Slashdot Mirror


Korean Banks Forced to Compensate Hacking Victims

An anonymous reader writes "A brief story over on Finextra reveals that the Korean government is introducing new legislation that will force banks to compensate customers who have been victimized by identity theft even if the banks are not directly responsible. This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder."

13 of 154 comments

  1. And where will the money come from? by nharmon · Score: 4, Insightful

    Does anyone here really think the banks are going to pay this money out from their bottom line? They'll recover it from those customers who do protect their identity through increased fees and interest.

    1. Re:And where will the money come from? by Jesus IS the Devil · Score: 4, Insightful

      You are falling for the business spin on things. If fees increase so will volume of transactions, and thus their bottom line. Banks that are able to overcome this hurdle will grab a huge chunk of market share through low prices all the while keeping good security.

      The fault here lies with two parties, the bank for not doing enough, and end users for not caring enough about security. I feel that end users should still be partially responsible for their actions. I mean, there are people out there that, despite repeated warnings, will keep getting themselves hacked and scammed. I think most of us know people like that. And really, the only remedy for them is to yank out their computers and never let them go online again.

      It's one thing to make banks more responsible for security breaches, but it's another to force them to be completely at fault, when there are so many points of entry for a crook. From the internet router from the ISP, to the user's home line, to his computer, to his keyboard, to the telephone, etc.

      --

      eTrade SUCKS
    2. Re:And where will the money come from? by bfields · Score: 4, Insightful
      Does anyone here really think the banks are going to pay this money out from their bottom line? They'll recover it from those customers who do protect their identity through increased fees and interest.

      The whole "identity theft" terminology is screwed up; it's not your "identity" you're protecting--you're still you after someone else manages to clear out your checking account. What the "identity thief" has done is to fool the bank's authentication system into thinking their transactions were authorized by you. You do have some control over whether this happens, by your choice of password, choice of when to type it in, etc. But the decisions with the greatest effect on the security of that authentication system are completely in the bank's hands: e.g. the decision to authenticate you by asking you to enter a password into a form on a web page.

      The decision to make banks responsible for losses isn't because of a preference for consumers over banks--as you point out, expenses may be passed on to customers either way--it's because the best way to make the banking system more secure is to make sure that the entities with the most power to fix the system are the ones that see the incentives to fix it.

      This is the same reason we limit consumers' liability for credit card losses--it's the credit card company that's in the best position to detect and prevent fraud, and if we pass on the cost to them then we enable them to weigh the costs of fraud against the costs of improved security infrastructure, something that's impossible for an individual consumer to do.

    3. Re:And where will the money come from? by mumblestheclown · Score: 4, Insightful
      The fault here lies with two parties, the bank for not doing enough, and end users for not caring enough about security.

      Would it be too gratuitous to mention that at least some percentage of the fault lies with the unethical idiots actually doing the theft?

    4. Re:And where will the money come from? by richg74 · Score: 2, Insightful
      What the "identity thief" has done is to fool the bank's authentication system into thinking their transactions were authorized by you.

      That's exactly right. "Identity theft" is a very misleading label -- what we're talking about is good old-fashioned fraudulent transactions. The implementation is different, and facilitated by technology -- especially stupidly-used technology -- but the crime isn't that different in essence from a forged check.

      In that light, we should remember that the bank is 100 percent liable for paying a forged check, and has been for a long time. Yet banks have figured out how to cope with that, and the system seems to work.

  2. You have to make it hurt by El Cubano · Score: 4, Insightful

    This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder.

    I agree. I was listening to Clark Howard a couple of weeks ago on the radio and he was talking about how 99.9% of US banks have atrocious security when it comes to online banking. I know that identity theft also happens offline, but I also think that you have to criminalize grossly negligent behavior, or else you end up with a situation like what we have today: banks see it as more fiscally reasonable to absorb the cost of the problem than to even attempt to fix it. The problem is that this has tragic consequences for the individuals that are victimized. Hopefully the US congress will jump on board and start dealing with serious problems, instead of concerning themselves with things like college sports and drug testing among athletes, which ultimately shouldn't be of importance to the federal government.

  3. Great! by brunes69 · Score: 2, Insightful

    And when said customers see their fees increase because of their bank's lack of security, they will switch banks to one who has lower fees (because they have good security and don't have to pay said fines).

    Any way you cut it, with this legislation the bank is the one who loses if they don't get their act together when it comes to security.

    *Every* industry should have this type of legislation. It should not be the customer's responsibility to research the security policies of their prospective banks/stores/whatever. Hell, there is no way you could realistically do that, since there's no way for you to know their internal policies.

    This is what consumer protection should be. Too bad around here all the politicians are bought and paid for by the corporations that this should be protecting us from.

  4. I see a weakness by Bastard of Subhumani · Score: 3, Insightful

    1) Put money in bank account
    2) Have your pal steal your identity and the money
    3) Bank recompenses you
    4) Split PROFIT!!!!!

    --
    Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
  5. Re:All too brief... by runcible · Score: 3, Insightful

    RNGs ( which are not RNGs but rather little keygen dongle type items ) don't address the class of issues that would result from -- say -- accessing your bank's site from an 0wned box...the 0wner can hijack an existing, authenticated connection.

    Or for that matter a phishing site that passes through the authentication info that you type in, including the number from your dongle...which now that I think about it, is the more likely scenario.

    The answer will never really be in authenticating the *person*, that crap can always be spoofed or stolen.

    --
    remember the wisdom of Mahatma Gandhi: If enough peasants die horribly, someone will probably notice
  6. Bollocks by brunes69 · Score: 2, Insightful

    I use online banking exclusively, and pay all my bills off it. I have some 15 or so registered.

    Even so, if my bank started charging me a monthly service fee, I would jump ship with no hesitation.

    I mean, it takes all of 5 minutes to register 10 or 15 accounts online. It is not rocket science.

    The biggest pain would be switching the direct deposit at work, and only because it would take a few days to go through probably.

    Not much of a deterrent IMO.

  7. It's about time. by signine · Score: 2, Insightful

    You can't prevent home computers from being insecure, or outright stop identity theft. The idea here is that the banks will be financially responsible if any part of the process of banking with them opens up a customer to identity theft and/or if the bank itself is fooled by the identity thieves. This seems to be perfectly reasonable to me. If you're banking online you should have every bit of confidence that the bank you're working with will not only keep the data secure on its end, but also while the data is in transit to you. Ideally, they should also make it work in such a way that the data is not stored on the user's machine at all, preventing intrusion from ever being a real problem.

    Admittedly they'll never get around keystroke loggers or other such malware, but this is a good first step. Prevent what the users are able to do with a system we know is fundamentally insecure. Require various forms of authentication for requests that involve actually transferring money, at least one of which should be offline. Do not reveal information the user should already know (Credit Card numbers in full, user's SSN [or whatever the Korean equivalent is]).

    It's really not that hard, it just requires feature-happy developers to stop for a second and ask themselves "but what if someone other than the user were logged in..."

    --
    If there is a God, you are an authorized representative. - Kurt Vonnegut Jr.
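
Added example, not part of any comment in this thread: comments 5 and 7 above both point toward authorizing the *transfer* rather than the login, so this sketch binds an offline confirmation code to the payee and amount and masks card numbers on display. All names (`TransferAuthorizer`, `confirmation_code`, `mask_pan`), the key handling and the sample payees are assumptions made for illustration, not any bank's actual scheme.

```python
import hashlib
import hmac
import secrets

def mask_pan(pan: str) -> str:
    """Display form of a card number: only the last four digits survive."""
    digits = [c for c in pan if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])

def confirmation_code(device_key: bytes, payee: str, amount_cents: int, nonce: str) -> str:
    """8-digit code over the transfer details (truncated HMAC-SHA256).
    Computed on the customer's offline device from what it displays."""
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"

class TransferAuthorizer:
    """Bank side (hypothetical): a logged-in session alone cannot move money."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = {}  # nonce -> (payee, amount_cents) as the server received them

    def request_transfer(self, payee: str, amount_cents: int) -> str:
        nonce = secrets.token_hex(8)
        self._pending[nonce] = (payee, amount_cents)
        return nonce

    def confirm(self, nonce: str, code: str) -> bool:
        # pop(): each challenge is single use, even after a wrong code
        details = self._pending.pop(nonce, None)
        if details is None:
            return False
        expected = confirmation_code(self._key, *details, nonce)
        return hmac.compare_digest(expected.encode(), code.encode())

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed per-customer device key
    bank = TransferAuthorizer(key)
    # Customer means to pay ACME-UTILITIES; the bank receives that request intact.
    n1 = bank.request_transfer("ACME-UTILITIES", 5000)
    honest = bank.confirm(n1, confirmation_code(key, "ACME-UTILITIES", 5000, n1))
    # Request altered in transit: the device still signs what the customer sees.
    n2 = bank.request_transfer("UNKNOWN-PAYEE", 5000)
    altered = bank.confirm(n2, confirmation_code(key, "ACME-UTILITIES", 5000, n2))
    return {"honest": honest, "altered": altered, "card": mask_pan("4111 1111 1111 1111")}

if __name__ == "__main__":
    print(demo())
```

A code computed over the payee and amount the customer sees only verifies for that exact transfer, so a relayed login code or a hijacked session cannot redirect the money without the mismatch showing up at `confirm`.
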
  8. Others Responsible by TheOtherAgentM · Score: 2, Insightful

    Wouldn't it make sense to make everyone involved responsible as well then? Shouldn't the ISPs be watching what comes into their users' email boxes? Why not hold Gmail, Hotmail, etc. accountable? The reason is you can't do this. You can ask them, but when it comes down to it, it's up to the user to be aware of what is going on out there. It's not the banks' fault that we are stupid, gullible people.

  9. Also in Denmark by Carewolf · Score: 2, Insightful

    It has always been that way in Denmark. Any money the bank loses because they trust online transactions are completely their own responsibility.

    Why would it be any different? If the bank lets someone else withdraw your money over the net, I don't care how the hacker got the information, it is the bank that lets the wrong guy walk away with my cash.