Is It Identity Theft Or A Bank Robbery, Part II: Couple Sues Bank Over Money Taken

from the i've-still-got-my-identity dept

Last month, we posted an amusing discussion (and comedy act) concerning whether or not “identify theft” was really a crime, or if it was really a bank robbery where the bank was passing off the liability for its poor authentication system onto the bank customer. Apparently, just such an argument is already playing out in the courts. Steven Hoy alerts us to a story of a couple who are suing their bank, after someone masquerading as them accessed their account and transferred $26,000 to Austria. The details of the case are a bit complex, but basically, the couple claims that the bank did not live up to basic standards in authentication, and cite the Federal Financial Institutions Examination Council’s claim that notes that “single-factor authentication is inadequate and calls on banks to implement two-factor systems.” Thus, the argument goes, the fault was the bank’s security, and thus, the bank should be liable. The judge found that to be convincing:

“In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access…. If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.”

Chalk one up for those who believe “identity theft” is actually a “bank robbery.”

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Is It Identity Theft Or A Bank Robbery, Part II: Couple Sues Bank Over Money Taken”

Subscribe: RSS Leave a comment
Bruce E says:

Re: Re: At Last!

HAH hardly…I just bought a home for 520K where the previous owners bought it for 700K and took out a 300k HELOC on it. They didn’t have to pay any back and already own a new home in the wife’s name. Plus, this is happening everywhere. Talk about banks getting effed in the a.

Bank management breaking their fiduciary duty to investors and depositors by making loans with undue risk and you say they’re getting screwed? You’ve got to be kidding.

Lawrence D'Oliveiro says:

Weak Authentication

The trouble is, if the banks insisted on stronger authentication, the customers would get annoyed at the inconvenience. So the bank gets screwed either way—its customers don’t appreciate the need for security until they become victims of fraud, and then they blame the bank for not protecting them.

Anonymous Coward says:

Re: Weak Authentication

That sounds just like the nonsense reasoning a bank would use for not putting in place secure measures.

It amazes me that many of my online only bank accounts still do not permit any characters other than a-z and 0-9, don’t take into account case sensitivity and actually restrict you to a maximum of 12 characters for a password.

Tell me that’s because it’s easier for customers and not because they have some outdated legacy system that can’t cope with anything other than these rigid password requirements…

Gyffes (profile) says:

Gold standard? No longer.

Luci, you’re the idiot. Our money hasn’t been backed by anything of substance in over 50 years. It’s all smoke and mirrors and a gentleman’s agreement that the stuff has value. It’s what made everyone so spooked when the latest bubble popped: there is no wizard, no spoon and noone’s wearing any goddamned pants. There are no assets, we’re not rich as Midas and the Dollar isn’t worth a Lira.

Anonymous Coward says:

“identity != music != money”

No. All three are intangible so infringe away!

“Since paper money is based upon a very real, very scarce, tangible good (precious metals), you are an idiot.”

Wow…you should probably strike the word “idiot” from your vocabulary until you actually…aren’t one.

... says:

Re: Re:

and now you play with semantics

I believe you are referring to the infringement vs theft argument. When someone “steals” music, it is copyright infringement. This is a legal definition. The term “stealing music” is used in an emotional argument attempting to sway the opinion of others.

I agree that the “id theft” terminology is incorrect, if they stole my identity then I would not longer be in possession of it. However, that does not mean that it is therefore copyright infringement (music) nor is it counterfeiting (money), hence they are not the same. Identity theft is fraud. It would be nice if MSM were more precise rather than sensationalistic in their reporting.

The term “Id theft” implys that it is the individual which has been violated and therefore stands to lose something, when in fact it is the bank, credit card co, store, etc which has been defrauded. I can see why busineses like this way of looking at it. Hopefully the courts understand the true nature of the crime.

Anonymous Coward says:

Is there more to this story? Are research reports now enforcable law?

Is it possible that Marsha and Michael Shames-Yeakel probably had a keylogger or other malware or spyware installed on their computer?

If so, is it still the bank’s fault for the couple to fail to apply basic internet security practices? Without establishing this fact can anyone really point blame.

Besides, one-time use tokens can still be circumvented via man-in-the-middle attacks, keyloggers, and the like. After all, most of these types of attacks can be thwarted by installing and maintaining a good anti-virus and anti-malware program. Additionally, using a safer web browser such as FireFox with an anti-phishing site plug-in.

You need all the pieces.

Another thing is terribly wrong here. Did US District Judge Rebecca Pallmeyer just twist an industry research report and apply it as an enforceable law?

It seems that the FFIEC offers research and best practices. The problem is that the referenced “Security Standards” were not law, nor is it indicated that it’s enforceable. But, FFIEC makes suggestions for best practices to prevent issues.

If so, this ruling really shows how clueless she is to the process of law. She comes off as a liberal judge that legislates from the bench.

Anonymous Coward says:

Re: Is there more to this story? Are research reports now enforcable law?

Most attacks can be foiled by a good virus scanner? You find me a virus scanner that does anything besides eat up system resources and I’ll start to agree. AVG? doesn’t do anything. McAffee? McSlow. Norton? Oh jesus don’t get me started on Symantec.

Your point about malware raises some interesting litigation issues… hard to prove/disprove the existence of malware.

Anonymous Coward says:

How about this scam

“Scammers have exploited the law by deceiving victims into depositing fake checks, then wiring a smaller amount back. The money the consumers deposit doesn’t exist, but the money they send is very real.”

I think this is how the scam works. Someone has an account with a few dollars in it and they write you a huge check for something, claiming it’s from their corporation. The check covers more than what they owe you so you write them a smaller check back. However, their account has insufficient funds and the bank will cover the initial overdraft check so the check would clear at first. The person never pays the bank what they owe, they close the account, but they do cash your real check. Eventually, when the bank figures that this person does not intend to pay it back what is owed, the check bounces and you owe the bank the money. So you gave this person money but they didn’t give you anything back. You are stuck with the loss. The person uses what you gave them to pay overdraft fees and they’re in the clear. If you want the money you have to track the entity down and sue them. It should be the BANK that should have to deal with this since the check cleared.

Or, there should be a way for me to tell that not only did the check clear, but it cleared without overdrafting, before someone writes a lesser check back to cover the change owed back.

Anonymous Coward says:

Re: Re:

The reason I mention this is because someone tried this scam. It didn’t work (it almost worked) but it took me a while (and a couple of google searches) to figure out what was going on. I am just warning others so they don’t fall for the scam. Here is the scam

Be aware of these scams.

Tek'a R (profile) says:

Re: (check scam)

its even simpler, and more complex then that.

Say the check claims to be a direct cashiers check from First Bank Of Mumbai on third street or some other far away place. You deposit it and your bank, assuming that you want that money right away, makes the funds available to you (after all, you have never been this dumb before).

You send the check, more often a wire transfer or bank draft Back to them, or cash, goods, etc, back to mr scammer. All this time you bank has been sitting on this check, waiting to process it in bulk with all its other checks for overseas or that country. Tick tock, tick tock, still waiting. You sent the goods, made the transfer or whatever. Now, Finally, your bank gets around to sending some stuff around.. Oops, they got a message back that, not only does that account not exist, the Bank does not even exist.

Quicker to cover their mistake then take measures earlier, they snap all the money back out of your account. If you already did something with it.. well, too bad. Its all slurped back out, in theory to be returned once this little snafu is fixed.. but it wont be fixed, because..

The authorities (if there are any this week) in the “responsible” area don’t really care about this, so any business complaints from your bank fall on deaf ears. If you manage to get the FBI involved.. well, the country still does not care (and the FBI wouldn’t be that eager to try helping anyhow, because you are the hundredth shmuck this week to call them about this)

So now you are minus money or goods, And, fun enough, the bank will keep you on their records of trying to cash bad overseas checks, the kind of record that will linger.

The other ways this scam works are worse, of course. “oh i just need a couple of those numbers off the bottom of your check so i can wire the money to your bank account for that laptop” means “Give me your account information and my totally corrupted friend will use his bank (that exists only on paper) to register a transfer from your account to a few hundred fake accounts and then to me.. thanks. and while I’m at it, I’m going to take out a few dozen student loans, car applications and mortgages in your name with the other info you gave me.. plus, thanks for the new laptop”

Anonymous Coward says:

“perhaps this is a strong call to an all-out overhaul of how our identities are protected.”

Nah man, that’s totally lame, identities want to be free, maaaaaan. Like, all our identities are totally standing on the backs of giants right? So how could, like, anyone own it? Y’know? Whoa…that wall just winked at me. Holy shit I’m on TV! Why am I on TV? Oh right, reflections, whoa…

Nate says:

About time

This is great. Nothing makes me more angry than some bank or credit card company who tries to sell me protection for some monthly payment to protect myself against theft. My response is that I already pay for thier services via the interest rates they charge. I am not going to pay them more money to do a job they should already be required to do. It is the banks job to verify that the person spending the money is entitled to. Now, if I lost my PDA with all my passwords on it or lost my wallet and then didn’t call anyone to report the cards lost that’s another thing.

Just the other day I made some purchases and didn’t have to sign because the charges were under $25. I couldn’t believe it. I guess it okay to make it easier to steal someone elses money if it’s only $25. It’s not like they check those signatures anyway, but why make it even easier?

vastrightwing (profile) says:

Bank is liable

My daughter got scammed this way. However, I went to the bank and asked at least 5 bank employees when we could safely determine if the money orders were real or fake. Their wrong answers were always 5 business days. This is wrong because money orders clearing has nothing to do with actual funds. The bank should be liable in this case because they all gave bad information to her and me. The truth is that the banks has zero risk because they will always claim you should be liable when in fact, the bank’s business used to be keeping your money safe. I argue that banks should be liable especially when they constantly give wrong information to the customer.

weneedhelp (profile) says:

Tpical users would not put up with the hassle of 2 factor authentication

2 factor authentication, something you know, like a pin, and something you dont know, like a number generated in sync on a server and a device or “soft – token.”
***I am not affiliated with RSA in any manor, nor do I own any stock in said company.***

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...