Bank not Responsible for letting Hackers steal $300K from Customer

"A judge in Maine has ruled that a bank that allowed hackers to steal more than $300,000 from a customer’s online account isn’t responsible for the lost money, saying the customer should have done more to protect the account credentials." :

http://www.wired.com/threatlevel/2011/06/bank-ach-theft/

 

From the link,

 

For those with nothing better to do, the 70-page order is here:
-http://docs.ismgcorp.com/files/external/Order-MSJ-052811.pdf-

 

And here's a lawyer's POV:

from here:
-http://www.bankinfosecurity.com/articles.php?art_id=3705

There's also a bit about whether the bank's security truly used multifactor authentication.

 

Not a big deal. Banks also aren't responsible when you get mugged. Banks also aren't responsible when they get robbed (their money is insured and will be replaced.) Banks also aren't responsible for identity theft.

 

Seems like banks, & especially THE Bankers are not responsible for anything these days

Of course THE Bankers were/are not responsible for the worldwide financial mess THEY create, & we are in right now, & have been for over 3 years, & getting worse Every day. Oh no that Them, must have been "Some" other people then

 

What's going to be done about the hacker?

 

I find this rather strange. I spoke to my bank some time ago about this type of scenario: stolen user ID and password. I was told that setting up a transfer account requires other authentication (I won't go into it) and no way could an unauthorized person just push buttons to transfer money to his/her own destination.

I'm going to show this article to my bank and get further clarification on how something like this could or could not (hopefully could not) happen to me and my bank!

Of course, Patco should be taken to task for not having security in place to prevent Zeus trojans from surreptitiously installing!

If I were the company CEO I would fire the System Administrator!


regards,

-rich

 

My bank uses a user name n password for login. login needs a virtual keyboard rather than actual keyboard. Login is two step. First step u put user name and password. Then they send a special code on ur cell phone no( ur own cell phone registered with ur bank), in 2nd step u enter this special code and only then u can access ur account.

For transactions, first u make the transaction, then u call the bank and identify urself and tell them u have made a transaction like this n this, they will verify and then complete the transaction.

Bill payments etc don,t need such phone calls though.

 

In my case, I have two passwords. On is enough if I'm just viewing my account. The second has to be entered if I'm doing a transaction. If it's not a utility bill payment or to a predesignated payee, I'm sent a code by SMS which I have to enter.

 

Yes, I just forgot to mention that I have a 2nd password too that I need to enter to confirm any transaction, bill payment etc.

 

More outrage over the judgement:
http://www.ghacks.net/2011/06/09/banks-not-required-to-utilize-the-best-security/

I like the way "best" security is being batted about. As though there are absolute standards defining "best", not to mention the variability introduced by less-than-the-best customers.

 

There are definitely standards...

 

Like people agree on which is the best / safest
browser
firewall
AV
linkscanner
etc

Forgot to mention OS

 

They are responsible if someone comes in and physically robs them. How is this different? I thought that is what FDIC was for.

 

Because if I walk into a bank, type in my pin code, walk away and someone steals my money they aren't responsible.

Just because the money is stolen doesn't make it the banks responsibility.

 

There are well defined security standards and it has nothing to do with anything you've mentioned.

 

If they had poor security it is their fault imo.

 

The problem is so widespread (Brian Krebs has been following it for a while, just browse through: http://krebsonsecurity.com/category/smallbizvictims/ ) that it indicates that there is an endemic security problem with the system. Windows is not secure (sorry, it's true, every single case of this was a Windows box), and it should be the banks responsibility as the central point in this system to utilize a higher level of security than they do at present. But since that costs money, as long as they are not held liable there is no incentive for them to do so.

 

Whose money? If I loan you $100, that $100 becomes your money. If you get mugged, that does not wipe out your debt with me. You still owe me. How well you protected your $100, and how diligent your security was is not my concern, because that money was your property while it was in your possession.

If I deposit $100, the $100 is the banks money (because they can invest some of it to help pay their expenses - they are not literally holding cash equal to all clients account values). At that point the bank has $100, I have zero, but the bank owes me $100. If the bank gets mugged, I still expect them to pay their debt to me.

If you think otherwise, suppose Peter, Paul, and Patrick each deposit $150, $200, and $500, respectively. Then the bank is robbed for $123.46. Who do you think lost what amount? Can the bank just say, sorry Peter, that was your $123.46 that got stolen.. Paul and Patrick are lucky.

 

What about those blokes who had the $1000 transfer to their account link hidden on the banks website?

 

A similar case in a Michigan court just went the other way
http://krebsonsecurity.com/2011/06/court-favors-small-business-in-ebanking-fraud-case/

 

Can't understand why people do banking from within a browser. I mean do you see any bank atms directly connected to the internet or any of they're networks that contains their databases? i will never do internet banking. I get in my car and drive to the bank or go to the closest atm. I love my lil bit of money I got left too much

 

Some of us live a bit to far away to get in the car and drive to the bank.

Now I do drive to my local bank, but I do have accounts on the other side of the big pond.