Jeez, insurance companies are all the same. Regardless of whether you're an individual or a bank with millions on the line... you get treated with the same sleight of hand and nonsense interpretations of reality.
> those exclusions rules out coverage for any loss “resulting directly or indirectly from the use or purported use of credit, debit, charge, access, convenience, or other cards . .
How could a spear phishing campaign using malware that hijacked critical parts of the bank's infrastructure not be part of the C&E coverage, and merely 'debit and credit'? The last part was merely how the money was exfiltrated. But the entire crime was the result of the intrusion.
This seems like an easy to win case to me. But who knows.
It's usually something similar to this, for example a policy with a clause saying we always cover if X and another clause saying we never cover if Y, when both X and Y are true. That kind of thing.
My favorite example along these lines is the insurance for the World Trade Center disaster, which hinged on a question of whether the 9/11 attacks were one event or two, since of course it was two separate planes taking off at different airports piloted by different terrorists.
No matter how much you plan ahead and try to use definitive language it's usually possible to end up in a spot where it's still a matter of debate.
In this case it's a lot of discussion of proximate cause (the phrase "but for" is the tell there) which is a standard feature of insurance claim arguments after some sort of major loss.
Typically what happens is each side assesses how close the other's argument is to compelling and then based on that both sides come to a settlement agreement.
People will argue anything.
I mean the Equifax security was laughable and no one got in trouble. I wouldn't be surprised if this case takes a complete 180 from common sense.
How do I even know whether my bank has good security? Cyber-security being such a major threat, I would be willing to change banks if my bank is proven to have crappy online security.
Case in point: ETRADE. Just received an update to the customer agreement. The definition of “Force Majeure Event” (unforeseeable circumstances) was updated to include cybersecurity incidents. Also this: ETRADE ... makes no representation or warranty of any kind ... with respect to security.
Here's the new force majeure definition:
> “Force Majeure Event” shall mean any act beyond E-TRADE’s control, including any earthquake, flood, severe or extraordinary weather conditions, natural disasters or other act of God, fire, acts of war, acts of foreign or domestic terrorism, insurrection, riot, strikes, labor disputes or similar problems, accident, action of government, government restriction, exchange or market regulation, suspension of trading, communications, system or power failures, cybersecurity incident, and equipment or software malfunction.
Here's the new force majeure clause:
> No Liability for Indirect, Consequential, Exemplary, or Punitive Damages; Force Majeure
> In no event shall any E-TRADE Indemnified Parties be held liable for (i) indirect, consequential, exemplary, or punitive damages or (ii) any loss of any kind caused, directly or indirectly, by any Force Majeure Event, and the Account Holder unconditionally waives any right it may have to claim or recover such damages (even if the Account Holder has informed an E-TRADE Indemnified Party of the possibility or likelihood of such damages).
Wow. First they define acts beyond their control to include things clearly within their control. Then they say they're not liable for "any loss of any kind" resulting therefrom.
These contracts are maddening because they won't be enforced as written until they are. Until a loss due to an avoidable issue costs them more to cover than it does in reputational damage. So it doesn't get reported because it doesn't feel like a real policy.
New York law applies here. If you sue them and lose, you pay their attorney fees. You've waived the right to a trial by jury and have likely agreed to forced arbitration unless you've explicitly opted out (see last page).
While the contract states that, that part should actually be unenforceable unless a certain set of conditions is in place.
As I noted in another post, it's important for people to review the rules of the governing arbitration forum. That said, law is more an art than a science and weird determinations are often made when major $$ and entrenched interests are involved.
edit: speaking only in regards to arbitration
The logical maneuvering the insurance companies employed to avoid paying their shares would have been awe inspiring to behold if I was not personally involved and therefore caught in the middle of a devastating situation.
If I learned anything, it’s that marketing B.S. and testimonials mean absolutely nothing when a transportation company is at fault after an accident. Also, always insure your classic automobiles with “agreed upon value” policies. This way you are covered to some reasonable fraction of your restoration outlay...otherwise you end up cry-laughing when the low-ball, hand-selected comparative values show up for significantly under the value of your receipts.
I don't really trust them to keep my money safe (nor do I trust myself, exactly, but I'm in a remote location and an unlikely target).
Easy. Don't keep it all in one place.
Also, don't you care about interest or capital gains?
The interest rate on savings is under 3%. It's like paying that amount on an insurance policy to guarantee that your money isn't stolen by the bank or through the bank's negligence. And considering how banks behave these days, that's not a crazy investment.
It's shocking how many people make this error. Walter White buries millions of dollars in only one spot in Breaking Bad. People make only one copy of their cryptocurrency wallet seed. People have only 1 bank account. Etc.
It’s a pretty sweet deal so I’m wondering if there isn’t anything like that in the US. With SV I’d be very surprised if the U.K. is pioneering this.
Retail banking is pretty heavily regulated in the US so maybe that's the issue? I've seen a lot of startups in other banking areas, like Mint or Square, but none for checking/savings accounts.
More here: https://www.moneycrashers.com/best-free-checking-accounts/
FDIC insures deposits in U.S. branches up to $250k per account, IIRC;
SIPC covers securities held by brokerages, (forget the amount).
Vanguard's user agreement says this:
Data security is, of course, a top priority. To mitigate computer virus attacks and other acts of cyberterrorism, We have implemented controls monitored by a dedicated team of information security specialists. We also maintain a network of redundant systems, off-site data storage, and off-site tape vaults to ensure that all source data are recoverable in a disaster.
The attackers likely avoided that route because it would be easy to trace.
That’s likely the same reason that the insurance policy has special treatment for debit card/ATM incidents, because those sorts of transactions are more difficult to trace and therefore have a higher risk classification.
The fact there were two similar incidents 8 months apart tells me there was a fundamental security issue which wasn't addressed correctly.
It's possible, but the only evidence we have is that insurance companies want to avoid the payout, not that poor practices impacted premiums at all. Given what I've seen from security audits of the past, particularly when influenced by non-security professionals (such as the accountants in this scenario, both the insurers and the insured), I have little faith that if insurance companies dictate the practices that we'll get actual useful security increases, but plenty of extra bureaucratic hoops that will result in the same "productivity vs security _risk_" dilemma we have now, except the CBA changes to "is the hit to our productivity worth this hoop compared to the cost our lawyers would involve to prove this hoop was unnecessary or unrelated times the likelihood that it comes up"
What about Equifax?
The things actually specified in the contract, taking account the exclusions?
That said, if too many "hacking insurance" policies fail to pay out, businesses are going to be less keen to use them.
Did you read this bit:
> The second exclusion in the C&E rider negates coverage for “loss involving automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans . . ..”
And never lose the opportunity to blame 'Russian' hackers.
“Foregenix .. determined the hacking tools and activity appeared to come from Russian-based Internet addresses .. according to the bank Verizon’s forensics experts concluded that the tools and servers used by the hackers were of Russian origin”
They're clever enough to hack a bank but not clever enough to disguise their IP address.
We expect the NSA to be compromising foreign systems. We don't expect them to be doing this with them.
I suspect it had to have been people in on the scam because I don’t see how you could conceivably convince strangers to withdraw cash for you at that scale without raising eyebrows.
It also seems like you'd need a lot of domain knowledge to make this happen. If you gave me an open machine in a bank I'd have no idea what to do.
> The bank’s complaint against Everest notes that the financial institution doesn’t yet know for sure how the thieves involved in the 2017 breach extracted funds. In previous such schemes (known as “unlimited cashouts“), the fraudsters orchestrating the intrusion recruit armies of “money mules” — usually street criminals who are given cloned debit cards and stolen or fabricated PINs along with instructions on where and when to withdraw funds.
The book "Kingpin" talked about how most of the people doing the withdrawing of cash were usually "mules" who were in on the scam. They'd withdraw the money, get a small cut and send the rest to a middleman.
The book itself goes into a lot more detail on how it worked:
It goes back at least to 2009 (Worldpay US) and possibly before that.
The ATM element is important as one of the hardest parts of electronic bank theft is getting the money out of the banking system in an untraceable form.
If you go to https://www.verizonenterprise.com, it redirects to http://
*edit: the quality isn't necessarily the best
Certainly BT security had a bit of a rep - not always in a good way :-)
Wow. One incompetent company leading another incompetent company. What could possibly go wrong?
I don’t have hope for these types of companies. Their security is a joke. Their industry security is a joke.
Verizon has a reputable security consulting arm that competes with Bishop Fox, FireEye, Rapid7, NCC Group, and other recognized computer security firms. Verizon is a massive company and isn't just wireless and home internet.
Either up your security so Verizon is finally considered a credible brand, or spin the security business off as a separate entity.
Such negligence tends to make me wonder if it's to leave open the possibility of some easy insurance fraud. In this particular case, that seems to have backfired with supposed hackers arriving first, and the insurer sleazily wiggling out of their own obligations.
At a past job, we ran thousands of shared Linux servers for web hosting purposes. This was back in the early 2000s, and even then we had replaced all the installed shells with versions logging all interactive commands via UDP to a centralized syslog server. There was a simple IRC bot filtering the logs and echoing suspicious stuff into an IRC channel we monitored. Things like attempts to gain root, looking at /etc/passwd, lines starting with "./", running known IRC bouncers or other script kiddie activities would be clearly visible and someone would intervene.
That was just a web hosting company with a small team and quite limited resources. I expect better from these national financial service providers, this is just pathetic.
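A toy version of the command-log filter described above, as an added example (not the poster's code): a few constructed shell-log lines in an assumed "host user command" format are run through rules for the classes the comment names (root attempts, /etc/passwd reads, "./" execution, known bouncers); the rule names and the bouncer binary names are assumptions.

```python
import re
from collections import Counter, namedtuple

# Constructed sample lines; the "<host> <user> <cmdline>" layout is an
# assumption about what the logging shell emitted, not the original format.
SAMPLE_LOG = """\
web01 u1234 ls -la public_html
web01 u1234 cat /etc/passwd
web02 u5678 ./exploit
web02 u5678 su -
web03 u9012 sudo -i
web03 u9012 ./psybnc
web01 u1234 tail -f logs/access.log
"""

Alert = namedtuple("Alert", "host user rule cmdline")

# Rule classes from the comment; bouncer names are assumed examples.
RULES = [
    ("root-escalation", re.compile(r"^(?:su|sudo)\b")),
    ("passwd-read", re.compile(r"/etc/(?:passwd|shadow)\b")),
    ("local-exec", re.compile(r"^\./")),
    ("irc-bouncer", re.compile(r"\b(?:psybnc|bnc)\b", re.I)),
]


def parse_line(line):
    """Split one log line into (host, user, cmdline); raises ValueError if malformed."""
    host, user, cmdline = line.split(" ", 2)
    return host, user, cmdline


def classify(cmdline):
    """Return the names of every rule the command line trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(log_text):
    """Run every well-formed line through the rules; malformed lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            host, user, cmd = parse_line(line)
        except ValueError:
            continue  # noisy or truncated UDP line: ignore rather than crash the bot
        for rule in classify(cmd):
            alerts.append(Alert(host, user, rule, cmd))
    return alerts


def repeat_offenders(alerts, threshold=2):
    """Users with at least `threshold` hits: the ones a human would look at first."""
    return {u: n for u, n in Counter(a.user for a in alerts).items() if n >= threshold}
```

Each Alert is what the bot would echo into the channel; `repeat_offenders` is the per-user tally a reviewer would want before intervening.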
At some point you really do need to give up on your fancy canaries, gateway and host IDS, perimeter blinky boxes, threat intelligence feeds, endpoint protection products, etc, and just start firing those in your employ who willfully and joyously thumb their noses at basic security hygiene.
You can't fix your security posture until you fix your update culture.
Until it's your top salesperson who 2x'd the quarterly revenue target... I'd like to live in a world where everyone knew basic security hygiene, but we have to teach it first, not punish.
> 8.2.4 Change user passwords/passphrases at least once every 90 days.
The consequences range in severity based on the number of times an employee is caught over a 12 month period, or if, as part of the attack, the employee enters their credentials on the webpage linked in the email (a big no-no). They range from: a meeting with your manager to discuss, a requirement to park outside the security gate and walk in for at least 2 weeks, to your vacation accrual rate being reduced, all the way to unpaid suspension or termination with 4 failures in 12 months.
Of course as part of the on-boarding process the company provides pretty extensive training on how to spot a phishing attempt but some attacks can still get a large portion of our company.
The downside is now some employees who have been burned before are terrified of opening any external emails. This ironically resulted in an exceptionally low participation rate in our company's annual employee engagement survey conducted by, you guessed it, an external party.
I think they have other mitigation strategies. Like probably quietly installing extra scanners on the email of the most "problematic" people who open anything and forward chain letters constantly.
In ancient times .exe were banned outright, and I have customers who also ban .zip. And a Word Doc with embedded macro is in effect an executable.
Accounts payable, for example, gets lots of these things as an expected part of the workflow, as does legal, and various parts of management.
PDFs have had problems of their own.
Many of the people that you most want to secure are the same people who need to be exposed to the outside world. The CEO and CFO HAVE to deal with random people, as it's the job, but they are the most dangerous. If someone needs a 5-step verification process that takes days to communicate with your CEO, then you are not going to get many new clients or investors.
Everyone knows that to get the Macro to work, step one is to enable all macros.
The old approach, which I used, was to use a mix of desktop and embedded boards physically separated with a KVM switch plus a controlled sharing mechanism. Just keep the untrustworthy stuff on their own machines. It's clunky but has a greater chance of working securely.
PS: Do they seriously have a system that can turn off the need to enter the PIN to withdraw money? Why?
You need the card (something you have, factor 1) and the PIN number (something you know, factor 2).
The only things I can think of that use one-time passcodes are the occasional password reset or login from a new device. Are there other uses I'm not aware of?
Some people I know are still not comfortable using an ATM, if you add passcodes they are going to have a very bad time.
However, if your system allows one to disable even the PIN code, that's pointless.
Because ATMs have daily withdrawal limits and security cameras. Neither are infallible but they limit and discourage fraud.
In the end, it's probably not a good idea, anyways.