A federal magistrate judge has ruled against a small business that lost $345,000 in an online bank heist, arguing that the theft largely resulted from its own failure to secure its account credentials, according to published news reports. Patco Construction Company sued Ocean Bank in 2009 after crooks used malware to siphon …
Stick On Line Banking
Clearly a strong argument for NOT using on line banking.
When dealing with banks
Bend over, relax it will all be over in a few decades.
Haven't actually read the ruling, but...
Weren't the banks the ones that are peddling their trustworthiness to the point that you have no choice but to trust them?
Of course, with this sort of IT type thing it depends heavily on just where the demarc is. If it's your computer and your webbrowser that's been infected, well, that's up to you to prevent, though that doesn't absolve the bank from having to notice bank transfer orders coming through from Nigeria all of a sudden.
If they, as I've seen banks do, require you to install a NT box with a card reader and their software on it then connect it to the 'net to send out the transfers, well, it bloody well is up to them to make sure it doesn't accidentally also contract keyloggers and such.
The bank should have spotted it, especially unusually large or odd amounts of money moving out of the account, then again the company should have been more diligent not to let malware infest their desktops/servers.
Fine both of them for incompetence and send the money to starving kiddies in Africa!
The banks seem to be winning then
Once upon a time banks were responsible for looking after your money. It was their job to keep it safe, rather than you hiding it under the mattress.
Now it seems you have to pay for the privilege of letting the bank spend your money, award massive bonuses and they don't even have responsibility for keeping it safe any more.
Hey, it could be worse
At least one of the local banks here sells lottery tickets right from the ATM. Of course the bank is getting a safe commission as they help you gamble away your savings.
Sooner or later...
...banks and financial institutions will begin to take IT security seriously. Once it starts hitting them in the pocket, of course.
If this seems like a nonsensical view (after all, those same banks have vaults, don't they?) - consider that many banks are on cost-cutting drives to save as much money on operational spend, in order to maximise the funds available for those all-important trader bonuses. Quite a few banks have become very political about reducing internal costs, with the result that all sorts of managers are looking to cut in areas they shouldn't, in order to curry favour from their superiors.
In one or two places I've worked, that has also meant that the banks have viewed IT security as something that can be pared-down, often to the extent that such banks are now in danger of failing routine security audits. Even now, managers do not believe IT security is a core business requirement.
Keep an eye out. Before too long, there will be a financial fireworks display of the likes you've never seen.
Hmmm some specifics would seem to be in order...
A little light on the details here El Reg!
How can the bank not be held responsible? What did the company do that has seen them be held accountable for the losses? The standard is that online crime comes out of the bank's profits (mainly because they want people to have the confidence to use online banking), so what was the difference here?
Without this info here, this article is useless...
the article is a little light on detail.
for instance- who was infected by the malware? The bank or the small business? If it was the bank I don't see how they could accuse the business of failing to secure their account credentials as it was their computers at fault.
I imagine all that info
is in the 70 page PDF. Unfortunately I lost the will to continue about 10 pages in, but I gained the impression that the company signed up to the normal "rape me" on line banking terms and conditions of "anything that goes wrong is your fault unless you can prove otherwise", and consequently got stuffed. One thing that staggered me is that apparently the bank wipes their access logs every 90 days... WTF!
Oh, and all the pages about the challenge/response system
are utter bullshit. That's just a second password question, not a separate factor for authentication. Same applies to the "personal" icons that are supposed to help ID things.
I made it far enough into the PDF to find out nobody knows for sure
where the malware was. Odds are it was on the small business PC, but it sounds like the bank gave bad or unclear advice on handling the infected PCs (which they deny of course, but given their specificity of non-responsibility in the legal documents, the failure to produce written or email evidence of their exact advice is telling). Subsequently the systems were disinfected, but ruining the forensics in the process. Remnants of the Zeus bot were found on the SB systems, but they were unable to tell which specific variant. The one valid supporting claim for the bank is that the only location from which all the data could be compromised was the SB PC. Conversely, if the bad guys got their hands on the goods from the bank, more than just one SB would have been nailed.
I think this one gets appealed. The argle-bargle of the standard contract is onerous, and is subject to being summarily thrown out as binding for that reason. Moreover, the bank was aware of fraud against its accounts. I think the bank took insufficient action to prevent the fraud. The most glaring is not paying attention to serious spikes in the potential fraud scores on the fraudulent transactions. I was once called for transaction confirmation by a credit card company because I made the mistake of paying at the pump for my gas (petrol for you Brits) before going inside to pay my repair bill (2 cars, the working one needed fuel). Apparently making a small charge to confirm the card works is a common technique for that kind of fraud. Given that that was back in the early 90s, and the bank's failure is in the late 00s that failure is simply unacceptable.
Only had the energy to read the first dozen pages of the judgement but...
It feels that the bank has fairly slippery terms of service but Patco did agree to it after all. As an analogy with old-fashioned banking: if someone looks over your shoulder while you're writing a cheque and then forges your signature that's your problem for letting them do so. Ditto keyloggers.
Moral of the tale: choose your bank carefully, check what security they offer, and who's accountable for what if it goes wrong.
So they recovered half the money and THEN said it's their fault?
Access log history
...should be kept for at least 5 years or so.
It is the client's responsibility to ensure the PCs used by the finance/procurement departments do not have any nassssty malwaresesss on.
Also, the client is responsible for the security of their passwords/logins for their bank accounts/etc. As soon as one account is lost/compromised, then that must be followed up on with password resets etc for all accounts.
The bank's responsibility is to set up some intelligent application which "learns" the company's normal day-to-day expenses, and should any large sum be requested out of the blue, then said intelligent app will pause and flag said transaction before it is allowed to proceed. Same goes for small amounts being transferred into unknown accounts - pause these for review before proceeding.
And last, but not least, train the beancounters on the dangers of phishing and spear phishing - these two activities will get nastier and sneakier as time goes by.
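The bank-side check the comment above proposes, written out as an added example in Python (it is not from the article, the ruling or any commenter). It learns the known payees and an amount baseline from a constructed transfer history, then holds anything going to an unknown account or far outside normal spend; every account label and figure is made up for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Transfer:
    payee: str      # destination account label
    amount: float   # amount leaving the company account

# Constructed sample history: weekly payroll, a regular supplier, small fuel purchases.
HISTORY = (
    [Transfer("PAYROLL", 8000.0)] * 4
    + [Transfer("SUPPLIER-A", a) for a in (1200.0, 900.0, 1500.0, 1100.0)]
    + [Transfer("FUEL-CARD", a) for a in (150.0, 200.0, 180.0, 170.0)]
)

# Constructed new activity: normal payroll, a tiny probe transfer to an unknown
# account, a large drain to that same account, and an oversized supplier payment.
NEW = [
    Transfer("PAYROLL", 8000.0),
    Transfer("MULE-ACCT-1", 9.99),
    Transfer("MULE-ACCT-1", 45000.0),
    Transfer("SUPPLIER-A", 8500.0),
]

def build_baseline(history):
    """Learn the set of known payees and overall amount statistics from past transfers."""
    amounts = [t.amount for t in history]
    return {"payees": {t.payee for t in history}, "mean": mean(amounts),
            "stdev": pstdev(amounts), "max_seen": max(amounts)}

def review_transfer(baseline, t, z_limit=3.0):
    """Return the reasons to pause a transfer for manual review; an empty list means allow."""
    reasons = []
    if t.payee not in baseline["payees"]:
        # Unknown destinations are held regardless of size: small probe transfers count too.
        reasons.append("unknown payee")
    if baseline["stdev"] > 0 and (t.amount - baseline["mean"]) / baseline["stdev"] > z_limit:
        reasons.append("amount far above normal spend")
    if t.amount > baseline["max_seen"]:
        reasons.append("amount exceeds largest previous transfer")
    return reasons

def review_batch(history, new_transfers):
    """Score each new transfer against a baseline learned from the history."""
    baseline = build_baseline(history)
    return [(t, review_transfer(baseline, t)) for t in new_transfers]

if __name__ == "__main__":
    for t, reasons in review_batch(HISTORY, NEW):
        verdict = "ALLOW" if not reasons else "HOLD: " + "; ".join(reasons)
        print(f"{t.payee:12} {t.amount:>10.2f}  {verdict}")
```

A real system would use richer features (time of day, device, velocity) and per-payee statistics, but even this simple baseline holds both the small probe and the large drain before they leave the account.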
False-positives on security also bad
I've just had a go-round with Barclays. Usually I pay our HSBC credit cards from my HSBC current account, having previously transferred money out of my Barclays deposit/mortgage account. But last month I paid the cards directly from the Barclays account.
Paying my wife's credit card went fine. And paying my own credit card appeared to also go fine - except that Barclays subsequently decided that it was fraud, blocked the transfer, and blocked my account. And crucially they didn't contact me about it - their records say they left a voicemail message, but there wasn't a message on my phone.
Halfway through the month, HSBC stopped my credit card because I'd not paid it. I'd no idea why this happened until I'd spent a half-hour on the phone to HSBC to find out why my card had been refused twice that day. I'd had to pay from my current account, which I deliberately don't keep very full so that we've got as much as possible in the higher-interest account. Having found that the payment from Barclays hadn't happened, I then had over an hour on the phone to Barclays to try and sort this out. It took Barclays 2 days to get my Barclays account back up, and the better part of a week (this was over bank holidays) for HSBC to re-enable my credit card. And until the Barclays account came back, I couldn't top up my current account, so I was *VERY* lucky that I didn't need to buy food or fuel in those two days. If I'd been running a decorating business and needed to buy paint, say, this would have directly screwed up my business. Plus I've got credit card charges for late payment.
Thing is, I can understand security procedures on credit cards. If someone's managed to keylog your security code, then fair enough. My problem with this is that Barclays give you a card-reader, so in order to log into the Barclays account you need to have a card-reader, a card, the correct PIN entered in the card-reader for that card, and then copy the resulting 8-digit number into your login details. Unless their system is totally broken so that someone could guess the 8-digit number, there is simply no way on God's green earth that a Trojan can do that - that's the whole point of a "something you have and something you know" security process.
On the plus side, Barclays have agreed to pay the charges because I didn't get a voicemail. But they still don't accept that this kind of security block shouldn't be necessary when their system is specifically designed to avoid that class of hack.
You do have to remember that the banks are set up specifically to exclude certain things like customer service, fraud protection, risks to their bonuses, etc.
You may have even bigger problems if the bank actually DID send you a voicemail that you didn't get.
A while back someone changed my mother's maiden name as recorded on my bank account for "security" quizzing.
What it was changed to, they won't tell me. Changing it back is, apparently, a major problem because it is a joint account and requires both named owners to visit the branch and sit down with someone to achieve it. How it got changed in the first place in light of this is something of a mystery but possibly illuminated by the fact that it is still possible to get things done using other, not-hard-to-get-and-spoof information.
I'd suspect your account may have been half-hacked too, if I were you.
I never started online banking because of this nonsense.
Did the bank require the customer to use Windows?
If they did not, if their system works as well with other well-known operating systems, then their position is stronger.
Over time as Banks lose relevance...
it will be found to be safer to build your own environmentally controlled vault in your house to protect your valuables. As the world's nations go slowly bankrupt, you might want to make sure it's got enough room to store food as all the fiduciary paper out there proves to be highly useful only for papering your walls and in the bog. Across the board, it will all be proven to be paper with printing on it and worth exactly that much.