
Bank Not Responsible for Letting Hackers Steal $300K From Customer - locopati
http://www.wired.com/threatlevel/2011/06/bank-ach-theft/
======
trotsky
If my credit card company can manage to shut down my credit card and not
reinstate it until they talk to me because I make $300 worth of charges on
vacation, it should be reasonable to expect a bank to provide that kind of
anti fraud protection on commercial accounts. The difference is who is liable
- if the banks were liable like they are with credit cards they'd certainly be
much more diligent.

Banks, after all, pushed online banking with minimal client protections
because it was cheaper than paying staff.

The risks may have been minimal when online banking rolled out, but the world
has changed significantly in the last five years. The client is not secure,
and it is borderline unreasonable to expect them all to be in this day and
age. Pretty much any client machine will fall to a persistent targeted attack.
Two factor authentication should be mandatory for electronic transfers outside
of the institution.

~~~
jonprins
It's kind of crazy. I know that my battle.net account is more secure than a
lot of people's online banking credentials: not only do I need a user name and
password to access my bnet account, but my account is linked with a mobile app
that gives me a time-sensitive, one-time-use 8-10 digit security code.

Recently I had to wipe my phone without being able to get the serial number
information from the bnet app. It was kind of a pain, but I had to actually
scan and send in an image of my driver's license for them to release the old
authenticator from my account so I could attach a new one.

Think about that. An online gaming company is more secure about account
authorization than a lot of banks are.

~~~
seabee
The law doesn't care about their game's fictional currency. They have more
incentive to protect it than a bank has to keep real money as secure as
possible.

~~~
dlikhten
See my comment. This is all in the above-and-beyond category. HOWEVER note
that the profits Blizzard is seeing from battle.net may be more than the
profits of that entire bank. They have more clients, need a reputation, and
are in fierce competition. That bank may not be.

It is overall saddening that Blizzard, a game company, protects user data
better than a bank. HOWEVER note that this happened in 2009. I doubt Blizzard
was this secure back then. Also iPhone and Android were not as big then as
they are today, and they were more up-and-coming than anything.

~~~
alanfalcon
This is a tad off topic, but the iPhone authenticator was added early in 2009
(see: http://wow.joystiq.com/2009/04/03/battle-net-mobile-authenticator-hands-on/)
and the hardware fob was already in use well before that, with the same
stringent identity verification methods in place in case the authenticator was
lost.

Blizzard offers the best of both worlds in my opinion: the authenticator is
cheap/free and optional so you can choose how secure you want your account to
be. Though, as noted, it's expensive for Blizzard to restore all the hacked
accounts, so they have incentives (free Corehound pet, for example) if you opt
in to have an authenticator on your account.

------
run4yourlives
If you actually RTFA, it was the client that was hacked, not the bank. The
client's passwords were compromised, and then the bank's services were
accessed normally with the compromised passwords.

The client's logic is that the bank should take the loss for this. I know we
all hate the banks but seriously? You get hacked and suddenly the service I
provide to you being compromised is my fault?

Sorry, the judge is right here.

~~~
enjo
Maybe banks should be responsible for stronger protection than a simple
password?

~~~
chriserin
Along those same lines, if a hacker took advantage of a vulnerability in the
bank's application, but only after gaining access to that vulnerability through
credentials stolen from a client/customer, is the client responsible for weak
credential protection in that instance as well?

This is a slippery slope.

~~~
run4yourlives
That would probably be awarded 50/50.

~~~
tptacek
If the theft was abetted by a product fault in the bank's own code, my guess is
that the client would get 100% + legal fees.

------
AJ007
This is very common. By law, a bank is not responsible for theft from
commercial bank accounts. Personal accounts however, are protected.

From what I've seen based on other cases:

#1. Never use a small/local bank. These guys are the worst and have generally
pathetic or rarely enforced security policies in place.

#2. Do your banking off a boot disk if you're not certain about your system's
integrity. (Why you are using a questionable machine in the first place is a
whole other story.)

#3. Try to avoid letting your business checking account get unnecessarily fat.

The fact is banks lose money. Going back to #1, most of the at risk banks in
the United States are the small local ones (The FDIC is still regularly
seizing banks.) Forget hackers, you could very well have $300k "stolen" out of
your bank account if the FDIC shuts your bank down one Friday afternoon.

If you want to read more about this, I'd recommend krebsonsecurity.com. Brian
Krebs has done a great job of covering this issue for quite some time -- in
fact he has his own opinion of this court case written up now.

~~~
keltex
Clark Howard (the consumer radio personality) recommends that businesses use a
separate computer for all bank related transactions. And that computer isn't
used for email or other web access.

You should also contact your bank and request double or dual authentication on
any wires. If your bank doesn't offer this, then get a different bank.

http://www.clarkhoward.com/news/clarkhoward/business-entrepreneurs/simple-computer-safeguards-for-small-business/nFD8/

~~~
run4yourlives
You could probably just use a bank that utilizes tokens or some other two
factor authentication.

~~~
marshray
What if the malware on the PC lets you log in and then takes over the session?
Yeah, it happens.

I develop on a system (PhoneFactor) where the bank now confirms the details of
a transaction (amount, dest account number, etc) over an out-of-band channel.

I really think this is where the world is moving. The current concept of login
sessions is going away, e.g., mobile phones keep browser sessions open
practically forever. Login credentials will eventually only protect the
viewing of data, things that could cost money will be subject to additional
authentication.

But the party whose interests are most protected will be the party that's
purchasing and deploying the authentication system. This is usually not the
party with the most to lose, and almost never the end user.

------
ck2
ACH is still stuck in the 1970s (along with banking mentality).

You should definitely be able to whitelist and blacklist ACH transactions on
your bank account, but nope, anyone can just take the magic digits off the
bottom of any one of your checks and help themselves.

But why the heck doesn't a bank have software that sets off alerts when more
than $100k is drawn from an account? Even $10k transactions have to be
reported to the government, so why not also notify the customer and bank
management?

Also, why in 2011 does it take 5 days officially to clear ACH?
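
As an added illustration (not code from anyone in the thread), here is what the whitelist/blacklist and large-debit alerting ck2 asks for, combined with the out-of-band confirmation marshray describes: a confirmation code is bound to the amount and destination, so a code issued for one transfer cannot approve a transfer whose details were swapped by malware holding the session. Account numbers, thresholds and the HMAC key are constructed placeholders.

```python
# Added example: risk screening for outbound ACH debits plus an out-of-band
# confirmation code bound to the transaction details. All values constructed.
import hmac
import hashlib
from dataclasses import dataclass, field

ALERT_THRESHOLD_CENTS = 100_000_00      # "more than $100k" from the thread
OOB_KEY = b"constructed-demo-key"      # per-customer secret held by the bank


@dataclass
class Account:
    allowed_dest: set = field(default_factory=set)   # whitelisted destinations
    blocked_dest: set = field(default_factory=set)   # blacklisted destinations


@dataclass
class AchDebit:
    txn_id: str
    amount_cents: int
    dest_account: str   # constructed "routing:account" strings


def screen(acct: Account, txn: AchDebit) -> str:
    """Classify a debit: 'block', 'confirm' (needs out-of-band approval), or 'allow'.

    Anything to a blacklisted destination is blocked outright; anything to a
    destination not on the whitelist, or above the alert threshold, must be
    confirmed by the customer over a separate channel before it is released.
    """
    if txn.dest_account in acct.blocked_dest:
        return "block"
    if txn.dest_account not in acct.allowed_dest or txn.amount_cents > ALERT_THRESHOLD_CENTS:
        return "confirm"
    return "allow"


def confirmation_code(txn: AchDebit, key: bytes = OOB_KEY) -> str:
    """Short code the bank sends out of band (SMS, voice call, app push).

    It is an HMAC over id, amount AND destination, so a code the customer
    approved for one transfer is useless for a transfer with altered details.
    """
    msg = f"{txn.txn_id}|{txn.amount_cents}|{txn.dest_account}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def approve(txn: AchDebit, presented_code: str, key: bytes = OOB_KEY) -> bool:
    """Release the debit only if the presented code matches the details as submitted."""
    return hmac.compare_digest(confirmation_code(txn, key), presented_code)
```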

~~~
kevinpet
It takes 5 days to clear ACH because "hey we took this money, you have 5 days
to let us know if that's okay" is the authentication.

~~~
ck2
Except when you transfer money into PayPal, they make you wait 5 days but I
see the bank clear the money in 24-48 hours.

------
raganwald
IANAL, but in dealing with some banking software, the situation was explained
to me as "Devil take the hindmost." In other words, no bank wants to be the
one that implements the worst security, or security that is dramatically worse
than "average," whatever that might be.

So for example if all the banks offer four digit PINs, there's not much need
to offer six, eight, or ten digit PINs. But if a sufficiently large number of
banks start offering ten digit PINs, no bank wants to be left behind, because
at some point a customer will sue them and claim that they knowingly have
lower standards.

This is purely anecdotal, but this is how it was explained to me when the
product managers for a new product were trying to balance ease of use and
accessibility against strength of security.

------
crikli
I'm ambivalent about this one.

On one hand, I hate banks. They treated me like shit when I was penniless, now
that I have a couple to rub together they won't let me cash a check without
trying to suck-up their way into some new type of account. Ocean Bank failed
to protect their customers' money; I don't see the difference between the
FDIC protection afforded depositors in case of physical robbery and the
protection that depositors should have from digital robbery.

On the other hand, there's no law, case or otherwise, that makes the bank
specifically liable. So the judge has no basis on which to hold the bank
accountable.

They "should" be liable, but it's an ethics issue, not a legality issue. I'm
not about to expect a bank to be ethical.

This kind of thing makes me thankful for Wells Fargo. Their fraud/theft
detection system is tops and has saved us from fraudulent charges in at least
two instances.

~~~
cheez
> They treated me like shit when I was penniless, now that I have a couple to
> rub together they won't let me cash a check without trying to suck-up their
> way into some new type of account.

Haha, I thought it was just me. "Why are you people being so nice to me all of
a sudden???"

With regards to the article, I think that they ignored the alarms is
important. I once took out $5K cash for a transaction where I had to show some
money and an internal this-is-not-normal alarm went off. While it was an
inconvenience, I'm glad that the bank did not let me walk out with the money
without checking up on me. So I think that the bank from the article was very
irresponsible.

I hope that the soon-to-be-ex-customer of the bank publicizes this issue with
the media even more. This is the only check on their carelessness.

~~~
crikli
> I once took out $5K cash for a transaction where I had to show some money
> and an internal this-is-not-normal alarm went off. While it was an
> inconvenience, I'm glad that the bank did not let me walk out with the money
> without checking up on me. So I think that the bank from the article was
> very irresponsible.

I agree 100%; I know it can be done because I've had similar experiences with
WF. We have been traveling and I've gotten phone calls from them within 5
minutes of a transaction saying, "hey, we just want to make sure this is
legit."

The fact that they ignored the alarms is important and I agree, negligent. But
it doesn't look like it was enough for the judge to find them liable and more
importantly, make it stick and not get flipped on appeal.

------
lawnchair_larry
It's the bank's fault simply because this system has been broken for at least
a decade, they know damn well it is broken, but they don't make as much profit
if they invest in fixing it.

This won't change until it becomes more expensive for them to leave it unfixed
- either by market forces, or by regulation.

------
ImJasonH
Mitchell and Webb have a great bit on this:
<http://www.youtube.com/watch?v=CS9ptA3Ya9E>

------
mediasavvy
Clearly the bank's customer has some responsibility here.

But it's not clear that the bank gave its customers the backup they needed in
the event that an account is compromised. And accounts will be compromised.

Only the bank can improve the security of large electronic transactions. And
if the bank is not held responsible, they have no incentive to do so.

~~~
chriserin
Bank customers that hear about this have an incentive to change banks though.

------
russell
IANAL, but I would suspect that the construction company has a
mediocre/inexperienced lawyer. Maybe this could be covered by check forgery
statutes or something that works by analogy. Back in the last century a friend
of mine won a case in CA where he was actually negligent himself. He was
remodeling his house and set up an account that the contractor could draw on.
The contractor took the money and ran. My friend sued the bank for negligence.
He won because the contractor had pulled the same scam before at the same
bank.

Maybe this guy sued in the wrong court: U.S. District Court vs. Maine state
court.

------
utefan001
US banks need 2 factor authentication. Do any banks on the east coast offer
this?

------
oasisbob
Some background: unlike PCI, which has very large specs for how to protect
cardholder data, banks have very little mandated requirements for protecting
online banking.

Really the only guidance they've received is the document "Authentication in
an Internet Banking Environment", released by the FFIEC in 2005. [1]

The mandate boils down to: "Financial institutions offering Internet-based
products and services to their customers should use effective methods to
authenticate the identity of customers using those products and services. The
authentication techniques employed by the financial institution should be
appropriate to the risks associated with those products and services."

So, if a FI provides basic personal online banking -- with no money transfer
abilities -- perhaps a username/password pair combined with pretend-MFA
("What's your favorite secret color?") is appropriate.

If you allow your customers to originate ACH or wire transfers, it's simply
negligent to not provide true MFA, and their auditors should have caught this
earlier.

[1] <http://www.ffiec.gov/pdf/authentication_guidance.pdf>

------
Derbasti
Banks in Germany are required to use two-step authentication and one-time
passwords for money transfers. Measures like this would have prevented that
'hack'.

I actually lived in the US for a while and the so-called security of American
banks was completely incredible to me. It is true, Steam, Battle.net and
Google accounts are significantly better protected than the US bank accounts I
had access to.

------
danneu
I actually find this ruling fair.

FTA: "But [the judge] nonetheless concluded that the law does not require the
bank to implement the “best” security measures available and that the bank is
clear to customers when they sign up about the level of security it provides
and the amount of liability it will assume if money is stolen from a customer
account."

------
bugsy
This was a bank robbery, and the customer is just out the loss for money taken
from the bank? That's a novel legal argument.

------
dminor
Of course (most) banks don't look very hard for suspicious money transfers -
they don't share much of the risk if a business account is hacked.

