Slashdot Mirror


Korean Banks Forced to Compensate Hacking Victims

An anonymous reader writes "A brief story over on Finextra reveals that the Korean government is introducing new legislation that will force banks to compensate customers who have been victimized by identity theft even if the banks are not directly responsible. This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder."

20 of 154 comments

  1. All too brief... by TripMaster Monkey · Score: 4, Informative

    From TFS:
    A brief story over on Finextra...
    'Brief' is right...'skimpy' is the adjective that comes to my mind.

    A much more detailed report on this story can be found at The Korea Times.

    Reading through the above referenced story, two things pop out at me:
    • The investment to build a safe e-banking environment may result in astronomical increases in systems costs given the insecure nature of the electronic commerce infrastructure.
    • The biggest challenge to the banking sector would be how to make home PCs secure. Hackers are increasingly preying on the home PCs, the most susceptible online link of all. Many bank customers tap in from home, often on a computer with little or no security software.

    Given these two paragraphs, this looks like I'm going to be paying higher systems costs because others can't be bothered to practice responsible computing (when this initiative moves out of Korea into the rest of the world, that is...).
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:All too brief... by TripMaster Monkey · Score: 3, Interesting


      Sounds like you're talking about RSA's SecurID products.

      These things are expensive to purchase and deploy. Who's gonna foot that bill? Just the users who can't get the hang of responsible computing....or all of us?

      Besides, SecurID does have its flaws...no panacea here.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:All too brief... by runcible · Score: 3, Insightful

      RNGs (which are not RNGs but rather little keygen dongle type items) don't address the class of issues that would result from -- say -- accessing your bank's site from an 0wned box...the 0wner can hijack an existing, authenticated connection.

      Or for that matter a phishing site that passes through the authentication info that you type in, including the number from your dongle...which now that I think about it, is the more likely scenario.

      The answer will never really be in authenticating the *person*, that crap can always be spoofed or stolen.

      --
      remember the wisdom of Mahatma Gandhi: If enough peasants die horribly, someone will probably notice

    3. Re:All too brief... by inoffensif · Score: 4, Informative

      To the parent, thanks for the Herald link.

      There are many factors which are prompting this in SK. I am not a native but I have been residing in South Korea for 2 years.

      -This place is the mecca of broadband internet access. I mean anywhere and everywhere in the country, everyone is connected at speeds that would humble first world nations. Not that SK isn't first world, economically they are, socially it's another story...
      -Everyone and their mother, uncle, step-sister uses IE explorer. Most Korean sites are designed for IE and don't work with any other browser.
      -The networks are dirty, before I had a physical firewall, ZoneAlarm was registering 1000+ intrusion attempts a day on my system.

      Put your average mom and pop who don't know any better, in an online banking situation in this environment, and you are asking for disaster.

      It will probably set a precedent for many online banking SOPs in the west.

      For those idiot western media brainwashed idiots who don't know a thing about Korea, get a clue, nobody gives a damn about eating dogs or even hears about North Korea more than once a month here, just listen to your dear leader dog tell you who to attack next.

      --
      - you are sofa king weed todd did

    4. Re:All too brief... by Sangbin · Score: 3, Interesting

      Amen brother. Just a rant, but to shed some light on the current computing environment in SK, SK gov checks the speed of the internet connection randomly and requires full refund to all the customers if it isn't as fast as advertised.
      Yes, gov stepping into corporate arena is a bad thing, but it seems to be keeping their Starcraft players happy enough.

  2. And where will the money come from? by nharmon · Score: 4, Insightful

    Does anyone here really think the banks are going to pay this money out from their bottom line? They'll recover it from those customers who do protect their identity through increased fees and interest.

    1. Re:And where will the money come from? by Jesus IS the Devil · Score: 4, Insightful

      You are falling for the business spin on things. If fees increase so will volume of transactions, and thus their bottom line. Banks that are able to overcome this hurdle will grab a huge chunk of market share through low prices all the while keeping good security.

      The fault here lies with two parties, the bank for not doing enough, and end users for not caring enough about security. I feel that end users should still be partially responsible for their actions. I mean, there are people out there that, despite repeated warnings, will keep getting themselves hacked and scammed. I think most of us know people like that. And really, the only remedy for them is to yank out their computers and never let them go online again.

      It's one thing to make banks more responsible for security breaches, but it's another to force them to be completely at fault, when there are so many points of entry for a crook. From the internet router from the ISP, to the user's home line, to his computer, to his keyboard, to the telephone, etc.

      --

      eTrade SUCKS
    2. Re:And where will the money come from? by bfields · Score: 4, Insightful

      Does anyone here really think the banks are going to pay this money out from their bottom line? They'll recover it from those customers who do protect their identity through increased fees and interest.

      The whole "identity theft" terminology is screwed up; it's not your "identity" you're protecting--you're still you after someone else manages to clear out your checking account. What the "identity thief" has done is to fool the bank's authentication system into thinking their transactions were authorized by you. You do have some control over whether this happens, by your choice of password, choice of when to type it in, etc. But the decisions with the greatest effect on the security of that authentication system are completely in the bank's hands: e.g. the decision to authenticate you by asking you to enter a password into a form on a web page.

      The decision to make banks responsible for losses isn't because of a preference for consumers over banks--as you point out, expenses may be passed on to customers either way--it's because the best way to make the banking system more secure is to make sure that the entities with the most power to fix the system are the ones that see the incentives to fix it.

      This is the same reason we limit consumers' liability for credit card losses--it's the credit card company that's in the best position to detect and prevent fraud, and if we pass on the cost to them then we enable them to weigh the costs of fraud against the costs of improved security infrastructure, something that's impossible for an individual consumer to do.

    3. Re:And where will the money come from? by mumblestheclown · Score: 4, Insightful

      The fault here lies with two parties, the bank for not doing enough, and end users for not caring enough about security.

      Would it be too gratuitous to mention that at least some percentage of the fault lies with the unethical idiots actually doing the theft?

  3. No big deal by Red Flayer · Score: 4, Interesting

    FTA: "Under the new legislation customers will still be required to implement safety measures and won't be compensated for losses incurred from online scams if they are careless with card details, PINS and passwords." (emphasis mine)

    There's 50% of it right there.

    I'm not trolling here, I have a question:

    Does using Windows constitute being careless? How about using unpatched Windows? How about using Windows without malware scanners installed?

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai

  4. Schneier likes it by Anonymous Coward · Score: 5, Informative

    This is exactly what Bruce Schneier has been advocating for a while...here's his take on this story.

  5. Better than the Secret Service's crap here... by chroot_james · Score: 5, Interesting

    While I was working for Harvard Law School, the Secret Service came and spoke to the different IT communities at Harvard. What they came to tell us was that if there was any security breach, they would help us minimize the damages and then went through their plan on how to do that. The plan was essentially to not scare the public, not tell anyone, and hide as much of the damage as possible and try to recover. That basically does nothing for anyone interested in *actually* knowing how safe they are.

    Kudos to Korea for having the balls to blame the people leaving the doors to security breaches WIDE open.

    --
    Reality is nothing but a collective hunch.

  6. You have to make it hurt by El Cubano · Score: 4, Insightful

    This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder.

    I agree. I was listening to Clark Howard a couple of weeks ago on the radio and he was talking about how 99.9% of US banks have atrocious security when it comes to online banking. I know that identity theft also happens offline, but I also think that you have to criminalize grossly negligent behavior, or else you end up with a situation like what we have today: banks see it as more fiscally reasonable to absorb the cost of the problem than to even attempt to fix it. The problem is that this has tragic consequences for the individuals that are victimized. Hopefully the US congress will jump on board and start dealing with serious problems, instead of concerning themselves with things like college sports and drug testing among athletes, which ultimately shouldn't be of importance to the federal government.

  7. Banks will require Trusted Computing by jreiser · Score: 3, Interesting

    The banks will use the new rules as an excuse to require Trusted Computing [or other restricted hardware/software] for home users, which in practice will mean some form of MS Windows. No MacOS, no Linux, no BSD, etc.

  8. I see a weakness by Bastard of Subhumani · Score: 3, Insightful

    1) Put money in bank account
    2) Have your pal steal your identity and the money
    3) Bank recompenses you
    4) Split PROFIT!!!!!

    --
    Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.

  9. That's what SSL certificates are for by brunes69 · Score: 3, Informative

    If the SSL certificate does not match the IP address of the host you are connecting to, it should raise big red flags in your head.

    Sometimes, there are legitimate reasons for this (such as a bank moving servers and not having time to get a new cert), but they are usually very temporary, so to be safe you can just not do any banking during that period.

    Sure, you can still bypass this via a man in the middle attack using ARP poisoning - but in order to do that the hacker has to be on your local subnet if you have a home router, or else working at your ISP if you are directly connected.

    Either case is highly unlikely, and **any** way you look at it, even if your original DNS thing was an actual issue, online banking is much more secure than banking at an ATM or via debit payment, and I bet you do that every day.

    All I need to steal your money at an ATM is to install a hidden swipe reader inside the ATM/debit machine and a hidden camera to capture your PIN number. This happens *all the time*, far more than publicized. It is very easy to do, and a smart crook who just leaves the setup installed for a few hours then takes it down is rarely caught either.

    Even easier is to just capture the card swipe, use it to make a fake identical copy of your own card, and go into the bank and convince the teller to let you change the PIN on the card cause "you forgot it". Also simple to do. Much simpler than hacking into the DNS servers of your ISP, that's for sure.

  10. That's all well and good... by OakDragon · Score: 4, Funny

    ...now if the Nigerian government would just do something to get my money back from that doctor fellow!

  11. Re:That's what SSL certificates are for by Russ Steffen · Score: 3, Informative

    SSL certificates are almost never issued to IP addresses, only to fqdn hostnames. In fact I've never seen a certificate with an IP address in the CN field, and I'm not even sure how a browser would handle it. In fact, issuing a certificate to an IP address would make things even less secure. With a hostname, the browser can check against a forward and reverse lookup, theoretically maximizing the number of machines that would have to be compromised to hijack the connection. It also subverts the only real check most certificate authorities do - verifying that the cert request is coming from the domain owner on record.
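The hostname check that comments 9 and 11 argue about, as an added example that is not part of the thread: what a browser actually compares is the host named in the URL against the dNSName and iPAddress entries in the certificate's Subject Alternative Name extension. The function below implements the conservative matching rules browsers apply (case-insensitive comparison, a wildcard only as the whole leftmost label and matching exactly one label), and it goes a little beyond the comments by showing that an IP-literal URL matches only an explicit iPAddress entry, never a DNS name, and vice versa. The certificate names and the `example-bank.test` hostnames are constructed for this example; they do not come from any real certificate.

```python
"""Certificate name matching as a TLS client performs it (illustrative, added example)."""
import ipaddress

# Constructed stand-in for a certificate's Subject Alternative Name entries.
# A real client would read these from the parsed certificate; the values here
# are made up for the example.
SAMPLE_CERT_NAMES = {
    "dns": ["online.example-bank.test", "*.example-bank.test"],
    "ip": [],
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against the requested hostname.

    Rules (the conservative subset browsers enforce):
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard is accepted only as the whole leftmost label ("*.example.test");
        partial wildcards such as "f*.example.test" are rejected
      - the wildcard matches exactly one label, never zero or several
      - a wildcard must be followed by at least two labels, so "*.test" is refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial or non-leftmost wildcard
    if len(p_labels) < 3:
        return False  # "*.test" would cover far too much
    if len(h_labels) != len(p_labels):
        return False  # wildcard covers exactly one label
    return h_labels[1:] == p_labels[1:]


def hostname_matches_cert(requested_host: str, cert_names: dict) -> bool:
    """Return True if the host the client asked for is named by the certificate.

    An IP literal in the URL (with or without IPv6 brackets) matches only an
    explicit iPAddress entry; dNSName entries never match it.  A DNS hostname
    never matches an iPAddress entry.
    """
    try:
        requested_ip = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        requested_ip = None

    if requested_ip is not None:
        return any(requested_ip == ipaddress.ip_address(entry)
                   for entry in cert_names.get("ip", []))
    return any(_dns_name_matches(pattern, requested_host)
               for pattern in cert_names.get("dns", []))


if __name__ == "__main__":
    for host in ["online.example-bank.test", "www.example-bank.test",
                 "a.b.example-bank.test", "203.0.113.10"]:
        print(f"{host:28s} -> {hostname_matches_cert(host, SAMPLE_CERT_NAMES)}")
```

Typing the bank's IP address into the address bar, which comment 9's wording might suggest, therefore fails verification against a normal hostname certificate for the reason comment 11 gives: the certificate simply does not name that address. Conversely, a certificate that only names an IP address would never validate for the bank's hostname, which is the reverse lookup question the comment raises, settled by the certificate's own contents rather than by DNS.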

  12. Holding software/service companies responsible. by Douglas Simmons · Score: 3, Interesting

    I'd love to see a EULA that had a line which afforded the user legal protection instead of just the typical kind that is intended exclusively to cover their ass. I read the article and there's no mention of which software was compromised, but if it's one that offers not only the software but maintenance and updates to it, be it Redhat or MS. This article doesn't mention whose product/service screwed up, or if it was human error on behalf of the bank. The hackers should not be the only ones to be demonized. You run an operation like this with a hole open, someone's going to break through it. I just installed snort on a small website and now the snort hack attempt email notification fills up my box faster than spam. Hacking should be expected just as rain would if the building's construction company used a form of concrete that wasn't waterproofed.

    Imagine if you owned a ski resort operation and you just dropped twenty mil on a souped-up chair lift. As the lift company advised, you hired people to do regular examinations and keep it lubed up. Then one day the stress of a chair switching from the slow loading track to the high-speed main line caused the cable to snap, killing dozens of people, including lots of pregnant women carrying pandas. Checking the line integrity was not on the company-issued checklists of the maintainers you hired but the chair lift company said they'll have a look at it every six months to run stress tests themselves and they found a problem that seemed small enough not to bother fixing. The chairlift company, hopefully insured, ought to be the ones exposed to liability, and this Korean bank incident should be no different. The software company (assuming it's not Debian (in which case this wouldn't have happened anyway)) should be the ones absorbing the heat. That may not be the law, but it strikes me as common sense.

  13. insurance? by mottie · Score: 3, Interesting

    I may be wrong but I believe this is covered for every bank in Canada, is it not? I had my card double swiped and my bank account emptied (along with 50,000 other people in Vancouver I believe). I had the money back in my account within 2 weeks. All money in a bank is insured, just like your credit card is insured. What's the difference between this and a robber stealing money from a bank?