
Who's Really Responsible In Online Banking Fraud? 463

TheRealStyro writes "According to this article a Miami businessman is suing a bank because of a fraudulent fund transfer possibly caused by the coreflood virus/trojan. He claims the bank is responsible because the bank failed to protect him from known online banking risks. It is obvious that this guy should have had an anti-virus package active, but shouldn't the bank have questioned such a large transfer to a republic of the former Soviet Union (these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom)?"
This discussion has been archived. No new comments can be posted.

  • virus software? (Score:2, Insightful)

    by Anonymous Coward on Sunday February 06, 2005 @07:37PM (#11592722)
    How could virus software prevent something like this anyway?
  • Re:virus software? (Score:5, Insightful)

    by SilentChris ( 452960 ) on Sunday February 06, 2005 @07:41PM (#11592759) Homepage
    Good point. If someone tricks me into giving them my ATM card, how is it the bank's fault? It's essentially the same thing.
  • by Hal The Computer ( 674045 ) on Sunday February 06, 2005 @07:46PM (#11592781)
    Shouldn't the front desk question things when a guy wearing a leather jacket, sunglasses and carrying a baseball bat walks past?
  • Wow (Score:2, Insightful)

    by T0t0r0_fan ( 658111 ) on Sunday February 06, 2005 @07:47PM (#11592789)
    these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom

    Wow, two pieces of pure flame BS in one sentence, AND not even in the article text. Worst of all, the author appears to not even know the meaning of the word "hacker" (hello? Is this /. or what?).

    Yeah, if $90K were being transferred to the US that would have made it look so much more legitimate than to Latvia (which is, btw, probably the last country I'd think of when someone says "ex-USSR"). Notice that the recipient bank held $70K of those, too.
  • A possible solution: Open a second account. Keep all your money in an account you NEVER give out the details about, and specifically make sure you don't have an overdraft facility on the account you do give out details for. Then you transfer money from the account you keep most your money in only as needed.
  • How? (Score:2, Insightful)

    by fdicostanzo ( 14394 ) on Sunday February 06, 2005 @07:54PM (#11592823)
    Access to my computer does not equate to access to my bank. How would this work?

    Are we talking keystroke monitors or something?
  • by Anonymous Coward on Sunday February 06, 2005 @07:55PM (#11592831)
    Should my bank analyse every transaction made on my account, and have free rein to investigate any of them?

    I don't think I would like that. It feels too much like giving them a say in how I spend my money.
  • by markus_baertschi ( 259069 ) <markus@@@markus...org> on Sunday February 06, 2005 @07:59PM (#11592849)

    Over here in Switzerland all banks use a strong authentication scheme to make sure only the owner of an account can get in. My UBS account has a challenge/response system (needs a special calculator and account-specific chipcard). My two other banks use a one-time pad where the same code is only valid for a single login. When the old pad is almost finished they just send a new one.

    Simple passwords are just not safe enough on the internet. Unfortunately in the real world the real joe user is just not able to make absolutely sure that no cheating is going on.

    The banks should at least take a part of the blame if they are too lazy to implement something safe.

    Markus

  • Re:zerg (Score:2, Insightful)

    by ScrewMaster ( 602015 ) on Sunday February 06, 2005 @07:59PM (#11592850)
    The U.S. Senate, huh ... speaking of wretched hives of scum and villainy. I wonder if some of these people actually believe what they are doing is in the best interests of the nation as a whole, or are just in it for the money and power. Beats me, but it's truly pathological in any case.
  • by Doomie ( 696580 ) on Sunday February 06, 2005 @08:06PM (#11592888) Homepage
    Although I understand your point, your indignation is rather ironic. Moldova gained some unwanted publicity in the US as being a favorite for calls from hijacked modems for porn sites.

    Yes, I heard about that. You'll also note that I did not say anything positive about Moldova -- in many respects, that country is still in the URSS, if not worse.

    But Latvia? Come on! Moldovans, for instance, would love to enjoy the standards of life from there. My point was that just because a country was in the ex-URSS, it doesn't mean that it's full of "villains and hackers" or that it's ruled by some authoritarian communist dictator and that you should automatically be overly cautious about money transfers to it.

    My 2 (canadian, I guess) cents
  • by nathan s ( 719490 ) on Sunday February 06, 2005 @08:06PM (#11592890) Homepage
    It seems to me that by allowing a compromised system into their network, the bank can't really claim that it is "not responsible for the loss because no one hacked into its system to initiate the wire transfer." I mean, from everything I've ever read about hacking, 99% of the time compromised middleman systems are used to do the hack, which is exactly what this appears to be to me. The only difference is that this hack attacked a more exposed portion of the network (the customer's system) first.

    Of course, the bank is probably still going to win on this, but that excuse is BS. While I agree that Mr. Lopez should've been running a virus scanner, you'd think that they would flag transactions to Latvia; after all, my bank has prevented me from taking out cash at an ATM for far more trivial amounts just because it was an "unusual transaction." I'd imagine that $90K to Latvia probably qualifies as an unusual transaction. :-P

    (Unless, of course, Mr. Lopez is really an illegal arms trader or something.)
  • by ari_j ( 90255 ) on Sunday February 06, 2005 @08:08PM (#11592901)
    There is precedent for foreseeability of criminal intervention not cutting off the causal chain between negligence and damages. For instance, a train negligently goes past a girl's stop and she has to walk 1 mile back to the stop as a result. On the way, she gets raped two times. The railroad is liable even though intentional criminal activity intervened, because it was foreseeable that she might get raped walking a mile alone at night along a railroad track.

    I didn't read TFA, because I don't have TFT to FDI, so this may or may not be an even remotely plausible analogy to the case here, but it was worth pointing out.
  • by justzisguy ( 573704 ) on Sunday February 06, 2005 @08:11PM (#11592916)
    So what happens if I use an old analog-style wireless phone for my banking and someone with a portable radio overhears my conversation and intercepts my account information? Is the bank still responsible for the breach of security? Due diligence on the part of the consumer is expected in all sorts of other areas of life. If my car is stolen because I left the doors unlocked, I don't get to sue Honda because it should have warned me, even though they *knew* about the problem.

    Also, the man regularly initiated international wire transfers, hence no fraud alert triggered.

    The old adage still rings true; a fool and his money are soon parted.

  • by thogard ( 43403 ) on Sunday February 06, 2005 @08:16PM (#11592943) Homepage
    So if someone does crack that system, you have no plausible deniability do you? With 90% of the people out there trusting computer output without fail, I like to be able to question the paper trail.
  • by nacturation ( 646836 ) <nacturation AT gmail DOT com> on Sunday February 06, 2005 @08:28PM (#11592999) Journal
    That's probably why the text said "unfortunate notoriety". And your point is well made -- in terms of total losses, I would be surprised if the US isn't number one for fraud. Certainly it's been shown many times that the bulk of all spam originates in the US.
  • I'm sorry (Score:2, Insightful)

    by Anonymous Cowpat ( 788193 ) on Sunday February 06, 2005 @08:30PM (#11593009) Journal
    but surely, although not responsible for him being the victim of a virus, they ARE RESPONSIBLE for transferring money that he didn't actually authorize? does the word 'fraud' ring any bells?
    His computer was logged in and it sent a transfer request. But he, personally, the person who the account belongs to, didn't actually authorize the transfer. Therefore it's a case of bank fraud by whoever did authorize it, which would boil down to the virus writer.
    The bank should put the money back in his account and then track down the criminal type to recoup their costs.
  • by coyote-san ( 38515 ) on Sunday February 06, 2005 @08:34PM (#11593032)
    What annoys me the most about these stories is that there's no way for the customer to take proactive measures to disable problematic services. Maybe the default is to enable online banking, but I should have the right to tell them to disable that service and not honor any request through it unless and until I show up at a branch office with appropriate identification.

    The worst example of this was a former bank (emphasis on "former") that unilaterally disabled all existing ATM cards without warning. But not to worry - our spanking new debit cards should have already arrived, together with the new PIN number in a separate mailing.

    As if that's not bad enough, this was back before debit cards had fraud protection. If somebody cleared out your checking account that was it - that money was gone.

    I immediately cancelled my account. The drone assured me that my funds were safe, I could request (REQUEST) a new ATM card, etc. I told him there was no way I was keeping my money there - they violated my trust and they weren't getting a second chance.

    I heard, unofficially, that a full third of the bank's customers dropped their accounts because of this braindead move. But the bank's new overlords and masters in Minnesota refused to accept responsibility for a colossal FU - they said the problem was that we were all to provincial to understand the brave new world of banking, not that we were well-informed and refused to do business with assholes who could have left us traveling without access to our funds and without warning. (When I travel I usually pulled spending money out of an ATM so it's in the local currency, but now I'll probably use a "gift card.")
  • Re:virus software? (Score:1, Insightful)

    by Anonymous Coward on Sunday February 06, 2005 @08:36PM (#11593039)
    That's the whole problem though - even though they are essentially the same thing, in your case the bank may well be liable and would have to pay out, whereas with the online situation they've conveniently (for them) re-written the Terms and Conditions/EULA to make *you* liable for any fraud. (Hasn't that ever worried you, when you read "If your password/account is compromised, then you are responsible for any losses until you report it"? It comes up an awful lot with online services - not just online banks, either.)

    And then they hail that online banking is safe because they've lost less money due to fraud ;)
  • by Doomie ( 696580 ) on Sunday February 06, 2005 @08:40PM (#11593067) Homepage
    If you want to change the reputation these countries have, maybe you should encourage their government to take out the garbage and promote their strengths.

    I think that you still didn't get my point -- Latvia is in the EU and is not, therefore, marred by rampant corruption or a careless government. Other ex-URSS countries -- Ukraine, Moldova, Russia, Belarus -- and so on have a loooong way until they reach the standards of Latvia (or the Baltic countries in general) in terms of quality of life, (lack of) corruption, etc. To be fair, Latvia has a long way until reaching the standards of the Scandinavian countries, for instance, but that's another discussion.

    What I was "protesting" against is simply the automatic labeling of all possible "dens" for "cybercriminals" as such. Some countries are different than what your local newspaper -- or ignorance -- might imply.
  • by Renraku ( 518261 ) on Sunday February 06, 2005 @08:43PM (#11593090) Homepage
    Until one of you gets burnt.

    So what happens when your due diligence isn't enough? What if someone that works at a gas station or a hotel grabs your debit card number and does the Fandango with it?

    I guaren-fucking-tee you that someone that has replied to these comments would say, "You deserve it!" and list some explanation why we should take hours a day to protect our bank accounts.

    If someone decides to transfer all my funds to a foreign country, that should be a big red flag. Or anytime a large amount is going to be transferred to another account. They should have to get verification from the account holder before high dollar amounts are able to go through.

    These people I used to work with both had their CCs stolen by an employee that quit on that day. They had hundreds of dollars racked up by day two, on each card. They went to the police, prosecuted, and their banks didn't hold them accountable for the purchases.

    Know how the woman got their CCs? They left their purses on their own desks when they went to the bathroom or went on break. According to some people, they deserved it.
  • by WindBourne ( 631190 ) on Sunday February 06, 2005 @08:48PM (#11593123) Journal
    Banks should consider the idea of posting risk assessments to the web page based on the client OS and browser. That is, tell the customers that if they run a system that obtains viruses and spyware, they run a much higher risk. Likewise, if they are using a browser and an e-mail client that have known high risks, the client should be told. Obviously, Windows, IE, and Outlook are about as high of risk as it will get. Run something like Mainframe|Unix|BSD|Mac|Linux with lynx, then you have an ultra-low risk.
  • by saskboy ( 600063 ) on Sunday February 06, 2005 @08:59PM (#11593181) Homepage Journal
    A bank can honestly not tell a customer that they didn't accept the risk of handing out money to thieves like candy, when they marketed their online banking as a feature people can use safely.

    Obviously, online banking is not as safe as telephone banking [when not using a portable phone], and nowhere near as safe as working with a teller in a bank, or an ATM machine. Although now there are examples of ATM machines being hijacked with card readers, and cameras to capture PINs. All a computer needs is a little spyware, and presto, 128-bit encryption is rendered useless. And with all the machines that have spyware, it's impossible to promise reliable banking security on the desktop computer.
  • by cabalamat2 ( 227849 ) on Sunday February 06, 2005 @08:59PM (#11593185) Homepage Journal
    If the victim in this case used Microsoft Windows, with all its well-known and well-publicised security flaws, he only has himself to blame.
  • Routine Insecurity (Score:3, Insightful)

    by Sloppy ( 14984 ) * on Sunday February 06, 2005 @09:06PM (#11593224) Homepage Journal
    It would be one thing if this guy ran a reasonably secure computer, where breakins are an exception. If compromises are exceptions, then you can treat the consequences as exceptions, and maybe you shouldn't be responsible for it.

    But this guy is running a machine where compromises are the status quo. It is a regular occurrence. I mean, talk to anyone who has used MS Windows on the internet, and almost all of them have horror stories. And there's even a whole industry of after-the-fact cleanup dedicated to these recurring problems. If, in the face of this reality, you choose to run MS Windows, then aren't you accepting it? For Windows machines to be compromised is not an exception -- it's something you expect to happen from time to time. And this isn't something obscure known only to the 3l33t h4xx0rs of Slashdot. Even the most simple laymen have heard about spyware, the need for virus scanners, etc. I mean, seriously, even your grandmother knows this stuff. (The difference between grandma and the "elite" is that she hasn't made the connection that it's only a Microsoft thing and that she could avoid if she wanted to; she mistakenly believes this situation of insecurity is "normal" for the whole state of personal computing.)

    Because of this, I think it's reasonable for a MS Windows user to expect their computer to be used, from time to time, by others without their consent, and with strangers impersonating them. IMHO, that's a bad situation, but apparently other people are ok with it. If they are ok with this and have accepted the situation, then why aren't they responsible for it?

    Again, I stress that I'm talking about routine, rather than exceptional, security violations. If someone breaks into your locked car and uses it to commit a crime, it's not your fault. If you paint "steal this car" on the side of your car and you routinely leave it unattended with the doors open and the engine running, day after day, year after year.. then I think you have some explaining to do, when the town drunk takes it.

  • by nuggetboy ( 661501 ) on Sunday February 06, 2005 @09:30PM (#11593329) Homepage
    I keep seeing references to "a large amount" of money and "$90,000" as if there is some magic amount where the bank is supposed to say, "whoa there!" Looking at the article, I cannot see any claim that this was an amount out of the ordinary. The article plainly states that Lopez "often" made wire transfers into and out of the country. We cannot assume the bank should have stopped this from the information presented in the article.
  • by Fished ( 574624 ) * <amphigory@gmail . c om> on Sunday February 06, 2005 @10:41PM (#11593658)
    I think this access one of the primary -- and un-declared -- reasons PayPal is so aggressive in asking/coercing members to become 'verified'. All it takes is that little 10 cent deposit and your acknowledgment of same to set it up.
    Not at all. Paypal wants you to become verified so they can make your checking account the default payment method. They want checking to be your default payment method because credit card transactions cost a lot more than ach transfers - something like 2-3% of the total more.
  • by alexo ( 9335 ) on Sunday February 06, 2005 @11:04PM (#11593775) Journal

    > Heck, I spent over a grand on a credit card transaction, Discover used to call me up and "harass" me.

    Several years ago, I drove to the states to visit relatives.
    When I came back, there was a voice message from Visa waiting for me.
    I called them back to ask what the problem was.
    Well, somebody (that would be me...) used my credit card to purchase gas in a US gas station and "it did not fit my usage profile".

    Couple of years later, we went on vacation to Muskoka.
    I wanted to arrange a dog-sled ride for the kids. Problem is, outside the GTA my Fido cell phone turns into a pumpkin. I'm also out of quarters so I use the Visa card at a pay phone.
    When I get back, you guessed it, another chat with Visa telling them not to worry, the transaction is legit, "usage patterns" notwithstanding.

    Customer protection or privacy invasion?
    You decide.

    Next, flying abroad to visit relatives.
    This time, I call them preemptively. I will be out of country approximately between xxx and yyy, the card will be used in the following countries, don't give me any troubles.

    > Why? Because they stand to lose money if its a fraudulent transaction.

    Zigackly!
  • by Too Much Noise ( 755847 ) on Sunday February 06, 2005 @11:39PM (#11593883) Journal
    Ok let me get this straight. If I transfer 90,000 to my business partner in Soviet Russia, then the bank will call the police, brand me a terrorist and throw me in jail.

    No, the bank should contact you to additionally validate the transaction if it might appear suspect - especially for this kind of money. After all, you must have given them a valid contact point, did you not?
  • by Caseyscrib ( 728790 ) on Monday February 07, 2005 @01:29AM (#11594277)
    Ok let me get this straight. If I transfer 90,000 to my business partner in Soviet Russia, then the bank will call the police, brand me a terrorist and throw me in jail. Yup, sounds legal.

    I'll tell you what... I'm the banker. I'll hold on to your money for you and offer two different choices for security.

    1) I take all of your money for you and never monitor your account. The only person who will know anything related to your account is yourself. The only catch is that because I was not allowed to monitor your account, you can't possibly hold me accountable for missing funds, and are therefore responsible for your own security. If you want this sort of security, go to a Swiss bank. Until a few years ago, they didn't even require a name to open an account.

    Or 2) I will have computer software monitor your account to make sure money does not disappear through suspicious activities ($300 at 11:57PM and $300 at 12:01 AM). With this surveillance comes my guarantee that your money will be secure from unauthorized access, or I will replace the funds for you.

    Obviously option 2 is a much better choice for any level headed consumer. If you are worried about the banks calling the police to brand you a terrorist (which is a valid concern), then it's the laws protecting your privacy which are the problem, not the bank.

  • I no longer do business with Bank of America. They let their computers make all the decisions. It was only when I complained that humans got involved.

    Presume that there are no computers.

    Bank of America, upon receiving a check order on their hand-written "drafts out" list, would process it and debit the funds from your associated accounts in accordance with their standard policy. Until you complained, they would just do this -- because it's what the tellers and pencil-pushers were required to do, by law and contract and policy.

    Computers do simple automated tasks easily, and drawing money from an account is a simple automated task.

    If you're bitching because your bank used computers to run the math and apply numbers in a given situation -- the very thing they were designed for! -- then you're on the wrong website.

    Try luddites.org.
  • by kiddailey ( 165202 ) on Monday February 07, 2005 @03:37AM (#11594663) Homepage

    Unfortunately, Federal law mandates a limit on transfers and some banks have additional policies and charges for electronic transfers, so this is a bit impractical.

    I had the pleasure of learning about this bullshit the hard way.

    More information here [fdic.gov] and here [ftc.gov]. Call your bank for more info.
  • by Moraelin ( 679338 ) on Monday February 07, 2005 @06:05AM (#11595065) Journal
    "So when are all the diehard M$ fans finally going to get the message"

    About the time there will be a real alternative to it.

    Fact is, most people aren't really "fans" of any one OS. No one except the Linux fanboys (been one myself, believe it or not) actually gives a damn about the _OS_. It's like having a flame war about whether brown seat covers are more evil than blue seat covers in a car. It's that stupid.

    The OS is just a necessary evil you need to load the _applications_. _That_'s what matters. Most of us could live just as happily without an OS at all, if the apps could be loaded otherwise. No, seriously. The OS is just a necessary evil, no more.

    So until Linux actually starts having some more useful apps, it's just not a competitor. It doesn't matter how good the OS is.

    So the sad choice really is, do I:

    A) get Linux, spend weeks coaxing Wine/WineX/CrossoverOffice into running each program. And recompile half the .so libraries on the system in the process. (And don't even get me started about what that means if that app is a copy-protected game _and_ you have an ATI graphics card.)

    B) get Linux, spend weeks learning some half-arsed dysfunctional equivalent to even the most common apps, or

    C) Get windows.

    Took me about two years of messing with Linux (and ranting on newsgroups about how the evil MS will never again see a cent from me) to realize that I was in fact increasingly often giving up and taking route C. Which is to say, booting my Windows partition.

    "And I do tend to stay up with security fixes unlike the windows sheeple who's probably running a windows box with a generated serial number"

    Ah, the usual "if they don't want Linux for free, they must be running a warezed version of Windows" fallacy. How refreshing. I hadn't read that fallacy in, oh, about two days, and was starting to get withdrawal syndrome ;)

    Reality is more complex than that. Even by BSA statistics -- and BSA is _paid_ to cry wolf and exaggerate -- piracy isn't _that_ widespread in the Western world. The fact is, like it or not, most of us have knowingly paid for Windows.

    In my case, I can even tell you why I went back to it. Because, as they say, "Linux is for free only if your time is worth nothing." Dunno about you, but if I put even a minimum wage price on my time, Windows has practically paid for itself by now.

    "There's no way in hell a windows box can survive long enough to grab and install all the fixes when its been re-imaged by the distribution cd that came with the machine."

    Again, yes, there is. Go to the TCP/IP properties, tell IPSEC to allow only outgoing connections. It's been built in at least since NT 4.0, maybe earlier.

    No, it's not a full-featured firewall, but it will keep you safe enough while you download the patches.

    And here's the fun part: it takes less time than whining about how Microsoft sucks. Now it may not be as fashionable as whining about MS on Slashdot, but it will keep your computer safe.
  • by Idarubicin ( 579475 ) on Monday February 07, 2005 @09:06AM (#11595566) Journal
    I did not expect them to program their computer to grab the money from my other bank accounts, and worse, not notify me that they had raided another account.
    I never remember signing anything that authorized the bank to make unauthorized withdrawals from my other accounts in the event that there were insufficient funds to cover a check.

    What you're describing is the bank's right of set-off, which I understand most financial institutions claim--it's buried somewhere in the fine print of your account agreement. (Actually, I'm not as familiar with U.S. banking law; is set-off just assumed?) This has been around for a long time; it didn't show up with the invention of computers. (See for example the 1913 case American National Bank of Nashville v. Miller [findlaw.com], which refers to this right). They can, at their option, draw upon your other accounts to fulfill unsatisfied debts.

    I expected them to bounce the check, or have a human examine it and recognize that the written amount of the check was a tenth of the amount indicated by the MICR.

    They may well have believed they were doing you a favour. Rather than bouncing your check and embarrassing you in front of your creditors, they let it through because of your generally good credit behaviour. As for hand rechecking the amounts, someone already saw the physical check once and goofed. It was a human being that misread the amount of your check, not a computer. The electronic bits--the MICR routing to your account and so forth--worked properly. Even if your bank instead waited for all checks to arrive at the local branch for processing, you can still have the clerk who makes a typo/calculating error/other mistake, and you get the added bonus of waiting two weeks for checks to clear.

    Banks made numerical errors long before electronic computers. The boardgame Monopoly was first sold in 1935, and it has a "Bank error in your favor" card for a reason.

  • the bank's new overlords and masters in Minnesota [...] said the problem was that we were all to [sic] provincial to understand the brave new world of banking

    Sadly, they were right. Bad treatment is now the new banking paradigm. You WERE too provincial in thinking that the (obviously growing) bank was supposed to care for their customers. Banks now serve their institutional stockholders (individual stockholders are merely along for the ride) and executives. Everyone else can just take their banking business elsewhere ... which explains the explosive growth in check-cashing places, methinks.

    Banks have been getting rid of the small customer for years. You're just another expense for them (i.e. your accounts divided by customer support is too small a number). The real money is in serving the wealthy, and every bank wants in on that action. In this frenzied scrabbling for loot, common customer service is often lost ... and since there really aren't enough wealthy people to support a fat slice of every bank's profit margins, this just leads to all kinds of agony.
