Judge: Not Having The Best Security Not Illegal; Defrauded Company Can't Blame Bank
from the required-security? dept
An interesting ruling coming out of Maine. A judge has sided with a bank, in a case in which a company tried to blame its bank for not having better security, after it was hit by a trojan horse password stealer on one of its computers and subsequently had scammers transfer about $600k out of its account. The judge agreed that the bank did not have particularly good security, but also noted that there is no legal requirement that the bank have the absolutely best security. This is definitely the right decision, even if some may have a gut reaction the other way. To some extent, the company has to take some responsibility for its own actions, and on the flip-side, one would hope that market pressures would drive the banks to implement better security. For example, in this case, the bank itself -- Ocean Bank -- is getting a ton of bad publicity about its really poor security due to this lawsuit. So, even if it's won the lawsuit, that hardly means the bank comes out of it unscathed.
Reader Comments
The **bank's** money was stolen, not the customer's money.
This Mitchell and Webb radio skit demonstrates through humor just how silly the bank's position can be:
http://www.youtube.com/watch?v=CS9ptA3Ya9E
Re: The **bank's** money was stolen, not the customer's money.
The banks are actually moving in the other direction. I used my card in a restaurant the other day and I didn't have to use my PIN, sign something or anything beyond just handing them my card. They said that for under a certain amount they no longer have to do any of those things; the card number is enough.
Re: Re: The **bank's** money was stolen, not the customer's money.
They put it through as "credit" instead of debit. No one has cared about signatures on receipts for a very long time.
Re: Re: Re: The **bank's** money was stolen, not the customer's money.
I actually did a test on this a year or two ago. For two months, I signed all my credit card slips/screens with Mickey Mouse, RU Looking, X, WTF or some other ridiculous signature. I made sure it was actually readable, and not just a scribble. Not once was I questioned.
Re: Re: Re: The **bank's** money was stolen, not the customer's money.
They just keep getting more secure all the time, don't they?
/s
Re: The **bank's** money was stolen, not the customer's money.
That amount of money should be signed for, in person, with proper ID checks and personal verification by a bank representative who knows the business customer. Is that really so hard?
If I was the chief officer of a bank, I would know the first name of every customer who had at least $600,000 in my bank. I'm sure this bank did too.
So, they basically had a bank policy (forget security, it's a non-starter) that allowed over half a million dollars to pass through its walls with no human oversight.
Criminal.
CBMHB
Re: Re: The **bank's** money was stolen, not the customer's money.
There are special forms that have to be sent to the federal government for transactions over $10k. Any large transaction triggers extra government oversight even in the absence of any extra security implemented by the bank.
Bailout
Re: Bailout
Of course, because the customer didn't do enough to protect the bank. Don't you know that it's everyone's responsibility to protect the banks from losses? That's why they get taxpayer bailouts. The judge was acknowledging that.
The company got hit with the trojan that stole their info.
They felt the bank should have caught it sooner, and made it harder for this type of thing to work.
Well they should have used multifactor authentication!
Maybe you should have opted to find that in a bank when you made your selection if it was that important.
Maybe teaching employees to not open random emails and execute code should be step 1.
Nice double standard there
I wonder what would've happened if the hackers had been sharing music and movies through the bank and what the MPAA and RIAA would've said... "Oh, well it's obvious that it wasn't intended, so we'll just overlook that. Not like it was a home router or anything..."
Bank Robbery via ACH transfers
A) Bank had security on par with other banks.
B) Bank performed due diligence informing customer of policy at signup.
C) Customer allowed the account authorization credentials to be stolen by poor (maybe none) email virus protection.
This begs the question: do the bank and customer get the same treatment by insurance as a bank robbery by a person walking into the physical location and stealing physical bank notes?
It is a really big problem but the cops do win now and then.
International Cooperation Disrupts Multi-Country Cyber Theft Ring (ACH transfer Theft)
Re: Bank Robbery via ACH transfers
In essence this is the same scenario: someone orders actions on someone else's account and the intermediate party allows it. All other parts of the story are window dressing. The bank's authentication failed; it identified someone as the company while it was not the company.
I'm not convinced there is enough incentive for the bank to upgrade security. Sure, it may take a hit in reputation, but this is only effective if a customer has options. Where I live there are four banks and all of them have the same level of security.
Security expert Bruce Schneier wrote on the issue:
Information security isn't a technological problem. It's an economics problem. And the way to improve information technology is to fix the economics problem. Do that, and everything else will follow.
source: http://www.schneier.com/blog/archives/2004/11/computer_securi.html
Conclusion is that maybe currently the bank is not liable, but it should be.
Re: Re: Bank Robbery via ACH transfers
So, in order to not hassle customers with transfer holds the system asks the same old question every password system asks, including asking you the name of your cat. Much has been said about how easy it is to beat that secondary security method.
It falls on the user of online systems to protect their passwords & other such high value targets. All email must be scanned for viruses. Hell, the easiest way not to get hit by email borne trickery is to require all email to be text only when opened. Yes, no html. Yes, no pretty pictures. Yes, obvious spam is trapped.
Re: Re: Re: Bank Robbery via ACH transfers
When someone gets an account it is that person that is authorized to use that account; a user account is a representation of the person in the system. It is assumed the real world user and the system user match. Someone else providing the correct responses to the challenges does not negate the fact that matching the real world person to the system representation failed.
There are perhaps discussions possible as to what level it is reasonable for the system to ensure a correct match, but at its core this case is about a bank that assumed someone was somebody they were not.
Re: Re: Re: Re: Bank Robbery via ACH transfers
Since the year 2009 I would bet all banks have better security but that cannot be said about the users of online banking.
Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
Except that this was not the case, was it? Someone entered the correct name, password & security query and it was not the company in question.
I'm not saying this absolves users from managing their own security, but the system fails because the bank assumes anyone entering the users name, password and answer actually is the user.
Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
Think of your personal account. If you get a virus and someone takes your money, do you blame the bank? No, you blame the asshole who did it and file a report with the bank.
Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
In this case the bank allowed someone other than you to decide what happens to your money. It doesn't matter that he provided the correct responses; he could even look exactly like you, have your passport and everything. In the end all that matters is that he is not you.
In the end it is a matter of responsibility. It is your responsibility to keep your authentication tokens secret and safe. It is the bank's responsibility to make sure you are the only one with access to your money.
Your failure to secure your credentials does not excuse the failure of the bank to give somebody else access. In the same way it would not excuse you from securing your credentials if the bank fails.
Think of it as your landlord allowing a thief into your apartment because he thought he was you.
Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
If you read the press release by the FBI you would realize these criminals are very smart and have the tech support to make their theft successful.
That is all I have. Deal with it.
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
But that would reduce profits! How would they afford those sky-high CEO salaries then?
Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
"It's not MY fault that I opened that strange email and had my PII jacked! The bank! That's who should have known it wasn't me at that keyboard entering my username, password and answer to my security question!"
Let's get real, here. You are the first line of defense when it comes to your money. And you fail if you open that attachment or click that strange link, even if the email appears to be from someone you know.
Re: Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
The user then delegates a part of the responsibility (holding it) to a bank. The bank in its place delegates some responsibility back toward the user in the form of credentials the user must keep secret.
So in the case of credentials compromise the first failure is that the secret between bank and user is compromised.
This failure feeds back into the bank because it delegated some responsibility to somebody (the user) and that failed, compromising the larger responsibility of keeping the money in the bank.
Then ultimately the owner of the money is responsible for placing it in the bank in the first place.
All conversations here seem to reflect that the user is liable because the user fails to guard the credentials. As a leader is responsible for the actions of his followers, so would the bank still be responsible for the task it delegated, and through the bank the user again for dealing with the bank.
So in my view the user revealing the credentials is a lesser responsibility than the bank's promise to allow only the user to access the money, which again is a lesser responsibility than the user choosing to delegate to the bank.
The liability should be in proportion to the level of responsibility. So the user becomes liable for some amount for failing to guard its secret, above a certain threshold the bank has responsibility and for some higher amount the user is again responsible because he really should not have trusted that much money to that bank (Or a single bank at all probably).
The user credentials are part of the authentications system of the bank which in turn is part of the task of handling money.
The part I find interesting is that for the most part only the lowest level of responsibility is considered. And as I stated before I do not believe the user failing in his responsibility absolves the bank for failing in its responsibility.
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
I see, so it's the user's fault for putting their money in the bank in the first place. If they hadn't done that, it could never have been stolen from the bank. Yeah, I see how that works.
The user then delegates a part of the responsibility (holding it) to a bank. The bank in its place delegates some responsibility back toward the user in the form of credentials the user must keep secret.
If the bank can "put responsibility" back on the user, why not put it all back? "I'm sorry, but we made some Wall Street investments with your money that didn't quite pan out and your money is all gone. If you want your money back, go talk to Wall Street because we don't have it anymore. Not our problem".
The liability should be in proportion to the level of responsibility. So the user becomes liable for some amount for failing to guard its secret,
Exactly. Kind of like how a woman "becomes liable" to some degree for getting raped if she dresses or walks the wrong way.
(Or a single bank at all probably)
ANY bank, actually. See? It's all the customer's own fault.
Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
Days or weeks to make a phone call? Really? Do you own bank stock or something?
Think of your personal account. If you get a virus and someone takes your money, do you blame the bank? No, you blame the asshole who did it and file a report with the bank.
If someone robs the bank while my money is there, I expect the bank to take the loss, not me.
Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
You sure are quick to claim that the system failed because the person on the keyboard wasn't the person owning the account..
EXACTLY how the hell does your simple mind think that there is any other way to authenticate the person to the account????
Maybe lick your monitor, and jack off into the keyboard for DNA Analysis???????
Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
Maybe lick your monitor, and jack off into the keyboard for DNA Analysis???????
You may find this hard to believe, but some people actually use their hands for other things, like making *signatures*.
Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers
I'm not really certain I should respond to a message like yours. Is this subject really so emotional to you?
There are several other or additional ways of authenticating, but it is always a tradeoff. More security also implies more inconvenience. Also, even though they probably can do better, no form of authentication is 100% certain.
At some point the system will fail. The debate is about whose responsibility it is that the system failed. On one side there is you, who is simply you, and on the other side is the bank, who designed the very system, handed you your credentials and acts as the custodian for your money.
So the point is not how to prevent failure of the system (though less failure is obviously better), but how we will handle the inevitable failure.
Re: Re: Re: Bank Robbery via ACH transfers
Avoiding a hassle.
This is the DEATH of security regardless of what sort of security you are talking about. This same sort of stupidity applies to physical security with armed guards too.
"Avoiding a hassle" simply isn't a good reason to be sloppy.
Re: Bank Robbery via ACH transfers
Customer had security on par with other customers?
B) Bank performed due diligence informing customer of policy at signup.
Was it negotiable? Was it the customer's policy as well?
C) Customer allowed the account authorization credentials to be stolen by poor (maybe none) email virus protection.
Email virus protection company failed. Bank allowed stolen credentials to be used. How is either one the customer's fault?
This begs the question: do the bank and customer get the same treatment by insurance as a bank robbery by a person walking into the physical location and stealing physical bank notes?
What insurance? The customer's insurance would not likely pay in the case of the bank getting robbed and the bank's own insurance would not likely pay anything since the bank didn't suffer a loss.
Re: Re: Bank Robbery via ACH transfers
Ok, I guess that is an answer. I really don't know how the banking insurance works. Not talking about the FDIC stuff but all the other insurance a business like a bank could have.
Re: Re: Bank Robbery via ACH transfers
As to banks 'allowing' stolen credentials to be used, how are they to know they were stolen? Pixie dust?
Re: Re: Re: Bank Robbery via ACH transfers
You know the name for that? "Non-negotiable".
If the customer signed the policy, then yes. It was the customer's policy, too.
No, that just indicates that the customer signed off on the non-negotiable policy. It still doesn't mean that they came up with it.
As to banks 'allowing' stolen credentials to be used, how are they to know they were stolen? Pixie dust?
Perhaps they should use more reliable credentials. A name is a credential. Should someone be able to walk into a bank and provide a name and remove funds from the associated accounts with no further checks? No signatures, no photo ID, nothing. By your reasoning it would seem so. Excuse me while I disagree.
Re: Re: Re: Re: Bank Robbery via ACH transfers
Do you give them a signature when you make an online purchase? Or do you just supply the numbers on your card? Don't try to put words in my mouth. Thanks.
Bank Security
In this case, the customer failed to protect their accounts. Their account passwords were compromised on their own systems. The customer was claiming that the bank should be responsible for the loss, because they did not stop the fraudulent transactions.
The bank took proper security precautions, the customer did not. The customer wanted the bank to pay instead of them for the loss of their account credentials.
It's like expecting the bank to reimburse you, because you lost your wallet.
Re: Bank Security
This is true. The FDIC has the juice to shut a bank down for not being in compliance.
It's like expecting the bank to reimburse you, because you lost your wallet.
Or I guess in this case expecting the bank to reimburse you because someone stole your wallet and spent your money. How's the store where they spent the money gonna know it wasn't you (we're talking cash)?
Re: Bank Security
Isn't that what the bank is supposed to do?
The bank took proper security precautions...
Really? So it's proper to let people make unauthorized withdrawals from other people's accounts?
...the customer did not.
So bank security is now the customer's responsibility?
The customer wanted the bank to pay instead of them for the loss of their account credentials.
No, the customer still had their credentials. They didn't want to repay the bank for the bank's losses in getting robbed.
Re: Bank Security
It's like the bank expecting you to reimburse them because they got robbed. No, on second thought, it's not *like* that, it *is* that. And the judge said that's the way it should be.
I had some co-workers go to the UK and use an ATM while they were on an extended business trip. The ATM was compromised, but they had no idea how. Less than a few hours after they used the ATM, their bank accounts were completely drained.
Their banks all claimed to have a limit on ATM withdrawals, but they still allowed the perps to surpass the limit. In fact, my coworkers had to fight with them nonetheless to get their accounts credited for the hacked losses.
In this case, I agree, the corporation needs to prove they had adequate protection against keylogging. Unless it was a custom program, most antivirus suites would have picked this up.
However, the bank shouldn't be allowed to get off the hook just because they didn't review what was already flagged by suspicious behavior. That's negligence. Worse yet, the bank was robbed and the customer is being asked to pay for it.
By this ruling, if someone who looks like me steals my identity and walks into my bank, I'm liable if they trick the teller into emptying my account?
Yikes, America.
Re:
The problem comes into play because in your example the question is who is responsible? Is it you because you didn't stop your double from going into the bank to clean you out or is it the bank for not somehow recognizing that your double was a fake despite passing any security checks they have?
Banking is a very iffy industry because banks like to draw in customers by telling them that everything will be alright and if something bad happens and it's the bank's fault they will have you covered. Problem is, by their logic nothing (or nearly nothing) is ever their fault.
I work at a bank myself and have seen a few times where tellers goofed on someone's deposit, meaning it did not get deposited, causing them to go NSF (iNSufficient Funds, the account didn't have the funds to pay an item) and get charged. Do you think the bank waived that fee? Nope, that customer still had to give up that NSF charge ($32.50).
I absolutely agree with the court's decision here too, since at the time (pre 2009) what the bank was doing was reasonable and standard across the board in relation to security compliance.
Though the bank might have some fault if the same thing happened today, since fraud detection algorithms are a lot more robust, there is SMS authorisation ability for major transactions, and other pro-active measures. Even so the bank would most likely only be at most 30-50% at fault even today.
It really means you as a customer and holder of the authorisation need to be pro-active in regards to your own security and processes. I am still amazed how most Small & Medium enterprises do not have any security protocols in place in dealing with Electronic Transactions or Internet/Intranet usage, though on the bright side I guess having to be reactive to their inability to be pro-active keeps me in steady employment.
On a better note in regards to Banks, found this gem over at the Volokh Conspiracy the other day in relation to the Bank of America (BoA).
If you aren't laughing and pumping the air in glee you are not normal! ;)
Thanks for the clarification
"it" is referring to the last subject which was the bank.
This is how I read this sentence: "a company tried to blame its bank for not having better security, after the bank was hit by a trojan horse"
"it" should be changed to "the company"
Correct judgement
That said, there should be some increased security standards that banks have to meet.
Paypal has similar low level security, how many spam mails don't people get trying to pry their Paypal creds from them? I distrust Paypal as a result.
Has the Bank changed its on-line security?
No surprise
Another interesting point is you can't find out your bank's level of security. If you were to ask you might find yourself talking to cops.
Re: No surprise
Banks are required to be "High Security" environments, and to meet the industry standards as such. If a bank fails to provide adequate security, their regulatory agency (FDIC) can, and will, shut them down. In the wake of the subprime mortgage collapse it is happening most frequently because of financial issues, but it can happen as a result of inadequate security. They must be regularly audited and tested by security professionals. They must address all recommendations made as a result of the audit.
This particular theft was carried out using credentials stolen from the customer's computer. The bank allowed access because the transaction occurred using the agreed upon verification parameters.
With the current online banking authentication model in place for most institutions this problem will happen again. The current model is single-factor authentication. Single-factor authentication is only based on something you know, i.e. a username and password. Multi-factor authentication is based on something you know, and something you are or have, i.e. username/pass and the current number on a digital key fob, or a fingerprint/retinal scan. Multi-factor authentication is not currently required, but should be if you need secure identification.
WoW
W...T...F
This is going to cost that bank a lot of money.
My car was stolen
Re: My car was stolen
In most states that's illegal. Way to go.
I am holding Ford Motor Co. responsible because they should have known it was not ME turning the key.
Was your car in the possession of Ford at the time when someone stole it using an illegitimate key copy? Did they leave it out in the open overnight where just anyone could get to it?
Established Case Law
There was a landmark case that established a test to determine the standard of care for the tort of negligence. Briefly, a tugboat company was moving a barge and encountered severe weather and sank. The owner of the barge sued the tugboat company for negligence on the basis that the tugboats lacked radios and did not receive weather reports the day they sank. The tugboat company argued that very few companies had radios on their tugs at the time and it was not considered an industry best practice.
The court stated that “reasonable prudence is not necessarily common prudence.” It doesn’t matter what everyone else is doing. The court agreed that the tugboat company was negligent in its failure to adopt new radios in their tugboats.
http://itlaw.wikia.com/wiki/T.J._Hooper
United States v. Carroll Towing Co., 159 F.2d 169 (Circuit Court of Appeals, Second Circuit. 1947).
The T. J. Hooper, 287 U.S. 662; 53 S. Ct. 220; 77 L. Ed. 571; U.S. LEXIS 387 (U. S. Court of Appeals, 2nd Circuit 1932).
Re: Re: Established Case Law
And since the purpose of commerce is profit, anything which would increase costs and thus decrease profits can be considered not "commercially reasonable" under the UCC. The UCC has all sorts of stuff in it that is pro-business, anti-consumer. No wonder, since it was written by business lobbyists as a way to protect themselves from consumers under common law.
Judge absolves bank with poor security
There needs to be a balance between personal responsibility and public responsibility. Here, if you don't "vet" a bank (or a broker, or a realtor, or ...) you likely deserve what you get.
Even with violent video games (yes, Mike, unbiased research now shows it promotes violence, and my personal experience reinforces that), banning them really puts a responsibility on the public that should belong to the individual.
Bank should have watched for anomalous account activity
Bullshit. Ordinary customers are not in a position to vet a bank's security measures. And password stealing viruses/Trojans/keyloggers are a common and **known** security issue, so while passwords (and "secret questions") may be sufficient for low level transactions they are not a sufficient security practice where larger sums are at stake.
As stated earlier in this thread, the fact is that banks have little economic incentive to make their transactions truly secure. The transaction in question should have been flagged as questionable through automatic behavioral analysis. Even your credit card company will call you if something out of the ordinary happens, such as unusual charges from out of the country. Draining the entire bank account of $600,000 clearly qualifies as unusual. You think the bank shouldn't do the same due diligence over $600,000 as your credit card company does over a $200 charge in Europe?
Security has to be much more than passwords. It is too easy to steal/intercept/forge credentials. Behavioral metrics must also be used.
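The "automatic behavioral analysis" the comment above calls for can be quite simple. The following is an added example, not code from the post or the commenter: a handful of rules scored against a customer's own transfer history, with anything anomalous held for out-of-band confirmation rather than released. The transfer history, balance and thresholds are constructed assumptions for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds when the transfer was requested
    amount: float  # USD
    dest: str      # destination account identifier


# Constructed history: a year of payroll-sized ACH transfers, all to one known payee.
HISTORY = [
    Transfer(ts=1_230_000_000 + 30 * 86400 * i, amount=a, dest="payee-payroll")
    for i, a in enumerate([20000, 21000, 22000, 20500, 23000, 21500,
                           22500, 20000, 24000, 21000, 23500, 22000])
]
BALANCE = 650_000.0  # constructed current balance


def review_transfer(history, new, balance, *, sigma_k=3.0, drain_ratio=0.5):
    """Return the reasons a requested transfer looks anomalous for this customer.

    An empty list means the transfer is routine relative to the account's own history.
    Each rule is deliberately explainable so an analyst (or the customer on the phone)
    can see exactly why it was held.
    """
    reasons = []
    amounts = [t.amount for t in history]
    if amounts:
        mu, sigma = mean(amounts), pstdev(amounts)
        if new.amount > mu + sigma_k * sigma:
            reasons.append(
                f"amount {new.amount:,.0f} is more than {sigma_k:g} sigma above "
                f"the customer's mean of {mu:,.0f}"
            )
        if new.amount > 5 * max(amounts):
            reasons.append("amount exceeds five times the largest prior transfer")
    if new.dest not in {t.dest for t in history}:
        reasons.append(f"destination {new.dest} has never been paid from this account")
    if new.amount >= drain_ratio * balance:
        reasons.append(f"transfer would drain {new.amount / balance:.0%} of the balance")
    return reasons


def decide(reasons):
    """Release routine transfers; hold anything flagged until the customer confirms out of band."""
    if not reasons:
        return "release"
    return "hold: confirm out of band with the customer before release"


if __name__ == "__main__":
    # Constructed requests: the usual payroll run, then a near-total drain to an unknown account.
    routine = Transfer(ts=1_262_000_000, amount=22000, dest="payee-payroll")
    drain = Transfer(ts=1_262_000_100, amount=600_000, dest="acct-never-seen")
    for req in (routine, drain):
        flags = review_transfer(HISTORY, req, BALANCE)
        print(f"{req.amount:>10,.0f} -> {req.dest}: {decide(flags)}")
        for reason in flags:
            print("    -", reason)
```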
Re: Judge absolves bank with poor security
This isn't about personal or public responsibility though, it's about a bank not doing its job. Wtf is the point of putting your money in a bank if they give it away?
Seems Simple
The bank chose more lax security, has no responsibility for disclosure, and so is responsible for its losses. The customer did not lose the money, the bank did. So it owes the amount, interest, and (hopefully) penalties.
If I wanted to withdraw My money from MY account and a bank wanted to put me through an endless series of hoops to get it, I would do as they request and then find another bank.
Banks know this.
They want to keep customers, and the best way to do that is to make banking with them effortless.
It seems obvious that if you hand over the keys or they are taken it does not make a difference, they will still open the lock.
Re:
"They want to keep customers, and the best way to do that is to make banking with them effortless."
And banks know that the bank will hand out money to the wrong people. And so long as the banks aren't held liable they will **never** fix the problem--which is why this ruling is bad for bank security and consumers.
Single vs. Multi-factor authentication
However, since reading the comments I think that more responsibility rests with the bank than it initially appears.
The bank established the parameters for authentication. They told the customer his money would be safe using the security measures they established. The bank relied upon a single-factor authentication process. This is known to be inherently insecure because it is based only on something you know (username/pass). In order to be truly secure, identity must be verified using multi-factor authentication. Multi-factor authentication is based on something you know (username/pass) and on something you have (digital key fob, access card, etc.) or something you are (finger print, retinal scan, DNA, etc.).
If the bank had established a multi-factor authentication process the customer's money would not have been stolen. The customer trusted the bank, and relied upon the authentication process they put in place. As a result, he lost his money.
My company worked with a bank that wanted to set up a multi-factor authentication system. In addition to knowing the username/pass combination, you had to type it in using the same pattern each time. Everyone types in patterns that are unique to them, in the same way a signature is. These patterns were analyzed and stored. If someone attempted to use the username/pass to authenticate, but typed it in differently than the original user, it would not allow access.
This multi-factor model was based on something they are; it is not something that is easy to replicate.
The system worked well, but was never implemented. The bank cut the project at the end of development, because no one else was doing it yet. They still use single-factor authentication.
Unless people demand tighter security protocols, this kind of theft will continue to proliferate.
Re: Single vs. Multi-factor authentication
I think this concept is very cool, though I would be interested in seeing the results of this concept being put up against some serious penetration testing by industry experts while undergoing some intense real world testing to ensure it works consistently for its users. Hopefully the outcome being that it remains secure and has the client being able to access their accounts without encountering the system refusing them access. The main problem I see is that with a password, if you type in the wrong one all you have to do to get access is type in the right one. With this, by design, even if you type in the right characters it may still refuse you based on you not typing them in the right pattern. The problem being that you simply may not know what your pattern is.
I would also like to see how it compares with other forms of multi-factor authentication systems. Two ideas I am interested in are RSID keychains (that come with shielding sleeves and a built-in USB reader maybe) and USB fobs with an encrypted keyfile with specific software that inhibits copying to protect it, (or perhaps an encrypted keyfile with a rotating password algorithm.)
Thoughts?
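A minimal version of the typing-rhythm factor described two comments up, together with the false-reject concern raised in the reply. This is an added example written for this page, not the bank project's code; the enrollment intervals, attempts, standard-deviation floor and acceptance threshold are all constructed.

```python
from statistics import mean, pstdev

# Constructed enrollment data: inter-key intervals (seconds) from three typings of the same
# 8-character secret by its owner. In a real system these come from key-press timestamps.
ENROLLMENT = [
    [0.12, 0.25, 0.10, 0.30, 0.15, 0.20, 0.11],
    [0.14, 0.23, 0.11, 0.32, 0.14, 0.22, 0.10],
    [0.11, 0.26, 0.09, 0.29, 0.16, 0.19, 0.12],
]

def intervals(timestamps):
    """Inter-key intervals from a list of key-press timestamps (seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def enroll(samples, sd_floor=0.02):
    """Profile = (mean, std dev) per interval position. The floor keeps a position the
    owner happened to type very consistently from rejecting any deviation at all."""
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("enrollment samples must have the same keystroke count")
    return [(mean(col), max(pstdev(col), sd_floor)) for col in zip(*samples)]

def typing_distance(profile, attempt):
    """Mean absolute z-score of an attempt's intervals against the profile; inf if the
    keystroke count does not even match."""
    if len(attempt) != len(profile):
        return float("inf")
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(attempt, profile))

def verify(profile, attempt, threshold=2.0):
    """The second factor: the correct characters alone are not enough, the rhythm must
    also sit close to the enrolled profile."""
    return typing_distance(profile, attempt) <= threshold

# Constructed attempts; every one of them types the correct characters.
OWNER_NORMAL = [0.13, 0.24, 0.10, 0.31, 0.15, 0.21, 0.11]
STOLEN_PASSWORD = [0.20] * 7                  # correct secret entered at a flat, machine-like pace
OWNER_SLOW = [x * 2 for x in ENROLLMENT[0]]   # owner at half speed: the false-reject case

if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for name, attempt in [("owner", OWNER_NORMAL), ("stolen", STOLEN_PASSWORD), ("owner slow", OWNER_SLOW)]:
        print(f"{name}: distance={typing_distance(profile, attempt):.2f} accepted={verify(profile, attempt)}")
```

The third case is the usability problem the reply points at: a legitimate user whose rhythm drifts (fatigue, a different keyboard, one hand occupied) fails the factor even though the credential is right, so a deployment needs a fallback factor or a re-enrollment path.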