Who's Really Responsible In Online Banking Fraud?
TheRealStyro writes "According to this article a Miami businessman is suing a bank because of a fraudulent fund transfer possibly caused by the coreflood virus/trojan. He claims the bank is responsible because the bank failed to protect him from known online banking risks. It is obvious that this guy should have had an anti-virus package active, but shouldn't the bank have questioned such a large transfer to a republic of the former Soviet Union (these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom)?"
Have you people ever been to Latvia (the country in question)? It is by no means a country of "villainy and hackerdom", it is a member of the European Union, for God's sake! I sometimes have the feeling that many /. readers are still in the Cold War era with their mindsets. Even the article mentions how Latvia is "known" for its "cybercriminals" (and Latvia, mind you, is a very small country, compared to behemoths like Russia or Ukraine, where the real bulk of "cybercriminals" from the ex-USSR resides).
PS: And, yes, if you're wondering, I come from one of those "notorious" ex-USSR republics (Moldova to be more precise).
Doomie
My UBS account has a challenge/response system (needs a special calculator and account-specific chipcard).
Which makes the system pretty useless in real life.
My bank has a simple userid/passwd that allows me to use it from almost any computer anywhere - but - it has a monitoring system that checks for anomalies, much like American Express.
My bank will allow me to pay my rent from a Thai Internet café, because it knows I usually pay the rent to the same person every month.
But it will not allow a Ukrainian withdrawal of $2 M USD.
This is way better than "in Switzerland the bank forces you to be safe with tons of rules and regulations".
And, by the way, I'm using a Mac.
That is quite normal. A few years ago, a friend of mine's mother is a doctor with her own practice. She uses her Visa for business purchases, mainly large transactions $1000+ and had been doing that for over a year. One time my friend needed some money for gas so his mom just gave him her credit card. He went to Safeway, bought gas and then went in to the store and bought some snacks for his trip. The same day, his mother got a phone call from the credit card company asking if she was missing her credit card. They noticed that my friend's purchases were out of pattern and thought that someone stole the card.
When thieves steal a card, they usually make a few small purchases first to test it out before sucking the card dry. Visa was quick to act on this to prevent theft. It is in their best interest to do this. That kind of action is very normal.
Never let your sense of morals prevent you from doing what's right. --Isaac Asimov
Maybe PayPal should be in charge.
Me: Hello PayPal, someone cracked your systems and stole my balance.
PayPal: Oh really? Tough Titties! *click*
That's not what PayPa1 would do. They'd suspend your account and the accounts of anyone who has ever transferred funds to, or received funds from your account. There would be no way to talk to a representative, as they do not publish telephone numbers and only autoresponders are "manning" the email server. Should a human-like creature ever interact with you at any point in the exchange, it will be to inform you that, 1) you will never get your money back, 2) your account will remain suspended until Jesus and all of his disciples personally send notarized letters vouching for your innocence, and 3) that they have already faxed your account and personal information to a Russian law enforcement agent who contacted them a day before the alleged theft occurred.
Here come da fudge!
Unfortunately, at my credit union each account held by a particular person is only different by 1 character. So if they've got my escrow account number they can figure out the rest.
Banks take 1 - 2 days to receive funds from other banks received through the Fed. The NSF process gives the other bank an additional 48hrs to stop payment on the check and demand money back. Five days is a reasonable amount of time to protect the bank from losing money that hasn't fully cleared yet.
When Check 21 is fully in place, you are correct. There will be immediate availability of funds.
Many people will be hurt by this, as it removes any buffer that they are used to dealing with for writing checks to pay bills that take several days to clear.
However, the vast majority of check monetary transfers are going to happen through the Federal Reserve system or regional clearinghouses for a significant time to come.
Currently, many financial institutions turn your check into an ACH transaction. When I pay either of my credit card bills, the check isn't returned to me. It is used as an instrument to authorize an ACH withdrawal from my checking account.
Banks are in business to make money. They don't make money by letting people abuse the time it takes transactions to clear through the Fed or clearinghouses to write bad checks.
If you want your money ASAP, cash the check and then deposit most of the cash. Assuming you are an account holder in good stead, you should have those funds available to you immediately, or utilize direct deposit.
This is because several Aussie banks have been burned by the wired money scam.
It goes like this...
Order comes from dodgy part of the world. The client is told that company won't take credit card payments from that country. Client says "ok, I'll wire the money" and wires in the amount. Client wires $1000 to company and $10 to his cousin who is in the country and has a bank account with the same bank. Money is in company's bank account so the goods get shipped. As soon as the FedEx tracking system says it's out of the country the client then goes to their bank and says there must be a mistake since their cousin didn't get their money. International banking rules allow backing out the transaction and the cash disappears with the goods.
The electronic payments within the US (possibly CA also) are handled via a system called ACH (automated clearing house). With ACH they could indeed hit your account such as that. But the ability to inject ACH debits usually requires a cooperating bank in the US (who recognizes the organization generating the electronic debits). Typical examples are mortgage payments, insurance companies and PayPal.
For foreign transfers (such as the one talked about here), this most likely happened via SWIFT-wire. With SWIFT-wire I do not believe it is possible to pull money (i.e. via an electronic debit). The transfer has to be pushed from the sender. So my guess would be that the cybercrook here gained access to the computer (owned by the person who lost the 90K) and faked an online transfer request. Maybe the guy has always-on DSL or cable and leaves his system powered up 24/7.
At least that's my perception of what happened here. In the case of ACH fraud, I think the FBI could come down hard on the receiving bank, and whoever generated the fraudulent debits. With SWIFT-wire, it's a whole different set of rules when crossing national boundaries.
This msg is brought to you by the letter 'W'.. for Worthless Wuss
This kind of thing is easily preventable by issuing a SecurID or SafeWord tag to people. True, it will cost money, but it's comparatively cheap considering the alternatives.
Some banks in Europe have been using SecurID for years. Why don't we use them here?
Need Free Juniper/NetScreen Support? JuniperForum
Maybe you're British, where an ATM card can buy you anything you want with just a poorly forged signature. Here in Australia you have to have the PIN number for an ATM card to be of any use to you, and even then you'll only get $500 a day from it.
How we know is more important than what we know.
Basically the latter. FDIC provides insurance up to $100M on DEPOSITS! Not authorized debits. And YES, this was an AUTHORIZED transfer from the Bank's standpoint. This guy is at fault for not taking adequate protections to secure his own account.
This was a wire transfer, rather than typical consumer service like online bill payment.
I suspect that this customer has a commercial banking account and is using commercial banking services. For instance, see this URL:
http://www.bankofamerica.com/deposits/checksave/index.cfm?template=lc_faq_wire#question2
There's no mention of online wire transfers.
Also, at the top of the page you cited, it says:
Online Banking Guarantee
For Consumers and Sole Proprietors
As far as I can tell from the linked Symantec information the virus turns your computer into a DOS zombie controlled over IRS. It doesn't say anything about installing a keystroke logger. The Secret Service investigation is not claiming that the virus was behind the fraudulent transfer. It simply noted the infection as a fact of the investigation.
According to the article Mr. Lopez frequently makes wire transfers (albeit not to Latvia), so I'm not sure why everyone is leaping to the conclusion that this was done by clever cyber criminals and not business associates, customers, or bank employees. It may very well be, but the article contains no evidence to support the claim.
Supermarkets in the US have credit/debit terminals where the customer swipes the card themselves and often even signs electronically. The card holder's name might appear on the register where the cashier could see it, but they seldom bother to read it, and they practically never check the card for small purchases.
If a job's not worth doing, it's not worth doing right.
What happened to this guy is wire fraud, someone pretended to be him and authorized a wire transfer from his account. Wire transfers are sender initiated only. Nobody can contact the bank and take money by wire, you contact the bank and send money by wire.
What you are thinking of with PayPal is direct debit, probably via ACH. This is a US only thing and works differently. It's a network of banks, employers and merchants that is watched over by the federal reserve. Using this yes, someone can pull money from your account. However as per their ACH contract, and federal law, they must have permission to do so. If they don't, you file a fraud complaint and contest it.
Just such a thing happened to my friend. He had been with a hosting company for some time, one with an actual signed contract. When it was up, he canceled it via fax notification. All was fine until a few months later, when they automatically withdrew all the canceled months' worth of payments. They had a bunch of BS claims about the contract not being canceled and autorenewing and so on. So he contacted his bank and filed a fraud complaint. They put the money back in his account immediately as a temporary thing while they investigated. He sent them a copy of the contract, and of the letter he sent canceling. After a bit more investigation, the bank decided he was right, made the credit to his account permanent, and went after the hosting company for the money.
So with ACH, there's really very little to worry about. Yes, a company you've never heard of on the network could technically clean out your bank account for no reason. However you'd have the money back in less than 24 hours of filing a complaint, and a few months later they'd all be doing time in federal prison.
The reason in this case the bank is refusing to help the guy is because it wasn't ACH, it was a wire transfer. Wire transfers are very different. A wire transfer would be what you do at Western Union: You pay a company to make funds immediately available to another party of your designation. The company then worries about actually shuffling funds later, your designee can get the money immediately. With large ones, it can be done directly bank-bank.
So that's what happened here, someone broke in to his computer, and authorized a wire transfer from his account to another one. From the bank's perspective, they did everything correct. They received proper authorization for the transfer and made it. It would not have been initiated had someone with the proper credentials not requested it.
So the bank believes they've done what they should do. That his computer got hacked isn't their problem. Now we'll see if the courts agree.
Beware! My checking account was grossly overdrawn, due to a clerical error in MICR encoding the amount of a check that I had written. Without asking me, Bank of America took the funds from another account of mine to cover the check. I found out about it when I received my next statement. They eventually restored the funds to my accounts. I no longer do business with Bank of America. They let their computers make all the decisions. It was only when I complained that humans got involved.
Mea navis aericumbens anguillis abundat
They'd suspend your account and the accounts of anyone who has ever transferred funds to, or received funds from your account.
What utter nonsense. If Paypal suspended the accounts of everyone who ever interacted with a fraudulent account, they would be killing off a lot of perfectly good customers. I have never seen any evidence of any kind that this kind of thing takes place. If they feel another account is closely related (like an alias used by the same person) then they may kill it, but otherwise this would be an insanely stupid thing to do. Some people conducting fraudulent activity with Paypal transact with thousands of people before they are caught. In most of these cases the buyers did nothing wrong except by letting themselves be duped. If Paypal killed all of those accounts, their business model would die fairly quickly.
There would be no way to talk to a representative, as they do not publish telephone numbers
If you actually took the time to visit their contact page instead of spewing more uninformed rubbish, you would have found that their contact number is 402-935-2050.
I'm not saying Paypal is without problems. Clearly they have their share. But at least make some kind of minor effort to get your facts straight.
On the whole, east European countries, including Latvia, are notoriously dodgy and a common source of online scams. I've worked with online transaction systems here in Europe that regularly block transactions of any kind to IPs or addresses in these destinations. It's actually quite common (and often used on a 'rating' system to determine the likelihood a transaction is fraudulent, much in the same way SpamAssassin works to rate emails as potential SPAM).
Again, that's even here in Europe, because it's quite clear to companies here how much of a problem it is, even if those states are EU members now (a status they were only granted less than a year ago I might add, and they still do not yet have equal status as I recall, in a move to prevent 'brain drain' from people flooding from poorer ex-Soviet countries to west block countries).
Searching for 'crime' and 'Latvia' (something I did to help illustrate the point) shows on the first page of results from Google that the US Department of State has even issued a travel notice for all US citizens going to Latvia. The state.gov web site says among other things:
"Internet crime is a growing concern in Latvia. Common fraudulent schemes involve both Internet auction sites and Internet job search sites. In the first scam, criminals offer valuable items for sale at low prices on Internet auctions and request that payment be sent by wire transfer to a bank in Latvia or though a fraudulent escrow site that they have created themselves. In this scheme the money passes through a bank in Latvia and is quickly withdrawn by ATM or transferred to a bank in another country. It is very difficult in these cases to discover the identities of the account holders or recover the funds.
The second common scam involves identity theft through false job offers. In this scheme, a company claiming to be located in Latvia, but which has a non-existent address, offers the victim employment as a U.S.-based agent or freight forwarder. When the victim responds to the job offer, commonly posted on one of several popular internet job sites, a Social Security number and other identifying information - needed for the identity theft - is required under the guise of conducting a background check."
Just because it's a small nation, doesn't mean it's not notoriously dodgy - it is, and it is known for online fraud as well as quite a few other types of crime (people trafficking being another that springs to mind). So as a European I'd have to say I agree with the article and think it's accurate in its assertion.
I see idiots like this guy all the time. 'No I don't want to pay for Antiviral, Antispyware, Firewall, Backups, etc'
With all due respect for the Windows sheeple (not too much mind you), anyone who gets caught in such a sorry web and loses their collective asses in such a deal is only really proving the old adage that PT Barnum was fond of quoting.
"there's one born every minute"
Well, I don't pay for AntiViral, AntiSpyWare stuff. I don't need them, (generally speaking) with Linux. In 8 years of running Linux, I've seen one box rootkitted, we rebooted it, installed the fix, and cleaned it up, its next reboot was 9 months later when a power outage outlasted the UPS. And I do use a firewall, and I do make backups every night.
This small 2 to 3 machine home system has only had 2 access attempts that actually got thru the router to my firewall, to get logged and shut down in the last 2 years! And guess what? Both attempts came from my assigned DNS server, owned by Verizon and presumably running some sort of Windows DNS server. Because that address was known, it got past the router & its NAT. And that's as far as it got, stopped dead with one line in the log to indicate it happened.
And I do tend to stay up with security fixes unlike the Windows sheeple who's probably running a Windows box with a generated serial number that would probably bounce if he tried to dl the latest patches from Redmond. That actually doesn't seem to make a hell of a lot of difference, I was reading a message from someone yesterday that had just got thru re-imaging the drive on his sister's computer because it was full of crap and it was infected again less than 45 seconds after completing the boot sequence with the network cable plugged in. There's no way in hell a Windows box can survive long enough to grab and install all the fixes when it's been re-imaged by the distribution CD that came with the machine.
So when are all the diehard M$ fans finally going to get the message, and start a class action suit to recover their piece of the estimated 22 billion dollars a year that the M$ poor security was estimated to cost the public?
Seems like a hell of a good question to me.
That said, I don't want to hear about how good M$ is, or field any flames, they'll be deleted from my mailbox after I read enough here to get the tone of the message.
BUT, I will drive up to 20 miles one way with a kit of CDs and install Linux on your box & spend a couple of hours afterwards drinking (& recycling) your beer, and answering as many questions as I have the knowledge to answer. And I'll leave my phone number in case something else needs an answer. That isn't saying I've got the answer, but chances are I know a place to go looking for the answer.
How's that for a deal?
--
Cheers, Gene