM (#11593775) Journal

          > Heck, I spent over a grand on a credit card transaction, Discover used to call me up and "harass" me.

          Several years ago, I drove to the states to visit relatives.
          When I came back, there was a voice message from Visa waiting for me.
          I called them back to ask what the problem was.
          Well, somebody (that would be me...) used my credit card to purchase gas in a US gas station and "it did not fit my usage profile".

          Couple of years later, we went on vacation to Muskoka.
          I wanted to arrange a dog-sled ride for the kids. Problem is, outside the GTAMy Fido cell phone turns into a pumpkin. I'm also out of quarters so I use the Visa card at a pay phone.
          Whan I get back, you guessed it, another chat with Visa telling them not to worry, the transaction is legit, "usage patterns" notwithstanding.

          Customer protection or privacy invasion?
          You decide.

          Next, flying abroad to visit relatives.
          This time, I call them preemptively. I will be out of country approximately between xxx and yyy, the card will be used in the following countries, don't give me any troubles.

          > Why? Because they stand to lose money if its a fraudulent transaction.

          Zigackly!
          • This time, I call them preemptively. I will be out of country approximately between xxx and yyy, the card will be used in the following countries, don't give me any troubles.

            At least your transactions were not rejected.

            A couple of years back, I tried to pay for gas with a Visa and was rejected. When I called the bank to see what was going on, they told me that they block transactions at certain "high risk locales" by default unless the customer calls ahead. I asked them not to reject but to call and co
        • fscking BoA... (Score:4, Interesting)

          by quarkscat (697644) on Monday February 07, 2005 @04:23AM (#11594815)
          Preface:
          Ever since 9/11/2001, the states have taken
          some righteous blame for the ease with which
          fraudulent driver's licenses have been issued.
          Here in the Commonwealth of Virginia, the DMV
          (Dept. of Motor Vehicles) now requires proof
          of occupancy in the state before issuing new
          driver's licenses.

          Tale of BoA Ineptness:
          I was surprised to find correspondence from
          BoA in my mailbox addressed to a person I do
          not know, and who has never lived at my street
          address. It appeared to contain a booklet of
          either "starter" checks or else a loan payment
          book. Within days, a second package arrived
          that was just like the first one. I returned
          both back to my local US Post Office with the
          complaint that the party that the mail was
          addressed to did not reside at my home. With
          typical USPS aplomb, this mail was re-delivered
          to me. (WTF?)

          In the same mail, yet another letter from BoA
          arrived. By the feel of it, it contained a
          credit card, debit card, or ATM card. I wrote
          a letter of explanation and complaint and then
          mailed the entire lot back to BoA's originating
          address. No news back from BoA. Then 2 weeks
          later, a CS letter and another "credit/debit/ATM"
          card arrived, from Dallas, TX this time instead
          of Houston, TX. Again, I wrote a second letter
          of explanation and complaint to BoA's 2nd
          originating address, along with the new letters
          addressed to my phantom room mate. No news
          back from BoA -- no letter, email, or phone call.
          The next correspondence that I received from
          BoA was their CS department in North Carolina.
          I sent yet another cover letter to BoA, along
          with their latest correspondence. BoA never,
          ever tried to contact me (no thanks, let alone
          any mere acknowledgement of receipt).

          The final letter I received from them came
          nearly a month later, also from BoA CS, also
          addressed to my phantom room mate. My last
          cover letter back with their CS letter was,
          shall we say, somewhat rude. Nonetheless,
          perhaps it was my rudeness that actually got
          some attention from these flaming idiots.

          Identity theft has been (IMHO) partially
          usurped by "Address Theft" in an attempt
          by illegal aliens to establish residency
          required to obtain driver's licenses. I would
          advise readers of this prose to never leave
          mail out for pickup by the postman -- drop
          outgoing mail at the post office or postal box.
          Also, it wouldn't be a bad idea to purchase
          a secure (approved) mailbox for your mail.
          Times have changed, and not for the better.

          My personal opinion of BoA dropped into the
          basement with this exchange of correspondence,
          and with BoA's totally clueless behavior. I
          wouldn't do business with this bunch of clowns,
          ever, any more than I would respond to an urgent
          "419" letter from Nigeria.
      • Re:virus software? (Score:3, Informative)

        by QuantumG (50515)
        maybe you're british, where an ATM card can buy you anything you want with just a poorly forged signature. Here in Australia you have to have the pin number for an ATM card to be of any use to you, and even then you'll only get $500 a day from it.
        • The PIN number is no Problem for the inventive criminal. We had ATM's modified with a thin card reader in front of the card slot and a hidden wireless camera over the keyboard. The customers didn't notice the (well done) modifications, plugged in their cards and typed the PIN.

          After a couple of hours the equipment was collected and the criminals made fake cards with the same magnetic information. The card, together with the PIN, allows you to withdraw the daily maximum until the account owner notices, which

    • Antivirus software (Score:4, Interesting)

      by ecalkin (468811) on Sunday February 06, 2005 @07:53PM (#11592821)
      might have detected Coreflood. I went to symantec and their AV seems to know about it (and several variants), so in *theory*, it would have been caught/removed.

      Coreflood seems to allow remote access, so a *firewall* might have helped.

      now, the *real* question: If it was indeed coreflood, did someone (a real person) surf his files looking for account info, did all (most, alot, ect) of his files get downloaded, or did coreflood have enough smarts to look for the account info.

      I can't see how this is the fault of his bank except that maybe 'fraud detection' didn't work too well, but I don't know what it looks for. I see idiots like this guy all the time. 'No I don't want to pay for Antiviral, Antispyware, Firewall, Backups, etc'

      eric
      • by Almost-Retired (637760) on Monday February 07, 2005 @01:53AM (#11594335)
        I see idiots like this guy all the time. 'No I don't want to pay for Antiviral, Antispyware, Firewall, Backups, etc'

        With all due respect for the windows sheeple (not too much mind you), anyone who gets caught in such a sorry web and loses their collective asses in such a deal is only really proving the old adage that PT Barnum was fond of quoteing.

        "there's one born every minute"

        Well, I don't pay for AntiViral, AntiSpyWare stuff. I don't need them, (generally speaking) with linux. In 8 years of running linux, I've seen one box rootkitted, we rebooted it, installed the fix, and cleaned it up, its next reboot was 9 months later when a power outage outlasted the ups. And I do use a firewall, and I do make backups every night.

        This small 2 to 3 machine home system has only had 2 access attempts that actually got thru the router to my firewall, to get logged and shut down in the last 2 years!. And guess what? Both attempts came from my assigned dns server, owned by verizon and presumably running some sort of windows dns server. Because that address was known, it got past the router & its NAT. And thats as far as it got, stopped dead with one line in the log to indicate it happened.

        And I do tend to stay up with security fixes unlike the windows sheeple who's probably running a windows box with a generated serial number that would probably bounce if he tried to dl the latest patches from Redmond. That actually doesn't seem to make a hell of a lot of difference, I was reading a message from someone yesterday that had just got thru re-imaging the drive on his sisters computer because it was full of crap and it was infected again less than 45 seconds after completing the boot sequence with the network cable plugged in. There's no way in hell a windows box can survive long enough to grab and install all the fixes when its been re-imaged by the distribution cd that came with the machine.

        So when are all the diehard M$ fans finally going to get the message, and start a class action suit to recover their piece of the estimated 22 billion dollars a year that the M$ poor security was estimated to cost the public?

        Seems like a hell of a good question to me.

        That said, I don't want to hear about how good M$ is, or field any flames, they'll be deleted from my mailbox after I read enough here to get the tone of the message.

        BUT, I will drive up to 20 miles one way with a kit of cd's and install linux on your box & spend a couple of hours afterwards drinking (& recycling) your beer, and answering as many questions as I have the knowledge to answer. And I'll leave my phone number in case something else needs an answer. That isn't saying I've got the answer, but chances are I know a place to go looking for the answer.

        Hows that for a deal?

        --
        Cheers, Gene
        • "So when are all the diehard M$ fans finally going to get the message"

          About the time there will be a real alternative to it.

          Fact is, most people aren't really "fans" of any one OS. Noone except the Linux fanboys (been one myself, believe it or not) actually gives a damn about the _OS_. It's like having a flame war about whether brown seat covers are more evil than blue seat covers in a car. It's that stupid.

          The OS is just a necessary evil you need to load the _applications_. _That_'s what matters. Most o
  • Woah (Score:2, Interesting)

    by Anonymous Coward
    That text in bold really caught my attention. How did an editor miss that?
  • by jez9999 (618189) on Sunday February 06, 2005 @07:39PM (#11592736) Homepage Journal
    ... Slashdot is making a bold new move in its use of story formatting.
    • Slashdot is making a bold new move in its use of story formatting.

      I also "suggest" the liberal use of bold and italics in user posts as well. While I have been actively lobbying Slashdot to support scroll and blink as a way to improve the level of communications in user posts, we are still with only the bold and italic tags (and good use of lists, now and then...)

  • dens of villainy and hackerdom

    ROFLMAO

  • PayPal (Score:5, Funny)

    by chaffed (672859) on Sunday February 06, 2005 @07:40PM (#11592747) Homepage
    Maybe paypal should be incharge.

    Me: Hello paypal someone cracked your systems and stole my balance.

    PayPal: Oh really? Tough Titties! *click*

    Me: WTF Mate?

    • Re:PayPal (Score:3, Informative)

      by WarPresident (754535)
      Maybe paypal should be incharge.
      Me: Hello paypal someone cracked your systems and stole my balance.
      PayPal: Oh really? Tough Titties! *click*


      That's not what PayPa1 would do. They'd suspend your account and the accounts of anyone who has ever transferred funds to, or received funds from your account. There would be no way to talk to a representative, as they do not publish telephone numbers and only autoresponders are "manning" the email server. Should a human-like creature ever interact with you at any p
      • by ravenspear (756059) on Monday February 07, 2005 @12:16AM (#11593977)
        They'd suspend your account and the accounts of anyone who has ever transferred funds to, or received funds from your account.

        What utter nonsense. If Paypal suspended the accounts of everyone who ever interacted with a fradulent account, they would be killing off a lot of perfectly good customers. I have never seen any evidence of any kind that this kind of thing takes place. If they feel another account is closely related (like an alias used by the same person) then they may kill it, but otherwise this would be an insanely stupid thing to do. Some people conducting fradulent activity with Paypal transact with thousands of people before they are caught. In most of these cases the buyers did nothing wrong except by letting themselves be duped. If Paypal killed all of those accounts, their business model would die fairly quickly.

        There would be no way to talk to a representative, as they do not publish telephone numbers

        If you actually took the time to visit their contact page [paypal.com] instead of spewing more uninformed rubbish, you would have found that their contact number is 402-935-2050.

        I'm not saying Paypal is without problems. Clearly they have their share. But at least make some kind of minor effort to get your facts straight.
        • by WarPresident (754535) on Monday February 07, 2005 @02:07AM (#11594382) Homepage Journal
          I'm not saying Paypal is without problems. Clearly they have their share. But at least make some kind of minor effort to get your facts straight.

          Yes, of course... Paypal would never wrongfully suspend accounts!

          MSNBC Article fragment:
          Millions of PayPal users received an e-mail this week offering them a chance to receive a little money just for filling out an online form -- and for once, the e-mail wasn't a fake.

          The notice tells PayPal customers that they may be eligible to receive payment as part of a class-action lawsuit settlement the eBay-owned Web signed last month. The suit alleged that, beginning in 1999, PayPal unfairly froze thousands of user accounts, preventing consumers from getting access to their money.

          In the settlement, PayPal agreed to set aside $9.25 million to compensate users who feel they were treated unfairly. The company admits no wrongdoing.


          The last time I used Paypal, there was no easy, or even relatively hard to find published number to reach anyone. From Paypalsucks.com (wielding an axe to grind):

          PayPal has so many unhappy customers, that they make it very difficult to find and use their telephone system for support. You have to ask yourself just what kind of company has such a huge service load that it has to resort to such tactics. You should also know that PayPal's hiding of it's phone number and deleting customer's emails was one of the principle issues why they agreed to pay $9.1million dollars to settle the class auction lawsuit brought on EFTA (Electronic Funds Transfer Act) violations.

          I also recall there was a WSJ or NYT interview with the founder of Paypal and he touted the limited ability of people to contact the company as a cost saving benefit.

          If you don't think I'm stating the facts, look at my moniker. These are known facts! Besides, I was shooting for funny.
    • Re:PayPal (Score:5, Interesting)

      by LadyLucky (546115) on Sunday February 06, 2005 @09:32PM (#11593334) Homepage
      You can actually listen to this happen. Someone recorded their conversation with them. Read about it here:

      http://paypal.ctyme.com/paypal/paypalsucks.htm [ctyme.com]

      The best bit is how PayPal allows you to record their conversations :-)

  • by DoorFrame (22108) on Sunday February 06, 2005 @07:41PM (#11592754) Homepage
    I went to my bank the other day to see if I could put a hold on all transfers of money coming out of my account with the exception of those going to two (and only two) credit card companies. Specifically I wanted to block all money going OUT to my paypal account (I only use the account to receive funds). They said they were not able to stop companies from transferring money out of my account if they had the proper information to do so.

    What the hell?

    Why not demand pre-verfication on this sort of thing? Why not give the option to request a phone call confirmation of fund transfers, especially when the funds aren't simply going to Visa or the gas company? Or just allow me to set up a list of comanies/websites that are permitted to transfer funds out of my account. There's no reason the banks can't set this up, it's not very difficult. If anyone knows of a national bank that has an option for something like this, I'd be glad to hear about it.

    Bank of America does not.
    • I know it's not quite the same, but...

      Bank of America's fraud detection group called me to verify a balance transfer from my Discover account... a $2100 transaction.

      I wonder if this behavior was prompted by this lawsuit or what.
      • by Teclis (772299) on Sunday February 06, 2005 @08:13PM (#11592929) Homepage
        That is quite normal. A few years ago, a friend of mines mother is a Doctor with her own practice. She uses her visa for buisness purchases, mainly large transactions $1000+ and had been doing that for over a year. One time my friend needed some money for gas so his mom just gave him her credit card. He went to safeway, bought gas and then went in to the store and bought some snacks for his trip. The same day, his mother got a phone call form the credit card company asking if she was missing her credit card. They noticed that my friends purchaces were out of pattern and thought that someone stole the card.

        When thieves steal a card, they usually make a few small purchases first to test it out before sucking the card dry. Visa was quick to act on this to prevent theft. It is in their best interest to do this. That kind of action is very normal.

    • A possible solution: Open a second account. Keep all your money in an account you NEVER give out the details about, and specifically make sure you don't have an overdraft facility on the account you do give out details for. Then you transfer money from the account you keep most your money in only as needed.
    • by Znork (31774) on Sunday February 06, 2005 @08:11PM (#11592923)
      Any online bank that doesnt use offline one-time keys as transaction verification is insecure and vulnerable to client computer hacking.

      The technology to solve the problem is available, and many banks use it, so frankly I'd say any bank which does not offer such an option should be held at least partially responsible for losses incurred through lax security policies.
    • such as 'netbank.com' refuse to allow SPECIFICALLY paypal to transfer money out.

      My paypal/netbank account is confirmed, did it a long time ago, not sure if that's still possible via paypals current policies.

    • by cosmic_0x526179 (209008) on Sunday February 06, 2005 @08:28PM (#11592997)
      You are confusing two different systems here...

      The electronic payments within the US (possibly CA also) are handled via a system called ACH (automated clearing house). With ACH they could indeed hit your account such as that. But the ability to inject ACH debits usually requires a cooperating bank in the US (who recognizes the organization generating the electronic debits). Typical examples are mortgage payments, insurance companies and PayPal.

      For foreign transfers (such as the one talked about here), this most likely happened via SWIFT-wire. With SWIFT-wire I do not believe it is possible to pull money (i.e. via an electronic debit). The transfer has to be pushed from the sender. So my guess would be that the cybercrook here gained access to the computer (owned by the person who lost the 90K) and faked an online transfer request. Maybe the guy has always on DSL or cable and leaves his system powered up 24/7.

      At least thats my perception of what happened here. In the case of ACH fraud, I think the FBI could come down hard on the receiving bank, and who ever generated the fraudulant debits. With SWIFT-wire, its a whole different set of rules when crossing national boundries.

    • by Sycraft-fu (314770) on Sunday February 06, 2005 @09:12PM (#11593252)
      What happened to this guy is wire fraud, someone pretended to be him and authorized a wire transfer from his account. Wire transfers are sender iniated only. Nobody can contact bank and take money by wire, you contact the bank and send money by wire.

      What you are thinking of with PayPal is direct debit, probably via ACH. This is a US only thing and works differently. It's a network of banks, employers and merchants that is watched over by the federal reserve. Using this yes, someone can pull money from your account. However as per their ACH contract, and federal law, they must have permission to do so. If they don't, you file a fraud complaint and contest it.

      Just such a thing happened to my friend. He had been with a hosting company for some time, one with an actual signed contract. When it was up, he cancled it via fax notification. All was fine until a few months later, when they automitaclly withdrew all the cancled months worth of payments. They had a bunch of BS claims about the contract not being cancled and autorenewing and so on. So he contacted his bank and filed a fraud complaint. They put the money back in his acocunt immedatly as a temporary thing while they investigated. He sent them a copy of the contract, and of the letter he sent canceling. After a bit more investigation, the bank decided he was right, made the credit to his account perminant, and went after the hosting company for the money.

      So with ACH, there's really very little to worry about. Yes, a company you've never heard of on the network could technically clean out your bank account for no reason. However you'd have the money back in less than 24 hours of filing a complain, and a few months later they'd all be doing time in federal prison.

      The reason in this case the bank is refusing to help the guy is because it wasn't ACH, it was a wire transfer. Wire transfers are very different. A wire transfer would be what you do at Western Union: You pay a company to make funds immediatly available to another party of your designation. They company then worries about actually shuffiling funds later, your designee can get the money immediatly. With large ones, it can be done directly bank-bank.

      So that's what happened here, someone broke in to his computer, and authorized a wire transfer from his account to another one. From the bank's perspective, they did everything correct. They recieved proper authorization for the transfer and made it. It would not have been iniated had someone with the proper credentials not requested it.

      So the bank believes they've done what they should do. That his computer got hacked isn't their problem. Now we'll see if the courts agree.
      • by bitingduck (810730) on Monday February 07, 2005 @12:26AM (#11594011) Homepage
        Wire transfers are sender iniated only. Nobody can contact bank and take money by wire, you contact the bank and send money by wire....

        (lots of other interesting text cut for space)


        All good points about different kinds of transfers.

        I had to make some large transfers (to another country, of all things) recently and can add a little more:
        At my bank, unless I do a bunch of (fairly involved) paperwork in advance, the only way I can do a wire transfer is to show up in person at the bank, fill out the paperwork, show a picture ID (that they then photocopy) and sign the form. They don't ask a lot of questions, but they definitely document it carefully, and they do look like they check the signature cards (because it was large amounts, I made sure to use the branch where my account is). If you submit it before a particular time (4 pm or something) they are pretty good about the money being available at the receiving end by 10am or so the next day.

        I also looked into setting things up for being able to do wire transfers by phone (they don't seem to offer online, though their online banking is pretty good), and there are a lot of variations on how you can set things up. You have to specify what account the money will come from, and you can set things up so that you can only wire money into particular other accounts (what I was going to do), or allow transfer into any account at all. You can also specify things like the currency that they'll send it in (foreign banks tend to give better rates than US ones, so it was better to send dollars), what kind of limits you want on how much can be moved, who can authorize, etc. At any rate, it turned out to be more trouble (and potential risk) than it was worth, and we use a joint account for smaller transfers that are less time critical.
  • No one cares about Mr. Lopez, because as he himself said, "It's peanuts." But if a whole bunch of people get together and sue, then we're talking multiple peanuts! But don't worry, here comes the U.S. Senate to the rescue [dailykos.com]! (Bank of America's rescue, that is...)
    • Re:zerg (Score:2, Insightful)

      by ScrewMaster (602015)
      The U.S. Senate, huh ... speaking of wretched hives of scum and villainy. I wonder if some of these people actually believe what they are doing is in the best interests of the nation as a whole, or are just in it for the money and power. Beats me, but it's truly pathological in any case.
  • I wonder if anybody has successfully sued a hotel because they got mugged in the hotel by someone who wasn't connected with the hotel? That sort of case would probably serve as a good precedent for this one.
    • Shouldn't the front desk question things when a guy wearing a leather jacket, sunglasses and carrying a baseball bat walks past?
    • There is precedent for foreseeability of criminal intervention not cutting off the causal chain between negligence and damages. For instance, a train negligently goes past a girl's stop and she has to walk 1 mile back to the stop as a result. On the way, she gets raped two times. The railroad is liable even though intentional criminal activity intervened, because it was foreseeable that she might get raped walking a mile alone at night along a railroad track.

      I didn't read TFA, because I don't have TFT
    • YES - Why do you think they now will not tell a guest's room number? Also some floors are key access only.
  • by chalkoutline (854917) <matt DOT slashdot AT gmail DOT com> on Sunday February 06, 2005 @07:44PM (#11592773) Homepage
    I await the "In Soviet Russia, banks overdraft you!" comments.
  • Wow (Score:2, Insightful)

    by T0t0r0_fan (658111)
    these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom

    Wow, two pieces of pure flame BS in one sentence, AND not even in the article text. Worst of all, the author appears to not even know the meaning of the word "hacker" (hello? Is this /. or what?).

    Yeah, if $90K were being transferred to the US that would have made it look so much more legitimate than to Latvia (which is, btw, probably the last country I'd think of when someone says "ex-USSR"). Notice that the re
  • by Doomie (696580) on Sunday February 06, 2005 @07:47PM (#11592791) Homepage
    Have you people ever been to Latvia (the country in question)? It is by no means a country of "villainy and hackerdom", it is a member of the European Union, for God's sake! I sometimes have the feeling that many /. readers are still in the Cold War era with their mindsets. Even the article mentions how Latvia is "known" for its "cybercriminals" (and Latvia, mind you, is a very small country, compared to behemoths like Russia or Ukraine, where the real bulk of "cybercriminals" from the ex-USSR resides).

    PS: And, yes, if you're wondering, I come from one of those "notorious" ex-URSS republics (Moldova [moldova.org] to be more precise).
    • Maybe you should look up "notoriety". It doesn't mean this is true, it simply means that is the way people think. If you want to change the reputation these countries have, maybe you should encourage their government to take out the garbage and promote their strengths.
      • by Doomie (696580) on Sunday February 06, 2005 @08:40PM (#11593067) Homepage
        If you want to change the reputation these countries have, maybe you should encourage their government to take out the garbage and promote their strengths.

        I think that you still didn't get my point -- Latvia is in the EU and is not, therefore, marred by rampant corruption or a careless government. Other ex-URSS countries -- Ukraine, Moldova, Russia, Belarus -- and so on have a loooong way until they reach the standards of Latvia (or the Baltic countries in general) in terms of quality of life, (lack of) corruption, etc. To be fair, Latvia has a long way until reaching the standards of the Scandinavian countries, for instance, but that's another discussion.

        What I was "protesting" against is simply the automatic labeling of all possible "dens" for "cybercriminals" as such. Some countries are different than what your local newspaper -- or ignorance -- might imply.
    • That's probably why the text said "unfortunate notoriety". And your point is well made -- in terms of total losses, I would be surprised if the US isn't number one for fraud. Certainly it's been shown many times that the bulk of all spam originates in the US.
    • by @madeus (24818) <slashdot_24818@mac.com> on Monday February 07, 2005 @12:52AM (#11594083)
      On the whole, east European countries, including Latvia, are notoriously dodgy and a common source of online scams. I've worked with online transaction systems here in Europe that regularly block transactions of any kind to IP's or addreses in these destinations. It's actually quite common (and often used on a 'rating' system to detemine the likelyhood a transaction is fraudulent, much in the same way spam assain works to rate emails as potential SPAM).

      Again, that's even here in Europe, because it's quite clear to companies here how much of a problem it is, even if those states are EU members now (a status they were only granted less than a year ago I might add, and they still do not yet have equal status as I recall, in a move to prevent 'brain drain' from people flooding for poorer ex-soviet countries to west block countries).

      Searching for 'crime' and 'Latvia' (something I did to help illustrate the point) shows on the first page of results from Google that the US Departement of State [state.gov] has even issued a travel notice for all US citizens going to Latvia. The state.gov web site says amoung other things:

      "Internet crime is a growing concern in Latvia. Common fraudulent schemes involve both Internet auction sites and Internet job search sites. In the first scam, criminals offer valuable items for sale at low prices on Internet auctions and request that payment be sent by wire transfer to a bank in Latvia or though a fraudulent escrow site that they have created themselves. In this scheme the money passes through a bank in Latvia and is quickly withdrawn by ATM or transferred to a bank in another country. It is very difficult in these cases to discover the identities of the account holders or recover the funds.

      The second common scam involves identity theft through false job offers. In this scheme, a company claiming to be located in Latvia, but which has a non-existent address, offers the victim employment as a U.S.-based agent or freight forwarder. When the victim responds to the job offer, commonly posted on one of several popular internet job sites, a Social Security number and other identifying information - needed for the identity theft - is required under the guise of conducting a background check.
      ".

      Just because it's a small nation, doesn't mean it's not notiously dodgy - it is, and it is known for online fraud as well as quite a few other tyes of crime (people trafficing being another that springs to mind). So as a European I'd have to say I agree with the article and think it's accurate in it's assertion.
  • How? (Score:2, Interesting)

    Hmm.

    My bank has advanced security. You get issued with a hardware device (fits on your keyring) that generates one-time-use passwords for you to use to log on.

    Further, whenever a transaction occurs on any of your accounts, you immediately receive a text message on your mobile phone. If you didn't authorize the transaction, you can challenge it.

    I'm not sure this guy has much of a leg to stand on.

  • How? (Score:2, Insightful)

    by fdicostanzo (14394)
    Access to my computer does not equate to access to my bank. How would this work?

    Are we talking keystroke monitors or something?
  • to YOU! The fact that when you deposit a check in your account and the bank won't credit it immediately. You know what I'm talking about....when a bank will wait for five business days to credit your account even thought they got the money in about .75 seconds.

    This is especially true now that Check 21 [federalreserve.gov] is in place.
    • Banks take 1 - 2 days to receive funds from other banks received through the Fed. The NSF process gives the other bank an additional 48hrs to stop payment on the check and demand money back. Five days is a reasonable amount of time to protect the bank from losing money that hasn't fully cleared yet.

      When Check 21 is fully in place, you are correct. There will be immediate availability of funds.

      Many people will be hurt by this, as it removes any buffer that they are used to dealing with for writing check
    • ...a bank will wait for five business days to credit your account...

      Maybe your bank doesn't trust you. Mine trusts me and credits my account immdiately on that same day.
  • by markus_baertschi (259069) <markusNO@SPAMmarkus.org> on Sunday February 06, 2005 @07:59PM (#11592849)

    Over here in Switzerland all banks use a strong authentication scheme to make sure only the owner of an account can get in. My UBS account has a challenge/response system (needs a special calculator and account-specific chipcard). My two other banks use a one-time pad where the same code is only valid for a single login. When the old pad is almost finished they just send a new one.

    Simple passwords are just not safe enough on the internet. Unfortunately in the real world the real joe user is just not able to make absolutely sure that no cheating is going on.

    The banks should at least take a part of the blame if they are too lazy to implement something safe.

    Markus


    • My UBS account has a challenge/response system (needs a special calculator and account-specific chipcard).

      Which makes the system pretty useless in real life.

      My bank has a simple userid/passwd that allows me to use it from almost any computer anywhere - but - it has a monitoring system that checks for anomalies, much like American Express.

      My bank will allow me to pay my rent from a Thai Internet café, because it knows I usually pays the rent to the same person every month.

      But it will not allow

      • The UBS calculator is a limitation, you need to have it with you. However, the one-time pads are just perfect, in my wallet I have them with me, even in you thai internet café.

        There is a regulation that a banks has to protect its clients data. This beats the patriot act every day. I suppose even with a allegedly unregulated US bank I can not walk up to the counter and ask the teller to hand me your account contents over.

        There is no regulation asking for strong authentication, but all of them adopted

    • by thogard (43403)
      So if someone does crack that system, you have no plausible deniability do you? With 90% of the people out there trusting computer output without fail, I like to be able to question the paper trail.
  • What if this guy had left his ID, checkbook, ATM card, etc., sitting in his car... and didn't lock it? Or, locked it, but left the windows down, and did so in a risky neighborhood? Don't think the resulting mayhem would be the bank's fault.
  • by nathan s (719490) on Sunday February 06, 2005 @08:06PM (#11592890) Homepage
    It seems to me that by allowing a compromised system into their network, the bank can't really claim that it is "not responsible for the loss because no one hacked into its system to initiate the wire transfer." I mean, from everything I've ever read about hacking, 99% of the time compromised middleman systems are used to do the hack, which is exactly what this appears to be to me. The only difference is that this hack attacked a more exposed portion of the network (the customer's system) first.

    Of course, the bank is probably still going to win on this, but that excuse is BS. While I agree that Mr. Lopez should've been running a virus scanner, you'd think that they would flag transactions to Latvia; after all, my bank has prevented me from taking out cash at an ATM for far more trivial amounts just because it was an "unusual transaction." I'd imagine that $90K to Latvia probably qualifies as an unusual transaction. :-P

    (Unless, of course, Mr. Lopez is really an illegal arms trader or something.)
  • by Boricle (652297) on Sunday February 06, 2005 @08:08PM (#11592898) Homepage
    Here in Australia, one of my financial institutions have recently changed their transfer policies so that transfers to a new destination (ie, one that you have not already transferred to) are "held" for 48 hours before the transfer completes (compared to overnight for regular transfers).

    I believe that this is to facilitate a few things, such as:

    * Easier to rollback "Oops, Wrong Account Number" problems.
    * Easier to prevent the channelling of money to accounts from pishing victims (rough guess, if destination account is receiving several transfers in 24 hours, then raise red flag).

    Of course, the cynical side of me thinks that its just an excuse for the bank to use the money on the short term money market for an extra 24 hours. ;)

    Boris.

    • This is because several Aussie banks have been burned by the wired money scam.
      It goes like this...
      Order comes from dodgy part of the world. The client is told that company won't take credit card payments from that country. Client says "ok, I'll wire the money" and wires in the amount. Client wires $1000 to company and $10 to his cousin who is in the country and has a bank account with the same bank. Money is in companies bank account so the goods get shipped. As soon as the fedex tracking system says i
  • by Anonymous Coward
    Admittedly, the guy is a moron for using an unsecured PC and whining about getting pwned.

    But why don't the banks watch spending patterns? I know the credit card companies do, and have for a while-- about 10 years ago, I had a Mobil gas card. I let my then-girlfriend use it for a while, and a week or so later I got a letter from them about "potentially questionable" charges because the activity was different from what it normally was. I usually top off my tank to get the dollar amount to the nearest $0.25,
  • by justzisguy (573704) on Sunday February 06, 2005 @08:11PM (#11592916)
    So what happens if I use an old analog-style wireless phone for my banking and someone with a portable radio overhears my conversation and intercepts my account information? Is the bank still responsible for the breach of security? Due diligence on the part of the consumer is expected in all sorts of other areas of life. If my car is stolen because I left the doors unlocked, I don't get to sue Honda because it should have warned me, even though they *knew* about the problem.

    Also, the man regularly initiated international wire transfers, hence no fraud alert triggered.

    The old adage still rings true; a fool and his money are soon parted.

  • for running a known insecure OS and blaming them.
  • by mjh (57755) <mark AT hornclan DOT com> on Sunday February 06, 2005 @08:23PM (#11592972) Homepage Journal
    This guy's bank is Bank of America. Here's a notable quote from the BofA Website [bankofamerica.com]:
    $0 liability

    With our Online Banking service, you can be confident that your Bank of America accounts will be secure and protected. We guarantee $0 liability for any unauthorized activity originating from Online Banking, including Bill Payment. Read Your Responsibilities for information about reporting unauthorized transactions to preserve your rights under this guarantee.

    Unless I'm missing it, I don't see anywhere that it says the customer is responsible for running virus protection. Is there some reason that I'm missing as to why this very public guarantee does not apply?
  • I'm sorry (Score:2, Insightful)

    but surely, although not responsible for him being the victim of a virus, they ARE RESPONSIBLE for transferring money that he didn't actually authorize? does the word 'fraud' ring any bells?
    His computer was logged in and it sent a transfer request. But he, personally, the person who the account belongs to, didn't actually authorize the transfer. Therefore it's a case of bank fraud by whoever did authorize it, which would boil down to the virus writer.
    The bank should put the money back in his account and t
  • by coyote-san (38515) on Sunday February 06, 2005 @08:34PM (#11593032)
    What annoys me the most about these stories is that there's no way for the customer to take proactive measures to disable problematic services. Maybe the default is to enable online banking, but I should have the right to tell them to disable that service and not honor any request through it unless and until I show up at a branch office with appropriate identification.

    The worst example of this was a former bank (emphasis on "former") that unilaterally disabled all existing ATM cards without warning. But not to worry - our spanking new debit cards should have already arrived, together with the new PIN number in a separate mailing.

    As if that's not bad enough, this was back before debit cards had fraud protection. If somebody cleared out your checking account that was it - that money was gone.

    I immediately cancelled my account. The drone assured me that my funds were safe, I could request (REQUEST) a new ATM card, etc. I told him there was no way I was keeping my money there - they violated my trust and they weren't getting a second chance.

    I heard, unoffically, that a full third of the bank's customers dropped their accounts because of this braindead move. But the bank's new overlords and masters in Minnesota refused to accept responsibility for a collosial FU - they said the problem was that we were all to provincial to understand the brave new world of banking, not that we were well-informed and refused to do business with assholes who could have left us traveling without access to our funds and without warning. (When I travel I usually pulled spending money out of an ATM so it's in the local currency, but now I'll probably use a "gift card.")
    • the bank's new overlords and masters in Minnesota [...] said the problem was that we were all to [sic] provincial to understand the brave new world of banking

      Sadly, they were right. Bad treatment is now the new banking paradigm. You WERE too provincial in thinking that the (obviously growing) bank was supposed to care for their customers. Banks now serve their institutional stockholders (individual stockholders are merely along for the ride) and executives. Everyone else can just take their ban
  • by Matt Perry (793115) <perry,matt54&yahoo,com> on Sunday February 06, 2005 @08:34PM (#11593033)
    It is obvious that this guy should have had an anti-virus package active
    I think a better question is that when computers are so pervasive and so integrated into the mechanisms of our daily lives, why isn't there a standard of quality for software and hardware enforced by the government? We have lemon laws for vehicles. Car companies could never get away with the type of anti-warranty that software publishers such as Microsoft currently enjoy. I'm surprised that some attorneys have not gone after Microsoft and other companies for negligence.

    It's incidents like this that is leading us towards having to be licenced to write software much like architects and engineers are licensed to practice their trade. We may be another 10-20 years away from that but unless software developers get their act together [slashdot.org] it's going to come sooner than we all think.

  • easy fix (Score:5, Informative)

    by austad (22163) on Sunday February 06, 2005 @08:36PM (#11593042) Homepage
    This kind of thing is easily preventable by issuing a SecureID or SafeWord tag to people. True, it will cost money, but it's comparatively cheap considering the alternatives.

    Some banks in Europe have been using SecureID for years. Why don't we use them here?
  • by Renraku (518261) on Sunday February 06, 2005 @08:43PM (#11593090) Homepage
    Until one of you gets burnt.

    So what happens when your due diligence isn't enough? What if someone that works at a gas station or a hotel grabs your debit card number and does the Fandango with it?

    I guaren-fucking-tee you that someone that has replied to these comments would say, "You deserve it!" and list some explanation why we should take hours a day to protect our bank accounts.

    If someone decides to transfer all my funds to a foreign country, that should be a big red flag. Or anytime a large amount is going to be transferred to another account. They should have to get verification from the account holder before high dollar amounts are able to go through.

    These people I used to work with both had their CCs stolen by an employee that quit on that day. They had hundreds of dollars racked up by day two, on each card. They went to the police, prosecuted, and their banks didn't hold them accountable for the purchases.

    Know how the woman got their CCs? They left their purses on their own desks when they went to the bathroom or went on break. According to some people, they deserved it.
  • by WindBourne (631190) on Sunday February 06, 2005 @08:48PM (#11593123) Journal
    Banks should consider the idea of posting risk assesments to the web page based on the client OS and browser. That is tell the customers that if they run a system that obtains viruses and spyware, they run a much higher risk. Likewise, if they are using a browser and a e-mail client that have known high risks, the client should be told. Obviously, Windows, IE, and Outlook are about as high of risk as it will get. Run something like Mainframe|Unix|BSD|Mac|Linux with lynx, then you have an ultra-low risk.
  • by CharlesEGrant (465919) on Sunday February 06, 2005 @08:56PM (#11593165)
    As far as I can tell from the linked Symatec information the virus turns your computer into a DOS zombie controled over IRS. It doesn't say anything about installing a keystroke logger. The Secret Service investigation is not claiming that the virus was behind the fraudulent transfer. It simply noted the infection as a fact of the investigation.

    According to the article Mr. Lopez frequently makes wire transfers (albeit not to Latvia), so I'm not sure why everyone is leaping to the conclusion that this was done by clever cyber criminals and not business associates, customers, or bank employees. It may very well be, but the article contains no evidence to support the claim.
  • by saskboy (600063) on Sunday February 06, 2005 @08:59PM (#11593181) Homepage Journal
    A bank can honestly not tell a customer that they didn't accept the risk of handing out money to thieves like candy, when they marketed their online banking as a feature people can use safely.

    Obviously, online banking is not as safe as telephone banking [when not using a portable phone], and no where near as safe as working with a teller in a bank, or an ATM machine. Although now there are examples of ATM machines being hijacked with card readers, and cameras to capture PINs. All a computer needs is a little spyware, and presto, 128bit encryption is rendered useless. And with all the machines that have spyware, it's impossible to promise reliable banking security on the desktop computer.
  • by cabalamat2 (227849) on Sunday February 06, 2005 @08:59PM (#11593185) Homepage Journal
    If the victim in this case used Microsoft Windows, with all its well-know and well-publicised security flaws, he only has himself to blame.
  • Routine Insecurity (Score:3, Insightful)

    by Sloppy (14984) * on Sunday February 06, 2005 @09:06PM (#11593224) Homepage Journal
    It would be one thing if this guy ran a reasonably secure computer, where breakins are an exception. If compromises are exceptions, then you can treat the consequences as exceptions, and maybe you shouldn't be responsible for it.

    But this guy is running a machine where compromises are the status quo. It is a regular occurance. I mean, talk to anyone who has used MS Windows on the internet, and almost all of them have horror stories. And there's even a whole industry of after-the-fact cleanup dedicated to these recurring problems. If, in the face of this reality, you choose to run MS Windows, then aren't you accepting it? For Windows machines to be compromised is not an exception -- it's something you expect to happen from time to time. And this isn't something obscure known only to the 3l33t h4xx0rs of Slashdot. Even the most simple laymen have heard about spyware, the need for virus scanners, etc. I mean, seriously, even your grandmother knows this stuff. (The difference between grandma and the "elite" is that she hasn't made the connection that it's only a Microsoft thing and that she could avoid if she wanted to; she mistakenly believes this situation of insecurity is "normal" for the whole state of personal computing.)

    Because of this, I think it's reasonable for a MS Windows user to expect their computer to be used, from time to time, by others without their consent, and with strangers impersonating them. IMHO, that's a bad situation, but apparently other people are ok with it. If they are ok with this and have accepted the situation, then why aren't they responsible for it?

    Again, I stress that I'm talking about routine, rather than exceptional, security violations. If someone breaks into your locked car and uses it to commit a crime, it's not your fault. If you paint "steal this car" on the side of your car and you routinely leave it unattended with the doors open and the engine running, day after day, year after year.. then I think you have some explaining to do, when the town drunk takes it.

An age is called Dark not because the light fails to shine, but because people refuse to see it. -- James Michener, "Space"

Working...