Is It Identity Theft Or A Bank Robbery, Part II: Couple Sues Bank Over Money Taken

from the i've-still-got-my-identity dept

Fri, Sep 11th 2009 6:26pm — Mike Masnick

Last month, we posted an amusing discussion (and comedy act) concerning whether or not "identify theft" was really a crime, or if it was really a bank robbery where the bank was passing off the liability for its poor authentication system onto the bank customer. Apparently, just such an argument is already playing out in the courts. Steven Hoy alerts us to a story of a couple who are suing their bank, after someone masquerading as them accessed their account and transferred $26,000 to Austria. The details of the case are a bit complex, but basically, the couple claims that the bank did not live up to basic standards in authentication, and cite the Federal Financial Institutions Examination Council's claim that notes that "single-factor authentication is inadequate and calls on banks to implement two-factor systems." Thus, the argument goes, the fault was the bank's security, and thus, the bank should be liable. The judge found that to be convincing:

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.... If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."

Chalk one up for those who believe "identity theft" is actually a "bank robbery."

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: banks, identity theft, scams, security

37 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

reboog711 (profile), 11 Sep 2009 @ 6:58pm

How long until...
How long until legislation gets put forward that protects banks from these types of lawsuits?
[ link to this | view in chronology ]
- Anonymous Coward, 11 Sep 2009 @ 7:41pm
  
  Re: How long until...
  Betting about 30secs...
  [ link to this | view in chronology ]
  - imbrucy (profile), 14 Sep 2009 @ 6:10am
    
    Re: Re: How long until...
    I'd agree accept that no politicians are that efficient.
    [ link to this | view in chronology ]
NullOp, 11 Sep 2009 @ 7:23pm

At Last!
The banks so regularly screw the customers is good to see one take a round in the ass! Banks are notorious for trying to pawn off responsibility on the customer! The days of "we're the bank, so we must be right" are coming to a close.
[ link to this | view in chronology ]
- interval, 11 Sep 2009 @ 8:51pm
  
  Re: At Last!
  @NullOp: "The days of "we're the bank, so we must be right" are coming to a close."
  
  I hope you're right.
  [ link to this | view in chronology ]
- brendy, 12 Sep 2009 @ 10:28am
  
  Re: At Last!
  HAH hardly...I just bought a home for 520K where the previous owners bought it for 700K and took out a 300k HELOC on it. They didn't have to pay any back and already own a new home in the wife's name. Plus, this is happening everywhere. Talk about banks getting effed in the a.
  [ link to this | view in chronology ]
  - Bruce E, 12 Sep 2009 @ 12:52pm
    
    Re: Re: At Last!
    HAH hardly...I just bought a home for 520K where the previous owners bought it for 700K and took out a 300k HELOC on it. They didn't have to pay any back and already own a new home in the wife's name. Plus, this is happening everywhere. Talk about banks getting effed in the a.
    Bank management breaking their fiduciary duty to investors and depositors by making loans with undue risk and you say they're getting screwed? You've got to be kidding.
    [ link to this | view in chronology ]
Anonymous Coward, 12 Sep 2009 @ 12:37am

Identity SHARING...jeez. And money is only artificially valuable and artificially scarce which means it is our natural, inalienable right to find ways to copy money and then self righteously explain why we did so.
[ link to this | view in chronology ]
- ..., 12 Sep 2009 @ 6:26am
  
  Re: 3 entirely different things
  identity != music != money
  [ link to this | view in chronology ]
- Luci, 12 Sep 2009 @ 7:17pm
  
  Re:
  Since paper money is based upon a very real, very scarce, tangible good (precious metals), you are an idiot.
  [ link to this | view in chronology ]
  - spinsheet (profile), 13 Sep 2009 @ 7:37am
    
    Money backed by what?
    @Luci
    
    Unless I am misunderstanding your post, our money fell off the gold standard in 1933 and is effectively backed only by our self discipline. The more we print, the less it's worth.
    [ link to this | view in chronology ]
  - Anonymous Coward, 13 Sep 2009 @ 7:41am
    
    Re: Re:
    The smallest gold coin you can get has $5 printed on it, but the gold content of that coin is worth $80-90 or more.
    [ link to this | view in chronology ]
  - alternatives(), 13 Sep 2009 @ 5:51pm
    
    Re: Re:
    Since paper money is based upon a very real, very scarce, tangible good (precious metals), you are an idiot.
    
    When Luci actually goes and educate itself about what paper money is backed by (in most cases, not precious metals) what will that make Luci?
    [ link to this | view in chronology ]
    - Anonymous Coward, 13 Sep 2009 @ 7:07pm
      
      Re: Re: Re:
      I'm guessing Luci was being sarcastic, not sure though. I'm sure Luci knows, just like anyone else, that mercantilism has been replaced by the floating system for a while now. Perhaps your irony meter needs to be checked.
      [ link to this | view in chronology ]
Meoip, 12 Sep 2009 @ 3:43am

Class
I call class action, I want my share of the money.
[ link to this | view in chronology ]
Anonymous Coward, 12 Sep 2009 @ 1:19pm

As for banks getting screwed... they'll be bailed out. As for legislation... here in Canada where banks rule with an iron fist - it already exists.
[ link to this | view in chronology ]
Lawrence D'Oliveiro, 12 Sep 2009 @ 4:43pm

Weak Authentication
The trouble is, if the banks insisted on stronger authentication, the customers would get annoyed at the inconvenience. So the bank gets screwed either way—its customers don’t appreciate the need for security until they become victims of fraud, and then they blame the bank for not protecting them.
[ link to this | view in chronology ]
- Luci, 12 Sep 2009 @ 7:19pm
  
  Re: Weak Authentication
  So you say. Our bank instituted stronger protection measures, and it only slowed us down by a couple of seconds in authentication to access our funds. Personally, I appreciate these measures. They do not inconvenience me in the least.
  [ link to this | view in chronology ]
- Anonymous Coward, 13 Sep 2009 @ 6:50am
  
  Re: Weak Authentication
  That sounds just like the nonsense reasoning a bank would use for not putting in place secure measures.
  
  It amazes me that many of my online only bank accounts still do not permit any characters other than a-z and 0-9, don't take into account case sensitivity and actually restrict you to a maximum of 12 characters for a password.
  
  Tell me that's because it's easier for customers and not because they have some outdated legacy system that can't cope with anything other than these rigid password requirements...
  [ link to this | view in chronology ]
Gyffes, 12 Sep 2009 @ 9:20pm

Gold standard? No longer.
Luci, you're the idiot. Our money hasn't been backed by anything of substance in over 50 years. It's all smoke and mirrors and a gentleman's agreement that the stuff has value. It's what made everyone so spooked when the latest bubble popped: there is no wizard, no spoon and noone's wearing any goddamned pants. There are no assets, we're not rich as Midas and the Dollar isn't worth a Lira.
[ link to this | view in chronology ]
Anonymous Coward, 13 Sep 2009 @ 5:21am

"identity != music != money"
-----------------

No. All three are intangible so infringe away!

"Since paper money is based upon a very real, very scarce, tangible good (precious metals), you are an idiot."
-----------------

Wow...you should probably strike the word "idiot" from your vocabulary until you actually...aren't one.
[ link to this | view in chronology ]
..., 13 Sep 2009 @ 6:46am

"identity != music != money"
-----------------
No. All three are intangible so infringe away!

Your logic -> because all three share a common characteristic, they must be the same.

Using this logic could lead to many more silly comparisons
--- If she weighed the same as a duck... she's made of wood.
--- And therefore...
--- ...A witch!
[ link to this | view in chronology ]
Anonymous Coward, 13 Sep 2009 @ 7:51am

"Your logic -> because all three share a common characteristic, they must be the same."
------------------

It's not my logic, it's the "logic" regularly espoused here: IF something is intangible THAN it can't be stolen.
[ link to this | view in chronology ]
- ..., 13 Sep 2009 @ 9:02am
  
  Re:
  and now you play with semantics
  
  I believe you are referring to the infringement vs theft argument. When someone "steals" music, it is copyright infringement. This is a legal definition. The term "stealing music" is used in an emotional argument attempting to sway the opinion of others.
  
  I agree that the "id theft" terminology is incorrect, if they stole my identity then I would not longer be in possession of it. However, that does not mean that it is therefore copyright infringement (music) nor is it counterfeiting (money), hence they are not the same. Identity theft is fraud. It would be nice if MSM were more precise rather than sensationalistic in their reporting.
  
  The term "Id theft" implys that it is the individual which has been violated and therefore stands to lose something, when in fact it is the bank, credit card co, store, etc which has been defrauded. I can see why busineses like this way of looking at it. Hopefully the courts understand the true nature of the crime.
  [ link to this | view in chronology ]
Anonymous Coward, 13 Sep 2009 @ 10:44am

Is there more to this story? Are research reports now enforcable law?
Is it possible that Marsha and Michael Shames-Yeakel probably had a keylogger or other malware or spyware installed on their computer?

If so, is it still the bank's fault for the couple to fail to apply basic internet security practices? Without establishing this fact can anyone really point blame.

Besides, one-time use tokens can still be circumvented via man-in-the-middle attacks, keyloggers, and the like. After all, most of these types of attacks can be thwarted by installing and maintaining a good anti-virus and anti-malware program. Additionally, using a safer web browser such as FireFox with an anti-phishing site plug-in.

You need all the pieces.

-------
Another thing is terribly wrong here. Did US District Judge Rebecca Pallmeyer just twist an industry research report and apply it as an enforceable law?

It seems that the FFIEC offers research and best practices. The problem is that the referenced "Security Standards" were not law, nor is it indicated that it's enforceable. But, FFIEC makes suggestions for best practices to prevent issues.

If so, this ruling really shows how clueless she is to the process of law. She comes off as a liberal judge that legislates from the bench.
[ link to this | view in chronology ]
- Anonymous Coward, 14 Sep 2009 @ 2:38am
  
  Re: Is there more to this story? Are research reports now enforcable law?
  Most attacks can be foiled by a good virus scanner? You find me a virus scanner that does anything besides eat up system resources and I'll start to agree. AVG? doesn't do anything. McAffee? McSlow. Norton? Oh jesus don't get me started on Symantec.
  
  Your point about malware raises some interesting litigation issues... hard to prove/disprove the existence of malware.
  [ link to this | view in chronology ]
Anonymous Coward, 13 Sep 2009 @ 11:35am

How about this scam

"Scammers have exploited the law by deceiving victims into depositing fake checks, then wiring a smaller amount back. The money the consumers deposit doesn't exist, but the money they send is very real."

http://www.consumeraffairs.com/news04/2006/06/check_scam.html

I think this is how the scam works. Someone has an account with a few dollars in it and they write you a huge check for something, claiming it's from their corporation. The check covers more than what they owe you so you write them a smaller check back. However, their account has insufficient funds and the bank will cover the initial overdraft check so the check would clear at first. The person never pays the bank what they owe, they close the account, but they do cash your real check. Eventually, when the bank figures that this person does not intend to pay it back what is owed, the check bounces and you owe the bank the money. So you gave this person money but they didn't give you anything back. You are stuck with the loss. The person uses what you gave them to pay overdraft fees and they're in the clear. If you want the money you have to track the entity down and sue them. It should be the BANK that should have to deal with this since the check cleared.

Or, there should be a way for me to tell that not only did the check clear, but it cleared without overdrafting, before someone writes a lesser check back to cover the change owed back.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Sep 2009 @ 12:21pm
  
  Re:
  The reason I mention this is because someone tried this scam. It didn't work (it almost worked) but it took me a while (and a couple of google searches) to figure out what was going on. I am just warning others so they don't fall for the scam. Here is the scam
  
  http://whocallsme.com/Phone-Number.aspx/447035928245
  
  http://www.thelpa.com/lpa/forum-thre ad/156995/trust-worthy.html
  
  Be aware of these scams.
  [ link to this | view in chronology ]
- Tek'a R (profile), 13 Sep 2009 @ 5:22pm
  
  Re: (check scam)
  its even simpler, and more complex then that.
  
  Say the check claims to be a direct cashiers check from First Bank Of Mumbai on third street or some other far away place. You deposit it and your bank, assuming that you want that money right away, makes the funds available to you (after all, you have never been this dumb before).
  
  You send the check, more often a wire transfer or bank draft Back to them, or cash, goods, etc, back to mr scammer. All this time you bank has been sitting on this check, waiting to process it in bulk with all its other checks for overseas or that country. Tick tock, tick tock, still waiting. You sent the goods, made the transfer or whatever. Now, Finally, your bank gets around to sending some stuff around.. Oops, they got a message back that, not only does that account not exist, the Bank does not even exist.
  
  Quicker to cover their mistake then take measures earlier, they snap all the money back out of your account. If you already did something with it.. well, too bad. Its all slurped back out, in theory to be returned once this little snafu is fixed.. but it wont be fixed, because..
  
  The authorities (if there are any this week) in the "responsible" area don't really care about this, so any business complaints from your bank fall on deaf ears. If you manage to get the FBI involved.. well, the country still does not care (and the FBI wouldn't be that eager to try helping anyhow, because you are the hundredth shmuck this week to call them about this)
  
  So now you are minus money or goods, And, fun enough, the bank will keep you on their records of trying to cash bad overseas checks, the kind of record that will linger.
  
  The other ways this scam works are worse, of course. "oh i just need a couple of those numbers off the bottom of your check so i can wire the money to your bank account for that laptop" means "Give me your account information and my totally corrupted friend will use his bank (that exists only on paper) to register a transfer from your account to a few hundred fake accounts and then to me.. thanks. and while I'm at it, I'm going to take out a few dozen student loans, car applications and mortgages in your name with the other info you gave me.. plus, thanks for the new laptop"
  [ link to this | view in chronology ]
Ben, 13 Sep 2009 @ 12:50pm

I find this concept very convincing. Of course Identity Theft runs much deeper than this. Despite that, good point. Due to the deeper nature of this issue, though, perhaps this is a strong call to an all-out overhaul of how our identities are protected. "Bank Robbery" is not the only potentially damaging form of Identity Theft.
[ link to this | view in chronology ]
Anonymous Coward, 13 Sep 2009 @ 2:38pm

"perhaps this is a strong call to an all-out overhaul of how our identities are protected."

Nah man, that's totally lame, identities want to be free, maaaaaan. Like, all our identities are totally standing on the backs of giants right? So how could, like, anyone own it? Y'know? Whoa...that wall just winked at me. Holy shit I'm on TV! Why am I on TV? Oh right, reflections, whoa...
[ link to this | view in chronology ]
Anonymous Coward, 14 Sep 2009 @ 6:36am

It is both a Floor wax and a dssert topping.
>Is It Identity Theft Or A Bank Robbery?

It is both. They steal your identity and then steal your money from the bank. The first allows the second. If you steal a gun and rob a bank with it then you have committed two crimes.
[ link to this | view in chronology ]
- ..., 14 Sep 2009 @ 5:41pm
  
  Re: It is both a Floor wax and a dssert topping.
  It's fraud
  [ link to this | view in chronology ]
Nate, 14 Sep 2009 @ 7:00am

About time
This is great. Nothing makes me more angry than some bank or credit card company who tries to sell me protection for some monthly payment to protect myself against theft. My response is that I already pay for thier services via the interest rates they charge. I am not going to pay them more money to do a job they should already be required to do. It is the banks job to verify that the person spending the money is entitled to. Now, if I lost my PDA with all my passwords on it or lost my wallet and then didn't call anyone to report the cards lost that's another thing.

Just the other day I made some purchases and didn't have to sign because the charges were under $25. I couldn't believe it. I guess it okay to make it easier to steal someone elses money if it's only $25. It's not like they check those signatures anyway, but why make it even easier?
[ link to this | view in chronology ]
Known coward, 14 Sep 2009 @ 8:55am

if the bank gives money to someone it shouldn't
The bank should be liable, plain and simple.
[ link to this | view in chronology ]
vastrightwing, 14 Sep 2009 @ 10:02am

Bank is liable
My daughter got scammed this way. However, I went to the bank and asked at least 5 bank employees when we could safely determine if the money orders were real or fake. Their wrong answers were always 5 business days. This is wrong because money orders clearing has nothing to do with actual funds. The bank should be liable in this case because they all gave bad information to her and me. The truth is that the banks has zero risk because they will always claim you should be liable when in fact, the bank's business used to be keeping your money safe. I argue that banks should be liable especially when they constantly give wrong information to the customer.
[ link to this | view in chronology ]
weneedhelp (profile), 14 Sep 2009 @ 2:31pm

Tpical users would not put up with the hassle of 2 factor authentication
2 factor authentication, something you know, like a pin, and something you dont know, like a number generated in sync on a server and a device or "soft - token."
http://en.wikipedia.org/wiki/Two-factor_authentication

http://www.rsa.com/node.aspx?id =1156
***I am not affiliated with RSA in any manor, nor do I own any stock in said company.***
P...I...T...A!!!
[ link to this | view in chronology ]