Slashdot Mirror


Who's Really Responsible In Online Banking Fraud?

TheRealStyro writes "According to this article a Miami businessman is suing a bank because of a fraudulent fund transfer possibly caused by the coreflood virus/trojan. He claims the bank is responsible because the bank failed to protect him from known online banking risks. It is obvious that this guy should have had an anti-virus package active, but shouldn't the bank have questioned such a large transfer to a republic of the former Soviet Union (these republics having gained the unfortunate notoriety of being dens of villainy and hackerdom)?"

9 of 463 comments

  1. Re:virus software? by SilentChris · · Score: 4, Insightful

    Good point. If someone tricks me into giving them my ATM card, how is it the bank's fault? It's essentially the same thing.

  2. Strong Authentication by markus_baertschi · · Score: 5, Insightful

    Over here in Switzerland all banks use a strong authentication scheme to make sure only the owner of an account can get in. My UBS account has a challenge/response system (needs a special calculator and account-specific chipcard). My two other banks use a one-time pad where the same code is only valid for a single login. When the old pad is almost finished they just send a new one.

    Simple passwords are just not safe enough on the internet. Unfortunately in the real world the real joe user is just not able to make absolutely sure that no cheating is going on.

    The banks should at least take a part of the blame if they are too lazy to implement something safe.

    Markus
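Added example, not part of the comment above or of any bank's system: server-side bookkeeping for the single-use code list that comment describes, where a code works for one login only and a new list goes out when few codes remain. The class name `OneTimeCodeList`, the 8-digit code format, the HMAC-SHA256 tags and the reissue threshold are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class OneTimeCodeList:
    """Server-side state for one customer's printed code list (hypothetical)."""

    def __init__(self, server_key: bytes, reissue_at: int = 2):
        self._key = server_key          # assumed to live outside the code table
        self._reissue_at = reissue_at   # assumed threshold for mailing a new list
        self._unused = set()            # keyed tags of codes not yet spent

    def _tag(self, code: str) -> bytes:
        # Keyed digest, so the stored table alone does not reveal short codes.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, size: int) -> list:
        self._unused.clear()            # a new list invalidates the old one
        codes = []
        while len(codes) < size:
            code = f"{secrets.randbelow(10**8):08d}"
            tag = self._tag(code)
            if tag not in self._unused:  # skip the rare duplicate
                self._unused.add(tag)
                codes.append(code)
        return codes                    # this is what gets printed and mailed

    def needs_reissue(self) -> bool:
        return len(self._unused) <= self._reissue_at

    def login(self, code: str) -> bool:
        """Accept each code once; a replayed or unknown code is rejected."""
        tag = self._tag(code)
        match = None
        for stored in self._unused:     # compare every entry in constant time
            if hmac.compare_digest(stored, tag):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)     # burn the code before granting access
        return True


if __name__ == "__main__":
    bank = OneTimeCodeList(secrets.token_bytes(32))
    first = bank.issue(5)[0]
    print(bank.login(first), bank.login(first), bank.needs_reissue())
```

A code recorded during one login is useless for the next one, which is the property a static password lacks.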

  3. Restating the Obvious by justzisguy · · Score: 4, Insightful

    So what happens if I use an old analog-style wireless phone for my banking and someone with a portable radio overhears my conversation and intercepts my account information? Is the bank still responsible for the breach of security? Due diligence on the part of the consumer is expected in all sorts of other areas of life. If my car is stolen because I left the doors unlocked, I don't get to sue Honda because it should have warned me, even though they *knew* about the problem.

    Also, the man regularly initiated international wire transfers, hence no fraud alert triggered.

    The old adage still rings true; a fool and his money are soon parted.

  4. Lack of proactive measures indefensible by coyote-san · · Score: 4, Insightful

    What annoys me the most about these stories is that there's no way for the customer to take proactive measures to disable problematic services. Maybe the default is to enable online banking, but I should have the right to tell them to disable that service and not honor any request through it unless and until I show up at a branch office with appropriate identification.

    The worst example of this was a former bank (emphasis on "former") that unilaterally disabled all existing ATM cards without warning. But not to worry - our spanking new debit cards should have already arrived, together with the new PIN number in a separate mailing.

    As if that's not bad enough, this was back before debit cards had fraud protection. If somebody cleared out your checking account that was it - that money was gone.

    I immediately cancelled my account. The drone assured me that my funds were safe, I could request (REQUEST) a new ATM card, etc. I told him there was no way I was keeping my money there - they violated my trust and they weren't getting a second chance.

    I heard, unofficially, that a full third of the bank's customers dropped their accounts because of this braindead move. But the bank's new overlords and masters in Minnesota refused to accept responsibility for a colossal FU - they said the problem was that we were all too provincial to understand the brave new world of banking, not that we were well-informed and refused to do business with assholes who could have left us traveling without access to our funds and without warning. (When I travel I usually pulled spending money out of an ATM so it's in the local currency, but now I'll probably use a "gift card.")

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken

  5. Re:wtf? "villainy and hackerdom"? by Doomie · · Score: 5, Insightful

    If you want to change the reputation these countries have, maybe you should encourage their government to take out the garbage and promote their strengths.

    I think that you still didn't get my point -- Latvia is in the EU and is not, therefore, marred by rampant corruption or a careless government. Other ex-USSR countries -- Ukraine, Moldova, Russia, Belarus and so on -- have a loooong way until they reach the standards of Latvia (or the Baltic countries in general) in terms of quality of life, (lack of) corruption, etc. To be fair, Latvia has a long way until reaching the standards of the Scandinavian countries, for instance, but that's another discussion.

    What I was "protesting" against is simply the automatic labeling of all possible "dens" for "cybercriminals" as such. Some countries are different than what your local newspaper -- or ignorance -- might imply.

    --
    Doomie

  6. Risks and Notification from banks by WindBourne · · Score: 3, Insightful

    Banks should consider the idea of posting risk assessments to the web page based on the client OS and browser. That is, tell the customers that if they run a system that obtains viruses and spyware, they run a much higher risk. Likewise, if they are using a browser and an e-mail client that have known high risks, the client should be told. Obviously, Windows, IE, and Outlook are about as high of risk as it will get. Run something like Mainframe|Unix|BSD|Mac|Linux with lynx, then you have an ultra-low risk.

    --
    I prefer the "u" in honour as it seems to be missing these days.

  7. Credit card companies by alexo · · Score: 4, Insightful


    > Heck, I spent over a grand on a credit card transaction, Discover used to call me up and "harass" me.

    Several years ago, I drove to the states to visit relatives.
    When I came back, there was a voice message from Visa waiting for me.
    I called them back to ask what the problem was.
    Well, somebody (that would be me...) used my credit card to purchase gas in a US gas station and "it did not fit my usage profile".

    Couple of years later, we went on vacation to Muskoka.
    I wanted to arrange a dog-sled ride for the kids. Problem is, outside the GTA my Fido cell phone turns into a pumpkin. I'm also out of quarters so I use the Visa card at a pay phone.
    When I get back, you guessed it, another chat with Visa telling them not to worry, the transaction is legit, "usage patterns" notwithstanding.

    Customer protection or privacy invasion?
    You decide.

    Next, flying abroad to visit relatives.
    This time, I call them preemptively. I will be out of country approximately between xxx and yyy, the card will be used in the following countries, don't give me any troubles.

    > Why? Because they stand to lose money if it's a fraudulent transaction.

    Zigackly!

  8. Re:There is a difference by Too+Much+Noise · · Score: 5, Insightful

    > Ok let me get this straight. If I transfer 90,000 to my business partner in Soviet Russia, then the bank will call the police, brand me a terrorist and throw me in jail.

    No, the bank should contact you to additionally validate the transaction if it might appear suspect - especially for this kind of money. After all, you must have given them a valid contact point, did you not?

  9. Re:There is a difference by Caseyscrib · · Score: 4, Insightful

    > Ok let me get this straight. If I transfer 90,000 to my business partner in Soviet Russia, then the bank will call the police, brand me a terrorist and throw me in jail. Yup, sounds legal.

    I'll tell you what... I'm the banker. I'll hold on to your money for you and offer two different choices for security.

    1) I take all of your money for you and never monitor your account. The only person who will know anything related to your account is yourself. The only catch is that because I was not allowed to monitor your account, you can't possibly hold me accountable for missing funds, and are therefore responsible for your own security. If you want this sort of security, go to a Swiss bank. Until a few years ago, they didn't even require a name to open an account.

    Or 2) I will have computer software monitor your account to make sure money does not disappear through suspicious activities ($300 at 11:57PM and $300 at 12:01 AM). With this surveillance comes my guarantee that your money will be secure from unauthorized access, or I will replace the funds for you.

    Obviously option 2 is a much better choice for any level-headed consumer. If you are worried about the banks calling the police to brand you a terrorist (which is a valid concern), then it's the laws protecting your privacy which are the problem, not the bank.