
Who's Really Responsible In Online Banking Fraud?

TheRealStyro writes "According to this article a Miami businessman is suing a bank because of a fraudulent fund transfer possibly caused by the coreflood virus/trojan. He claims the bank is responsible because the bank failed to protect him from known online banking risks. It is obvious that this guy should have had an anti-virus package active, but shouldn't the bank have questioned such a large transfer to a republic of the former Soviet Union (these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom)?"
This discussion has been archived. No new comments can be posted.

  • Woah (Score:2, Interesting)

    by Anonymous Coward on Sunday February 06, 2005 @07:39PM (#11592731)
    That text in bold really caught my attention. How did an editor miss that?
  • by DoorFrame ( 22108 ) on Sunday February 06, 2005 @07:41PM (#11592754) Homepage
    I went to my bank the other day to see if I could put a hold on all transfers of money coming out of my account with the exception of those going to two (and only two) credit card companies. Specifically I wanted to block all money going OUT to my paypal account (I only use the account to receive funds). They said they were not able to stop companies from transferring money out of my account if they had the proper information to do so.

    What the hell?

    Why not demand pre-verification on this sort of thing? Why not give the option to request a phone call confirmation of fund transfers, especially when the funds aren't simply going to Visa or the gas company? Or just allow me to set up a list of companies/websites that are permitted to transfer funds out of my account. There's no reason the banks can't set this up, it's not very difficult. If anyone knows of a national bank that has an option for something like this, I'd be glad to hear about it.

    Bank of America does not.
  • How? (Score:2, Interesting)

    by GrabtharsHammer ( 852908 ) on Sunday February 06, 2005 @07:50PM (#11592810)

    Hmm.

    My bank has advanced security. You get issued with a hardware device (fits on your keyring) that generates one-time-use passwords for you to use to log on.

    Further, whenever a transaction occurs on any of your accounts, you immediately receive a text message on your mobile phone. If you didn't authorize the transaction, you can challenge it.

    I'm not sure this guy has much of a leg to stand on.

  • Antivirus software (Score:4, Interesting)

    by ecalkin ( 468811 ) on Sunday February 06, 2005 @07:53PM (#11592821)
    might have detected Coreflood. I went to Symantec and their AV seems to know about it (and several variants), so in *theory*, it would have been caught/removed.

    Coreflood seems to allow remote access, so a *firewall* might have helped.

    Now, the *real* question: If it was indeed Coreflood, did someone (a real person) surf his files looking for account info, did all (most, a lot, etc.) of his files get downloaded, or did Coreflood have enough smarts to look for the account info?

    I can't see how this is the fault of his bank except that maybe 'fraud detection' didn't work too well, but I don't know what it looks for. I see idiots like this guy all the time. 'No I don't want to pay for Antiviral, Antispyware, Firewall, Backups, etc'

    eric
  • by Boricle ( 652297 ) on Sunday February 06, 2005 @08:08PM (#11592898) Homepage
    Here in Australia, one of my financial institutions has recently changed its transfer policies so that transfers to a new destination (i.e., one that you have not already transferred to) are "held" for 48 hours before the transfer completes (compared to overnight for regular transfers).

    I believe that this is to facilitate a few things, such as:

    * Easier to rollback "Oops, Wrong Account Number" problems.
    * Easier to prevent the channelling of money to accounts from phishing victims (rough guess, if destination account is receiving several transfers in 24 hours, then raise red flag).

    Of course, the cynical side of me thinks that it's just an excuse for the bank to use the money on the short term money market for an extra 24 hours. ;)

    Boris.
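
The hold-and-flag policy described in the comment above, as an added sketch that is not part of the original thread or any bank's code: first-time destinations are held 48 hours, and a destination paid by several distinct senders within 24 hours is flagged while the held money can still be stopped. The class and field names are hypothetical, and the threshold of three senders is an assumed value for "several".

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD = timedelta(hours=48)     # hold for a first-time destination (from the comment)
WINDOW = timedelta(hours=24)   # fan-in look-back window (from the comment)
FAN_IN = 3                     # assumed threshold for "several" distinct senders

@dataclass
class Transfer:
    when: datetime
    sender: str
    dest: str
    amount: int
    release_at: datetime = None
    flags: list = field(default_factory=list)

class TransferScreen:
    """Screens transfers submitted in time order."""
    def __init__(self):
        self.first_paid = {}               # (sender, dest) -> time of first transfer
        self.to_dest = defaultdict(list)   # dest -> every transfer seen so far

    def submit(self, t):
        """Set the release time and flags on one outbound transfer."""
        first = self.first_paid.setdefault((t.sender, t.dest), t.when)
        if t.when - first < HOLD:          # destination is still new for this sender
            t.release_at = t.when + HOLD
            t.flags.append("new_destination_hold")
        else:
            t.release_at = t.when          # established payee: normal processing
        self.to_dest[t.dest].append(t)
        recent = [x for x in self.to_dest[t.dest] if t.when - x.when <= WINDOW]
        if len({x.sender for x in recent}) >= FAN_IN:
            t.flags.append("fan_in")       # many senders, one destination
        return t

    def recoverable(self, dest, now):
        """Transfers to dest that are still on hold at `now` and can be stopped."""
        return [x for x in self.to_dest[dest] if x.release_at > now]

def demo():
    """Constructed sample: three customers pay the same unfamiliar account."""
    s, t0 = TransferScreen(), datetime(2005, 2, 6, 9, 0)
    s.submit(Transfer(t0 - timedelta(days=30), "alice", "landlord", 900))
    rent = s.submit(Transfer(t0, "alice", "landlord", 900))
    for i, who in enumerate(["alice", "bob", "carol"]):
        last = s.submit(Transfer(t0 + timedelta(hours=2 * i), who, "acct-X", 5000))
    return rent, last, s.recoverable("acct-X", t0 + timedelta(hours=6))
```

In the constructed run the rent payment goes out normally, while the third payment to `acct-X` trips the fan-in flag with all three transfers still on hold.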

  • No (Score:5, Interesting)

    by temojen ( 678985 ) on Sunday February 06, 2005 @08:10PM (#11592911) Journal
    I'm betting if the Bank had called him questioning the transfer the story would be is the bank violating his privacy rights by questioning transfers.

    Phoning someone and asking them if they really did make a transfer is not an invasion of privacy as the customer should already know about it, and the bank definitely does.

    I've gotten this kind of call before, and I'm glad of it... In my case though, I really had made a withdrawal in one city, then a $2000 interac purchase in another city 2 hours later, then another interac transaction a few hours later in the first city.

  • by Anonymous Coward on Sunday February 06, 2005 @08:10PM (#11592912)
    Admittedly, the guy is a moron for using an unsecured PC and whining about getting pwned.

    But why don't the banks watch spending patterns? I know the credit card companies do, and have for a while-- about 10 years ago, I had a Mobil gas card. I let my then-girlfriend use it for a while, and a week or so later I got a letter from them about "potentially questionable" charges because the activity was different from what it normally was. I usually top off my tank to get the dollar amount to the nearest $0.25, and my GF didn't. That was enough to trip some alarm on some computer somewhere.

    Clearly the computing power and algorithms exist for all financial institutions to do this. I guess the answer to why they don't is because it would cost them money and lower their profits, and what customer losses can't be blamed on the customer will be covered by the gummint-- so why bother?
  • by Znork ( 31774 ) on Sunday February 06, 2005 @08:11PM (#11592923)
    Any online bank that doesn't use offline one-time keys as transaction verification is insecure and vulnerable to client computer hacking.

    The technology to solve the problem is available, and many banks use it, so frankly I'd say any bank which does not offer such an option should be held at least partially responsible for losses incurred through lax security policies.
  • by mjh ( 57755 ) <mark@ho[ ]lan.com ['rnc' in gap]> on Sunday February 06, 2005 @08:23PM (#11592972) Homepage Journal
    This guy's bank is Bank of America. Here's a notable quote from the BofA Website [bankofamerica.com]:
    $0 liability

    With our Online Banking service, you can be confident that your Bank of America accounts will be secure and protected. We guarantee $0 liability for any unauthorized activity originating from Online Banking, including Bill Payment. Read Your Responsibilities for information about reporting unauthorized transactions to preserve your rights under this guarantee.

    Unless I'm missing it, I don't see anywhere that it says the customer is responsible for running virus protection. Is there some reason that I'm missing as to why this very public guarantee does not apply?
  • It is obvious that this guy should have had an anti-virus package active
    I think a better question is that when computers are so pervasive and so integrated into the mechanisms of our daily lives, why isn't there a standard of quality for software and hardware enforced by the government? We have lemon laws for vehicles. Car companies could never get away with the type of anti-warranty that software publishers such as Microsoft currently enjoy. I'm surprised that some attorneys have not gone after Microsoft and other companies for negligence.

    It's incidents like this that are leading us towards having to be licensed to write software much like architects and engineers are licensed to practice their trade. We may be another 10-20 years away from that but unless software developers get their act together [slashdot.org] it's going to come sooner than we all think.

  • by cOdEgUru ( 181536 ) * on Sunday February 06, 2005 @08:36PM (#11593043) Homepage Journal
    An ATM limits you by preventing the amount you can withdraw from the account (up to 300).

    A Wire transfer of 90,000 to a country which is known in Financial circles to be a haven to cybercriminals should have sent up some flags.

    Heck, I spent over a grand on a credit card transaction, Discover used to call me up and "harass" me. Why? Because they stand to lose money if it's a fraudulent transaction.

    Why didn't BOA do the same? Coz it ain't their money? Safeguards are only built in when it's your ass on the line.
  • by lax-goalie ( 730970 ) on Sunday February 06, 2005 @08:41PM (#11593081)

    Should my bank analyse every transaction made on my account...

    Why not? Credit card companies do all the time. A couple of years ago, I put an unusual charge on one of my cards while I was out of town. The credit card company tracked me down at my hotel to ask me if I had authorized it, and asked me a couple of random questions about my account to confirm that they really were talking to me.

    Credit card companies do this, because they're on the hook for any fraud over 50 bucks. Banks don't, because they're not and it's cheaper for them to not take any responsibility.

    It's not like this would even be all that expensive for them -- it's all automated, and the software that credit card companies are already using could be easily repurposed for bank accounts.

  • by Ganesha_Loves_You2 ( 856957 ) on Sunday February 06, 2005 @08:49PM (#11593128)
    I find it very odd that the majority of his funds were frozen by another bank. BofA certainly has the muscle internationally to pressure them for release. I'm thinking that something might be fishy about Mr. Lopez's business account. After all, we've all seen the emails and news stories warning us about the popular printer and ink toner scams that abound. I wonder why Mr. Lopez isn't suing the bank that actually has his funds and didn't check the identity of the person on the other end who ordered the transfer and picked up the money?
  • Re:virus software? (Score:3, Interesting)

    by markus_baertschi ( 259069 ) <markus@@@markus...org> on Sunday February 06, 2005 @08:56PM (#11593166)

    The PIN number is no problem for the inventive criminal. We had ATMs modified with a thin card reader in front of the card slot and a hidden wireless camera over the keyboard. The customers didn't notice the (well done) modifications, plugged in their cards and typed the PIN.

    After a couple of hours the equipment was collected and the criminals made fake cards with the same magnetic information. The card, together with the PIN, allows you to withdraw the daily maximum until the account owner notices, which can take weeks. How often do you check your account balance?

    Here is an illustrated example [haitec.de]

    Markus

  • Re:PayPal (Score:5, Interesting)

    by LadyLucky ( 546115 ) on Sunday February 06, 2005 @09:32PM (#11593334) Homepage
    You can actually listen to this happen. Someone recorded their conversation with them. Read about it here:

    http://paypal.ctyme.com/paypal/paypalsucks.htm [ctyme.com]

    The best bit is how PayPal allows you to record their conversations :-)

  • by secolactico ( 519805 ) on Monday February 07, 2005 @01:24AM (#11594257) Journal
    This time, I call them preemptively. I will be out of country approximately between xxx and yyy, the card will be used in the following countries, don't give me any troubles.

    At least your transactions were not rejected.

    A couple of years back, I tried to pay for gas with a Visa and was rejected. When I called the bank to see what was going on, they told me that they block transactions at certain "high risk locales" by default unless the customer calls ahead. I asked them not to reject but to call and confirm if possible (they have my cell phone number) when in this situation.

    Then I tried to purchase a software upgrade over the internet at about 2 in the morning and the transaction went thru fine, but two minutes later, they called me to verify this.

    I guess some banks do allow you to set your own policies.
  • fscking BoA... (Score:4, Interesting)

    by quarkscat ( 697644 ) on Monday February 07, 2005 @04:23AM (#11594815)
    Preface:
    Ever since 9/11/2001, the states have taken
    some righteous blame for the ease with which
    fraudulent driver's licenses have been issued.
    Here in the Commonwealth of Virginia, the DMV
    (Dept. of Motor Vehicles) now requires proof
    of occupancy in the state before issuing new
    driver's licenses.

    Tale of BoA Ineptness:
    I was surprised to find correspondence from
    BoA in my mailbox addressed to a person I do
    not know, and who has never lived at my street
    address. It appeared to contain a booklet of
    either "starter" checks or else a loan payment
    book. Within days, a second package arrived
    that was just like the first one. I returned
    both back to my local US Post Office with the
    complaint that the party that the mail was
    addressed to did not reside at my home. With
    typical USPS aplomb, this mail was re-delivered
    to me. (WTF?)

    In the same mail, yet another letter from BoA
    arrived. By the feel of it, it contained a
    credit card, debit card, or ATM card. I wrote
    a letter of explanation and complaint and then
    mailed the entire lot back to BoA's originating
    address. No news back from BoA. Then 2 weeks
    later, a CS letter and another "credit/debit/ATM"
    card arrived, from Dallas, TX this time instead
    of Houston, TX. Again, I wrote a second letter
    of explanation and complaint to BoA's 2nd
    originating address, along with the new letters
    addressed to my phantom room mate. No news
    back from BoA -- no letter, email, or phone call.
    The next correspondence that I received from
    BoA was their CS department in North Carolina.
    I sent yet another cover letter to BoA, along
    with their latest correspondence. BoA never,
    ever tried to contact me (no thanks, let alone
    any mere acknowledgement of receipt).

    The final letter I received from them came
    nearly a month later, also from BoA CS, also
    addressed to my phantom room mate. My last
    cover letter back with their CS letter was,
    shall we say, somewhat rude. Nonetheless,
    perhaps it was my rudeness that actually got
    some attention from these flaming idiots.

    Identity theft has been (IMHO) partially
    usurped by "Address Theft" in an attempt
    by illegal aliens to establish residency
    required to obtain driver's licenses. I would
    advise readers of this prose to never leave
    mail out for pickup by the postman -- drop
    outgoing mail at the post office or postal box.
    Also, it wouldn't be a bad idea to purchase
    a secure (approved) mailbox for your mail.
    Times have changed, and not for the better.

    My personal opinion of BoA dropped into the
    basement with this exchange of correspondence,
    and with BoA's totally clueless behavior. I
    wouldn't do business with this bunch of clowns,
    ever, any more than I would respond to an urgent
    "419" letter from Nigeria.
