
This announcement makes me wonder - Are there any banking laws to protect someone who loses money due to a hack?

The JS thing is a huge deal so someone might get their online banking credentials stolen and then account emptied. In which case, how helpful are the banks in helping to recover the money?

On the cryptocurrency side people need to secure their own money and ensure they don't open some shady ICO site. So stolen credentials means the money is gone forever.

Edit: FDIC insurance is applicable for the banks ie if the banks get hacked. The question here is on individuals getting hacked. I am not able to find if FDIC covers that.

Federal Reserve Regulation E covers bank account fraud. See page 13 of this PDF: https://www.federalreserve.gov/boarddocs/supmanual/cch/efta....

Basically your fraud protection involves your responsibility to notify the bank, and the bank's responsibility to refund the money if you notified them in time. Check your statement or balance at least once every 60 days and report fraud immediately, and you can't lose more than $500.

Fraud and theft are not covered by FDIC insurance. FDIC insurance protects your balance, up to a limit, if the bank fails or if there is a run on the bank.


OK, so that sounds like it would work out well in the case of ordinary fraud. You notify the bank in timely fashion, and the bank covers it.

But in the case of the bank being hacked, I could imagine it affecting enough accounts that the bank cannot cover it. Would that count as the bank failing (or perhaps a run on the bank?), and so then be covered by FDIC insurance?

Finally, suppose the hack is a case of financial terrorism. Say, a state sponsored group is trying to undermine confidence in the banking system and so wants to be as disruptive as possible. Instead of just getting in and stealing some money, they have been in for months and have been sabotaging things. They mucked with the backup procedure to make it so the backups are corrupt, and the bank unwisely did not do actual restore tests on samples to check things. Finally, the hackers set everyone's account balance to zero (or more fun, delete everyone's account).

So now my bank has no idea how much money I'm supposed to have (or even if I'm a customer). They fail and FDIC steps in. Do the banks have to periodically give the FDIC or other regulators lists of accounts and balances, so that FDIC would be able to at least figure out things up to the last month, say, or would the FDIC also have no idea who gets what?


> So now my bank has no idea how much money I'm supposed to have (or even if I'm a customer). They fail and FDIC steps in. Do the banks have to periodically give the FDIC or other regulators lists of accounts and balances, so that FDIC would be able to at least figure out things up to the last month, say, or would the FDIC also have no idea who gets what?

When I was running an exchange, which is far from a bank but already has annoying scrutiny:

We were required to have a feed of all the transactions to an off-site location. Then we had to store offline archives and off-site archives.

The location must be within the jurisdiction of the regulator so they can send the police to the datacenter, seize all the hardware and reconstitute the balances.


These things depend on jurisdiction and your particular contract, but in the western world generally some things apply:

  * transactions are printed physically (IIRC SEPA mandates this) (account balances can be recovered, like bitcoin)
  * accounts are insured up to some amount (will be covered by insurer provided bank cannot cover)
  * bank will cancel/refund transactions that happen x hours prior to proper notification of account compromise (details vary)


A few words as a sysadmin:

* offsite backups

* verified offsite backups (not saying this happens everywhere but I'd expect banks to have some kind of routines)

A few words as a news reading citizen:

* force majeure

* Fannie Mae and Freddie Mac


> verified off-site backups

So important... I can’t tell you how many times I’ve come across a database backup process where either the cron had been failing for months, it wasn't backing up all the data, or it was simply corrupted.

Not only verify your backups, but make sure you know your restore process too!

You’ve got to trust that our banking systems do this thoroughly though ... amirite?!1!!
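The three failure modes named above (a backup cron silently failing for months, a backup that misses data, a backup that is corrupt) plus the "actual restore tests" point from earlier in the thread, as an added example that is none of the commenters' code: a Python checker for a SQLite snapshot that tests freshness, performs a real restore into a fresh database, and compares per-table checksums against the live copy. The ledger schema and rows are constructed for the demonstration; the thresholds and function names are assumptions.

```python
import hashlib
import os
import sqlite3
import time

def make_sample_db(path):
    """Constructed stand-in for a core ledger database (sample rows, not real data)."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, balance_cents INTEGER);"
        "CREATE TABLE ledger(id INTEGER PRIMARY KEY, account_id INTEGER, delta_cents INTEGER);"
        "INSERT INTO accounts VALUES (1, 'alice', 10000), (2, 'bob', 2500);"
        "INSERT INTO ledger VALUES (1, 1, 10000), (2, 2, 2500);")
    conn.close()

def backup_db(src_path, dst_path):
    """Consistent snapshot via SQLite's online backup API: what the cron job should do."""
    src, dst = sqlite3.connect(src_path), sqlite3.connect(dst_path)
    src.backup(dst)
    src.close(); dst.close()

def table_checksums(conn):
    """Map each user table to (row count, SHA-256 of its rows in rowid order)."""
    out = {}
    for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        rows = conn.execute(f'SELECT * FROM "{name}" ORDER BY rowid').fetchall()
        out[name] = (len(rows), hashlib.sha256(repr(rows).encode()).hexdigest())
    return out

def verify_backup(live_path, backup_path, max_age_hours=24):
    """Return the problems found; [] means fresh, restorable and complete relative to live_path."""
    problems = []
    # 1. Stale: a cron job that has been silently failing for months leaves only an old file.
    if time.time() - os.path.getmtime(backup_path) > max_age_hours * 3600:
        problems.append("stale")
    # 2. Restore test: check the file's pages, then actually load it into a fresh database.
    try:
        src = sqlite3.connect(backup_path)
        if src.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise sqlite3.DatabaseError("integrity_check failed")
        restored = sqlite3.connect(":memory:")  # throwaway restore target
        src.backup(restored)
        got = table_checksums(restored)
    except sqlite3.DatabaseError:  # not a database, torn pages, unreadable schema...
        return problems + ["corrupt"]
    # 3. Completeness: every live table must be present with identical contents (assumes the
    #    live DB is quiescent; a real job would compare against a sibling snapshot instead).
    live = table_checksums(sqlite3.connect(live_path))
    for name, sig in live.items():
        if name not in got: problems.append(f"missing table: {name}")
        elif got[name] != sig: problems.append(f"mismatch: {name}")
    return problems
```

Run it from cron after each snapshot and page on any non-empty result; a backup that has never been restored is just a file.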


> The JS thing is a huge deal so someone might get their online banking credentials stolen and then account emptied. In which case, how helpful are the banks in helping to recover the money?

Completely. These are banks we're talking about, not bitcoin exchanges.


Well, when the account is emptied, the money will be going places. Seems like a similar scenario to someone stealing your credit card.


Money in banks is FDIC insured. I believe that protects it from things like hacks, even if the bank itself went bankrupt.


FDIC insurance doesn't cover theft or fraud. It covers your balance (up to a limit) if the bank fails. There are separate regulations for fraud.


But presumably it does cover your balance if the bank fails because it can't cover a large loss to fraud?


The loss in case of fraud against the customer or losses due to a hacked customer is entirely the customer's loss. The bank does not care; they don't have any loss. Spectre is an attack against the client and the customer is responsible for keeping his client secure. It's not the bank's device; they have no power over it.


That's not how it works though, people get hacked all the time and banks make their customers whole. You can literally leave your debit card on the street corner and you won't be liable for any fraudulent charges as long as you notify the bank of them.


Not in Europe in general. Chip and PIN leads to the assumption that you made the purchase or initiated the charge. In any case, card charges (or charges in general) are something entirely different than payments initiated from your banking client. Anyone can charge your account and you can dispute the charge. However, money sent from your account cannot actively be disputed. You can tell your bank that you accidentally transferred money and they’ll try and stop the transaction, but if it goes through, you need to retrieve the money from the person that got it. Banks will try to help in case of fraud as long as the money is in their reach, but will not make you whole at their expense.


For regular consumers, the FDIC insures up to $250k IIRC.


Insurance companies usually try to reduce/manage risk.

Does the FDIC have security / computer / process requirements for the banks which they insure against hacks?


I think that would be part of the FFIEC https://www.ffiec.gov


Would the FDIC cover losses?
