So, essentially, the bank was defrauded and the judge ruled that the bank can make the customer pay for it. Sounds about right.

Sure, a bank can have crappy security that gets hit with a trojan, steals passwords and $600k, and no problem with lawsuits. But if someone connects to your wireless router and shares 80 million songs and movies because your router wasn’t ‘secure’, you’re liable. How nice…

I wonder what would’ve happened if the hackers had been sharing music and movies through the bank and what the MPAA and RIAA would’ve said… “Oh, well it’s obvious that it wasn’t intended, so we’ll just overlook that. Not like it was a home router or anything…”

Bank’s are required to have regular security analysis, and testing. Their networks are some of the most secure you will find in a private company. It is a requirement for their insurance (FDIC).

In this case, the customer failed to protect their accounts. Their account passwords were compromised on their own systems. The customer was claiming that the bank should be responsible for the loss, because they did not stop the fraudulent transactions.

The bank took proper security precautions, the customer did not. The customer wanted the bank to pay instead of them for the loss of their account credentials.

It’s like expecting the bank to reimburse you, because you lost your wallet.

Guys, this is a REALLY slippery slope for logic here.

I had some co-workers go to the UK and use an ATM while they were on an extended business trip. The ATM was compromised, but they had no idea how. Less than a few hours after they used the ATM, their bank accounts were completely drained.

Their banks all claimed to have a limit on ATM withdrawals, but they still allowed the perps to surpass the limit. In fact, my coworkers had to fight with them nonetheless to get their accounts credited for the hacked losses.

In this case, I agree, the corporation needs to prove they had adequate protection against keylogging. Unless it was a custom program, most antivirus suites would have picked this up.

However, the bank shouldn’t be allowed to get off the hook just because they didn’t review what was already flagged by suspicious behavior. That’s negligence. Worse yet, the bank was robbed and the customer is being asked to pay for it.

By this ruling, if someone who looks like me steals my identity and walks into my bank, I’m liable if they trick the teller into emptying my account?

Yikes, America.

These kind of lawsuits are typical of trying to blame someone else for your mistakes. The judge made the right call.

That said, there should be some increased security standards that banks have to meet.

Paypal has similar low level security, how many spam mails don’t people get trying to pry their Paypal creds from them? I distrust Paypal as a result.

Correct answers to; name, password & security query equal the real account holder.

Except that this was not the case, was it? Someone entered the correct name, password & security query and it was not the company in question.

I’m not saying this absolves users from managing their own security, but the system fails because the bank assumes anyone entering the users name, password and answer actually is the user.

OK Mr Guppy;

You sure are quick to claim that the system failed because the person on the keyboard wasnt the person owning the account..

EXACTLY how the hell does your simple mind think that there is any other way to authenticate the person to the account????

Maybe lick your monitor, and jack off into the keyboard for DNA Analysis???????

So, essentially, the bank was defrauded and the judge ruled that the bank can make the customer pay for it. Sounds about right.

Of course, because the customer didn’t do enough to protect the bank. Don’t you know that it’s everyone’s responsibility to protect the banks from losses? That’s why they get taxpayer bailouts. The judge was acknowledging that.

EXACTLY how the hell does your simple mind think that there is any other way to authenticate the person to the account????

Maybe lick your monitor, and jack off into the keyboard for DNA Analysis???????

You may find this hard to believe, but some people actually use their hands for other things, like making *signatures*.

Bank’s are required to have regular security analysis, and testing. Their networks are some of the most secure you will find in a private company. It is a requirement for their insurance (FDIC).
This is true. The FDIC has the juice to shut a bank down for not being in compliance.

It’s like expecting the bank to reimburse you, because you lost your wallet.
Or I guess in this case expecting the bank to reimburse you because someone stole your wallet and spent your money. How’s the store where the spent the money gonna know it wasn’t you (we’re talking cash)?

A) Bank had security on par with other banks.

Customer had security on par with other customers?

B) Bank performed due diligence informing customer of policy at signup.

Was it negotiable? Was it the customer’s policy as well?

C) Customer allowed the account authorization credentials to be stolen by poor (maybe none) email virus protection.

Email virus protection company failed. Bank allowed stolen credentials to be used. How is either one the customer’s fault?

This begs the question; Does the bank and customer get the same treatment by insurance as a bank robbery by person walking into the physical location and stealing physical bank notes?

What insurance? The customer’s insurance would not likely pay in the case of the bank getting robbed and the bank’s own insurance would not likely pay anything since the bank didn’t suffer a loss.

In this case, the customer failed to protect their accounts.

Isn’t that what the bank is supposed to do?

The bank took proper security precautions…

Really? So it’s proper to let people make unauthorized withdrawals from other people’s accounts?

…the customer did not.

So bank security is now the customer’s responsibility?

The customer wanted the bank to pay instead of them for the loss of their account credentials.

No, the customer still had their credentials. They didn’t want to repay the bank for the bank’s losses in getting robbed.

How would you suggest they improve the security? Have a human call and confirm everything over six digits? Limit the amount transferable per day? Both of those would do more harm then good; adding days if not weeks to the process.

Days or weeks to make a phone call? Really? Do you own bank stock or something?

Think of your personal account. If you get a virus and someone takes your money, do you blame the bank? No, you blame the asshole who did it and file a report with the bank.

If someone robs the bank while my money is there, I expect the bank to take the loss, not me.

This should be a warning call to anyone who has an account at that bank that your money is not safe. I know I would immediately take my money out of that bank and find a more secure bank where my money would be protected.

This is going to cost that bank a lot of money.

In my view the chain of responsibility starts with the user. Ultimately it is the user money so their responsibility.

The user then delegates a part of the responsibility (holding it) to a bank . The bank in its place delegates some responsibility back toward the user in the form of credentials the user must keep secret.

So in the case of credentials compromise the first failure is that the secret between bank and user is compromised.

This failure feeds back into the bank because is delegated some responsibility to somebody (the user) and that failed, compromising the larger responsibility of keeping the money in the bank.

Then ultimately the owner of the money is responsible for placing it in the bank in the first place.

All conversations here seem to reflect that the user is liable because the user fails to guard the credentials. As a leader is responsible for the actions of his followers, so would the bank still be responsible for the task it delegated and through the bank the user again for dealing with the bank.

So in my view the user revealing the credentials is a lesser responsibility then the bank promise to allow only the user to access the money, which again isa lesser responsibility then the user choosing to delegate to the bank.

The liability should be in proportion to the level of responsibility. So the user becomes liable for some amount for failing to guard its secret, above a certain threshold the bank has responsibility and for some higher amount the user is again responsible because he really should not have trusted that much money to that bank (Or a single bank at all probably).

The user credentials are part of the authentications system of the bank which in turn is part of the task of handling money.

The part I find interesting is that for the most part only the lowest level of responsibility is considered. And as I stated before I do not believe the user failing in his responsibility absolves the bank for failing in its responsibility.

I don’t care who was at fault for the password security. To me that’s almost irrelevant. What bugs me, and should bug any business banking customer, is a bank policy that allows a $600,000 transfer from one bank to another bank with no more than a simple online set of keystrokes.

That amount of money should be signed for, in person, with proper ID checks and personal verification by a bank representative who knows the business customer. Is that really so hard?

If I was the chief officer of a bank, I would know the first name of every customer who had at least $600,000 in my bank. I’m sure this bank did too.

So, they basically had a bank policy (forget security, it’s a non-starter) that allowed over half a million dollars to pass through it’s walls with no human oversight.

Criminal.

CBMHB

Good point.

There are special forms that have to be sent to the federal government for transactions over $10k. Any large transaction triggers extra government oversight even in the absence of any extra security implemented by the bank.

No one has cared about signatures on receipts for a very long time.

They just keep getting more secure all the time, don’t they?
/s

Ultimately it is the user money so their responsibility.

I see, so it’s the user’s fault for putting their money in the bank in the first place. If they hadn’t done that, it could never have been stolen from the bank. Yeah, I see how that works.

The user then delegates a part of the responsibility (holding it) to a bank . The bank in its place delegates some responsibility back toward the user in the form of credentials the user must keep secret.

If the bank can “put responsibility” back on the user, why not put it all back? “I’m sorry, but we made some Wall Street investments with your money that didn’t quite pan out and your money is all gone. If you want your money back, go talk to Wall Street because we don’t have it anymore. Not our problem”.

The liability should be in proportion to the level of responsibility. So the user becomes liable for some amount for failing to guard its secret,

Exactly. Kind of like how a woman “becomes liable” to some degree for getting raped if she dresses or walks the wrong way.

(Or a single bank at all probably)

ANY bank, actually. See? It’s all the customer’s own fault.

The problem is that the magistrate’s decision (the judge has to approve the order before it has legal force) dismisses the negligence cause of action as being preempted by the UCC (Uniform Commercial Code), which requires only “commercially reasonable” efforts. (Statutes take priority over the common law).

And since the purpose of commerce is profit, anything which would increase costs and thus decrease profits can be considered not “commercially reasonable” under the UCC. The UCC has all sorts of stuff in it that is pro-business, anti-consumer. No wonder, since it was written by business lobbyists as a way to protect themselves from consumers under common law.

If I wanted to withdraw MY money from MY account and was able to supply the information that the bank required from me in the agreement we had made during my opening of that account, I would expect the bank to honer that. This is all they did.
If I wanted to withdraw My money from MY account and a bank wanted to put me through an endless series of hoops to get it, I would do as they request and then find another bank.

Banks know this.
They want to keep customers, and the best way to do that is to make banking with them effortless.
It seems obvious that if you hand over the keys or they are taken it does not make a difference, they will still open the lock.

Of course there is no law requiring banks to have any certain level of security. Banks and other businesses are held to the lowest possible level of responsibility by the law.

Banks are required to be “High Security” environments, and to meet the industry standards as such. If a bank fails to provide adequate security, their regulatory agency (FDIC) can, and will shut them down. In the wake of the subprime mortgage collapse it is happening most frequently because of financial issues, but it can happen as a result of inadequate security. They must be regularly audited, and tested by security professionals. They must address all recommendations made as a result of the audit.

This particular theft was carried out using credentials stolen from the customer’s computer. The bank allowed access because the transaction occurred using the agreed upon verification parameters.

With the current online banking authentication model in place for most institutions this problem will happen again. The current model is single factor authentication. Single factor authentication is only based on something you know, ie. a username and password. Multi factor authentication is based on something you know, and something you are or have ie. username/pass and the current number on a digital key fob, or a fingerprint/retinal scan. Multi factor authentication is not currently required, but should be if you need secure identification.