Should Banks Be Liable For Online Banking Losses?
from the tricky-situation dept
While this USA Today article discussing stories of online banking users getting scammed and losing their money goes a bit too far to the fear-mongering side of things, it does raise some interesting questions. The biggest one comes from the story of a small businessman who was urged by Bank of America to start using their online banking account. The guy had anti-virus and firewall software, but a keylogging trojan was still installed on his machine, allowing someone to transfer nearly $100,000 out of his bank account to an account in Latvia. Bank of America refused to help. While consumer liability is capped at $50, that’s not the case with commercial banking. And, since Bank of America says they didn’t do anything wrong, they feel that they aren’t responsible. Of course, “not doing anything wrong” may depend on your definition of what’s wrong — and many people would consider the weak security on BofA’s site to be part of the problem. The real issue is that, if banks knew they would be liable for such losses, then you can bet they’d make their systems a lot more secure. Of course, most of the proposed solutions still have problems of their own, so this isn’t a situation with an easy answer. Should the liability be split because the guy didn’t do enough to protect his own computer, or is that blaming the victim? One thing that’s clear is that these types of crimes are likely going to increase, not decrease.
Comments on “Should Banks Be Liable For Online Banking Losses?”
solution to keyloggers
Citibank of India has a nice solution…
Re: solution to keyloggers
Only a temporary solution, the same as two-factor authentication and everything else.
If you have malware getting onto your machine, all of these are at best a temporary solution. The malware authors only need to identify when you’re making an online payment (after going through all the authentication in the world) and then silently switch the amount and account number when you submit the form.
The solution to malware? I’m not sure, but perhaps you could start by _not_ forcing your customers to use the world’s most insecure and malware-prone web browser?!!
The solution to phishing? Continue to warn your customers; my bank has regular warnings on the login page and does NOT use email to contact their customers. That’s all they should have to do.
Bank customers: make a bookmark to the login page. Click that when you want to do banking and check that the address bar goes yellow before entering any authentication. Ignore everything else. If your bank really MUST get hold of you urgently they’ll put a hold on your account and tell you to contact THEM via the 0800 number or by walking into any branch. Ignore everything else. It’s really simple.
Re: Re: solution to keyloggers
Not so. A key fob that relies on a time-based seed to produce a cryptographic token which the user is able to use in addition to their login/password pair is not temporary, nor is it trivial to crack/bypass. This is the route any on-line banking provider who is doing their due diligence is going to go. Enough said.
Re: Re: Re: solution to keyloggers
A key fob that relies on a time-based seed to produce a cryptographic token which the user is able to use in addition to their login/password pair is not temporary, nor is it trivial to crack/bypass. This is the route any on-line banking provider who is doing their due diligence is going to go. Enough said.
It’s STILL trivial to bypass, assuming the attacker managed to get malware onto your machine. User enters password via mouse on logger-proof randomized keypad, enters number from SMS message, USB keyfob does magical and totally secure cryptographic authentication with biometrics. Add any number of other security measures. It makes no difference.
After authenticating, user enters details of legitimate transfer ($250 to power company) and when they hit the submit button, resident malware (probably a BHO) switches “$250” to “$250,000” and “power company” to “russian bank account” and then sends the altered form over the nice, safe tamperproof and authenticated SSL connection. This would be slightly more work than just installing a keylogger, but still well within even a modest hacker’s abilities.
About the only thing banks could do in this case is block ‘out of pattern’ payments (anything big and/or offshore) until you’ve phoned the customer and verified it. And perhaps they should just do that in the first place instead of messing about with additional layers of authentication.
No Subject Given
Wouldn’t a non-standard (for this account holder’s history) transfer of $100,000 put a huge red flag up? Especially a transfer of any substantial amount to a foreign country which is not done on a regular basis, or one which is done for the first time. Shouldn’t it be preceded by a confirmation telephone call or some type of physical verification with the legal account holder the funds originate from?
This story looks to me as though the fault lies with the bank — for not reacting to this “unusual” funds transfer.
Re: Bank Liability
I am curious as to how this guy transferred 100,000 to another account via online banking. I know that with my online banking I can only transfer money between my own accounts. Sending money to anyone else requires a separate password and login, and it takes two or more days for the transaction to post. I would think that Regulation E or Check 21 would have some liability protections for this customer.
Re: No Subject Given
yes thank you. that’s it! bank of america is probably swamped, hence very disorganized since the merger. but that’s no one’s fault but theirs. they need some red tape. 100,000 is a lot of money… what’s worse is, they’re not stupid. they know they are at fault. they’re just playing dumb to save face.
Authentication and Identity are not the same
The problem is that authentication is being confused with identity. Without the banks shouldering the liability for loss, they will never spend the resources needed to address the problem appropriately. An effective identification method ties authentication to a validation process that shows that the entity is who they say they are. This means that the solution will not be exclusively technological, but must involve some tie to the real world that helps to prove the authenticated party’s identity. Maybe this is an encrypted hash of a biometric that ties back to a birth certificate, but relying on authentication without considering this will be more susceptible to fraud.
No Subject Given
I was going to start off by saying it’s the victim’s fault for having spyware. And then I was about to make an analogy with low-tech examples and realized those examples would actually work against my argument!
Consider the case of safety deposit boxes… if you were stupid enough to leave your safety deposit box unlocked or leave your key lying around for people to copy… even then the thieves can’t get into your box because of the inherent security at the branch… the branch staff have to open the lock for you in conjunction with your lock… hmmm…
maybe it’s time we get high-tech with fingerprint and retina scans, but even then, how can the bank know that it’s you being scanned and not some sort of hack tricking the bank systems into thinking it’s a real scan when it’s just a series of 0s and 1s intercepted along the way.
Re: No Subject Given
You use an encrypted hash of that biometric. This prevents the “man in the middle” attack you suggest. The impersonator could not derive your biometric data from the hash because it’s encrypted, and, if the hash is well designed, there will never be any collisions (i.e. duplicated values) so old values won’t work.
He gets a keylogger on his machine, and that is the bank’s fault? We all know that firewalls and A/V are not foolproof; he chose internet banking, he got a trojan, he lost money. I notice the story doesn’t say whether the bank offers a similar protection to that on personal accounts, so he wouldn’t be liable for all of it. This is more of the “It can’t be my fault” attitude most people have today.
he had firewall software ?
If he had firewall software then he must have explicitly given the key-logging trojan internet access.
Re: he had firewall software ?
If he was running as admin (as so many WinXP users still do), and his firewall was a common one, then the trojan may have recognised it and arranged to give itself access.
Re: he had firewall software ?
No, outgoing connections do not require permission of the user. The firewall is designed to prevent outside attacks from getting in, not the other way around.
The only exception to this is software firewalls, which can be reprogrammed by the malware once it is on the user’s machine. If the malware was installed by a user with administrator privileges, it can do anything, including see the web pages you’re looking at, and then send those to some other computer on the internet.
Ignorance is one reason why people are ready to blame the victim, but in truth, it could have been you.
Firewalls do not protect you from malware! Anti-virus software doesn’t guarantee things either! It’s possible to have all the security in the world and still be a victim. That’s why it’s scary.
BOA introduces sitekey
BOA has come up with a new authentication feature, “SiteKey”, alongside the passcode for their online banking, where the customer chooses an image and title which is specific to their computer.
Seems a bit off topic...
Unless I am missing something here, it said a keylogger had been installed on the client’s system. Are we suggesting that the bank should be held liable for lack of security on the end user side of the fence?
I realize there are other issues raised here, but a keylogger on a client’s system is, in my opinion, the client’s lack of security measures, not the bank’s.
Re: Seems a bit off topic...
It doesn’t matter how the thief got the information, the odd transaction should have triggered a freeze on the account until it could be verified with the account holder. One of my bank accounts, the bank freezes the account if I use my ATM card out of state until/unless I call them and verify information they have on record. BoA should have done the same with that $100k international transfer (unless that account regularly sends six digit amounts to international accounts).
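The “out of pattern” hold that this comment and the two earlier ones (“block ‘out of pattern’ payments” and “put a huge red flag up”) describe, written out as an added example that is not part of the original thread. The thresholds, the home country and the sample transfers are constructed assumptions, not any bank’s real policy; the point is that the rule compares a payment against the account’s own history, so an exporter who regularly wires six figures abroad is not flagged while the story’s first-ever $100,000 transfer to Latvia is held for a phone call.

```python
from dataclasses import dataclass
from datetime import date
from typing import List

# Thresholds are assumptions for illustration, not any bank's real policy.
HOME_COUNTRY = "US"
AMOUNT_MULTIPLIER = 5.0          # hold if amount > 5x the largest prior transfer
NEW_PAYEE_THRESHOLD = 10_000.0   # hold any first-time payee at or above this amount


@dataclass(frozen=True)
class Transfer:
    amount: float
    dest_account: str   # payee identifier (constructed values below)
    dest_country: str   # country code of the receiving bank
    when: date


def out_of_pattern_reasons(history: List[Transfer], tx: Transfer) -> List[str]:
    """Return the ways `tx` departs from this account's history (empty list = normal)."""
    reasons = []
    prior_max = max((t.amount for t in history), default=0.0)
    if history and tx.amount > AMOUNT_MULTIPLIER * prior_max:
        reasons.append(f"amount {tx.amount:,.0f} is over {AMOUNT_MULTIPLIER:g}x prior max {prior_max:,.0f}")
    if tx.dest_account not in {t.dest_account for t in history} and tx.amount >= NEW_PAYEE_THRESHOLD:
        reasons.append(f"first payment to payee {tx.dest_account} above new-payee threshold")
    if tx.dest_country != HOME_COUNTRY and all(t.dest_country != tx.dest_country for t in history):
        reasons.append(f"first transfer to country {tx.dest_country}")
    return reasons


def decide(history: List[Transfer], tx: Transfer) -> str:
    """Hold the payment for out-of-band (phone) confirmation if anything is unusual."""
    return "HOLD_FOR_PHONE_CONFIRMATION" if out_of_pattern_reasons(history, tx) else "RELEASE"


# Constructed sample data: a small business paying routine domestic bills...
SMALL_BUSINESS_HISTORY = [
    Transfer(250.0, "power-co", "US", date(2005, 9, 1)),
    Transfer(4800.0, "payroll-svc", "US", date(2005, 9, 15)),
    Transfer(250.0, "power-co", "US", date(2005, 10, 1)),
]
# ...followed by a six-figure transfer to a never-before-seen account abroad, as in the story.
SUSPECT_TRANSFER = Transfer(100_000.0, "LV-unknown-acct", "LV", date(2005, 10, 20))
ROUTINE_TRANSFER = Transfer(250.0, "power-co", "US", date(2005, 11, 1))

# An exporter that regularly wires large sums to the same Latvian supplier is NOT flagged.
EXPORTER_HISTORY = [Transfer(120_000.0, "LV-supplier", "LV", date(2005, m, 5)) for m in (7, 8, 9)]
EXPORTER_TRANSFER = Transfer(100_000.0, "LV-supplier", "LV", date(2005, 10, 5))

if __name__ == "__main__":
    print(decide(SMALL_BUSINESS_HISTORY, SUSPECT_TRANSFER), out_of_pattern_reasons(SMALL_BUSINESS_HISTORY, SUSPECT_TRANSFER))
    print(decide(SMALL_BUSINESS_HISTORY, ROUTINE_TRANSFER), decide(EXPORTER_HISTORY, EXPORTER_TRANSFER))
```

The suspect transfer trips all three rules, so the reasons list doubles as the script a call-centre agent would read back to the account holder before releasing the payment.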
No Subject Given
Bank of America Fails To Provide Account Security
Online banking should be secure for EVERYONE, not just those with a technical background.
If a transaction looks out of the ordinary for that account holder, or in this case, out of the ordinary to an extreme extent (transferring $100,000 US to a foreign/international bank account) — then the bank should be held at fault for not providing the correct security measures.
Now taking the devil’s advocate side in this matter: who says that it wasn’t actually the bank who stole the money from the account, then told the customer, “Sorry, but your money was transferred to a foreign bank. We don’t know which one and we cannot get it back. Just deal with it buddy.” — And to be honest, this is just what the bank is saying.
I am guessing that Bank of America doesn’t offer a baseline STANDARD of online banking security. They obviously were NOT doing what they were hired to do — which is to _securely_ manage this guy’s account.
His money would have probably been more secure if he had put it all in a bed mattress. At least then, he would have had better control over who was able to remove it — or at least had an idea of who it was.
What’s the point of using Bank of America to manage your money if they cannot/will not provide standardized FRAUD / THEFT PROTECTION?
NOT a technological issue.
You all seem to be treating this as if it were a technological issue, when it is clearly not.
This is no different than if someone steals a check out of your checkbook, (or just prints up one) fills it in, forges your signature and cashes it.
This is no different than someone walking into a bank, with a fake ID (or perhaps YOUR stolen ID if this person happens to look anything like you) and making a huge withdrawal.
My point is that this is not a technological issue; it doesn’t matter what encryption scheme you use, or what firewall you run. This is a case of FRAUD. And the victim is the bank, not the end user, because the bank is tasked with keeping the user’s money safe (that is what they do, in part, in exchange for the right to use it).
Let’s be clear about this: the authorized user of the account did NOT initiate, or authorize, the transaction. It is therefore not a legal or legitimate transaction.
No transaction that is not authorized by the account holder is legal or legitimate. The rest is semantics.
The end user should not, can not be held responsible for the illegal, and illegitimate actions of the bank.
And the bank knows it, but rather than take responsibility for the serious FUCK UP, they are trying to pass responsibility on to someone who has little or no control over the situation.
Yet ANOTHER reason to not use B of A.