Who's Really Responsible In Online Banking Fraud? 463
TheRealStyro writes "According to this article a Miami businessman is suing a bank because of a fraudulent fund transfer possibly caused by the coreflood virus/trojan. He claims the bank is responsible because the bank failed to protect him from known online banking risks. It is obvious that this guy should have had an anti-virus package active, but shouldn't the bank have questioned such a large transfer to a republic of the former Soviet Union (these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom)?"
Woah (Score:2, Interesting)
Banks should not allow funds to be transferred... (Score:5, Interesting)
What the hell?
Why not demand pre-verfication on this sort of thing? Why not give the option to request a phone call confirmation of fund transfers, especially when the funds aren't simply going to Visa or the gas company? Or just allow me to set up a list of comanies/websites that are permitted to transfer funds out of my account. There's no reason the banks can't set this up, it's not very difficult. If anyone knows of a national bank that has an option for something like this, I'd be glad to hear about it.
Bank of America does not.
How? (Score:2, Interesting)
Hmm.
My bank has advanced security. You get issued with a hardware device (fits on your keyring) that generates one-time-use passwords for you to use to log on.
Further, whenever a transaction occurs on any of your accounts, you immediately receive a text message on your mobile phone. If you didn't authorize the transaction, you can challenge it.
I'm not sure this guy has much of a leg to stand on.
Antivirus software (Score:4, Interesting)
Coreflood seems to allow remote access, so a *firewall* might have helped.
now, the *real* question: If it was indeed coreflood, did someone (a real person) surf his files looking for account info, did all (most, alot, ect) of his files get downloaded, or did coreflood have enough smarts to look for the account info.
I can't see how this is the fault of his bank except that maybe 'fraud detection' didn't work too well, but I don't know what it looks for. I see idiots like this guy all the time. 'No I don't want to pay for Antiviral, Antispyware, Firewall, Backups, etc'
eric
Cooling Off For New Transfer Destinations (Score:5, Interesting)
I believe that this is to facilitate a few things, such as:
* Easier to rollback "Oops, Wrong Account Number" problems.
* Easier to prevent the channelling of money to accounts from pishing victims (rough guess, if destination account is receiving several transfers in 24 hours, then raise red flag).
Of course, the cynical side of me thinks that its just an excuse for the bank to use the money on the short term money market for an extra 24 hours. ;)
Boris.
No (Score:5, Interesting)
Phoning someone and asking them if they really did make a transfer is not an invasion of privacy as the customer should already know about it, and the bank definitely does.
I've gotten this kind of call before, and I'm glad of it... In my case though, I really had made a withdrawl in one city, then a $2000 interac purchase in annother city 2 hours later, then another interac transaction a few hours later in the first city.
Why DIDN'T the bank question it? (Score:2, Interesting)
But why don't the banks watch spending patterns? I know the credit card companies do, and have for a while-- about 10 years ago, I had a Mobil gas card. I let my then-girlfriend use it for a while, and a week or so later I got a letter from them about "potentially questionable" charges because the activity was different from what it normally was. I usually top off my tank to get the dollar amount to the nearest $0.25, and my GF didn't. That was enough to trip some alarm on some computer somewhere.
Clearly the computing power and algorithms exist for all financial institutions to do this. I guess the answer to why they don't is because it would cost them money and lower their profits, and what customer losses can't be blamed on the customer will be covered by the gummint-- so why bother?
Re:Banks should not allow funds to be transferred. (Score:5, Interesting)
The technology to solve the problem is available, and many banks use it, so frankly I'd say any bank which does not offer such an option should be held at least partially responsible for losses incurred through lax security policies.
What happened to BofA $0 Liability? (Score:5, Interesting)
Fines or imprisonment for security vulnerabilities (Score:3, Interesting)
It's incidents like this that is leading us towards having to be licenced to write software much like architects and engineers are licensed to practice their trade. We may be another 10-20 years away from that but unless software developers get their act together [slashdot.org] it's going to come sooner than we all think.
There is a difference (Score:5, Interesting)
A Wire transfer of 90,000 to a country which is known in Financial circles to be a haven to cybercriminals should have sent up some flags.
Heck, I spent over a grand on a credit card transaction, Discover used to call me up and "harass" me. Why? Because they stand to lose money if its a fraudulent transaction.
Why didnt BOA do the same? Coz it aint their money? Safeguards are only built in when its your ass on the line.
Re:Should they analyse your account? (Score:3, Interesting)
Should my bank analyse every transaction made on my account...
Why not? Credit card companies do all the time. A couple of years ago, I put an unusual charge on one of my cards while I was out of town. The credit card company tracked me down at my hotel to ask me if I had authorized it, and asked me a couple of random questions about my account to confirm that they really were talking to me.
Credit card companies do this, because they're on the hook for any fraud over 50 bucks. Banks don't, because they're not and its cheaper for them to not take any responsibility.
It's not like this would even be all that expensive for them -- it's all automated, and the software that credit card companies are already using could be easily repurposed for bank accounts.
Why isn't Parex bank giving him back the 70K (Score:2, Interesting)
Re:virus software? (Score:3, Interesting)
The PIN number is no Problem for the inventive criminal. We had ATM's modified with a thin card reader in front of the card slot and a hidden wireless camera over the keyboard. The customers didn't notice the (well done) modifications, plugged in their cards and typed the PIN.
After a couple of hours the equipment was collected and the criminals made fake cards with the same magnetic information. The card, together with the PIN, allows you to withdraw the daily maximum until the account owner notices, which can take weeks. How often do you check your account balance ?.
Here an illustrated example [haitec.de]
Markus
Re:PayPal (Score:5, Interesting)
http://paypal.ctyme.com/paypal/paypalsucks.htm [ctyme.com]
The best bit is how PayPal allows you to record their conversations :-)
Re:Credit card companies (Score:3, Interesting)
At least your transactions were not rejected.
A couple of years back, I tried to pay for gas with a Visa and was rejected. When I called the bank to see what was going on, they told me that they block transactions at certain "high risk locales" by default unless the customer calls ahead. I asked them not to reject but to call and confirm if possible (they have my cell phone number) when in this situation.
Then I tried to purchased a software upgrade over the internet at about 2 in the morning and the transaction when thru fine, but two minutes later, the called me to verify this.
I guess some banks do allow you to set your own policies.
fscking BoA... (Score:4, Interesting)
Ever since 9/11/2001, the states have taken
some righteous blame for the ease with which
fraudulent driver's licenses have been issued.
Here in the Commonwealth of Virginia, the DMV
(Dept. of Motor Vehicles) now requires proof
of occupancy in the state before issuing new
driver's licenses.
Tale of BoA Ineptness:
I was surprised to find correspondence from
BoA in my mailbox addressed to a person I do
not know, and who has never lived at my street
address. It appeared to contain a booklet of
either "starter" checks or else a loan payment
book. Within days, a second package arrived
that was just like the first one. I returned
both back to my local US Post Office with the
complaint that the party that the mail was
addressed to did not reside at my home. With
typical USPS aplomb, this mail was re-delivered
to me. (WTF?)
In the same mail, yet another letter from BoA
arrived. By the feel of it, it contained a
credit card, debit card, or ATM card. I wrote
a letter of explanation and complaint and then
mailed the entire lot back to BoA's originating
address. No news back from BoA. Then 2 weeks
later, a CS letter and another "credit/debit/ATM"
card arrived, from Dallas, TX this time instead
of Houston, TX. Again, I wrote a second letter
of explanation and complaint to BoA's 2nd
originating address, along with the new letters
addressed to my phantom room mate. No news
back from BoA -- no letter, email, or phone call.
The next correspondence that I received from
BoA was their CS department in North Carolina.
I sent yet another cover letter to BoA, along
with their latest correspondence. BoA never,
ever tried to contact me (no thanks, let alone
any mere acknowledgement of receipt).
The final letter I received from them came
nearly a month later, also from BoA CS, also
addressed to my phantom room mate. My last
cover letter back with their CS letter was,
shall we say, somewhat rude. Nonetheless,
perhaps it was my rudeness that actually got
some attention from these flaming idiots.
Identity theft has been (IMHO) partially
usurped by "Address Theft" in an attempt
by illegal aliens to establish residency
required to obtain driver's licenses. I would
advise readers of this prose to never leave
mail out for pickup by the postman -- drop
outgoing mail at the post office or postal box.
Also, it wouldn't be a bad idea to purchase
a secure (approved) mailbox for your mail.
Times have changed, and not for the better.
My personal opinion of BoA dropped into the
basement with this exchange of correspondence,
and with BoA's totally clueless behavior. I
wouldn't do business with this bunch of clowns,
ever, any more than I would respond to an urgent
"419" letter from Nigeria.