Should Banks Be Liable For Online Banking Losses?
from the tricky-situation dept
While this USA Today article discussing stories of online banking users getting scammed and losing their money goes a bit too far to the fear-mongering side of things, it does raise some interesting questions. The biggest one comes from the story of a small businessman who was urged by Bank of America to start using their online banking account. The guy had anti-virus and firewall software, but a keylogging trojan was still installed on his machine, allowing someone to transfer nearly $100,000 out of his bank account to an account in Latvia. Bank of America refused to help. While consumer liability for unauthorized transactions is capped at $50, that's not the case with commercial banking. And, since Bank of America says they didn't do anything wrong, they feel that they aren't responsible. Of course, "not doing anything wrong" may depend on your definition of what's wrong -- and many people would consider the weak security on BofA's site to be part of the problem. The real issue is that, if banks knew they would be liable for such losses, then you can bet they'd make their systems a lot more secure. Of course, most of the proposed solutions still have problems of their own, so this isn't a situation that has an easy solution. Should the liability be split because the guy didn't do enough to protect his own computer, or is that blaming the victim? One thing that's clear is that these types of crimes are likely going to increase, not decrease.
Reader Comments
solution to keyloggers
Citibank Demo
Citibank Login
Re: solution to keyloggers
If you have malware getting onto your machine, all these are at best a temporary solution. The malware authors only need to identify when you're making an online payment (after going through all the authentication in the world) and then silently switch the amount and account number when you submit the form.
The solution to malware? I'm not sure, but perhaps you could start by _not_ forcing your customers to use the world's most insecure and malware-prone web browser?!!
The solution to phishing? Continue to warn your customers; my bank has regular warnings on the login page and does NOT use email to contact their customers. That's all they should have to do.
Bank customers; make a bookmark to the login page. Click that when you want to do banking and check that the address bar goes yellow before entering any authentication. Ignore everything else. If your bank really MUST get hold of you urgently they'll put a hold on your account and tell you to contact THEM via the 0800 number or by walking into any branch. Ignore everything else. It's really simple.
Re: solution to keyloggers
Re: solution to keyloggers
A key fob that relies on a time-based seed to produce a cryptographic token which the user is able to use in addition to their login/password pair is not temporary, nor is it trivial to crack/bypass. This is the route any on-line banking provider who is doing their due diligence is going to go. Enough said.
It's STILL trivial to bypass, assuming the attacker managed to get malware onto your machine. User enters password via mouse on logger-proof randomized keypad, enters number from SMS message, USB keyfob does magical and totally secure cryptographic authentication with biometrics. Add any other number of security measures.. it makes no difference.
After authenticating, user enters details of legitimate transfer ($250 to power company) and when they hit the submit button, resident malware (probably a BHO) switches "$250" to "$250,000" and "power company" to "Russian bank account" and then sends the altered form over the nice, safe, tamperproof and authenticated SSL connection. This would be slightly more work than just installing a keylogger, but still well within even a modest hacker's abilities.
About the only thing banks could do in this case is block 'out of pattern' payments (anything big and/or offshore) until you've phoned the customer and verified it. And perhaps they should just do that in the first place instead of messing about with additional layers of authentication.
No Subject Given
This story looks to me as though the fault lies with the bank -- for not reacting to this "unusual" funds transfer.
Bank Liability
Re: No Subject Given
Authentication and Identity are not the same
No Subject Given
Consider the case of safety deposit boxes... if you were stupid enough to leave your safety deposit box unlocked or leave your key lying around for people to copy... even then the thieves can't get into your box because of the inherent security at the branch... the branch staff have to open the lock for you in conjunction with your lock... hmmm...
maybe it's time we get high-tech with fingerprint and retina scans but even then, how can the bank know that it's you being scanned and not some sort of hack tricking the bank systems into thinking it's a real scan when it's just a series of 0s and 1s intercepted along the way.
Re: No Subject Given
riiiiight....
he had firewall software ?
Re: he had firewall software ?
Re: he had firewall software ?
The only exception to this is software firewalls, which can be reprogrammed by the malware once it is on the user's machine. If the malware was installed by a user with administrator privileges, it can do anything, including see the web pages you're looking at, and then send those to some other computer on the internet.
Ignorance is one reason why people are ready to blame the victim, but in truth, it could have been you.
Firewalls do not protect you from malware! Anti-virus software doesn't guarantee things either! It's possible to have all the security in the world and still be a victim. That's why it's scary.
BOA introduces sitekey
Seems a bit off topic...
I realize there are other issues raised here, but a keylogger on a client's system is, in my opinion, the client's lack of security measures, not the bank's.
Re: Seems a bit off topic...
No Subject Given
Bank of America Fails To Provide Account Security
If a transaction looks out of the ordinary for that account holder, or in this case, out of the ordinary to an extreme extent (transferring $100,000 US to a foreign/international bank account) -- then the bank should be held at fault for not providing the correct security measures.
Now taking the devil's advocate side in this matter; who says that it wasn't actually the bank who stole the money from the account. Then told the customer, "Sorry, but your money was transferred to a foreign bank. We don't know which one and we cannot get it back. Just deal with it buddy." -- And to be honest, this is just what the bank is saying.
I am guessing that Bank of America doesn't offer a baseline STANDARD of online banking security. They obviously were NOT doing what they were hired to do -- which is to _securely_ manage this guy's account.
His money would have probably been more secure if he had put it all in a bed mattress. At least then, he would have had better control over who was able to remove it -- or at least had an idea of who it was.
What's the point of using Bank of America to manage your money if they cannot/will not provide standardized FRAUD / THEFT PROTECTION.
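The two comments above that ask for "out of pattern" payments to be held (the one proposing a phone call before releasing anything big or offshore, and the one saying a $100,000 transfer to a foreign account should have been stopped) describe a bank-side control rather than another login factor. The following is an added example, not code from the original post or from any bank: a small rule-based screen that compares an outbound transfer against the account's own history and holds it for out-of-band confirmation. The account history, the transfers, the thresholds (`ABSOLUTE_HOLD`, `NEW_PAYEE_LIMIT`, `OUTLIER_SIGMAS`) and the `customer_who_meant_to_pay` callback are all constructed assumptions for illustration. The confirmation step is deliberately given the transfer the bank actually received, which is what defeats the form-swap attack described earlier in the thread: the customer hears "$250,000 to a Russian account" on the phone, not the "$250 to the power company" their tampered browser displayed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Iterable

# Assumed policy knobs (illustrative, not any real bank's rules).
HOME_COUNTRY = "US"
ABSOLUTE_HOLD = 50_000.0    # any single transfer this large always gets a call
NEW_PAYEE_LIMIT = 2_500.0   # first payment to a never-seen payee above this is held
OUTLIER_SIGMAS = 4.0        # how far above the account's own norm counts as "out of pattern"
MIN_HISTORY = 5             # too little history to build a baseline -> skip the statistical test


@dataclass(frozen=True)
class Transfer:
    account: str
    amount: float       # in the account's currency
    dest_country: str   # country of the beneficiary bank
    dest_account: str   # beneficiary identifier as the customer would recognise it


def screen(tx: Transfer, history: Iterable[Transfer]) -> tuple[str, list[str]]:
    """Return ('release' | 'hold', [reason codes]) for one outbound transfer."""
    past = [h for h in history if h.account == tx.account]
    reasons: list[str] = []
    # Never sent money to this country before.
    if tx.dest_country != HOME_COUNTRY and all(h.dest_country != tx.dest_country for h in past):
        reasons.append("new_country")
    # Never paid this beneficiary before, and the amount is not small.
    if tx.dest_account not in {h.dest_account for h in past} and tx.amount > NEW_PAYEE_LIMIT:
        reasons.append("new_payee")
    # Hard ceiling regardless of history.
    if tx.amount >= ABSOLUTE_HOLD:
        reasons.append("absolute_limit")
    # Statistical outlier against this account's own spending pattern.
    if len(past) >= MIN_HISTORY:
        amounts = [h.amount for h in past]
        mu, sigma = mean(amounts), pstdev(amounts)
        # Floor sigma at 10% of the mean so a very regular account is not flagged on tiny wobbles.
        if tx.amount > mu + OUTLIER_SIGMAS * max(sigma, 0.1 * mu):
            reasons.append("statistical_outlier")
    return ("hold" if reasons else "release"), reasons


def process(tx: Transfer, history: Iterable[Transfer], confirm: Callable[[Transfer], bool]) -> str:
    """Apply the screen; held transfers go out only if the out-of-band call confirms them.

    `confirm` models the phone call. It is handed the transfer the bank actually
    received, so the customer is read the real amount and destination, not
    whatever a tampered browser showed them on screen."""
    decision, _ = screen(tx, history)
    if decision == "release":
        return "sent"
    return "sent" if confirm(tx) else "blocked"


def customer_who_meant_to_pay(amount: float, dest_account: str) -> Callable[[Transfer], bool]:
    """Constructed confirmation callback: the customer only says 'yes' to the payment they intended."""
    return lambda tx: (tx.amount, tx.dest_account) == (amount, dest_account)


# Constructed sample history for a small-business account: payroll, two
# suppliers and the power company, all domestic, over a couple of months.
HISTORY = [
    Transfer("acct-1", 1200.0, "US", "payroll-svc"),
    Transfer("acct-1", 250.0, "US", "power-co"),
    Transfer("acct-1", 3400.0, "US", "supplier-a"),
    Transfer("acct-1", 1200.0, "US", "payroll-svc"),
    Transfer("acct-1", 260.0, "US", "power-co"),
    Transfer("acct-1", 2900.0, "US", "supplier-b"),
    Transfer("acct-1", 1200.0, "US", "payroll-svc"),
    Transfer("acct-1", 4100.0, "US", "supplier-a"),
]

if __name__ == "__main__":
    # Customer intends the $250 power bill; malware rewrites the form on submit.
    confirm = customer_who_meant_to_pay(250.0, "power-co")
    for tx in (
        Transfer("acct-1", 250.0, "US", "power-co"),         # the real payment
        Transfer("acct-1", 250_000.0, "RU", "ru-unknown"),   # what the tampered form sent
        Transfer("acct-1", 100_000.0, "LV", "lv-unknown"),   # the case from the article
        Transfer("acct-1", 30_000.0, "US", "supplier-a"),    # big but legitimate-looking
    ):
        print(tx.amount, tx.dest_country, tx.dest_account, screen(tx, HISTORY), process(tx, HISTORY, confirm))
```

The $30,000 payment to a known supplier shows the trade-off: it is held as a statistical outlier even though it may be genuine, and only the confirmation call releases it. That friction is the cost of the control, and it only works if the call reads back the amount and beneficiary the bank received, so that a customer whose browser swapped the form refuses the transfer instead of approving it blind.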
NOT a technological issue.
You all seem to be treating this as if it were a technological issue, when it is clearly not.
This is no different than if someone steals a check out of your checkbook, (or just prints up one) fills it in, forges your signature and cashes it.
This is no different than someone walking into a bank, with a fake ID (or perhaps YOUR stolen ID if this person happens to look anything like you) and making a huge withdrawal.
My point is that this is not a technological issue, it doesn't matter what encryption scheme you use, or what firewall you run. This is a case of FRAUD. And the victim is the bank, not the end user, because the bank is tasked with keeping the user's money safe (that is what they do (in part) in exchange for the right to use it).
Lets be clear about this – the authorized user of the account did NOT initiate, or authorize the transaction. It is therefore not a legal, or legitimate transaction.
No transaction that is not authorized by the account holder is legal or legitimate. The rest is semantics.
The end user should not, cannot be held responsible for the illegal, and illegitimate actions of the bank.
And the bank knows it, but rather than take responsibility for the serious FUCK UP – they are trying to pass responsibility on to someone who has little or no control over the situation.
Yet ANOTHER reason to not use B of A.