
For starters, all the details on how that particular transaction was performed, timestamps, IP addresses, all the browser fingerprints visible in the logs of that request (they tend to be quite identifying), subpoenaed logs from the claimant's ISP.

They don't have to prove that it couldn't have been someone else, they have to convince the court that it's more likely than not. Motive matters a lot - if there's some way how that transaction would have been useful for a fraudster (i.e. if it was a money transfer to them), then it's one thing; but if there's no indication of why someone else would want to make the fraudulent trade (which is the case for most stock purchases/sells) and a clear motive why the claimant would want the trade to be reversed (i.e. the stock buy seemed good on that day but turned out to be bad afterwards) then if there's any technical evidence whatsoever pointing towards the claimant, it's hard to be convinced.

If data shows that the transaction is e.g. done from some Starbucks and local security cameras show the claimant near that Starbucks at that time, it's probably not enough to get a conviction but likely enough to make them lose the civil claim.

The criminal case would be expected to get much more evidence than an ordinary civil claim, so they'd likely wait for its results and use everything that the police/prosecutors gathered to dismiss their civil claim.



> For starters, all the details on how that particular transaction was performed, timestamps, IP addresses, all the browser fingerprints visible in the logs of that request (they tend to be quite identifying), subpoenaed logs from the claimant's ISP.

Again, the IP address would obviously be associated with him and the browser because that's how the vulnerability works. The attacker just has to get the victim to visit any website with a browser which has the cookies for the bank. So proving that the user's browser/machine/IP made the request does nothing to show that the user did so intentionally.

> Motive matters a lot - if there's some way how that transaction would have been useful for a fraudster (i.e. if it was a money transfer to them), then it's one thing; but if there's no indication of why someone else would want to make the fraudulent trade (which is the case for most stock purchases/sells) and a clear motive why the claimant would want the trade to be reversed (i.e. the stock buy seemed good on that day but turned out to be bad afterwards) then if there's any technical evidence whatsoever pointing towards the claimant, it's hard to be convinced.

It doesn't have to be done by a fraudster. The motive for the attacker could simply be to fuck with people. They don't gain anything but satisfaction from the fact that they were able to successfully exploit this vulnerability.


The attack would leave traces. Timestamps would show when exactly the request was made, ISP logs or data from the claimant's computer would show other requests in the same seconds (i.e. wherever the victim got served the malicious link); sending the img link by email would be visible in that email; getting the user to view a malicious post on some webpage/forum/etc. is likely to leave evidence there.

In general, you make good points, they are believable and likely would be made if such a court case happened. In the absence of hard evidence, if they seem slightly more believable than whatever story the company presents, the claimant would win; if they seem slightly less believable, the claimant would lose. In a civil claim, the company needs to prove that it was authorised only just as much as the claimant needs to prove that it was not, it's a somewhat symmetric contest - simply claiming "I didn't authorise it" is effectively countered by claiming "Yes you did", and simply moves the discussion on to further investigation.

The motive could be just a prankster messing with people, but it's a much less convincing motive than an obvious benefit. If the transaction is one where you clearly lose money and someone (possibly anonymous) gains it, it's easy to make the case that you were hacked. But, for example, if the claimant had previously unsuccessfully complained to the company about the theoretical possibility of such a vulnerability, and then complained that a seemingly random transaction is unauthorized, I'm fairly sure that any decent lawyer would successfully convince the court that "a prankster did it" is comparable to "the dog ate my homework" and it's a bit more likely that they orchestrated the claim themselves to mess with the company. Getting 51% of belief is preponderance of evidence, and sufficient in a civil trial.

And in any case, all this wouldn't be "simply claim" - seriously making such a claim would require a significant investment of time and money from the claimant. It's not something most people would do for fun. Some would do it to make a point, but that's quite a niche hobby.
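A defender-side illustration of the point the last two comments argue over: in a cross-site request forgery the IP address and browser fingerprint in the bank's logs are the victim's either way, so what actually distinguishes an img-triggered trade from a user-initiated one is the provenance the browser attaches to the request (Origin on form POSTs, Referer on subresource loads), which points at the page that served the malicious link. This is an added example, not code from the thread; the host name, endpoints, log format and log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed application host and state-changing endpoints (not from the thread).
BANK_HOST = "bank.example"
STATE_CHANGING = ("/trade", "/transfer")

# Assumed log format: ip [timestamp] "METHOD path HTTP/x" status referer="..." origin="..."
LINE_RE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) referer="(?P<referer>[^"]*)" origin="(?P<origin>[^"]*)"'
)

def host_of(url):
    """Hostname of a URL, or None when the header was absent/empty."""
    return urlsplit(url).hostname if url else None

def classify(line):
    """Label a state-changing request by where the browser says it came from."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["path"]).path
    if not path.startswith(STATE_CHANGING):
        return None  # reads of the portfolio page etc. are not interesting here
    # Origin is authoritative when the browser sends it (form POSTs, fetch/XHR);
    # an <img>-triggered GET carries no Origin, so fall back to Referer.
    source = host_of(m["origin"]) or host_of(m["referer"])
    if source is None:
        # No provenance at all: a typed URL and a Referer stripped by policy look alike
        label = "unknown-origin"
    elif source == BANK_HOST:
        label = "same-site"
    else:
        label = "cross-site"
    return {"ts": m["ts"], "ip": m["ip"], "path": path, "source": source, "label": label}

# Constructed sample: same client IP, three requests to the trading endpoint.
SAMPLE_LOG = """\
203.0.113.7 [10/Oct/2023:14:02:11 +0000] "POST /trade HTTP/1.1" 200 referer="https://bank.example/portfolio" origin="https://bank.example"
203.0.113.7 [10/Oct/2023:14:05:42 +0000] "GET /trade?sym=XYZ&qty=1000&side=buy HTTP/1.1" 200 referer="https://forum.example/thread/123" origin=""
203.0.113.7 [10/Oct/2023:14:05:42 +0000] "GET /trade?sym=XYZ&qty=1000&side=buy HTTP/1.1" 200 referer="" origin=""
"""

def cross_site_trades(log_text):
    """Return the state-changing entries whose provenance is another site."""
    entries = [classify(line) for line in log_text.splitlines()]
    return [e for e in entries if e and e["label"] == "cross-site"]
```

Modern browsers also send Sec-Fetch-Site, which answers the same question without relying on Referer; the standard prevention is a per-session anti-CSRF token (or SameSite cookies) on every state-changing request, which also makes the log evidence unambiguous.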


Do ISPs keep detailed logs as far back as 2005?


Nope, but if you reported that you just noticed a fake stock deal made 12 years ago on an account that you actively use, you'd have an uphill battle proving that it really was unauthorised, and the lack of logs would only make it harder for you.
