Slashdot Mirror


Korean Banks Forced to Compensate Hacking Victims

An anonymous reader writes "A brief story over on Finextra reveals that the Korean government is introducing new legislation that will force banks to compensate customers who have been victimized by identity theft even if the banks are not directly responsible. This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder."

15 of 154 comments

  1. No big deal by Red Flayer · Score: 4, Interesting

    FTA: "Under the new legislation customers will still be required to implement safety measures and won't be compensated for losses incurred from online scams if they are careless with card details, PINS and passwords." (emphasis mine)

    There's 50% of it right there.

    I'm not trolling here, I have a question:

    Does using Windows constitute being careless? How about using unpatched Windows? How about using Windows without malware scanners installed?

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  2. Better than the Secret Service's crap here... by chroot_james · Score: 5, Interesting

    While I was working for Harvard Law School, the Secret Service came and spoke to the different IT communities at Harvard. What they came to tell us was that if there was any security breach, they would help us minimize the damages and then went through their plan on how to do that. The plan was essentially to not scare the public, not tell anyone, and hide as much of the damage as possible and try to recover. That basically does nothing for anyone interested in *actually* knowing how safe they are.

    Kudos to Korea having the balls to blame the people leaving the doors to security breaches WIDE open.

    --
    Reality is nothing but a collective hunch.
  3. There's little hope as long as DNS is broken by putko · Score: 2, Interesting

    DNS is broken -- it is possible to ask your DNS to look up "Bank of America", and if the hackers have screwed the DNS servers in between yours and root, you'll get the wrong machine. That allows someone to do a man in the middle attack: all your requests get relayed to your bank, but perhaps with different amounts or payees. That subverts two-factor methods also.

    Because DNS is broken, even if the banks beef up their stuff, there's no hope for secure transactions.

    E.g. suppose you need a password and a one-use number (from a list of magic numbers the bank gives you) to do a transfer. [this is how it is in some parts of Europe]. The bad boys do the transfer, but they transfer the money to themselves, not your payee. And they take as much as they want. And they use the magic number you've given them for your intended transaction.

    So because of this potential problem, I don't do online banking.

    I figure the average schmuck doesn't have a chance anyway; he's using the same OS and software as 99% of the victims, so he's an easy target.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
  4. Banks will require Trusted Computing by jreiser · Score: 3, Interesting

    The banks will use the new rules as an excuse to require Trusted Computing [or other restricted hardware/software] for home users, which in practice will mean some form of MS Windows. No MacOS, no Linux, no BSD, etc.

  5. Re:All too brief... by TripMaster Monkey · Score: 3, Interesting

    Sounds like you're talking about RSA's SecurID products.

    These things are expensive to purchase and deploy. Who's gonna foot that bill? Just the users who can't get the hang of responsible computing....or all of us?

    Besides, SecureID does have its flaws...no panacea here.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  6. Re:Other governments too busy invading our privacy by TheGavster · Score: 2, Interesting

    It sounds like a good idea, but this is covering cases where it wasn't anything the bank did/didn't do. What investment by the bank can prevent someone from giving their banking details to someone who sends them an enticing offer via email? Phishing victims aren't new; it's the same as if you walk into a bar with that 100 grand in your pocket and get hustled at a pool table.

    --
    "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
  7. Economic Incentives by e4g4 · Score: 2, Interesting

    This is a classic example of using an economic incentive where all else seems to fail. Clearly if the economic onus of identity theft is (in large part) on the shoulders of the bank, they'll come up with better and better ways to secure their information that they had no will or reason to do before. Presumably they'll start using biometrics and the like (whether or not you think that's adequate security) and hopefully, if this is enacted in the States, they'll start to require more than a bloody SSN and birthdate to open a credit card account. It's an incredibly insecure means of identifying someone. I mean, really, how many doctors' office require that information along with your insurance info? Lots. And how many doctors have a security aware IT staff? Probably a much smaller number.

    Along those lines, though, who gets the fiscal responsibility if a third party, like a doctor or a university, is responsible for the ID compromise?

    --
    The secret to creativity is knowing how to hide your sources. - Albert Einstein
  8. English lesson? by LordNimon · Score: 2, Interesting

    Someone needs to learn English:

    This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder.

    If you make "identity theft much harder", then obviously you will stem it. "Stem" does not mean stop, it means to "make headway against".

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  9. Finally... by steveo777 · Score: 2, Interesting

    A step in the right direction. Back in college some kid was swiping credit cards from people's wallets and signing up for online services (porn mostly, but some dating services too). He wouldn't keep the cards, he'd just copy the info. People's addresses were freely available from the online roster, so that was all you needed.

    Mine was swiped too, and I didn't even find out about it for about three months (had some overdrafts). Turns out this kid subscribed to some porn site that was pulling 60 bucks a month! I wasn't pleased.

    I went into the bank and all they told me was they could put the funds under investigation and it would take up to 90 days to take care of. During that time I wouldn't have my money and that it wasn't likely that anything would happen. I called the company's customer service and argued the charges for about half an hour. They said they could cancel. I threatened legal action. They said it wouldn't work. I said I could prove that I never signed up for their services, or used them because I log my IPs, and informed them it was THEIR responsibility to verify ID, not mine. This is what did it. Charges refunded, overdrafts paid (and the bank refunded them too, got 60 bucks out of the deal).

    Lately companies have been working harder at verifying ID, but they're also more adamant about not taking responsibility. Rather than the bank having responsibility, I think, legally, if you can prove that it wasn't you, the store should be responsible.

    --
    This sig isn't original enough, it's time to come up with something witty...
    1. Re:Finally... by swb · Score: 2, Interesting

      went into the bank and all they told me was they could put the funds under investigation and it would take up to 90 days to take care of. During that time I wouldn't have my money and that it wasn't likely that anything would happen.

      This is why I won't have anything to do with a Visa/MC "debit" card attached to my bank account. All the banks "promise" that they will refund your money right away, yadda yadda, but the bottom line is YOU have to wait for THEM to give you YOUR MONEY back.

      With a credit card, the only thing I'm out is a chunk of my credit line. Let the bank chase after their bad debt.

  10. Holding software/service companies responsible. by Douglas Simmons · Score: 3, Interesting

    I'd love to see a EULA that had a line which afforded the user legal protection instead of just the typical kind that is intended exclusively to cover their ass. I read the article and there's no mention of which software was compromised, but if it's one that offers not only the software but maintenance and updates to it, be it Redhat or MS. This article doesn't mention whose product/service screwed up, or if it was human error on behalf of the bank. The hackers should not be the only ones to be demonized. You run an operation like this with a hole open, someone's going to break through it. I just installed snort on a small website and now the snort hack attempt email notification fills up my box faster than spam. Hacking should be expected just as rain would if the building's construction company used a form of concrete that wasn't waterproofed.

    Imagine if you owned a ski resort operation and you just dropped twenty mil on a souped-up chair lift. As the lift company advised, you hired people to do regular examinations and keep it lubed up. Then one day the stress of a chair switching from the slow loading track to the high-speed main line caused the cable to snap, killing dozens of people, including lots of pregnant women carrying pandas. Checking the line integrity was not on the company-issued checklists of the maintainers you hired but the chair lift company said they'll have a look at it every six months to run stress tests themselves and they found a problem that seemed small enough not to bother fixing. The chairlift company, hopefully insured, ought to be the ones exposed to liability, and this Korean bank incident should be no different. The software company (assuming it's not Debian (in which case this wouldn't have happened anyway)) should be the ones absorbing the heat. That may not be the law, but it strikes me as common sense.

  11. Re:All too brief... by Sangbin · Score: 3, Interesting

    Amen brother. Just a rant, but to shed some light on the current computing environment in SK, SK gov checks the speed of the internet connection randomly and requires full refund to all the customers if it isn't as fast as advertised.
    Yes, gov stepping into corporate arena is a bad thing, but it seems to be keeping their Starcraft players happy enough.

  12. Why not just... by shiznatix · Score: 2, Interesting

    Do it the good ol' Estonian way? Estonians use online banking to pay every bill that they get, I don't know anyone that does not, but you will never hear anyone complain about fraud, why?

    Because we get a separate card when you sign up for online banking that has 36 unique 6 digit numbers, each a separate password per se.

    When you login, your username is another 6 digit number that you are given (but which is permanent), then you have to enter your password (which you are forced to change every month). Then if those 2 are correct it will ask you for a random password off that card. Then, even after that, if you want to transfer money to any account then you have to enter another one of those passwords.

    Sounds a bit tedious when you write it down, but it's really very easy because you just remember your username number and your password, then when it says "Password 25:" you just take a glance at your card and bam, you're in. Even if someone stole my wallet and had all my IDs they would not be able to have anything changed without a paper sent to my address notifying me, which is not printed on a single one of my Estonian issued IDs and thus would be hard to get.

    Needless to say, I have never heard of a single case of identity theft in this country.
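The code card in comment #12 and the relay problem in comment #3 are two sides of one design question: a one-use code proves you hold the card, but says nothing about which transfer it was meant for. The following is an added example, not code from the thread or from any bank, that models the server side of the scheme as comment #12 describes it (random "Password N:" challenge, one-use positions, a second code for transfers) and then adds a transaction-bound variant in which the 6-digit response is derived from the card code plus the payee and amount, the way hardware code generators do it. The usernames, passwords, payees, amounts and the HMAC-based binding scheme are all assumptions made for the example.

```python
# Added example (not from the Slashdot thread or any bank): server side of a
# 36-position code card, plus a transaction-bound variant. Credentials, payees,
# amounts and the binding scheme below are constructed for illustration.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

POSITIONS = 36   # the card in the comment carries 36 numbers
CODE_LEN = 6     # each one a 6-digit code


def make_card(positions: int = POSITIONS) -> Dict[int, str]:
    """Issue a card: position -> random 6-digit code (constructed here; a bank would print it)."""
    return {i: f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}" for i in range(1, positions + 1)}


def bound_code(card_code: str, payee: str, amount: int) -> str:
    """Assumed scheme: derive the response from the card code AND the transaction details,
    so a code produced for one transfer cannot be reused for a different payee or amount."""
    mac = hmac.new(card_code.encode(), f"{payee}|{amount}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** CODE_LEN:0{CODE_LEN}d}"


class BankServer:
    """Hypothetical bank back end holding one customer's credentials and card."""

    def __init__(self, username: str, password: str, card: Dict[int, str]) -> None:
        self.username = username
        self.password = password
        self.card = card
        self.used: Set[int] = set()         # every position is one-use
        self.pending: Optional[int] = None  # position named in the current "Password N:" prompt

    def challenge(self) -> int:
        """Ask for a random position that has not been used yet."""
        unused = [i for i in self.card if i not in self.used]
        if not unused:
            raise RuntimeError("card exhausted: issue a new one")
        self.pending = secrets.choice(unused)
        return self.pending

    def _consume(self, expected: str, supplied: str) -> bool:
        """Compare in constant time and burn the position whether or not the code matched,
        so a wrong guess cannot be retried against the same position."""
        if self.pending is None:
            return False
        ok = hmac.compare_digest(expected.encode(), supplied.encode())
        self.used.add(self.pending)
        self.pending = None
        return ok

    def login(self, username: str, password: str, code: str) -> bool:
        """Username number, monthly password, then the code at the challenged position."""
        if self.pending is None:
            return False
        card_ok = self._consume(self.card[self.pending], code)
        creds_ok = hmac.compare_digest(username.encode(), self.username.encode()) and \
            hmac.compare_digest(password.encode(), self.password.encode())
        return card_ok and creds_ok

    def transfer_plain(self, payee: str, amount: int, code: str) -> bool:
        """Bare one-use code as in the comment: proves card possession but is not tied to
        payee or amount, so a relay can attach it to a transfer it rewrote."""
        if self.pending is None:
            return False
        return self._consume(self.card[self.pending], code)

    def transfer_bound(self, payee: str, amount: int, code: str) -> bool:
        """Transaction-bound variant: the bank recomputes the response over the payee and
        amount it actually received, so a rewritten transfer no longer verifies."""
        if self.pending is None:
            return False
        return self._consume(bound_code(self.card[self.pending], payee, amount), code)


def relay_scenario() -> Tuple[bool, bool]:
    """Comment #3's scenario: the customer authorises a transfer to Alice for 100, a relay
    between browser and bank rewrites it to Mallory for 5000 and forwards the customer's code.
    Returns (bare code accepted?, bound code accepted?)."""
    card = make_card()
    bank = BankServer("123456", "correct horse", card)
    intended = ("Alice", 100)
    rewritten = ("Mallory", 5000)

    pos = bank.challenge()
    bare_result = bank.transfer_plain(*rewritten, card[pos])           # relay reuses the bare code

    pos = bank.challenge()
    customer_response = bound_code(card[pos], *intended)              # computed over what the customer saw
    bound_result = bank.transfer_bound(*rewritten, customer_response)  # bank recomputes over what it got
    return bare_result, bound_result


if __name__ == "__main__":
    bare, bound = relay_scenario()
    print(f"bare code accepted rewritten transfer:  {bare}")
    print(f"bound code accepted rewritten transfer: {bound}")
```

The bare card only defends the login; once a relay sits between the customer and the bank, the transfer code it collects is good for any payee and amount. Binding the response to the transaction details only helps if the customer computes it from details shown on something the relay cannot alter, which is why the bound variant presupposes a trusted display rather than the browser.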

  13. insurance? by mottie · Score: 3, Interesting

    I may be wrong but I believe this is covered for every bank in Canada, is it not? I had my card double swiped and my bank account emptied (along with 50,000 other people in Vancouver I believe). I had the money back in my account within 2 weeks. All money in a bank is insured, just like your credit card is insured. What's the difference between this and a robber stealing money from a bank?

  14. This is how it already works in Denmark by thue · Score: 2, Interesting

    This is how it already works in Denmark - and it works fine.

    If somebody uses your card number on the internet, and the person who withdrew from your account does not or cannot document that it was done with your consent, you get the money refunded. So if somebody steals your credit card number and withdraws money with it, you get your money back from the bank.

    A merchant may first withdraw the amount from your account when the object is shipped.