Korean Banks Forced to Compensate Hacking Victims
An anonymous reader writes "A brief story over on Finextra reveals that the Korean government is introducing new legislation that will force banks to compensate customers who have been victimized by identity theft even if the banks are not directly responsible. This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder."
From TFS: 'Brief' is right... 'skimpy' is the adjective that comes to my mind.
A much more detailed report on this story can be found at The Korea Times.
Reading through the above referenced story, two things pop out at me:
Given these two paragraphs, this looks like I'm going to be paying higher systems costs because others can't be bothered to practice responsible computing (when this initiative moves out of Korea into the rest of the world, that is...).
____
~ |rip/\/\aster /\/\onkey
Does anyone here really think the banks are going to pay this money out from their bottom line? They'll recover it from those customers who do protect their identity through increased fees and interest.
FTA: "Under the new legislation customers will still be required to implement safety measures and won't be compensated for losses incurred from online scams if they are careless with card details, PINS and passwords." (emphasis mine)
There's 50% of it right there.
I'm not trolling here, I have a question:
Does using Windows constitute being careless? How about using unpatched Windows? How about using Windows without malware scanners installed?
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
This is exactly what Bruce Schneier has been advocating for a while...here's his take on this story.
Now that's a responsible government! Why don't other governments enact this law as well? Or are they too busy bringing laws that nullify our rights to privacy?
Imagine you work for years and years and have amassed $100,000 in your bank account. All your life savings. Some punk criminal steals your identity and boom steals all that money away. That's just HARSH. I mean really, if banks do not pay that money back, that's a real waste. All this person's life savings are gone... just like that.
I guess bringing these kinds of laws into place would cost the banks billions of dollars right? I mean, this identity theft thing costs billions of dollars every year.
While I was working for Harvard Law School, the Secret Service came and spoke to the different IT communities at Harvard. What they came to tell us was that if there was any security breach, they would help us minimize the damages and then went through their plan on how to do that. The plan was essentially to not scare the public, not tell anyone, and hide as much of the damage as possible and try to recover. That basically does nothing for anyone interested in *actually* knowing how safe they are.
Kudos to Korea having the balls to blame the people leaving the doors to security breaches WIDE open.
Reality is nothing but a collective hunch.
So people there won't need to install any anti spyware or even use Linux.
Oh yeah and click on random links, no responsibility.
On top of that, I guess those banks won't have to offer online commerce, it's not like it helps their economy?
What if they run Windows Server? Should Microsoft compensate the bank? Worse yet, what if they run Linux or BSD (although BSD is dead ;)?
This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder.
I agree. I was listening to Clark Howard a couple of weeks ago on the radio and he was talking about how 99.9% of US banks have atrocious security when it comes to online banking. I know that identity theft also happens offline, but I also think that you have to criminalize grossly negligent behavior, or else you end up with a situation like what we have today: banks see it as more fiscally reasonable to absorb the cost of the problem than to even attempt to fix it. The problem is that this has tragic consequences for the individuals that are victimized. Hopefully the US congress will jump on board and start dealing with serious problems, instead of concerning themselves with things like college sports and drug testing among athletes, which ultimately shouldn't be of importance to the federal government.
DNS is broken -- it is possible to ask your DNS to lookup "Bank of America", and if the hackers have screwed the DNS servers inbetween yours and root, you'll get the wrong machine. That allows someone to do a man in the middle attack: all your requests get relayed to your bank, but perhaps with different amounts or payees. That subverts two-factor methods also.
Because DNS is broken, even if the banks beef up their stuff, there's no hope for secure transactions.
E.g. suppose you need a password and a one-use number (from a list of magic numbers the bank gives you) to do a transfer. [this is how it is in some parts of Europe]. The bad boys do the transfer, but they transfer the money to themselves, not your payee. And they take as much as they want. And they use the magic number you've given them for your intended transaction.
So because of this potential problem, I don't do online banking.
I figure the average schmuck doesn't have a chance anyway; he's using the same OS and software as 99% of the victims, so he's an easy target.
http://www.thebricktestament.com/the_law/when_to_
I hope this serves as an example to legislators in the US.
People would be much better served to get advertisements via mail directing them to a secure website for credit-card sign up instead of the usual forms that get people into trouble. The blank checks that credit card companies send are just asking for trouble and should be illegal when not requested by the customer.
My mail-carrier can't see too well and my mail is often delivered to others in my apartment building. I usually get my mail back one way or another, but since it is a large building, I can be guaranteed due to statistics that there are a few dishonest idiots in the building that would love to try out some credit fraud. Hopefully better laws preventing banks from doing stupid things are in place before that happens.
Banking in South Korea; in other news, Martians have placed new surcharges on all ATMs to cover increased transaction costs with South Korean banks.
Sorry I have nothing to contribute to this discussion. I know little about banking, security or Korea (except there may have been a war there and that North is bad and South is good). Please continue.
And when said customers see their fees increase because of their bank's lack of security, they will switch banks to one who has lower fees (because they have good security and don't have to pay said fines).
Any way you cut it, with this legislation the bank is the one who loses if they don't get their act together when it comes to security.
*Every* industry should have this type of legislation. It should not be the customer's responsibility to research the security policies of their prospective banks/stores/whatever. Hell, there is no way you could realistically do that, since there's no way for you to know their internal policies.
This is what consumer protection should be. Too bad around here all the politicians are bought and paid for by the corporations that this should be protecting us from.
The banks will use the new rules as an excuse to require Trusted Computing [or other restricted hardware/software] for home users, which in practice will mean some form of MS Windows. No MacOS, no Linux, no BSD, etc.
It sounds like a good idea, but this is covering cases where it wasn't anything the bank did/didn't do. What investment by the bank can prevent someone from giving their banking details to someone who sends them an enticing offer via email? Phishing victims aren't new; it's the same as if you walk into a bar with that 100 grand in your pocket and get hustled at a pool table.
"Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
1) Put money in bank account
2) Have your pal steal your identity and the money
3) Bank recompenses you
4) Split PROFIT!!!!!
Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
This is a classic example of using an economic incentive where all else seems to fail. Clearly if the economic onus of identity theft is (in large part) on the shoulders of the bank, they'll come up with better and better ways to secure their information that they had no will or reason to do before. Presumably they'll start using biometrics and the like (whether or not you think that's adequate security) and hopefully, if this is enacted in the States, they'll start to require more than a bloody SSN and birthdate to open a credit card account. It's an incredibly insecure means of identifying someone. I mean, really, how many doctors' office require that information along with your insurance info? Lots. And how many doctors have a security aware IT staff? Probably a much smaller number.
Along those lines, though, who gets the fiscal responsibility if a third party, like a doctor or a university, is responsible for the ID compromise?
The secret to creativity is knowing how to hide your sources. - Albert Einstein
Looks like the government is taking a cue from Bruce Schneier Glad to see that someone is listening.
-- Knowledge shared is power lost. -- Aleister Crowley
If the SSL certificate does not match the IP address of the host you are connecting to, it should raise big red flags in your head.
Sometimes, there are legitimate reasons for this (such as a bank moving servers and not having time to get a new cert), but they are usually very temporary, so to be safe you can just not do any banking during that period.
Sure, you can still bypass this via a man in the middle attack using ARP poisoning - but in order to do that the hacker has to be on your local subnet if you have a home router, or else working at your ISP if you are directly connected.
Either case is highly unlikely, and **any** way you look at it, even if your original DNS thing was an actual issue, online banking is much more secure than banking at an ATM or via debit payment, and I bet you do that every day.
All I need to steal your money at an ATM is to install a hidden swipe reader inside the ATM/debit machine and a hidden camera to capture your PIN number. This happens *all the time*, far more than publicized. It is very easy to do, and a smart crook who just leaves the setup installed for a few hours then takes it down is rarely caught either.
Even easier is to just capture the card swipe, use it to make a fake identical copy of your own card, and go into the bank and convince the teller to let you change the PIN on the card cause "you forgot it". Also simple to do. Much simpler than hacking into the DNS servers of your ISP, that's for sure.
Switching banks isn't trivial. For some folks every bill that comes into their house is paid through one bank. Switching all of those over to another requires a lot of effort. I myself maintain 3 bank accounts to make switching easier for me, but I seriously doubt someone is going to jump banks because of an extra $10 a month charge.
Mac OS X and Windows XP working side by side to fight back the night.
Phishing victims aren't new; it's the same as if you walk into a bar with that 100 grand in your pocket and get hustled at a pool table.
Major parsing difficulties today. I read:
'... it's the same as if you have a 100 grand bar in your pocket and you walk into a pool'
And I thought, what does a wet candy bar have to do with phishing victims?
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I think this is a good move. Although I don't care much about Korea, people who have become victims should be compensated by companies who can write that crap off.
If they (victims) were granted pennies on the dollar for what spammers have made by utilizing Korean open relays, there'd be a lot of rich people floating about. If the Koreans (of any institution) were charged an open relay fee, they might be a bit more motivated to fix the problem. In fact, the Koreans might think twice before leaving all of those relays ready to be raped.
Wow, 15 minutes or so and no old people joke, so here you go:
In Korea, only old people have their bank account information stolen.
(And in real life old people are frequently the target of scams, because they have money and tend to be easier to fool)
I am officially gone from
I use online banking exclusively, and pay all my bills off it. I have some 15 or so registered.
Even so, if my bank started charging me a monthly service fee, I would jump ship with no hesitation.
I mean, it takes all of 5 minutes to register 10 or 15 accounts online. It is not rocket science.
The biggest pain would be switching the direct deposit at work, and only because it would take a few days to go through probably.
Not much of a deterrent IMO.
If the banks actually beef things up, the next wave of attacks will likely be pharming, as it allows the bad guys to circumvent the bank's methods:
http://www.wired.com/news/print/0,1294,66853,00.html
http://www.thebricktestament.com/the_law/when_to_
He doesn't seem to realize that Linux has a Trusted Computing effort...
This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder.
If you make "identity theft much harder", then obviously you will stem it. "Stem" does not mean stop, it means to "make headway against".
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
If the cost of real, secure online financial transactions is that, then that is what it is.
The question is whether the benefits will be worth that cost. Or whether there is another option that will provide secure transactions without the cost.
Either way, the people most motivated to find the solution would be the banks IF they were held accountable as this seems to say they will be.
It would be nice if banks and credit card companies actually did something to prevent and prosecute the crime that directly involves them.
Too often I read of someone getting their identity stolen or having their account run up, and the bank will reverse the transactions, issue a new card, and take no further action at all. Contacting the police also seems to result in no action, as they don't have the time, equipment, or mandate to follow up possibly tricky international schemes.
I'd bank with an institution that followed up and prosecuted such actions, but forcing them to do it is an option.
You can't prevent home computers from being insecure, or outright stop identity theft. The idea here is that the banks will be financially responsible if any part of the process of banking with them opens up a customer to identity theft and/or if the bank itself is fooled by the identity thieves. This seems to be perfectly reasonable to me. If you're banking online you should have every bit of confidence that the bank you're working with will not only keep the data secure on its end, but also while the data is transit to you. Ideally, they should also make it work in such a way that the data is not stored on the user's machine at all, preventing intrusion from ever being a real problem.
Admittedly they'll never get around keystroke loggers or other such malware, but this is a good first step. Prevent what the users are able to do with a system we know is fundamentally insecure. Require various forms of authentication for requests that involve actually transferring money, at least one of which should be offline. Do not reveal information the user should already know (Credit Card numbers in full, user's SSN [or whatever the Korean equivalent is]).
It's really not that hard, it just requires feature-happy developers to stop for a second and ask themselves "but what if someone other than the user were logged in..."
If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.
I put my money into a bank. I think that it isn't expecting too much of the bank to not give my money to other people. They earn money by investing my deposit, and in exchange they keep my money safe. If they get scammed, it isn't my problem.
I said it so you don't have to.
sulli
RTFJ.
Mine was swiped too, and I didn't even find out about it for about three months (had some overdrafts). Turns out this kid subscribed to some porn site that was pulling 60 bucks a month! I wasn't pleased.
I went into the bank and all they told me was they could put the funds under investigation and it would take up to 90 days to take care of. During that time I wouldn't have my money and it wasn't likely that anything would happen. I called the company's customer service and argued the charges for about half an hour. They said they could cancel. I threatened legal action. They said it wouldn't work. I said I could prove that I never signed up for their services, or used them, because I log my IPs, and informed them it was THEIR responsibility to verify ID, not mine. This is what did it. Charges refunded, overdrafts paid (and the bank refunded them too, got 60 bucks out of the deal).
Lately companies have been working harder at verifying ID, but they're also more adamant about not taking responsibility. Rather than the bank having responsibility, I think, legally, if you can prove that it wasn't you, the store should be responsible.
This sig isn't original enough, it's time to come up with something witty...
...now if the Nigerian government would just do something to get my money back from that doctor fellow!
Dark Reflection
Bruce Schneier has long held the position that the banks need to be held fully responsible for this sort of fraudulent activity:
http://www.schneier.com/blog/archives/2005/12/korea_solves_th.html
At the end of the day, the bank is entrusted with managing my funds. If my bank transfers my funds to someone else without my express approval, then the bank is at fault, no questions asked. The bank should have properly verified that I indeed wanted my funds to be released to the other party. If someone claims to be me, then the bank better make damn sure to authenticate that it really is me before taking my money out of my account.
An unjust law is no law at all. - St. Augustine
Wouldn't it make sense to make everyone involved responsible as well then? Shouldn't the ISPs be watching what comes into their users' email boxes. Why not hold Gmail, Hotmail, etc. accountable? The reason is you can't do this. You can ask them, but when it comes down to it, it's up to the user to be aware of what is going on out there. It's not the banks' fault that we are stupid, gullible people.
SSL certs tied to ip addresses? All mine are tied to hostnames. I don't think anyone needs to "hack into DNS servers", modifying the host file on a win32 box to override a dns response is way simpler.
Won't somebody please think of the banks? They're barely scraping by in these trying times as is it!
Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
SSL certificates are almost never issued to IP addresses, only to FQDN hostnames. In fact I've never seen a certificate with an IP address in the CN field, and I'm not even sure how a browser would handle it. In fact, issuing a certificate to an IP address would make things even less secure. With a hostname, the browser can check against a forward and reverse lookup, theoretically maximizing the number of machines that would have to be compromised to hijack the connection. It also subverts the only real check most certificate authorities do - verifying that the cert request is coming from the domain owner on record.
Banks could require you to install a piece of software that will verify the system to be safe allowing you to access you account only after the verification has taken place.
If the verification fails it could offer you ways to fix your PC or something along those lines and would not allow you to enter your username/password...
Visit my site @ http://www.madtorrent.com
Woo hoo!
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
Imagine if you owned a ski resort operation and you just dropped twenty mil on a souped-up chair lift. As the lift company advised, you hired people to go regular examinations and keep it lubed up. Then one day the stress of a chair switching from the slow loading track to the high-speed main line caused the cable to snap, killing dozens of people, including lots of pregnant women carrying pandas. Checking the line integrity was not on the company-issued checklists of the maintainers you hired but the chair lift company said they'll have a look at it every six months to run stress tests themselves and they found a problem that seemed small enough not to bother fixing. The chairlift company, hopefully insured, ought to be the ones exposed to liability, and this Korean bank incident should be no different. The software company (assuming it's not Debian (in which case this wouldn't have happened anyway)) should be the ones absorbing the heat. That may not be the law, but it strikes me as common sense.
only old banks have to compensate victims.
I use online banking exclusively
I assume you're talking of South Korea, as in North Korea the 'Bank' is the stockpile of dead rats you've saved so you can eat and trade.
Yes, my post is probably redundant, but just stating 'Korea' is about as descriptive as U.S.A.S.S.R.
I'd like to see 'em slam the credit bureaus too, for their racketeering: first I set up a service that you cannot live without (credit cards). Then, I'll make it easy for bad guys to use that service to steal your money. Then, I'll charge you for "protection" against those bad guys. Sounds like the mafia to me.
Evil Overlord Rule #86. I will make sure that my doomsday device is up to code and properly grounded.
I think this is not a bad idea -- for example, if they made any bank/data aggregator/etc pay credit monitoring fees and penalties for every account holder's information lost (like say, when data tapes fall off a truck), banks might treat personal information a bit more like valuable information.
$50 x 100,000 records lost = big slap on the corporate hands.
It has always been that way in Denmark. Any money the bank loses because they trust online transactions are completely their own responsibility.
Why would it be any different? If the bank lets someone else withdraw your money over the net, I don't care how the hacker got the information, it is the bank that lets the wrong guy walk away with my cash.
Sometimes, there are legitimate reasons for this (such as a bank moving servers and not having time to get a new cert), but they are usually very temporary, so to be safe you can just not do any banking during that period.
1. Inform the customers in advance of server move.
2. Shut down the banking website to ALL customers until that cert is up.
No fucking around.
In my bank, which is a part of the Générali Group, you get this small device that looks like a calculator. Every time you want to log in to your account, you have to turn the device on, type in your PIN code, and get a random number each time. You then log in with your username and that random number. IMHO that severely tightens security, and prevents security-unconscious users from messing things up.
And I've been reading postings on Fark.
There could be meritorious arguments to both of the sides here, but yours isn't one of them.
This is much closer to forcing Ford to give you a new car because you handed the keys to your car to someone with the promise of a better car in return. Absolutist inanity like "they should protect their customers" is absurd. The best way to protect customers from fraud involving online banking would be to stop online banking. This is clearly not acceptable, so a more reasonable solution must be found. Making banks responsible for the actions of their customers lifts the responsibility from those who should, at least, bear some responsibility for their actions.
"The customer should have more personal responsibility!", they'll say. "If a customer has their account compromised, we will charge them for the clean-up cost."
Because in the USA today...you don't count if you ain't a corp or a blathering religious retard.
Blar.
Do it the good ol' Estonian way? Estonians use online banking to pay every bill that they get, I don't know anyone that does not, but you will never hear anyone complain about fraud, why?
Because we get a separate card when you sign up for online banking that has 36 unique 6 digit numbers, each a separate password per se.
When you login, your username is another 6 digit number that you are given (but which is permanent), then you have to enter your password (which you are forced to change every month). Then if those 2 are correct it will ask you for a random password off that card. Then, even after that, if you want to transfer money to any account then you have to enter another one of those passwords.
Sounds a bit tedious when you write it down, but it's really very easy because you just remember your username number and your password, then when it says "Password 25:" you just take a glance at your card and bam, you're in. Even if someone stole my wallet and had all my IDs they would not be able to have anything changed without a paper sent to my address notifying me, which is not printed on a single one of my Estonian issued IDs and thus would be hard to get.
Needless to say, I have never heard of a single case of identity theft in this country.
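The indexed one-time-code card described in the Estonian post above, and the weakness raised in the earlier DNS/man-in-the-middle post (a one-use number authorizes "a transfer", not "this transfer"), as an added Python example. This is not code from the thread or from any bank: the 36-code card is constructed in the script, the class and function names (`TanCardServer`, `confirm`) are hypothetical, passwords are hashed with plain SHA-256 only to keep the demo short, and `transfer_bound` goes beyond the scheme the post describes by binding a code to payee and amount so a relayed code cannot be redirected.

```python
import hashlib
import hmac
import secrets

# Constructed sample card: 36 six-digit codes, numbered 1..36 as printed on the card.
# A real card is generated and mailed by the bank; this one exists only for the demo.
SAMPLE_CARD = [f"{(i * 7919 + 104729) % 1000000:06d}" for i in range(1, 37)]


def confirm(payee, amount, code):
    """Customer-side confirmation for the extended, transaction-bound variant:
    HMAC of the transfer details keyed with the one-time code (hypothetical)."""
    msg = f"{payee}:{amount}".encode()
    return hmac.new(code.encode(), msg, hashlib.sha256).hexdigest()


class TanCardServer:
    """Bank-side state for one customer's indexed one-time-code card (hypothetical)."""

    def __init__(self, card_codes, password):
        self.codes = {i + 1: c for i, c in enumerate(card_codes)}
        self.used = set()        # indices whose code has already been consumed
        self.pending = None      # index the customer was last asked for
        self.password_hash = hashlib.sha256(password.encode()).digest()

    def challenge(self):
        """Pick a random unused index; the customer reads that code off the card."""
        unused = [i for i in self.codes if i not in self.used]
        if not unused:
            raise RuntimeError("card exhausted; bank must issue a new card")
        self.pending = secrets.choice(unused)
        return self.pending

    def _consume(self, index, ok):
        # A failed attempt invalidates the outstanding challenge, so a guess gets
        # one try per challenge; a correct code is burned after a single use.
        self.pending = None
        if ok:
            self.used.add(index)
        return ok

    def verify_code(self, index, code):
        if index != self.pending or index in self.used:
            return False
        return self._consume(index, hmac.compare_digest(self.codes[index], code))

    def login(self, password, index, code):
        """Monthly-changed password plus one card code, as the post describes."""
        pw_ok = hmac.compare_digest(
            hashlib.sha256(password.encode()).digest(), self.password_hash)
        if not pw_ok:
            return self._consume(index, False)
        return self.verify_code(index, code)

    def transfer(self, payee, amount, index, code):
        """A second card code authorizes a transfer. The code is not tied to payee
        or amount: anyone holding a fresh code can authorize *some* transfer,
        which is exactly what the man-in-the-middle post warns about."""
        return self.verify_code(index, code)

    def transfer_bound(self, payee, amount, index, confirmation):
        """Extension beyond the post: the customer confirms payee and amount with
        an HMAC keyed by the card code, so a relayed code only authorizes the
        transaction the customer actually saw on screen."""
        if index != self.pending or index in self.used:
            return False
        expected = confirm(payee, amount, self.codes[index])
        return self._consume(index, hmac.compare_digest(expected, confirmation))
```

The server never reveals which index it will ask for next, a wrong answer burns the challenge rather than the code, and each code is marked used after one successful check, so a captured code cannot be replayed. The plain `transfer` shows the gap from the DNS post: the same code is accepted for any payee. `transfer_bound` closes it by making the customer's confirmation depend on the payee and amount they were shown.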
I may be wrong but I believe this is covered for every bank in Canada, is it not? I had my card double swiped and my bank account emptied (along with 50,000 other people in Vancouver I believe). I had the money back in my account within 2 weeks. All money in a bank is insured, just like your credit card is insured. What's the difference between this and a robber stealing money from a bank?
I didn't say that all problems are the customer's fault, and your attempt to lump personal responsibility with MPAA and RIAA positions is both childish and absurd.
I said that the customers "should, at least, bear some responsibility for their actions."
Customers who sign on for password-based services should be apprised of the risks involved in divulging information pertaining to their accounts. If that information is provided to others when they merely ask for it, how is the bank to keep the customer protected? Should they just eat the cost for some stupid customers? Should we?
I don't know about you, but I didn't sign on for an insurance-style amortization-of-transient-stupidity scheme when I put my money in my credit union. At least something along the lines of the $50 max for pre-report stolen-card use costs would put some responsibility on those closest to the source of the problem.
This is how it already works in Denmark - and it works fine.
If somebody uses your card number on the internet, and the person who withdraws from your account does/can not document that it was done with your consent, you get the money refunded. So if somebody steals your credit card number and withdraws money with it, you get your money back from the bank.
A merchant may first withdraw the amount from your account when the object is shipped.
Typical Trip Master Monkey...
Every frickin' post that can possibly be made on Slashdot always has more information available somewhere else.
God bless Trip Master Monkey! Because obviously the rest of us are too fu*king stupid to use Google for ourselves! Thank the Maker that his mom bought a Slashdot subscription for him just so he can frist psot every time!
That's our TMM - our beloved "always a more informative article at this link", frist-psoting karma whore.
If the SSL certificate does not match the IP address of the host you are connecting to, it should raise big red flags in your head.
The fact that you needed to point this out means that, for the vast majority of users, it will not raise a big red flag.
Thomas Galvin
...even if the banks are not directly responsible. This action obviously will not stem identity theft...
In other news, Grokster has been shut down for music piracy. Though Grokster was not directly responsible, its products could be used to illegally share copyrighted files. However, piracy continues to flourish with other P2P clients.
He doesn't seem to realize that Linux has a Trusted Computing effort
But then you still depend on your bank to provide a "trusted" build of its software for Linux. Most banks won't think it's worth the money to pay developers.
I really love bosintang and suyuk but there's only so much I can eat in a week :-) What I'd love to try is dog meat samgyupsal! I guess it'll have to wait until I can travel to Pyongyang... unless there's a good DPRK restaurant in Seoul? Haven't found one yet.
And for all you animal lovers, check this page, it has many excellent recipes...
bundaegi is good for you
The bank phoned me last Saturday to see if I had been using my credit card in Korea. Apparently four transactions had been made. They cancelled the card and assured me that I would not have to pay for any transactions that weren't mine. I haven't seen the statement yet though to see how much was spent.
sig under construction...
Where they let you choose a short password or sometimes even just a pin code.
Furthermore they often use your Social Security Number as the user id.
Online banking security in the USA is disgraceful, but no-one seems to hold the banks to task for it.
Sure, it costs $9 a month. But I don't even have to RECEIVE my bills. My mailbox and trash have little to offer a would-be identity thief. And I'm not vulnerable to anthrax attack either. I cancelled my postal mail altogether. (Of course now I do Netflix so... um... if my choice is Netflix+Anthrax or No Netflix, I'll take the anthrax please.).
They receive your bills for you and scan them in. You can view them (or not) and have them automatically paid based on rules. 2 accounts are supported and 2 emails are notified -- set up for couples. At the end of the year you can order ($20 for 1 yr or $36 for past 3 yrs) a cd with all your bills on it. It is password protected and includes a java search engine that runs live off the cd.
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com