Who's Really Responsible In Online Banking Fraud?
TheRealStyro writes "According to this article a Miami businessman is suing a bank because of a fraudulent fund transfer possibly caused by the coreflood virus/trojan. He claims the bank is responsible because the bank failed to protect him from known online banking risks. It is obvious that this guy should have had an anti-virus package active, but shouldn't the bank have questioned such a large transfer to a republic of the former Soviet Union (these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom)?"
I told you not to lock them in a room with computers. This is EXACTLY what I said would happen. *shrugs and walks off*
How could virus software prevent something like this anyway?
I'm betting if the Bank had called him questioning the transfer, the story would be: is the bank violating his privacy rights by questioning transfers?
That text in bold really caught my attention. How did an editor miss that?
... Slashdot is making a bold new move in its use of story formatting.
== Jez ==
Do you miss Firefox? Try Pale Moon.
Yeaaaaahhhhhhh! Road trip!
ROFLMAO
Linux, you magnificent bastard, I read the fucking manual!
What's with half of the story being bolded? I know the editors are lazy, but that lazy? I'm almost certain now that an XSS attack could be pulled off by submitting a story to Slashdot.
Maybe PayPal should be in charge.
Me: Hello paypal someone cracked your systems and stole my balance.
PayPal: Oh really? Tough Titties! *click*
Me: WTF Mate?
What could possibly go wrong?
What on earth does this have to do with everyone's favourite browser?
And tomorrow the stock exchange will be the human race
blah blah blah i am an irresponsible fool. blah blah blah someone else should pay because i don't have the capacity to face up to the result of my own foolhardy actions.
so using this logic then, if i make a bad investment through my online brokerage then Scottrade should pay because they didn't inform me that PalmOne's stock was overdue for a nosedive? right.
I went to my bank the other day to see if I could put a hold on all transfers of money coming out of my account with the exception of those going to two (and only two) credit card companies. Specifically I wanted to block all money going OUT to my paypal account (I only use the account to receive funds). They said they were not able to stop companies from transferring money out of my account if they had the proper information to do so.
What the hell?
Why not demand pre-verification on this sort of thing? Why not give the option to request a phone call confirmation of fund transfers, especially when the funds aren't simply going to Visa or the gas company? Or just allow me to set up a list of companies/websites that are permitted to transfer funds out of my account. There's no reason the banks can't set this up, it's not very difficult. If anyone knows of a national bank that has an option for something like this, I'd be glad to hear about it.
Bank of America does not.
--
RumorsDaily
No one cares about Mr. Lopez, because as he himself said, "It's peanuts." But if a whole bunch of people get together and sue, then we're talking multiple peanuts! But don't worry, here comes the U.S. Senate to the rescue! (Bank of America's rescue, that is...)
[o]_O
I hope this guy loses his case and gets fined for it. If you can't even be bothered to take responsibility for your own negligence/incompetence, you can't expect anyone else to.
In fact, sometimes I think there should be a LICENSE required to go online. There are just too many id10ts out there.
eTrade SUCKS
I am the cause of online banking fraud!!
I like suggestions, but I don't like contributing towards them.
I wonder if anybody has successfully sued a hotel because they got mugged in the hotel by someone who wasn't connected with the hotel? That sort of case would probably serve as a good precedent for this one.
I await the "In Soviet Russia, banks overdraft you!" comments.
There are 2 types of people in the world, those who find that stupid binary joke funny, and those who don't.
"It is obvious that this guy should have had an anti-virus package active, but shouldn't the bank have questioned such a large transfer to a republic of the former Soviet Union (these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom)?"
Seattle, Washington.
Shouldn't the front desk question things when a guy wearing a leather jacket, sunglasses and carrying a baseball bat walks past?
It's the same account numbers that allow for both the in-in' and the out-in'! :-) The trick is to use 1 bank account just to 'float' enough funds for what you need and transfer money into it as needed. Only give *that* checking account # info to your online partners; not your account chock-full-o'-money!
these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom
Wow, two pieces of pure flame BS in one sentence, AND not even in the article text. Worst of all, the author appears to not even know the meaning of the word "hacker" (hello? Is this /. or what?).
Yeah, if $90K were being transferred to the US that would have made it look so much more legitimate than to Latvia (which is, btw, probably the last country I'd think of when someone says "ex-USSR"). Notice that the recipient bank held $70K of those, too.
Have you people ever been to Latvia (the country in question)? It is by no means a country of "villainy and hackerdom", it is a member of the European Union, for God's sake! I sometimes have the feeling that many /. readers are still in the Cold War era with their mindsets. Even the article mentions how Latvia is "known" for its "cybercriminals" (and Latvia, mind you, is a very small country, compared to behemoths like Russia or Ukraine, where the real bulk of "cybercriminals" from the ex-USSR resides).
PS: And, yes, if you're wondering, I come from one of those "notorious" ex-URSS republics (Moldova to be more precise).
Doomie
Looks like I can now look forward to my bank, fearing lawsuits, withdrawing most of the functionality which makes my online banking usable without a ridiculous amount of runarounds, all because windows users insist on buying broken computers and then not learning how to use them.
I know it's not quite the same, but...
Bank of America's fraud detection group called me to verify a balance transfer from my Discover account... a $2100 transaction.
I wonder if this behavior was prompted by this lawsuit or what.
Hey, that's not a bad idea. A little bit complicated keeping enough funds in there, without leaving TOO MUCH, but it's still good.
--
RumorsDaily
Shouldn't Slashdot have questioned a ffp that uses italics and bold for its editorial?
That's not a soda... it's a caffeine delivery device!
Hmm.
My bank has advanced security. You get issued with a hardware device (fits on your keyring) that generates one-time-use passwords for you to use to log on.
Further, whenever a transaction occurs on any of your accounts, you immediately receive a text message on your mobile phone. If you didn't authorize the transaction, you can challenge it.
I'm not sure this guy has much of a leg to stand on.
A possible solution: Open a second account. Keep all your money in an account you NEVER give out the details about, and specifically make sure you don't have an overdraft facility on the account you do give out details for. Then you transfer money from the account you keep most your money in only as needed.
the monkeys wont tell!!
Maybe browsers really don't have the security required for online banking, especially when viruses are taken into account. Perhaps a move to dedicated software, with built in protection for this type of thing, or heck, even a dedicated hardware or an OS would be a good idea.
might have detected Coreflood. I went to Symantec and their AV seems to know about it (and several variants), so in *theory*, it would have been caught/removed.
Coreflood seems to allow remote access, so a *firewall* might have helped.
now, the *real* question: If it was indeed coreflood, did someone (a real person) surf his files looking for account info, did all (most, a lot, etc.) of his files get downloaded, or did coreflood have enough smarts to look for the account info?
I can't see how this is the fault of his bank except that maybe 'fraud detection' didn't work too well, but I don't know what it looks for. I see idiots like this guy all the time. 'No I don't want to pay for Antiviral, Antispyware, Firewall, Backups, etc'
eric
Access to my computer does not equate to access to my bank. How would this work?
Are we talking keystroke monitors or something?
Synergies are basically awesome, and they're even better when you leverage them. -PA
Should my bank analyse every transaction made on my account, and have free reign to investigate any of them?
I don't think I would like that. It feels too much like giving them a say in how I spend my money.
to YOU! The fact that when you deposit a check in your account and the bank won't credit it immediately. You know what I'm talking about... when a bank will wait for five business days to credit your account even though they got the money in about .75 seconds.
This is especially true now that Check 21 is in place.
A better analogy might be...
sue the hotel because they decided to ship your bags to some address in .ru while you were out to dinner just because someone called and knew your room number.
The problem is the bank decided to send your money somewhere you didn't explicitly ask for due to a dumb way of authorizing transfers.
(these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom).
...whereas Florida is known for clear dealing and upright denizens? Wow. Things have changed. Guess I'll go check out prices on swamp land.
Over here in Switzerland all banks use a strong authentication scheme to make sure only the owner of an account can get in. My UBS account has a challenge/response system (needs a special calculator and account-specific chipcard). My two other banks use a one-time pad where the same code is only valid for a single login. When the old pad is almost finished they just send a new one.
Simple passwords are just not safe enough on the internet. Unfortunately in the real world the real joe user is just not able to make absolutely sure that no cheating is going on.
The banks should at least take a part of the blame if they are too lazy to implement something safe.
Markus
My bank offers overdraft protection, which apparently means that if I write a check that is not covered by the funds in my checking account, they automatically transfer in the funds to cover it from one of my other accounts.
The one time I did manage to forget about a transfer to Paypal and ended up with insufficient funds for a subsequent check, my bank also still cheerily dinged me for a "bounced check" fee-- so I'm not entirely clear on what it is they're protecting me from, but still.
If your bank offers that, you might want to make sure that you can opt out of it if you're going to do the 'extra hidden holding account' trick.
What if this guy had left his ID, checkbook, ATM card, etc., sitting in his car... and didn't lock it? Or, locked it, but left the windows down, and did so in a risky neighborhood? Don't think the resulting mayhem would be the bank's fault.
Don't disappoint your bird dog. Go to the range.
This still does not prevent fraudulent transfers if you do online banking and your computer is taken over by a trojan. It should be possible for a bank to simply restrict some actions to certain accounts. The burden should not be on the customer.
ato
I don't have online banking, you Insensitive Clod! Oh wait, in this case, it is a good thing.
* Note the now-fashionable use of bold.
My damn bank (Chase, until I dumped them like a syphilitic ex-girlfriend) used to shut down my credit card whenever my erratic transactions triggered some kind of "unusual activity" alarm. All the time, without warning. And PayPal locked up a few thousand bucks on me for over a year, unilaterally, solely for that reason. These bloodsucking banks are always interfering with transactions for "unusual transactions"; why couldn't they stop this one? Because banks suck, and they're never accountable for anything.
--
make install -not war
I think you'll find this problem with a lot of banks. When it comes to security for transferring funds out of your account, banks have dropped the ball.
It seems to me that by allowing a compromised system into their network, the bank can't really claim that it is "not responsible for the loss because no one hacked into its system to initiate the wire transfer." I mean, from everything I've ever read about hacking, 99% of the time compromised middleman systems are used to do the hack, which is exactly what this appears to be to me. The only difference is that this hack attacked a more exposed portion of the network (the customer's system) first.
:-P
Of course, the bank is probably still going to win on this, but that excuse is BS. While I agree that Mr. Lopez should've been running a virus scanner, you'd think that they would flag transactions to Latvia; after all, my bank has prevented me from taking out cash at an ATM for far more trivial amounts just because it was an "unusual transaction." I'd imagine that $90K to Latvia probably qualifies as an unusual transaction.
(Unless, of course, Mr. Lopez is really an illegal arms trader or something.)
I believe that this is to facilitate a few things, such as:
* Easier to rollback "Oops, Wrong Account Number" problems.
* Easier to prevent the channelling of money to accounts from phishing victims (rough guess, if destination account is receiving several transfers in 24 hours, then raise red flag).
Of course, the cynical side of me thinks that it's just an excuse for the bank to use the money on the short term money market for an extra 24 hours. ;)
Boris.
Oh pleaze! Mine is so advanced that it catches you before you even think of turning to a life of crime.
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
I think out of all of those, I'd go with Linux
(Like the use of bold?)
Phoning someone and asking them if they really did make a transfer is not an invasion of privacy as the customer should already know about it, and the bank definitely does.
I've gotten this kind of call before, and I'm glad of it... In my case though, I really had made a withdrawal in one city, then a $2000 interac purchase in another city 2 hours later, then another interac transaction a few hours later in the first city.
Admittedly, the guy is a moron for using an unsecured PC and whining about getting pwned.
But why don't the banks watch spending patterns? I know the credit card companies do, and have for a while-- about 10 years ago, I had a Mobil gas card. I let my then-girlfriend use it for a while, and a week or so later I got a letter from them about "potentially questionable" charges because the activity was different from what it normally was. I usually top off my tank to get the dollar amount to the nearest $0.25, and my GF didn't. That was enough to trip some alarm on some computer somewhere.
Clearly the computing power and algorithms exist for all financial institutions to do this. I guess the answer to why they don't is because it would cost them money and lower their profits, and what customer losses can't be blamed on the customer will be covered by the gummint-- so why bother?
Also, the man regularly initiated international wire transfers, hence no fraud alert triggered.
The old adage still rings true; a fool and his money are soon parted.
All of my friends in the Netherlands have this system. (For example, one is called "Digipass" and is created by Vasco, who has a number of clients.) They were amused to find out that, generally, one just logs into a bank's website and types a password here in the U.S. By the way, I went to a bank here in the US and asked them if they knew about these little devices. Yup, they said, but they said that Americans didn't want the hassle...
Any online bank that doesn't use offline one-time keys as transaction verification is insecure and vulnerable to client computer hacking.
The technology to solve the problem is available, and many banks use it, so frankly I'd say any bank which does not offer such an option should be held at least partially responsible for losses incurred through lax security policies.
In this case the end-user is the one with the virus. If he wins, there will be little room for the banks to move around should they be the ones with the virus. It will suddenly become risky, [ besides being expensive - e.g. code red, sql, etc. meltdowns in the larger banks last year ] to run windows for front, middle and back office.
That is quite normal. A few years ago, a friend of mine's mother is a Doctor with her own practice. She uses her Visa for business purchases, mainly large transactions $1000+ and had been doing that for over a year. One time my friend needed some money for gas so his mom just gave him her credit card. He went to Safeway, bought gas and then went in to the store and bought some snacks for his trip. The same day, his mother got a phone call from the credit card company asking if she was missing her credit card. They noticed that my friend's purchases were out of pattern and thought that someone stole the card.
When thieves steal a card, they usually make a few small purchases first to test it out before sucking the card dry. Visa was quick to act on this to prevent theft. It is in their best interest to do this. That kind of action is very normal.
Never let your sense of morals prevent you from doing what's right. --Isaac Asimov
Unfortunately, at my credit union each account held by a particular person is only different by 1 character. So if they've got my escrow account number they can figure out the rest.
Banks take 1 - 2 days to receive funds from other banks received through the Fed. The NSF process gives the other bank an additional 48hrs to stop payment on the check and demand money back. Five days is a reasonable amount of time to protect the bank from losing money that hasn't fully cleared yet.
When Check 21 is fully in place, you are correct. There will be immediate availability of funds.
Many people will be hurt by this, as it removes any buffer that they are used to dealing with for writing checks to pay bills that take several days to clear.
However, the vast majority of check monetary transfers are going to happen through the Federal Reserve system or regional clearinghouses for a significant time to come.
Currently, many financial institutions turn your check into an ACH transaction. When I pay either of my credit card bills, the check isn't returned to me. It is used as an instrument to authorize an ACH withdrawal from my checking account.
Banks are in business to make money. They don't make money by letting people abuse the time it takes transactions to clear through the Fed or clearinghouses to write bad checks.
If you want your money ASAP, cash the check and then deposit most of the cash. Assuming you are an account holder in good stead, you should have those funds available to you immediately, or utilize direct deposit.
Typical American.
Screw up, blame someone else for your screw up, then sue that person instead of taking any responsibility for your own dumbass move.
George Bush + Linux = "I will not let information get in the way of the fight against Windows"
what exactly is the meaning of member FDIC? Your funds are insured up to $100,000 US. Does this only protect from institutions that go bankrupt and not fraudulent purchases?
No, it is quite simple. For a credit card THEY eat the fraud. For your checking account, YOU eat the fraud. That's why the "fraud protection group" doesn't give a crap about your checking account.
for running a known insecure OS and blaming them.
I prefer the "u" in honour as it seems to be missing these days.
Pleasuregirls for you, Mr. Businessman!
A little off topic, but still in line. In Canada, the bank is responsible for any debit card fraud since they do not have the systems in place to protect your money. Using that as an assumption, I would guess it depends how the virus stole them. He could very well win, by arguing the lack of security, if his bank lacks features that are needed for protection, or does not have any sort of confirmation options when banking online.
...a bank will wait for five business days to credit your account...
Maybe your bank doesn't trust you. Mine trusts me and credits my account immediately on that same day.
All theory is gray
If you don't know how to use a computer then perhaps you shouldn't be using it to do your banking with.
What hardware are you using? Is it a Vasco Digipass-like thing?
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
My PayPal/netbank account is confirmed, did it a long time ago, not sure if that's still possible via PayPal's current policies.
every day http://en.wikipedia.org/wiki/Special:Random
"It is obvious that this guy should have had an anti-virus package"
So if a car randomly bursts into flame and kills the driver because of a manufacturing defect, then it's obvious that she should have been wearing a flame-retardant suit?
IMHO, the obvious thing is that the software companies fix their damn bugs - well, at least the f**king security flaws.
The electronic payments within the US (possibly CA also) are handled via a system called ACH (automated clearing house). With ACH they could indeed hit your account such as that. But the ability to inject ACH debits usually requires a cooperating bank in the US (who recognizes the organization generating the electronic debits). Typical examples are mortgage payments, insurance companies and PayPal.
For foreign transfers (such as the one talked about here), this most likely happened via SWIFT-wire. With SWIFT-wire I do not believe it is possible to pull money (i.e. via an electronic debit). The transfer has to be pushed from the sender. So my guess would be that the cybercrook here gained access to the computer (owned by the person who lost the 90K) and faked an online transfer request. Maybe the guy has always-on DSL or cable and leaves his system powered up 24/7.
At least that's my perception of what happened here. In the case of ACH fraud, I think the FBI could come down hard on the receiving bank, and whoever generated the fraudulent debits. With SWIFT-wire, it's a whole different set of rules when crossing national boundaries.
This msg is brought to you by the letter 'W'.. for Worthless Wuss
but surely, although not responsible for him being the victim of a virus, they ARE RESPONSIBLE for transferring money that he didn't actually authorize? does the word 'fraud' ring any bells?
His computer was logged in and it sent a transfer request. But he, personally, the person who the account belongs to, didn't actually authorize the transfer. Therefore it's a case of bank fraud by whoever did authorize it, which would boil down to the virus writer.
The bank should put the money back in his account and then track down the criminal type to recoup their costs.
FGD 135
I... I couldn't resist. Forgive me, oh merciful mod-point bearing masters!
do not use checking. Use a credit card. Quite a bit safer on the net.
I prefer the "u" in honour as it seems to be missing these days.
What annoys me the most about these stories is that there's no way for the customer to take proactive measures to disable problematic services. Maybe the default is to enable online banking, but I should have the right to tell them to disable that service and not honor any request through it unless and until I show up at a branch office with appropriate identification.
The worst example of this was a former bank (emphasis on "former") that unilaterally disabled all existing ATM cards without warning. But not to worry - our spanking new debit cards should have already arrived, together with the new PIN number in a separate mailing.
As if that's not bad enough, this was back before debit cards had fraud protection. If somebody cleared out your checking account that was it - that money was gone.
I immediately cancelled my account. The drone assured me that my funds were safe, I could request (REQUEST) a new ATM card, etc. I told him there was no way I was keeping my money there - they violated my trust and they weren't getting a second chance.
I heard, unofficially, that a full third of the bank's customers dropped their accounts because of this braindead move. But the bank's new overlords and masters in Minnesota refused to accept responsibility for a colossal FU - they said the problem was that we were all too provincial to understand the brave new world of banking, not that we were well-informed and refused to do business with assholes who could have left us traveling without access to our funds and without warning. (When I travel I usually pulled spending money out of an ATM so it's in the local currency, but now I'll probably use a "gift card.")
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
It's incidents like this that are leading us towards having to be licensed to write software much like architects and engineers are licensed to practice their trade. We may be another 10-20 years away from that but unless software developers get their act together it's going to come sooner than we all think.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
This kind of thing is easily preventable by issuing a SecurID or SafeWord tag to people. True, it will cost money, but it's comparatively cheap considering the alternatives.
Some banks in Europe have been using SecurID for years. Why don't we use them here?
An ATM limits you by preventing the amount you can withdraw from the account (up to 300).
A Wire transfer of 90,000 to a country which is known in Financial circles to be a haven to cybercriminals should have sent up some flags.
Heck, I spent over a grand on a credit card transaction, Discover used to call me up and "harass" me. Why? Because they stand to lose money if its a fraudulent transaction.
Why didn't BOA do the same? Coz it ain't their money? Safeguards are only built in when it's your ass on the line.
Rapid Nirvana
going to a normal place rather than to porn.
gee, how amusing that i wrote this just recently. the users want something stupid, they shouldn't complain when the obvious reason it shouldn't be done happens.
That was for a credit card, not a bank account. With a credit card, the card issuer has to cover the full loss minus fifty dollars unless they can prove you made the purchase. With a bank account, the person with the account covers the full loss up to the balance of their account plus fifty dollars.
Until one of you gets burnt.
So what happens when your due diligence isn't enough? What if someone that works at a gas station or a hotel grabs your debit card number and does the Fandango with it?
I guaren-fucking-tee you that someone that has replied to these comments would say, "You deserve it!" and list some explanation why we should take hours a day to protect our bank accounts.
If someone decides to transfer all my funds to a foreign country, that should be a big red flag. Or anytime a large amount is going to be transferred to another account. They should have to get verification from the account holder before high dollar amounts are able to go through.
These people I used to work with both had their CCs stolen by an employee that quit on that day. They had hundreds of dollars racked up by day two, on each card. They went to the police, prosecuted, and their banks didn't hold them accountable for the purchases.
Know how the woman got their CCs? They left their purses on their own desks when they went to the bathroom or went on break. According to some people, they deserved it.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
'scuse me for asking the obvious question, but how come the staff at safeway/etc didn't notice that this guy was using his mother's card? ...if credit cards had a photo of the owner upon them, then (in some cases) this kinda stuff could be prevented (because--correct me if i'm wrong, i live in the uk and ccards may work differently in the usa--this kid should not have been able/allowed to use his mother's credit card in the first place)
Second: there's only so much the end user can be expected to do to keep their system secure. Anti viral software is reactive, not proactive; it only tells you you've been infected after the event, and at that point, you cannot trust your system. It's been compromised; there's always the possibility that there's code floating around that will do things you don't want done.
Third: there are solutions to this problem that are in active use around the world. You want to use online banking? Great! Here's your account number; here's your account password; here's a list of authorisation numbers; and here's a handy dandy doodad that takes an auth number and a text string, and spits out some other text string. Keep the password, authorisation numbers, and the doodad secure. Logon using the account number and password. Whenever you want to do something that involves moving money around -- paying bills, wire transfers, or the like -- we'll give you a text string and tell you to punch that, and one of the auth numbers, into the doodad; you give us the result that the doodad spits out. When you're nearly out of those numbers, we'll send you another list at no charge.
The numbers themselves would be used with the doodad to generate a one-time password type setup. Only the bank has the keys needed to generate the numbers, and to match what the doodad produces with what the bank expects. This transfers the security problem from one of computer security at the client's end to one of physical security at the client's end. Yes, the bank still needs to be careful about its computer security, but that will always be the case. This way, the customer can do Internet banking quite safely from anywhere in the world, no matter how trusted (or not) a given computer is; at worst, crooks can see your bank balances, and that's of relatively minor importance compared with keeping the funds safe.
Very common in Europe, I'm told. So why isn't it common in the US or Australia? Hell, you can even remove the doodad from the equation, although then you need to be careful with the number list, which could be a hassle; the doodad adds a small extra layer of physical security, and it's easy for the customer to know when he's lost it (or it's been stolen). A report of it being lost means the bank freezes the online account until a replacement is shipped out and the account rekeyed to work with the replacement.
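The challenge/response flow described in the comment above, as an added Python example that is not part of the original thread and not any bank's actual system. The HMAC-SHA256 construction, the 8-digit truncation, the sample auth numbers and the names `doodad_response`, `Bank` and `demo` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def doodad_response(device_key: bytes, auth_number: str, challenge: str) -> str:
    """What the offline device computes from an auth number and the bank's text string.

    Assumption: HMAC-SHA256 keyed with a per-customer secret held by the device
    and by the bank, truncated to 8 digits so a person can type it.
    """
    msg = f"{auth_number}|{challenge}".encode()
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    """Bank-side bookkeeping: one challenge per transfer, one use per auth number."""

    def __init__(self, device_key: bytes, auth_numbers):
        self._key = device_key
        self._unused = set(auth_numbers)   # the printed list sent to the customer
        self._pending = {}                 # challenge -> (payee, amount)

    def request_transfer(self, payee: str, amount: int) -> str:
        """Record the requested transfer and return the text string to punch in."""
        challenge = secrets.token_hex(4)
        self._pending[challenge] = (payee, amount)
        return challenge

    def confirm(self, challenge: str, auth_number: str, response: str):
        """Return the approved (payee, amount), or None if anything fails to match."""
        transfer = self._pending.pop(challenge, None)  # a challenge is single-use
        if transfer is None or auth_number not in self._unused:
            return None
        expected = doodad_response(self._key, auth_number, challenge)
        if not hmac.compare_digest(expected, response):
            return None
        self._unused.discard(auth_number)              # burn the auth number
        return transfer


def demo():
    """Run one legitimate transfer, then three attempts to reuse what was typed."""
    key = secrets.token_bytes(32)                      # constructed device secret
    bank = Bank(key, ["4821", "9930", "1175"])         # constructed auth numbers
    results = {}

    # Customer confirms a transfer with the device.
    c1 = bank.request_transfer("Gas Company", 120)
    r1 = doodad_response(key, "4821", c1)
    results["legit"] = bank.confirm(c1, "4821", r1)

    # Everything typed on the PC (auth number and response) is replayed
    # against a new transfer: the auth number is already burned.
    c2 = bank.request_transfer("Unknown payee", 90000)
    results["reused_auth_number"] = bank.confirm(c2, "4821", r1)

    # The old response is tried with a fresh auth number: the new challenge
    # and number produce a different expected value.
    c3 = bank.request_transfer("Unknown payee", 90000)
    results["stale_response"] = bank.confirm(c3, "9930", r1)

    # The old challenge is tried again, even with a correctly computed response.
    results["reused_challenge"] = bank.confirm(
        c1, "1175", doodad_response(key, "1175", c1))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

The response proves possession of the device for one challenge; it does not show the customer which transfer that challenge belongs to, which is why some schemes also enter or display the payee and amount on the device.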
The bank performed the transfer as a service on his behalf. He did not give the order to perform this service.
This is not like leaving your car door unlocked and someone stealing it, this is you paying for the car, someone else showing up claiming to be you, and them giving the car to him.
If the bank is not capable of reversing a transaction, they had better make damn well sure that it was authorized by the actual customer.
Your bank's kernel clearly does not support $$tables .
Banks should consider the idea of posting risk assessments to the web page based on the client OS and browser. That is, tell the customers that if they run a system that obtains viruses and spyware, they run a much higher risk. Likewise, if they are using a browser and an e-mail client that have known high risks, the client should be told. Obviously, Windows, IE, and Outlook are about as high of risk as it will get. Run something like Mainframe|Unix|BSD|Mac|Linux with lynx, then you have an ultra-low risk.
I prefer the "u" in honour as it seems to be missing these days.
Yes, yes, </sarcasm weight="heavy"> and all...
Got time? Spend some of it coding or testing
I find it very odd that the majority of his funds were frozen by another bank. BofA certainly has the muscle internationally to pressure them for release. I'm thinking that something might be fishy about Mr. Lopez's business account. After all, we've all seen the emails and news stories warning us about the popular printer and ink toner scams that abound. I wonder why Mr. Lopez isn't suing the bank that actually has his funds and didn't check the identity of the person on the other end who ordered the transfer and picked up the money?
That being said, MNBA bank has been very good to me -- I made a large purchase halfway across the country and a fraud representative called 30 minutes later.
Religion is a gateway psychosis. -- Dave Foley
When I log into my Linux box I have to provide a password that involves upper, lower case and numbers. After this, to log into MY bank, I have to lower the bar and use only numbers. Minimum of four, maximum of six. This is my bank!!@!!, No wonder I keep my money in a sock drawer ... hang on a sec., Never mind.
As far as I can tell from the linked Symantec information the virus turns your computer into a DOS zombie controlled over IRS. It doesn't say anything about installing a keystroke logger. The Secret Service investigation is not claiming that the virus was behind the fraudulent transfer. It simply noted the infection as a fact of the investigation.
According to the article Mr. Lopez frequently makes wire transfers (albeit not to Latvia), so I'm not sure why everyone is leaping to the conclusion that this was done by clever cyber criminals and not business associates, customers, or bank employees. It may very well be, but the article contains no evidence to support the claim.
A bank can honestly not tell a customer that they didn't accept the risk of handing out money to thieves like candy, when they marketed their online banking as a feature people can use safely.
Obviously, online banking is not as safe as telephone banking [when not using a portable phone], and nowhere near as safe as working with a teller in a bank, or an ATM machine. Although now there are examples of ATM machines being hijacked with card readers, and cameras to capture PINs. All a computer needs is a little spyware, and presto, 128bit encryption is rendered useless. And with all the machines that have spyware, it's impossible to promise reliable banking security on the desktop computer.
Saskboy's blog is good. 9 out of 10 dentists agree.
If the victim in this case used Microsoft Windows, with all its well-known and well-publicised security flaws, he only has himself to blame.
Supermarkets in the US have credit/debit terminals where the customer swipes the card themselves and often even signs electronically. The card holder's name might appear on the register where the cashier could see it, but they seldom bother to read it, and they practically never check the card for small purchases.
If a job's not worth doing, it's not worth doing right.
I think this access is one of the primary -- and un-declared -- reasons PayPal is so aggressive in asking/coercing members to become 'verified'. All it takes is that little 10 cent deposit and your acknowledgment of same to set it up.
Your bank doesn't give a crap - it's not their money, and you authorized it anyway.
Play it safe. Use a separate bank account for PayPal transactions only, and don't let funds accrue there.
But this guy is running a machine where compromises are the status quo. It is a regular occurrence. I mean, talk to anyone who has used MS Windows on the internet, and almost all of them have horror stories. And there's even a whole industry of after-the-fact cleanup dedicated to these recurring problems. If, in the face of this reality, you choose to run MS Windows, then aren't you accepting it? For Windows machines to be compromised is not an exception -- it's something you expect to happen from time to time. And this isn't something obscure known only to the 3l33t h4xx0rs of Slashdot. Even the most simple laymen have heard about spyware, the need for virus scanners, etc. I mean, seriously, even your grandmother knows this stuff. (The difference between grandma and the "elite" is that she hasn't made the connection that it's only a Microsoft thing and that she could avoid if she wanted to; she mistakenly believes this situation of insecurity is "normal" for the whole state of personal computing.)
Because of this, I think it's reasonable for a MS Windows user to expect their computer to be used, from time to time, by others without their consent, and with strangers impersonating them. IMHO, that's a bad situation, but apparently other people are ok with it. If they are ok with this and have accepted the situation, then why aren't they responsible for it?
Again, I stress that I'm talking about routine, rather than exceptional, security violations. If someone breaks into your locked car and uses it to commit a crime, it's not your fault. If you paint "steal this car" on the side of your car and you routinely leave it unattended with the doors open and the engine running, day after day, year after year.. then I think you have some explaining to do, when the town drunk takes it.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I wish my bank has ACLs like my domain registrar. I can get known IP blocks I will connect from, and a separate token.
What happened to this guy is wire fraud, someone pretended to be him and authorized a wire transfer from his account. Wire transfers are sender initiated only. Nobody can contact a bank and take money by wire, you contact the bank and send money by wire.
What you are thinking of with PayPal is direct debit, probably via ACH. This is a US only thing and works differently. It's a network of banks, employers and merchants that is watched over by the federal reserve. Using this yes, someone can pull money from your account. However as per their ACH contract, and federal law, they must have permission to do so. If they don't, you file a fraud complaint and contest it.
Just such a thing happened to my friend. He had been with a hosting company for some time, one with an actual signed contract. When it was up, he canceled it via fax notification. All was fine until a few months later, when they automatically withdrew all the canceled months worth of payments. They had a bunch of BS claims about the contract not being canceled and autorenewing and so on. So he contacted his bank and filed a fraud complaint. They put the money back in his account immediately as a temporary thing while they investigated. He sent them a copy of the contract, and of the letter he sent canceling. After a bit more investigation, the bank decided he was right, made the credit to his account permanent, and went after the hosting company for the money.
So with ACH, there's really very little to worry about. Yes, a company you've never heard of on the network could technically clean out your bank account for no reason. However you'd have the money back in less than 24 hours of filing a complaint, and a few months later they'd all be doing time in federal prison.
The reason in this case the bank is refusing to help the guy is because it wasn't ACH, it was a wire transfer. Wire transfers are very different. A wire transfer would be what you do at Western Union: You pay a company to make funds immediately available to another party of your designation. The company then worries about actually shuffling funds later, your designee can get the money immediately. With large ones, it can be done directly bank-bank.
So that's what happened here, someone broke in to his computer, and authorized a wire transfer from his account to another one. From the bank's perspective, they did everything correct. They received proper authorization for the transfer and made it. It would not have been initiated had someone with the proper credentials not requested it.
So the bank believes they've done what they should do. That his computer got hacked isn't their problem. Now we'll see if the courts agree.
I'm not convinced! Especially taking other security procedures into account, which have been successfully implemented in other countries (view poster from Switzerland, a little above).
Down under the services and business delivered by the financial institutions, remind me very much of methodologies used by south Italian organisations, oh, and its country's leader.
'Dodgy' I think would be the most appropriate term!
Imagine the following scenario: your host wants to protect your data from any malicious transactions, therefore any changes made, only take effect after 48h's....I would be pretty pissed off, and would ditch any ISP believing such to be an advisable approach to security.
BUT, a roll-back/undo option has also proven to be a helpful tool, though it's as with the hammer, one should use it when appropriate!
I have on several occasions called my credit card processor - Cardservice International - about fraudulent credit card charges. They simply do not care. They just tell you to charge the funds back and charge me for the original charge and the refund (2.25% each time). I have also called to report fraudulent attempts trying to provide time/date/ip addresses and they simply do not want the information. For every fraudulent charge that has occurred, I - as a merchant - have been the only one that actually has to pay for the problem.
I just had an idea come to mind, I'm not sure how it would work exactly, but what if, before any online purchase was made, you would have to go to your bank's site and get an "Allow Purchase Number" which would encrypt the date, time (allowing one hour to purchase), price, and company name with a private key, and when ordering, the number would be given to the company, and before they could take money off a card or account, they would need to give the bank the number which would prove the user wanted to order the product. This is all assuming the online bank site is secure and the password is known by the account holder only.
Make your computer faster: rm -rf
Damn right! Always those Aussies making trouble... :D:D:D
I'd have thought the bigger giveaway is that his name was "Mrs ....". I work in retail, since I'm still at university, and I was specifically told to look for that as a sign of an obviously stolen card. As a side note, while you'd think nobody would be dumb enough to try it, I did actually catch two credit card thieves about two years ago who did exactly this, coming in with a woman's credit card (both of them got arrested, you'd think that even idiots like them would know to run when I start making phone calls).
It's clear that some industry people think users are to blame: http://www.nwfusion.com/news/2005/0204netusers.html?fsrc=netflash-rss
There are three truths: my truth, your truth, and the truth. - Chinese proverb
Many banks will credit certain types of checks as soon as they are received, and wait for others to clear. My credit union credits business checks (such as payroll checks or rebate checks) the day I deposit them, but waits for personal checks to clear.
I have blog like everyone else
Australian banks are the same. Once you have allowed a company to do direct debit you have to get the company to agree to stop taking the money from your account. You cannot simply ask the bank to stop payment and then wait for the non-contactable company to scream.
Possession is 9/10ths of the law, once they possess the keys to your account it can be difficult to stop them possessing your money.
You could also sign up for online banking at one of the banks that allows you to get alerts on electronic debits to your account.
Neither one of these stops the debits from coming through but you can catch them and get credit back if they're unauthorized.
Those who are late do not get fruit cup!
Since I had never done online banking before, I set everything up and tied my MasterCard in as one place where I could transfer funds directly from my bank account. After doing the transfers as described above, I received a call from the Bank the next day asking me if this was a transaction I had indeed authorized - apparently due to the many thousands of dollars it involved, and the fact it was out of my ordinary pattern, the system had flagged it as suspicious and the Bank called to follow up.
My hat's off to them - makes me feel a bit better that my money is being protected.
If this guy was oblivious to that trojan on his system, who knows what other spyware he had? .exe or .dll loaded in memory... many of which wouldn't have been detected by anti-virus, or any other, software.
They may not have needed to remotely control his system via coreflood. His banking info may have been ftp'd by some other
Disclaimer of no sympathy:
Coreflood was discovered in 2002. He got hit in 2004. Fuck him.
...you're reasoning that due to your lack of ability to talk a country has many evil citizens?
I don't know what's more disturbing... your ineptness to talk or your ineptness to think.
My Linux box certainly doesn't have or need a virus scanner, and the Windows box I have has no virus scanner and I've not had a windows virus or worm on it or any other box of mine in I think fourteen years. (This is the last virus I got. Downloaded it from a BBS from a disk usage program. du.exe.)
It's all a matter of being smart about what you run and disabling services that you don't need. And keeping up to date on patches doesn't hurt, and neither does doing most of my Internet stuff on my Linux box. (The Windows box is mostly for games, and the occasional program my wife needs.)
I'd hate for the banks to start requiring that their electronic banking users have virus scanners installed in a knee-jerk reaction to this sort of incident.
I for one welcome our bold slashdot overlords!
First, bankers believe in security through obscurity. But for those of us who've been the victims of various cock ups at banks, we know how it really works. Demand Drafts are a funny thing.
Pretty much anyone who knows your account number can withdraw funds from your account. There isn't any verification of signature or even check number sequence. Sure, the bank notices when numbers skip on a statement by putting a little * next to the item.
In addition - they watch transaction patterns. I've used a debit card to purchase a computer from Dell. Within 30 minutes of the purchase I'd gotten a call from my bank asking if I had indeed made the purchase.
So the bank knew that $90K to Latvia was bunk. But now they'll claim CYA and security through obscurity "Heaven forbid we're open about our authentication systems they'll claim."
Beware! My checking account was grossly overdrawn, due to a clerical error in MICR encoding the amount of a check that I had written. Without asking me, Bank of America took the funds from another account of mine to cover the check. I found out about it when I received my next statement. They eventually restored the funds to my accounts. I no longer do business with Bank of America. They let their computers make all the decisions. It was only when I complained that humans got involved.
Mea navis aericumbens anguillis abundat
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
Not all cards have MR/MRS/etc on them. "DR" is ungendered.
Some of my cards start with "MR", some don't.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
Good! you sound like an enlightened and informed person. I have a question then. If a person gives a note of permission (with signature) that a person can use his/her card, are you allowed to accept it? What about permission over phone or if the last names are the same (son/daughter)?
I would assume that there must be some way to allow someone else to use my credit card if I so wished. I often lend money with my credit card to friends with on-line purchases, but what if I want to lend my card to my family?
Never let your sense of morals prevent you from doing what's right. --Isaac Asimov
We had that with telecoms before deregulation. Remember the old joke ad "We don't care. We don't have to." That said a lot about the extremely expensive, piss-poor service delivered by the regulated telcos.
While I have little sympathy for corporations, whenever they get regulated, the regulations always end up benefiting the regulated corporation and screwing the consumer.
One of the main reasons that software and systems have improved so much is precisely because they haven't been regulated. Down the regulation road lies Trusted Computing, more iterations of the DMCA, and similar idiocy.
Get your teeth into a small slice: the cake of liberty
ACH transactions batched in the volume that PayPal can generate cost essentially nothing versus the 2-3% interchange from credit cards.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
Large scale Check 21 implementation (and therefore changes in the availability of funds rules) is probably a year or two away. The Fed has the charges backwards - if I want to send check images, I will need to stand the cost of all substitute checks printed to all of the banks that don't receive images. The incentive to move electrons instead of paper is backwards for now.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
Talking with my gf (a teller for BankNorth), she is fairly confident that they can do just that. It's not a national bank, but it's pretty big so far...
For now though, just check your statements promptly each month and use the method that a previous poster recommended: report any fraudulent activity immediately.
- "Nobody came out that night, not one was ever seen. But Old Man Stauf is waiting there, crazy sick and mean!"
> Heck, I spent over a grand on a credit card transaction, Discover used to call me up and "harass" me.
Several years ago, I drove to the states to visit relatives.
When I came back, there was a voice message from Visa waiting for me.
I called them back to ask what the problem was.
Well, somebody (that would be me...) used my credit card to purchase gas in a US gas station and "it did not fit my usage profile".
Couple of years later, we went on vacation to Muskoka.
I wanted to arrange a dog-sled ride for the kids. Problem is, outside the GTA my Fido cell phone turns into a pumpkin. I'm also out of quarters so I use the Visa card at a pay phone.
When I get back, you guessed it, another chat with Visa telling them not to worry, the transaction is legit, "usage patterns" notwithstanding.
Customer protection or privacy invasion?
You decide.
Next, flying abroad to visit relatives.
This time, I call them preemptively. I will be out of country approximately between xxx and yyy, the card will be used in the following countries, don't give me any troubles.
> Why? Because they stand to lose money if its a fraudulent transaction.
Zigackly!
My (New Zealand) bank has adopted a strategy where they do not allow more than $2000 to be transferred through IB in one day, unless you have signed up with a programme to text a code to the bank to authorise it.
When I worked on internet banking at another bank, they limited their exposure by imposing daily transaction limits. It's the way to go. You can't guarantee perfection at the browser end, so enforce limits in the (in this case mainframe) back end for transactions through the internet banking channel.
The Bank certainly should have caught this. This is why fraud departments were invented. As a heartless banker myself, I'm quite surprised that the transfer was let through.
I went to that web site, read the literature, and listened to the recording. In my opinion, Marc Perkel hasn't shown that anything that PayPal did was unreasonable or wrong, but simply that he didn't like it. I happened to write him a reply to his blog too:
Any legitimate issues raised by others aside ... Marc, I listened to your recording in its entirety plus your other written info and I can't find anything wrong with Paypal's policy as revealed on your website. The only outstanding issue that you are raising is that they are holding your money for 180 days, to fully cover any possible charge-backs by your customers. After that time, you will get it back. It's not like they are keeping it forever. PayPal is doing what any decent merchant would do, which is protecting the customers. And yes, they are a merchant, like yourself, and not a bank or a credit card. I empathize with you for the wait you will have to endure, but I don't see that you have proven any wrong-doing on their part.
Despite advocating free speech otherwise, it seems that the guy didn't like what I said and deleted my reply from the forum. That's his right, but so much for logical arguments.
Microsoft would love it. It would annihilate GNU.
File under 'M' for 'Manic ranting'
It looks like you're trying to transfer your life savings to Latvia, would you like some help
And well then it was all over.
Which brings me to TCO.
As this person found out, TCO of windows is much higher than a Macintosh.
Some drink at the fountain of knowledge. Others just gargle.
It seems like a great chance to promote non-MS OSes for any internet transaction, especially involving financial details.
For all the howls of "Linux is too hard!", "It's not ready for the desktop!", "Joe User can't recompile his own kernel!", you really have to take a pragmatic approach and look at the bigger picture here.
Let's say the victim of this spent $10,000 of time/money learning how to utilise Linux effectively for his business. How to do installs, how to maintain and install software, rudimentary and common tasks. Once any user has a browser in front of them it's pretty much intuitive and simple from that point onward, even if they have never used anything other than IE.
This guy would then be $80,000 better off! Now that's what I call a Return On Investment! Microsoft-sponsored TCO studies be damned, it's becoming dreadfully clear that use of Linux/MacOS/BSD in this day and age give one hell of an incentive for ordinary users - no more viruses, spyware, random lockups and data corruption, the list of tangible technical benefits goes on and on even if you ignore the idealistic 'freedom' aspects inherent to the GPL and BSD licenses. It's simply a matter of education and time before Joe Average is freed from Windows and that promiscuous petri-dish of an OS finally goes the way of the dinosaur.
Regarding your sig, it's baloney. WorldNetDaily is notorious for speculative stories that turn out to be bogus, this is one of them. The US would never and could never nuke Mecca. It would alienate America's allies, like the Saudi and Pakistani government, and trigger a massive war by Muslims worldwide. It would be like nuking the Vatican city to stop Catholic IRA terrorists.
Is this the guy who sends all those incredible toner cartridge spams? Also, how does a DoS virus break in to your bank to forge a wire transfer? No explanation of how that virus did something of which it was incapable. Please explain.
signature pending slashdot approval
They'd suspend your account and the accounts of anyone who has ever transferred funds to, or received funds from your account.
What utter nonsense. If Paypal suspended the accounts of everyone who ever interacted with a fraudulent account, they would be killing off a lot of perfectly good customers. I have never seen any evidence of any kind that this kind of thing takes place. If they feel another account is closely related (like an alias used by the same person) then they may kill it, but otherwise this would be an insanely stupid thing to do. Some people conducting fraudulent activity with Paypal transact with thousands of people before they are caught. In most of these cases the buyers did nothing wrong except by letting themselves be duped. If Paypal killed all of those accounts, their business model would die fairly quickly.
There would be no way to talk to a representative, as they do not publish telephone numbers
If you actually took the time to visit their contact page instead of spewing more uninformed rubbish, you would have found that their contact number is 402-935-2050.
I'm not saying Paypal is without problems. Clearly they have their share. But at least make some kind of minor effort to get your facts straight.
Don't forget that posting anything even remotely conservative (or anti-liberal) will get you modded down faster than light.
Some close friends of mine adopted a child from Russia. While they were in the country completing the adoption process the child fell sick and they had to charge a lot of medical bills. Their bank, after spotting the change in account activity, did lock the account quite quickly. Was that the right action? It caused my friends a lot of trouble and stress. What's required is a mechanism for customers to inform their banks of expected irregular account activity.
That was damn insightful. Bravo.
Sleep is futile.
A company and/or person is not allowed to withdraw money from random accounts. If you did not give permission to use that account, any withdrawals from it would be fraudulent.
Well, now they can.
Culture is more than commerce
well, shit, don't blame the fucking criminal. it's way more fucking sinful to use microsoft fucking windows than to steal someone's fucking money.
On the whole, east European countries, including Latvia, are notoriously dodgy and a common source of online scams. I've worked with online transaction systems here in Europe that regularly block transactions of any kind to IPs or addresses in these destinations. It's actually quite common (and often used on a 'rating' system to determine the likelihood a transaction is fraudulent, much in the same way SpamAssassin works to rate emails as potential SPAM).
Again, that's even here in Europe, because it's quite clear to companies here how much of a problem it is, even if those states are EU members now (a status they were only granted less than a year ago I might add, and they still do not yet have equal status as I recall, in a move to prevent 'brain drain' from people flooding from poorer ex-Soviet countries to west block countries).
Searching for 'crime' and 'Latvia' (something I did to help illustrate the point) shows on the first page of results from Google that the US Department of State has even issued a travel notice for all US citizens going to Latvia. The state.gov web site says among other things:
"Internet crime is a growing concern in Latvia. Common fraudulent schemes involve both Internet auction sites and Internet job search sites. In the first scam, criminals offer valuable items for sale at low prices on Internet auctions and request that payment be sent by wire transfer to a bank in Latvia or though a fraudulent escrow site that they have created themselves. In this scheme the money passes through a bank in Latvia and is quickly withdrawn by ATM or transferred to a bank in another country. It is very difficult in these cases to discover the identities of the account holders or recover the funds.
The second common scam involves identity theft through false job offers. In this scheme, a company claiming to be located in Latvia, but which has a non-existent address, offers the victim employment as a U.S.-based agent or freight forwarder. When the victim responds to the job offer, commonly posted on one of several popular internet job sites, a Social Security number and other identifying information - needed for the identity theft - is required under the guise of conducting a background check."
Just because it's a small nation, doesn't mean it's not notoriously dodgy - it is, and it is known for online fraud as well as quite a few other types of crime (people trafficking being another that springs to mind). So as a European I'd have to say I agree with the article and think it's accurate in its assertion.
"Who's Really Responsible In Online Banking Fraud?"
The criminal.
Everyone is entitled to their own opinion. It's just that yours is stupid.
Agreed. My bank does it even better.
See, to transfer funds the bank requires that I register my cell phone with them. This is only done once at an ATM. Then each time a transfer is requested, I press a button on the transfer page and an SMS is sent to my cell phone with an authorisation code. I have to type the code into the page before the transaction will proceed. The code is only good for one transaction and only for the transaction for which the code was requested.
So the only way that an unauthorised fund transfer can take place is if the thieves managed to steal my cellphone and hacked my account before I contact my bank and deregister the phone.
Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
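Added example, not part of any comment in this thread: a sketch of the transaction-bound one-time code described in the SMS comment above and in the earlier "Allow Purchase Number" idea. It swaps the "private key" encryption from that comment for an HMAC under a bank-held secret; the class name, field names, the three-attempt limit and the sample transfers are all assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time

CODE_TTL_SECONDS = 3600  # the one-hour window suggested in the thread
MAX_ATTEMPTS = 3         # assumption: drop the request after three wrong codes


class TransferAuthorizer:
    """Hypothetical bank-side issuer/verifier of codes bound to one transfer."""

    def __init__(self, bank_key=None, clock=time.time):
        self._key = bank_key or secrets.token_bytes(32)  # never leaves the bank
        self._clock = clock
        self._pending = {}  # request_id -> nonce, expiry, failed attempts

    def _code(self, account, payee, amount_cents, nonce, expires_at):
        # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
        fields = [account.encode(), payee.encode(), str(amount_cents).encode(),
                  nonce, str(expires_at).encode()]
        msg = b"".join(struct.pack(">I", len(f)) + f for f in fields)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        # HOTP-style truncation of the MAC to six digits a person can type.
        offset = mac[-1] & 0x0F
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{value % 1_000_000:06d}"

    def issue(self, account, payee, amount_cents):
        """Return (request_id, code); the code goes out of band, e.g. by SMS."""
        request_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        expires_at = int(self._clock()) + CODE_TTL_SECONDS
        self._pending[request_id] = {"nonce": nonce, "expires_at": expires_at,
                                     "attempts": 0}
        return request_id, self._code(account, payee, amount_cents, nonce, expires_at)

    def verify(self, request_id, code, account, payee, amount_cents):
        """Check the code against the transfer that is actually being submitted."""
        state = self._pending.get(request_id)
        if state is None:
            return "unknown_or_used"
        if self._clock() > state["expires_at"]:
            del self._pending[request_id]
            return "expired"
        # Recompute from the submitted fields: a changed payee or amount
        # produces a different code, so the genuine code no longer fits.
        expected = self._code(account, payee, amount_cents,
                              state["nonce"], state["expires_at"])
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            del self._pending[request_id]  # single use
            return "ok"
        state["attempts"] += 1
        if state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[request_id]
            return "locked"
        return "mismatch"


def demo():
    """Constructed scenario: the customer approves one transfer, malware alters it."""
    bank = TransferAuthorizer()
    rid, code = bank.issue("ACCT-001", "Acme Supplies", 250_00)
    results = []
    # The transfer arrives with payee and amount swapped but the genuine code.
    results.append(bank.verify(rid, code, "ACCT-001", "Unknown Payee", 9_000_000))
    # The transfer the customer actually approved goes through once...
    results.append(bank.verify(rid, code, "ACCT-001", "Acme Supplies", 250_00))
    # ...and the same code cannot be replayed afterwards.
    results.append(bank.verify(rid, code, "ACCT-001", "Acme Supplies", 250_00))
    return results


if __name__ == "__main__":
    print(demo())
```

The binding only protects the customer if the out-of-band message also shows the payee and amount the code was issued for, so that a request altered before it reaches the bank is noticed before the code is typed in.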
Any transaction should go through this list before the transaction actually hits the account. The list matches the "known terrorists" phonetically to customers of the bank. The system is not the greatest but it should have forced the person performing the transfer to verify this person or the location it was going to was "not a terrorist" or on any "terror watchlists."
I wonder if you will find in the logs, the person who processed the transfer was lazy and just responded automatically to the prompt if there was one.
I work for a community bank and at a smaller bank like one of those you should and most time will find better service for your money than one of those Chase/Bank One/Bank of America/Fifth Third/etc. 99% of the time a true community bank will know you well enough to understand how your transactions work. Chances are you might get even better rates as well w/ the better service.
> I don't run Window$
or
"I STAB AT THEE!"
-----
PGP Key ID 0xCB8FF658
He also claims that the fact that a large sum of money being withdrawn in Eastern Europe should have raised red flags. Remind me never to travel to Eastern Europe if accessing my bank accounts there is going to require days of bureaucratic paperwork.
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
Searching for 'crime' and 'Latvia' (something I did to help illustrate the point) shows on the first page of results from Google that the US Department of State has even issued a travel notice for all US citizens going to Latvia. The state.gov web site says among other things
/. summary makes it sound like ex-USSR countries are place where "there be dragons". Which is not really true, at least not for all of them.
Reading the US State Dept travel advisories is like reading the mind of a paranoid person. Basically every country in the world is described in pretty negative remarks in these travel advisories. Check out the description of the crime situation in Canada:
Although criminal activity in Canada is more common in urban areas, violent crimes such as murder, armed robbery, and rape can occur infrequently throughout the country. Visitors to large cities should be aware that parked cars are regularly targeted for opportunistic smash-and-grab thefts, and they are cautioned to avoid leaving any possessions unattended in a vehicle, even in the trunk. Due to the high incidence of such crimes, motorists in Montreal and some other jurisdictions can be fined for leaving their car doors unlocked or for leaving valuables in view.
It's almost like a report from FoxNews or smth. Anyway, back to my point. You say
Just because it's a small nation, doesn't mean it's not notoriously dodgy - it is, and it is known for online fraud as well as quite a few other types of crime (people trafficking being another that springs to mind). So as a European I'd have to say I agree with the article and think it's accurate in its assertion.
I'm already tired of saying it, but Latvian "cybercrimes" represent probably a very insignificant proportion of the total. Perhaps on a per capita basis the number of these "cybercrimes" is indeed larger, but I bet it's nowhere near places like Romania or Bulgaria. And I can assure you the people-trafficking problem is MUCH more rampant in Ukraine, Romania, Moldova, or Bulgaria (plus the Balkan countries) where it has become a national problem in the last years...
I've deviated though from my initial point -- the
PS: Just out of curiosity -- are you from the UK?
Doomie
23%!?
Wow... I wonder if your credit score might have more to do with that than Discover's interest rate being "abusive."
I only say that because my Discover is nearly 10% lower than that.
I no longer do business with Bank of America. They let their computers make all the decisions. It was only when I complained that humans got involved.
Presume that there are no computers.
Bank of America, upon receiving a check order on their hand-written "drafts out" list, would process it and debit the funds from your associated accounts in accordance with their standard policy. Until you complained, they would just do this -- because it's what the tellers and pencil-pushers were required to do, by law and contract and policy.
Computers do simple automated tasks easily, and drawing money from an account is a simple automated task.
If you're bitching because your bank used computers to run the math and apply numbers in a given situation -- the very thing they were designed for! -- then you're on the wrong website.
Try luddites.org.
... and this conversation only confirms that. Be very, very wary of the credit card transactions using PayPal because you will be giving up the protection that normally comes with CC transactions.
Living in an escapist society with high expectations, and someone can't take the blame for their own actions, so to avoid dealing with their own problems, they blame someone else.. Of course, if the bank allowed a hacker to take money from someone, that's a different matter.. It wouldn't surprise me if a bank would allow such a thing to happen.. Your money doesn't count, their money does.. Isn't this what we would expect of a modern day bank?
Just say no to license servers!!
That's pretty cool. Is this a U.S. bank? If so, do you care to disclose their name?
HSJ$$*&#^!#+++ATH0
NO CARRIER
Are they paying any interest for holding onto the money for half a year? That is a looong time.
Here in Denmark, if I tell the bank I did not authorize the payment, the bank must prove otherwise. What has happened is that the bank has transferred money out of the account without the owners approval. Simple as that.
This also means, that the bank will upgrade to a better system if too much fraud is going on, rather than having their customers being responsible for their bad security. Any homebanking system which only depends on stuff on the computer + a password is too unsafe to be used on a computer that is ever connected to the Internet.
Some local banks are sending out one-time keypads, the bank I use issues an ActivCard hardware token if you request it. And these are more difficult to hack (needs serious Man-in-the-middle attack - modifying your outgoing and the incoming messages).
Nope... sadly not a US bank. I'm Malaysian.
Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
My main credit card company calls me once or twice a year. The transactions always go through (unlike with one of the sibling posts), but sometimes I get home from a vacation and within a day or so get a call from their automated transaction checking machine. It starts giving a rundown of transactions by date, merchant category and amount, and asks for confirmation.
It doesn't bother me, but the way the transactions are recorded means I always have to call them back and ask about some of them, and they always turn out to be ok. The problem is twofold:
1) they don't say "transaction at shell station" or "transaction at Bob's kayak rental", or otherwise give the name of the merchant. Instead they use the merchant category ("weird trinkets" or "restaurant") so it takes some time to figure out what they're referring to, and there's always at least one category that's utterly ambiguous.
2) The dollar amounts aren't necessarily the amount of the real transaction. When you buy gas with a credit card, you swipe the card first and it does a transaction for $100 or something like that to verify that the card is good for the money. After you finish, the real amount gets put in through what seems to be another transaction, and the earlier one gets cancelled. I notice this when I check online, too-- often there will be pending transactions for a large amount that turn out to be a smaller amount when they come through. When the machine calls, it sometimes lists the initial $100 transaction, when all I got was $8 worth of gas on the way back to the airport. It's further complicated if the transaction was in foreign currency, since the machine reads it to you in US$.
The bank which employs me is particularly stringent about its hold policy, and for most customers, non-local personal checks get five to seven business day holds placed on them (almost half the month!) As you may imagine, this does cause customer service issues. As a lowly teller, however, all I can really do is shrug, sympathise, and direct the customer to the brochure explaining our hold policy, which he received when he opened his account.
In any case I certainly hope people are leaving your bank in droves. That type of customer antagonistic policy is something that should not happen. While banks are in business to make money, that does not give them the right to treat their customers, without which they'd make no money, like they're all criminals. Hell, it's arguable that the worst customers for banks are the best in terms of making money since they tend to bounce more checks and generate lots more juicy NSF charges for the bank. Don't think they don't know this either, but they certainly shouldn't be treating legit customers like shit.
I feel sorry for you, I imagine their inane policies make your life hell at work.
One comment on cashing the check and depositing the cash. I recently had to do this, as I was borrowing money to keep anything from bouncing while I waited for an erroneous charge to be credited back. I knew my bank would probably tell me hell no, so I cheated a bit. I cashed it at one branch, drove to the next city and deposited the cash. No one was the wiser and it got same day credit. What turned out to be really annoying was it was my bank's fault the credit wasn't there yet. Turned out the place that had made the extra charge mistakenly uses the same bank for their credit card processing. It took them three weeks to get them to finally credit me, and in the end they had to call them up and authorize an EFT between their account and mine. The bank was never able to explain to either of us why they sat on a properly processed credit for weeks without doing anything. Incidentally they've officially never processed it, I got my money back through the EFT, but the actual credit back to my card never has shown up. The business has officially asked me to just pay by check from now on and flagged my account for no late charges thanks to this. Talk about quality customer service from a bank! (As far as the company is concerned, I give them great credit for going the extra mile to make sure my money was returned, they even paid the few NSF charges that they caused.)
My bank in the Czech Republic issued me an electronic key back in '98 that generates pseudo-random one-time passwords, and is also used to authorize individual transfers. When I want to transfer money online, I have to generate a password on the electronic key, and it doesn't matter if somebody's managed to install sniffer software on my computer or not. The code is good just once. Then when actually sending the money, I have to enter the receiving account, amount, etc. and generate an authorization code (which is most likely a hash of a one-time password + transaction detail data). Again, it's completely useless to anyone who intercepts it.
Since this stuff has been around for seven years now in a country that most US IT workers would consider to be third-world, I think it's fair to say that US banks are way behind the ball if they're not providing non-hackable hardware keys to their customers. If anything, a class-action suit should bring up the fact that banks aren't doing near enough to protect their customers.
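The two codes described in the comment above, sketched as an added example that is not part of the original thread and not any bank's actual scheme. The login code is standard HOTP (RFC 4226); the transfer code is an assumed construction (an HMAC over the counter plus the destination account and amount), and all class names, function names and account numbers are hypothetical or constructed.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # length of the code shown on the token's display


def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation: turn an HMAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_code(key: bytes, counter: int) -> str:
    """HOTP (RFC 4226): one-time login code for a given counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def transfer_code(key: bytes, counter: int, dest_account: str, amount_cents: int) -> str:
    """Assumed construction: a one-time code bound to the transfer details.

    The destination is length-prefixed so different field splits cannot
    produce the same MAC input.
    """
    dest = dest_account.encode()
    msg = (struct.pack(">Q", counter)
           + struct.pack(">H", len(dest)) + dest
           + struct.pack(">Q", amount_cents))
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


class BankVerifier:
    """Bank side: shares the token's key and tracks the next unused counter."""

    def __init__(self, key: bytes, window: int = 3):
        self.key = key
        self.counter = 0      # lowest counter value still acceptable
        self.window = window  # tolerate a few codes generated but never sent

    def _match(self, compute, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(compute(c), code):
                self.counter = c + 1  # burn this counter and all earlier ones
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._match(lambda c: login_code(self.key, c), code)

    def verify_transfer(self, code: str, dest_account: str, amount_cents: int) -> bool:
        return self._match(
            lambda c: transfer_code(self.key, c, dest_account, amount_cents), code)


def demo() -> dict:
    key = b"12345678901234567890"  # RFC 4226 test key, used as sample data
    bank = BankVerifier(key)
    token_counter = 0              # state kept inside the hardware token
    results = {}

    # Customer logs in; a sniffer on the PC captures the code and replays it.
    code = login_code(key, token_counter)
    token_counter += 1
    results["login"] = bank.verify_login(code)
    results["login_replay"] = bank.verify_login(code)

    # Customer keys the real transfer into the token (constructed accounts).
    tcode = transfer_code(key, token_counter, "CZ-ACCT-1111", 25000)
    token_counter += 1

    # Malware rewrites the destination in the request but can only reuse tcode.
    results["tampered"] = bank.verify_transfer(tcode, "LV-ACCT-9999", 25000)
    results["genuine"] = bank.verify_transfer(tcode, "CZ-ACCT-1111", 25000)
    results["transfer_replay"] = bank.verify_transfer(tcode, "CZ-ACCT-1111", 25000)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16s} accepted={accepted}")
```

The binding only protects the customer if the account and amount are typed into the token itself; a code computed from details shown by a compromised PC would authorize whatever the malware displayed.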
Good! You sound like an enlightened and informed person. I have a question then. If a person gives a note of permission (with signature) that a person can use his/her card, are you allowed to accept it? What about permission over phone or if the last names are the same (son/daughter)?
I would assume that there must be some way to allow someone else to use my credit card if I so wished. I often lend money with my credit card to friends with on-line purchases, but what if I want to lend my card to my family?
Well, over the phone no way in hell, it could be anyone on the other end of the line. Actual phone orders are different since they're getting delivered somewhere so we know where you're going to be if you're ripping us off. Having the same last name won't be enough either, it could just as easily be your son or another relative stealing your card, or just someone else with a similar name, and you'd be perfectly entitled to chargeback any such transaction. A signed letter of authority will generally be acceptable, since then we have a signature to prove you authorised the transaction, which is all we'd have anyway even if you were buying in person (at least, I know we accept them for store cards, I've never had someone ask about third party cards but I think it's okay). Of course, I know it's not all that hard to forge a signature, but at least we have something tangible to show the purchase is authorised to prevent people claiming they didn't authorise the purchase down the track, and we can always try calling the cardholder if there are doubts. Of course, these are only the rules at my store, and we even have some wiggle room in applying them (if we want to take the chance on a normally unacceptable authorisation, it's our money on the line).
Currently, many financial institutions turn your check into an ACH transaction. When I pay either of my credit card bills, the check isn't returned to me. It is used as an instrument to authorize an ACH withdrawal from my checking account.
A lot of private businesses are doing the same thing. Something I see a lot nowadays is a check scanner in stores. You write out the check, they run it through a scanner device which scans it, calls home to verify it, and then prints a big "VOID" on it. Then they hand the check back to the customer, right there and then. A small industry is setting up around this method.
Basically it scans the check, gets the numbers off of it. It gets the amount from the register or what have you, does an ACH transaction, gets back a confirmation that it went through, then voids the check. Done deal. You can always tell when this is new to a customer too, as they go "huh?" at first but quickly get used to it.
Of course, my bet is that most of those customers stop writing checks to those stores at that point when they see how much of a waste of time it is. From the store's point of view, that is quite okay too. The vast majority of fraud at a retail store is still check fraud.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Unfortunately, Federal law mandates a limit on transfers and some banks have additional policies and charges for electronic transfers, so this is a bit impractical.
I had the pleasure of learning about this bullshit the hard way.
More information here and here. Call your bank for more info.
"shouldn't the bank have questioned such a large transfer to a republic of the former Soviet Union (these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom)?"
Come on. Latvia is a full member of European Union and NATO. U.S. never recognized its being a Soviet Union republic. It's been out of soviets now for over 13 years. If an online theft case happens via U.S. bank then what, call it a former England, former Spain and former Mexico?
They also signed me up for some balance protection thing, it was a 1% of your balance per MONTH fee. I never authorized them to do it. Long story short, Discover is a bunch of crooks.
Religion is a gateway psychosis. -- Dave Foley
I will drive up to 20 miles one way with a kit of cd's and install linux on your box & spend a couple of hours afterwards drinking (& recycling) your beer
So it *IS* free as in beer? I'm so confused.
paintball
Preface:
Ever since 9/11/2001, the states have taken some righteous blame for the ease with which fraudulent driver's licenses have been issued. Here in the Commonwealth of Virginia, the DMV (Dept. of Motor Vehicles) now requires proof of occupancy in the state before issuing new driver's licenses.
Tale of BoA Ineptness:
I was surprised to find correspondence from BoA in my mailbox addressed to a person I do not know, and who has never lived at my street address. It appeared to contain a booklet of either "starter" checks or else a loan payment book. Within days, a second package arrived that was just like the first one. I returned both back to my local US Post Office with the complaint that the party that the mail was addressed to did not reside at my home. With typical USPS aplomb, this mail was re-delivered to me. (WTF?)
In the same mail, yet another letter from BoA arrived. By the feel of it, it contained a credit card, debit card, or ATM card. I wrote a letter of explanation and complaint and then mailed the entire lot back to BoA's originating address. No news back from BoA. Then 2 weeks later, a CS letter and another "credit/debit/ATM" card arrived, from Dallas, TX this time instead of Houston, TX. Again, I wrote a second letter of explanation and complaint to BoA's 2nd originating address, along with the new letters addressed to my phantom room mate. No news back from BoA -- no letter, email, or phone call.
The next correspondence that I received from BoA was their CS department in North Carolina. I sent yet another cover letter to BoA, along with their latest correspondence. BoA never, ever tried to contact me (no thanks, let alone any mere acknowledgement of receipt).
The final letter I received from them came nearly a month later, also from BoA CS, also addressed to my phantom room mate. My last cover letter back with their CS letter was, shall we say, somewhat rude. Nonetheless, perhaps it was my rudeness that actually got some attention from these flaming idiots.
Identity theft has been (IMHO) partially usurped by "Address Theft" in an attempt by illegal aliens to establish residency required to obtain driver's licenses. I would advise readers of this prose to never leave mail out for pickup by the postman -- drop outgoing mail at the post office or postal box. Also, it wouldn't be a bad idea to purchase a secure (approved) mailbox for your mail.
Times have changed, and not for the better.
My personal opinion of BoA dropped into the basement with this exchange of correspondence, and with BoA's totally clueless behavior. I wouldn't do business with this bunch of clowns, ever, any more than I would respond to an urgent "419" letter from Nigeria.
It is impossible to send a wire transfer (not ach) from the online banking tools. So the issue of his computer being hacked is a moot point. The criminal probably made the transfer over the telephone, and since he had already authorized such transfers, and the criminal presumably presented all the appropriate authorization information, the real question is how on earth he thinks the bank should be liable.
You don't get mad at the lock company if you give someone a copy of the key to your front door and then they use it to steal your TV. The man gave the correct information (the keys to the account) knowingly or otherwise to someone else, causing that person to become an "authorized user" of the account (the definition of an authorized user being one who has all the correct account information).
But even if they get it right away, they may not keep it.
My bank credits some checks to my account immediately, and some 5 or 10 days later. Corporate checks with good security features are always credited immediately. Personal checks with hand signatures are usually not credited immediately, although I did just cash one for $5,000 that did get credited immediately to my surprise, apparently because I already had $5,000 in my account. (And no, it's not still there, paid off the credit card for all you elite hackers looking for cash.)
3rd party checks, 10 days.
What makes banks nervous is 1) When they can't tell if there is money in the account the check is drawn on (personal checks) or 2) they think the check may be fraudulent. That's especially true with 3rd party checks, temporary checks, or checks that just look "funny" to them. If it turns out to be fraudulent, then the other bank is going to come take that money back later, and if you've already withdrawn it and run off, they're SOL.
Remember, money lost to fraud is ultimately paid by the consumer through higher fees or lower returns.
paintball
Visa (I think it's Visa) offers something called "virtual account numbers" which may be similar.
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
I just don't get it. Do wire transfers in the U.S. have no security whatsoever built-in?
I have been using online banking for years now: I have an external chip card reader with a pin pad, an HBCI compliant EC card and an enforced limit on online transactions. Even IF I had a virus/backdoor there should be enough work to do for the attacker to trick my online banking software into doing what he wants, counterfeiting a digital signature (quite impossible) or completely replacing my screen output (quite a lot of work).
Even if I only had PIN/TAN security: 90000 is a sum that's simply not transferable because of the imposed limit of a few 1,000 EUR.
What do these people use? A 4-digit PIN only?
My bank will txt you a code if you want to transfer large amounts of money over the internet. http://www.asbbank.co.nz/netcode/how.asp (They also have a very successful and funny advertising campaign in New Zealand that features an American spying on them and reporting back to his boss in New York.)
If the bank gives an API to your cash, you are responsible for its usage, and they are responsible for making it secure, for correct usage.
The virus basically made a correct usage. I would say Microsoft were to blame.
Think of this. You use an ATM, and you get mugged while using it.
Is this an unsecure API to your cash? They should make each transaction pass a Turing test (CAPTAPTHHP whatever the dumb-shit acronym is) so make automated transactions on human API's less possible.
One time pins that require a human to do something at least.
The bank cannot be held responsible, for one, this guy may be in cahoots with the .ru's, and if not it won't take much imagination for people to have their machines hijacked.
For the bold italic gay comment you are wrong wrong wrong. You do not have to have a virus scanner installed, or a firewall.
There should be a legal definition (not Microsoft's current plight to legally wash their hands of security (their solution)) for software acting as it should, and sale of software should state 'this is secure' and there should be a hierarchical contract of libraries and vendors, and each security flaw should be tracked and the blame assigned.
Outlook isn't vulnerable to worms, it is just a published API that happy programs can call to do anything they want.
A worm isn't a worm if it contains no burrowing code, if it just calls an open API then it is a client.
In today's world it is feasible to write an honest program that makes a mistake, and triggers a large scale problem in a deployed environment, these end in lawsuits, why don't the mistakes Microsoft make end in lawsuits?
The guy is responsible for not being buyer beware. He can blame Microsoft for having an open published API and selling him an OS that does not work as advertised.
You have to have blame in the right places. The bank made their 'correct usage' fair and secure, his correct usage was just fraudulent beyond his control.
If someone stole his laptop, then as far as the bank is concerned, someone stole his wallet.
Buyer beware.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Discover seems to keep pretty close track of my card.
Every time I've placed an order of more than a couple thousand $ from an online merchant, I've gotten a phone call within a few minutes to verify that I still have the card.
I've been called after I've bought gas outside of the area I normally travel in.
They turned my card off once, after a gas pump reported it as a counterfeit due to some sort of read error. (I didn't have my cell phone with me at the time).
I've also had to deal with their fraud department 5-6 times over the past few years, to take care of places that double/triple charged me for things, and every time (even for a double charge on a $5k server) I had no problem getting the charge taken off.
"So when are all the diehard M$ fans finally going to get the message"
About the time there will be a real alternative to it.
Fact is, most people aren't really "fans" of any one OS. No one except the Linux fanboys (been one myself, believe it or not) actually gives a damn about the _OS_. It's like having a flame war about whether brown seat covers are more evil than blue seat covers in a car. It's that stupid.
The OS is just a necessary evil you need to load the _applications_. _That_'s what matters. Most of us could live just as happily without an OS at all, if the apps could be loaded otherwise. No, seriously. The OS is just a necessary evil, no more.
So until Linux actually starts having some more useful apps, it's just not a competitor. It doesn't matter how good the OS is.
So the sad choice really is, do I:
A) get Linux, spend weeks coaxing Wine/WineX/CrossoverOffice into running each program. And recompile half the .so libraries on the system in the process. (And don't even get me started about what that means if that app is a copy-protected game _and_ you have an ATI graphics card.)
B) get Linux, spend weeks learning some half-arsed dysfunctional equivalent to even the most common apps, or
C) Get windows.
Took me about two years of messing with Linux (and ranting on newsgroups about how the evil MS will never again see a cent from me) to realize that I was in fact increasingly often giving up and taking route C. Which is to say, booting my Windows partition.
"And I do tend to stay up with security fixes unlike the windows sheeple who's probably running a windows box with a generated serial number"
Ah, the usual "if they don't want Linux for free, they must be running a warezed version of Windows" fallacy. How refreshing. I hadn't read that fallacy in, oh, about two days, and was starting to get withdrawal syndrome ;)
Reality is more complex than that. Even by BSA statistics -- and BSA is _paid_ to cry wolf and exaggerate -- piracy isn't _that_ wide spread in the Western world. The fact is, like it or not, most of us have knowingly paid for Windows.
In my case, I can even tell you why I went back to it. Because, as they say, "Linux is for free only if your time is worth nothing." Dunno about you, but if I put even a minimum wage price on my time, Windows has practically paid for itself by now.
"There's no way in hell a windows box can survive long enough to grab and install all the fixes when its been re-imaged by the distribution cd that came with the machine."
Again, yes, there is. Go to the TCP/IP properties, tell IPSEC to allow only outgoing connections. It's been built in at least since NT 4.0, maybe earlier.
No, it's not a full-featured firewall, but it will keep you safe enough while you download the patches.
And here's the fun part: it takes less time than whining about how Microsoft sucks. Now it may not be as fashionable as whining about MS on Slashdot, but it will keep your computer safe.
A polar bear is a cartesian bear after a coordinate transform.
You think that's bad?
Here in the UK, real-life stores are moving to a payment system called Chip and PIN. The idea is that instead of signing the receipt when you pay for your goods, you will enter your PIN {the same one as used for hole-in-the-wall machines} using a small, hand-held keypad. Your bank card will include a "smart card" chip, which is supposed to make it more difficult to forge than the old-fashioned magnetic stripe {at least, until more people become aware of smart card development kits ..... after all, if the banks can make smart cards, so can the fraudsters}.
The problem is that this system, while it might have a temporary impact on the use of forged cards, is not at all secure against physical theft of the real card. At least with the signature system, you have a grace period as long as it takes for someone to learn to forge your signature convincingly before anyone can get at your account. If you notice your card is missing, you can hopefully report it before anyone has learned your signature {about an hour or two in my experience}. With Chip and PIN, anybody can steal your card and use it to pay for goods. It isn't hard to spot someone's PIN being typed {people who aren't used to the system have even been observed to say it out loud to the cashier}, nor does it take long to persuade a person to reveal a PIN if you hold a blade to their throat.
The traditional problem with this kind of intimidation-based robbery has been that H-I-T-W users are photographed; and if some account holder appears to have had a head transplant, someone somewhere will want to know why. Shops and filling stations probably have their own CCTV systems -- nobody is ever out of sight of a camera in the UK, except maybe in their own home and even then only with the curtains drawn -- but their arrangements are almost certain to be less formal than the banks' ones, and getting access to a third party's CCTV footage means more bureaucracy.
The real benefit is that human beings -- specifically the cashiers, who previously had the responsibility to decide if a signature was valid -- are taken out of the loop, so there is one less person to blame if {when} a fraudulent transaction does go through. This of course mainly benefits the banks. Someone will end up paying for all these false transactions, and in all likelihood it will be the cardholder {who has no way to prove the transaction was not legitimate} and the store {who won't be paid by the bank because they can't prove the transaction was legitimate}. This is the short-term future of card crime in the UK: many independent small-time operators. Get a card, purchase a few high-value-density items {cigarettes, cosmetics, designer clothes}, ditch the card, rinse and repeat. Of course, once somebody works out how to forge smart cards, the paradigm will shift again, back in favour of crime bosses.
Anyway, it's back to cheques for me. At least there is a reasonable audit trail backed up by a signature.
Je fume. Tu fumes. Nous fûmes!
if not all of it.
The crooks didn't get away with all the money. $70,000 was frozen in the receiving bank account.
BoA has basically done jackshit to help him get the money out of the frozen account.
I never remember signing anything that authorized the bank to make unauthorized withdrawals from my other accounts in the event that there were insufficient funds to cover a check.
Mea navis aericumbens anguillis abundat
I can't figure out why the OFAC, Office of Financial Account and Controls, list didn't catch this transfer first.
Possibly because, as this guy ran a business and often used wire transfer to move money about, the sum involved wasn't unusual enough to get picked up.
The list matches the "known terrorists" phonetically to customers of the bank
It appears that the fraudster was fairly bright and so they probably set up an innocuous sounding account at Parex which wouldn't ring any alarm bells.
I'm not saying the bank shouldn't have noticed but I don't think it's reasonable to assume that they are definitely at fault here.
My bank in New Zealand has just started a similar system for transfers to user-specified accounts. If you transfer > NZ$2500 (US$1500?) a day they will do the SMS thing. See here for more information on how it works.
The recent rise of money laundering operations in Latvian banks recently have been stated as one of the most important issues to be resolved, what, actually, isn't that simple, because Latvia is very popular money transferring facility for legitimate Russian and Asian businesses. In fact some of our banks have cancelled their relationships with more suspicious banks abroad, exactly due to this reason.
And as for online banking security ;) No problems with passwords here. Each bank uses slightly different, but efficient three-level authorisation system. Including keypads, challenge/code generators and similar nifty solutions.
And as for losing the money - give me a break. We are a European union country, so, of course, we are quite capable to cooperate fast & efficient with law enforcement in such cases. Even in this case - the criminal actually got only 20000 usd, the rest (70'000) currently is frozen, and of course, will be transferred back as soon as situation is clear (and the small amount of loss is just because we have a law that you cannot withdraw or operate with money amount exceeding ~9'800 USD without proper passport ID authorisation)
everyone is responsible in their own way. The victim is responsible because he shouldn't have been such a complete moron as to leave open the possibility that someone he doesn't know could initiate a transfer in his name. The bank holds some of the responsibility because on a transfer that large, they should have expended the effort to check it out in more detail. But please don't forget that by far the greatest portion of the blame falls on the jerk who actually stole the money.
All this is assuming that the guy didn't actually make the whole thing up to try to make a buck, in which case the first jerk and the third jerk are the same jerk, and the bank's complicity is still relatively small.
Unfortunately such a scheme would be doomed to failure (for the vast majority of the population) because it would be "too much trouble". Everybody likes things to be as easy as possible ("one click ordering" for example) and this would just make it twice as difficult to shop online.
I'd say that online shopping is about as secure as it needs to be, given the current level of fraud. Anyone who is concerned about the security of online transactions can take some very simple steps (like not using Windows :-) ) which will negate most of the risks involved.
The problem is that too many people are unaware that there are risks associated with online anything and those people will continue to be caught out by spam/viruses/trojans etc. etc. etc.
Hey, everybody. "Pin number" is redundant. What you're actually saying is "pin number number."
You're wrong. "PIN number" means "personal identification number number", not "PIN number number".
If "PIN number" means "PIN number number", like you said, then that in turn can be expanded to "PIN number number number", which in turn means "PIN number number number number", which means....
We have an infinite loop.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
There are a few banks which have had to go thru the "outside the US wire transfer" headaches with their clients and have already set up A SEPARATE BANK DEPARTMENT FOR WIRE TRANSFERS. So that if your account has a request for a wire transfer to ANYWHERE for ANY AMOUNT, the bank won't allow it unless you talk to them and clear all the guidelines (and they'll hang up on you and walk away from you if you don't have even one of the many access codes or securities they assigned to you when you signed up with them) with them first proving you're you and that you're allowing this. Yeah, it's a headache with clients because they get frustrated with all the fences they have to climb, but in the end, the banks that take this type of policy rarely if ever lose $$$.
This is what I'm saying about banks/businesses with great security. Those banks or other businesses with great security will continue to gain clients and those without will lose clients or get sued. It's difficult to be a cheapskate with security and it's difficult to do business with cheapskate businesses with bad security.
Yeah, it's the client's butt on the line because he didn't treat his computer like the computer was his bank, but on the other hand, it's pretty obvious the bank dropped this one. I sure wouldn't want to hold any of my $$$ with his bank.
More than likely, this bank like all the other remaining banks will have to develop fast SECURE policies regarding wire transfers also.
* weedshare.com 50% to artists, webjay.org iuma.com CDBaby.com Epitonic.com ampcast.com
Although your bank doesn't seem to support this firewalling through their software, you can always use hardware firewalling of your bank account. It involves the acquisition of a rather large axe and visiting the party involved in the transaction.
8 of 13 people found this answer helpful. Did you?
Unfortunately, the banking industry right now has no sense of responsibility. Part of the reason for this is various insurance schemes like FDIC which make it easy for banks to write off fraud. For instance, there is no mechanism in place right now that provides security against unauthorized drafts. Any schmoe with a debit card machine and a ripper can empty your account, and there is little your bank can or will do about it without you directly threatening them. Even then, they only refund your money less the transaction fees, which can amount to 5%. Consumers need to put pressure on their banks to come up with a system which allows consumers to recall drafts, block drafts from unauthorized individuals, or institute lists of authorized drafters for reliable online billpay.
As was pointed out before, a bank is expected to be a bit more security minded than that.
E.g., the bank my money is at, first of all needs all online transactions to be validated with a one-time number. You get a pad with maybe 100 such numbers, and each can be used only _once_. That number is thereafter recorded as invalid and can't be used again.
And, oh, you can't do a brute force attack through all combinations either, because after the third failed attempt they lock the account.
So even if someone recorded your keystrokes, and even if they had complete remote control of your computer, they'd have a pretty damn hard time impersonating you and transferring money out of your account online. (Which is what happened to this guy.) Even if they recorded one such single-use number, they can't use it.
There is also a limit on online money transfer per day and per week. They can set it higher or lower for you, but the safeguard exists. _And_ there's a limit on how far below zero the account can get. There is no way in heck someone can just transfer 90,000$ out of my account in one go.
See, that's what real security is about. Thinking _how_ can you prevent something from happening, even if you live in an imperfect world. In fact, _because_ you live in an imperfect world.
E.g., that one-time pad is there precisely _because_ someone might record your keystrokes.
Shrugging and blaming the victim ("If the victim in this case used Microsoft Windows, with all its well-known and well-publicised security flaws, he only has himself to blame.") is the nemesis of security. That-a-way lies just madness and making a piss-poor product.
A polar bear is a cartesian bear after a coordinate transform.
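The safeguards described in the comment above (single-use numbers, lockout after the third failed attempt, a per-day transfer limit), as an added sketch that is not part of the original thread and not any bank's actual code. The class, method and result names are hypothetical, and resetting the failure counter on a valid number is an assumption the comment does not state.

```python
import secrets
from datetime import date


class TanGuard:
    """Single-use TAN check with lockout and a per-day transfer cap (illustrative)."""

    MAX_FAILURES = 3  # the comment's "third failed attempt"

    def __init__(self, tans, daily_limit):
        self.unused = set(tans)      # numbers from the printed pad, not yet spent
        self.daily_limit = daily_limit
        self.failures = 0            # consecutive bad numbers (assumption)
        self.locked = False
        self.spent = {}              # date -> amount already transferred that day

    def authorize(self, tan, amount, today=None):
        today = today or date.today()
        if self.locked:
            return "locked"          # stays locked until the bank intervenes
        if tan not in self.unused:
            # Unknown or already-used number: a replayed keylogger capture lands here.
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.locked = True
                return "locked"
            return "bad_tan"
        # Burn the number before any other check, so it can never be
        # replayed even when the transfer itself is refused.
        self.unused.discard(tan)
        self.failures = 0
        if self.spent.get(today, 0) + amount > self.daily_limit:
            return "over_limit"
        self.spent[today] = self.spent.get(today, 0) + amount
        return "ok"


def make_pad(n=100, digits=6):
    """Generate a pad of n distinct random numbers (constructed sample data)."""
    pad = set()
    while len(pad) < n:
        pad.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
    return sorted(pad)
```
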
I never remember signing anything that authorized the bank to make unauthorized withdrawals from my other accounts in the event that there were insufficient funds to cover a check.
What you're describing is the bank's right of set-off, which I understand most financial institutions claim--it's buried somewhere in the fine print of your account agreement. (Actually, I'm not as familiar with U.S. banking law; is set-off just assumed?) This has been around for a long time; it didn't show up with the invention of computers. (See for example the 1913 case American National Bank of Nashville v. Miller, which refers to this right). They can, at their option, draw upon your other accounts to fulfill unsatisfied debts.
I expected them to bounce the check, or have a human examine it and recognize that the written amount of the check was a tenth of the amount indicated by the MICR.
They may well have believed they were doing you a favour. Rather than bouncing your check and embarrassing you in front of your creditors, they let it through because of your generally good credit behaviour. As for hand rechecking the amounts, someone already saw the physical check once and goofed. It was a human being that misread the amount of your check, not a computer. The electronic bits--the MICR routing to your account and so forth--worked properly. Even if your bank instead waited for all checks to arrive at the local branch for processing, you can still have the clerk who makes a typo/calculating error/other mistake, and you get the added bonus of waiting two weeks for checks to clear.
Banks made numerical errors long before electronic computers. The boardgame Monopoly was first sold in 1935, and it has a "Bank error in your favor" card for a reason.
~Idarubicin
The implications of this assertion make me shudder.
If you did have a case to sue someone because you were too stupid to secure your computer properly, wouldn't it be the manufacturer or the retailer?
Why not get a Mac?
I use a PC, but for my kids and wife, they have a Mac, and there is never a problem.
Windows is fine, but you have to be pretty technically savvy in odd ways to use it.
I can see why people would think that the bank should have checked with this guy before they wired so much money out of the country, especially to Eastern Europe. But on the other hand, if I ordered an urgently-needed wire transfer of a large amount of money and the bank refused to do it because I wasn't conveniently available when they tried to contact me for verification I would certainly be pissed, and might sue if their refusal to transfer the money seriously hurt me or my finances badly enough.
I searched and didn't find one reference to Sarbanes-Oxley, Gramm-Leach-Bliley, or PATRIOT Act in any of the responses. Without knowing the whole story, this guy would appear to be S.O.L. Electronic payment systems are run thru the federal clearinghouse system. Some methods, such as wire transfers, have a 24 hour life. Other methods, such as an electronic payment, have somewhere between 30-60 days.
The only person who appears to have screwed up in this case is the account owner. Now, if the financial institution actually had a policy in place to contact their customers in this eventuality and they didn't contact him, then they are at fault. However, they are not required by law to have such a policy and it is strictly a courtesy.
As a former financial institution examiner, I have a bit of familiarity with these laws so I qualify my statements above with this, "IANAL. Do not rely on my experience to be the final answer. It behooves you to understand the law and your responsibilities in respect to maintaining/guarding your account."
Start reading here for the real stuff. They even list the idiots who thought they could get away with fraud while working at a financial institution. Makes for entertaining reading how stupid some of these people are.
http://ncua.gov/RegulationsOpinionsLaws/index.h
http://ncua.gov/administrative_orders/Admin/200
I'm good with numbers -
Bah, I bet you're gonna say their story that "Bin Laden filmmaker sues Michael Moore" isn't true either.
I don't know what kind of bank you go to buddy but I can guarantee that BoA does not take 5 days... only @ either 12:00am or pm the next day
In this case several people are at fault...
1. the user
for not running AV, a firewall, and exercising safe surfing habits.
2. the pc vendor
for not setting up a user account for the user, which if properly done, won't allow software to be installed.
3. microsoft
for making it all so damned easy
4. the bank
for allowing an uncharacteristic transfer of funds to a foreign country without checking with the bank customer. This is a big no no and they should have caught it, called the customer, and asked if it was legitimate. My bank does this for all fund transfers over $500 to a single destination in a single day.
Not only that, the bank should contact the foreign bank, report the fraud and insist that it be taken back out of the thief's account.
I don't blame the guy. He won't win the court battle against the bank, because he probably doesn't have enough money to beat them, but he is right and is entitled to be reimbursed. As always it's not who's right, it's who has the most money for the best lawyers, who wins.
l8,
AC
have a human examine it and recognize that the written amount of the check was a tenth of the amount indicated by the MICR.
... I did not expect them to program their computer to grab the money from my other bank accounts, and worse, not notify me that they had raided another account.
A, single, human did examine it. Very quickly, in a data processing center where you processed the check, and where an error is easy to crop in.
Checks are typically hand-written, and you can't reliably OCR handwriting on the scale of check processing.
I expected them to bounce the check
So, you expected your bank to cause you to commit a federal crime rather than simply apply the debit against other funds they hold in your name?
You should have simply looked into it. It's common sense that if I owe you $100, and you're short on contributing money towards our $50 order of pizza, I'll just take your share from the $100 you owe me. Why would you think the bank would do any different?
(And did you even look at your bank statement?)
Reading the US State Dept travel advisories is like reading the mind of a paranoid person. Basically every country in the world is described in pretty negative remarks in these travel advisories. Check out the description of the crime situation in Canada:
Okay point taken, some of entries in there are pretty crazy I'll admit (and I agree it is pretty Fox like), though the issues specifically acknowledged which was my only intent.
I don't want to imply it's a place where thar be dragons. However, I don't see why it's not exactly the same proportion of the population as in many of the neighbouring countries, or other east European states, because as I see it the problem is entirely economic. That said would agree that Romania is responsible for a huge proportion of online fraud I've seen from European destinations.
i.e. The people are not very wealthy by the standard of western countries not that far away. In truth, the difference is quite disproportionate (due of course to government mismanagement that lasted for many decades, not just specifically in Latvia but in the region as a whole, which obviously hurts Latvia too). And of course, where there is such a gross disparity in wealth, there is inevitably crime (as there is between poor and wealthy neighbourhoods in towns and cities).
But, they are well informed and know how wealthy they could be. They also have the equipment and the knowledge to commit the online crime. I'd imagine that fraud, especially online fraud, is a much easier type of crime to fall into than others too.
PS: Just out of curiosity -- are you from the UK?
I am yes. It's probably much more noticeable here as we do so much more business than even France or Germany online and more than most European states put together. Though it is hard to see that remaining the case much beyond the next decade or so, by then I think integration between the EU countries will resolve problems of internal instances of fraud (both by increasing the spread of wealth, and through tighter integration of law enforcement bodies).