Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Appeals Court Says Bank Liable For Losses From Poor Online Security

Posted by timothy on from the perhaps-should-apply-to-more-than-banks dept.

An anonymous reader writes with this extract: "Threatpost reports that a judge on the United States Court of Appeals this week ruled that People's United Bank's processes and systems for protecting customer accounts from fraud were not "commercially reasonable." The ruling in People's United Bank (formerly Ocean Bank of Maine) versus Patco Construction Company reverses a lower court's ruling in a case that stems from six allegedly fraudulent transactions that occurred over the period of a week in May, 2009 and drained close to $589,000 dollars from Patco's accounts. Patco alleged that People's United Bank did an inadequate job of protecting them against fraud, ignoring repeated 'high risk' warnings from the bank's fraud detection system. Now the Appeals Court appears to agree. The ruling could have broad implications in the U.S., where businesses that are the victim of account takeovers and fraudulent transactions are suing banks to recover lost funds."

94 comments

  1. It's about fucking time by DogDude · · Score: 5, Insightful

    It's about fucking time. Banks (and yes, even credit unions) have been warning its customers that whatever happens through their online interfaces isn't their fault. That's really just absurd, when a person or company's entire financial life is available via a single password on the Net. Security, of course, isn't the sole responsibility of the banks, but it is their responsibility. Banks provide giant safes for our physical valuables, they provide insurance for theft or collapse, but online, it's "good luck, customers!"? Bullshit. It's time to hold them at least somewhat responsible for their online interfaces, as well.

    --
    I don't respond to AC's.
    1. Re:It's about fucking time by drinkypoo · · Score: 4, Insightful

      It's well past time. My bank is retarded. Mandatory security questions that people can find out answers to by research, you can lie to them but then you have to remember your lies. Also, your initial online access PIN is the last four of your SSN, and it persists from the time you go to the bank to get it activated to the first login, which could be a very short time (it was for me) or a very long time but either way is terrible.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:It's about fucking time by Anonymous Coward · · Score: 5, Informative

      Basic tort theory states that responsibility for a loss should be placed on the individuals or entities that are most capable of preventing the loss. In this case, banks are responsible for security controls on their own accounts. Banks are most capable of preventing most losses due to fraudulent transactions. It's absurd that they have not already been held responsible for all the fraud out there.

    3. Re:It's about fucking time by peragrin · · Score: 1

      I am waiting for banks to go the route blizzard has requiring a third party component with an additional access code. find it funny game companies are pushing some sort of third point authentication systems yet banks use passwords and pins.

      Banks should be doing this. Okay here is your new account and be sure to get your new security dongle.

      --
      i thought once I was found, but it was only a dream.
    4. Re:It's about fucking time by Anonymous Coward · · Score: 5, Informative

      Yep. Though actually this isn't governed by tort law, it's governed by Art. 4A Sec. 202 of the Uniform Commercial Code. (http://www.law.cornell.edu/ucc/4A/4A-202.html) (But you're right; the UCC seems just to be codifying the principle you identified.) So, the good news may be that the law has always been pretty sensible about this sort of issue (at least in theory). Though perhaps individual judges and juries have lagged in their understandings of "commercially reasonable."

    5. Re:It's about fucking time by Mashiki · · Score: 2

      Considering most banks don't even have FOB service, I find this not surprising. Heck, look at Blizzard, EA, Sony, *insert MMO*, even Google. They all provide two factor authentication for their services. Banks? Ahahaha...yeah good luck.

      --
      Om, nomnomnom...
    6. Re:It's about fucking time by drinkypoo · · Score: 2

      Basic tort theory states that responsibility for a loss should be placed on the individuals or entities that are most capable of preventing the loss.

      Really? Where did you go to law school?

      Courts (in the USA) have repeatedly ruled that cops do NOT have a legal obligation to protect you, or prevent you from being robbed.

      Logical fallacy, attacking a straw man. The cops aren't there to protect you. The cops are there as a system of punishment for people who have already committed crimes. In the long run, that is meant to protect society but it is not feasible for the cops to protect you. Sometimes they will give it the ol' college try, though. If you're lucky. And white.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:It's about fucking time by FrankieBaby1986 · · Score: 1

      Logical fallacy, attacking a straw man. The cops aren't there to protect you.

      Well, at least they pretend to in LA: http://www.joinlapd.com/motto.html

      --
      ERROR: SIG NOT FOUND (A)bort, (R)etry, (F)ail?:
    8. Re:It's about fucking time by Anonymous Coward · · Score: 1

      Where in his post did the GP say anything about cops? Perhaps if you knew anything about law you would realize that tort law governs interactions between private citizens. Cops have nothing to do with it. And, yes, what he said is unambiguously correct (at least as a generalization) -- and he is correct with respect to the reasons for the law applied in this particular case. (And, if you're wondering, I went to a top 10 American law school.)

    9. Re:It's about fucking time by xelah · · Score: 1

      Logic also suggests that if someone, whether a man in the street or your bank, owes you money and, through some trickery, a third party tricks him in to giving a repayment to that third party, that he still owes you the money. He hasn't repaid you, so he still owes you. This is perhaps not the case if you're careless...if through your recklessness with your password you impose that loss on your borrower then you maybe should have to compensate him by that amount.....but it should always be the starting point.

      Or, to put it another way, if your bank didn't get your mortgage payment and you said 'sorry, I gave it to some guy who said he was you and who had put your logo on his letters', do you think they'd just let it drop? So why is it different with the roles switched?

    10. Re:It's about fucking time by 0100010001010011 · · Score: 1

      Unless it's a human taking the answer you can always md5sum($maidenname) or sha1($city_of_birth).

    11. Re:It's about fucking time by rtb61 · · Score: 1

      Banks have lots of brick and mortar outlets. Three strikes and online access is dead until you visit a brick and mortar outlet, who can verify anything the bank wants too to secure itself from the losses of having to replace the money it has stolen, it just claims to have given to a fraudulent claimant. Banks can track your image, fingerprints, password and signature. In reality unless the fraudulent claimant who took the money from your account can be found, the bank should be charged with stealing your prove ie it is legally the banks responsibility to prove where the money went.

      --
      Chaos - everything, everywhere, everywhen
    12. Re:It's about fucking time by Anonymous Coward · · Score: 0

      Have you not been paying attention for the past 30 years? Banks have been given the most passes on malfeasance out of any industry in existence. Some of those, I can as necessary so to stop the dam from bursting, but trusted online secure banking culpability should have been written in stone during the Clinton administration. They knew it was heading that way, proselytizing the future business environment the Internet would provide, and sat on their laurels instead.

      I really hope this makes its way up and becomes consistent across the board. It's really the only way we're going to see some amount of trust brought back to the banking industry after the last few years.

    13. Re:It's about fucking time by Anonymous Coward · · Score: 0

      I couldn't agree more! As a banking software designer/developer for 30 years the bank is more interested in less cost and more feature than customer protection.

    14. Re:It's about fucking time by Anonymous Coward · · Score: 0

      As someone who used to work for the Credit Unions, I can tell you that most of the time if something happens the banks/credit unions etc usually pay up to keep it all quiet. It happens more often than they would like advertised. I think in this case it was because it was close to half a million dollars that the bank decided not to pay up in the hope they could get away without paying. The usual amounts are in the hundreds, thousands or tens of thousands. Half a million is a big leap.

    15. Re:It's about fucking time by Ocker3 · · Score: 1

      My (Australian) bank offers an RSA key, making their online access three-factor if you get one. Their security still sucks (imo), doesn't allow the complexity of passwords that I like.

  2. Right ruling by DoofusOfDeath · · Score: 5, Interesting

    I don't see why it's any more complicated than, "I gave the bank X dollars. I have not withdrawn any money. They owe me X dollars."

    The fact that this hasn't been the case so far strikes me as a case of the banks owning their regulators and the legislature. But I don't want to make too hasty of an assumption. Does anyone know the history of this issue?

    1. Re:Right ruling by Anonymous Coward · · Score: 0

      Not for certain, but look at identity theft vs fraud. The result is basically the same, but the bank is only legally on the hook for fraud, and not the fairly-newly invented crime of identity theft.

    2. Re:Right ruling by slew · · Score: 5, Informative

      RTFA.

      Apparently the issue is that although individuals are protected against fraud by legal statutes, businesses are not. Specifically at issue is the authorization of commerical ACH (automated clearing house) transactions to the account (when you use your debit card it's authorized under the EFTA or electronic funds transfers act).

      In this case the bank so egregiously ignored it's own security measures (authorized transactions even though it's internal fraud alert systems was warning against the transaction) that it was clear the bank was in the wrong...

    3. Re:Right ruling by SunTzuWarmaster · · Score: 1

      I don't see why it's any more complicated than:

      I gave the bank X dollars. I have not withdrawn any money. They owe me X dollars.

      My business gave the bank X dollars. My business has not withdrawn any money. They owe my business X dollars.

      Fixed.

    4. Re:Right ruling by slew · · Score: 3, Informative

      I don't see why it's any more complicated than:

      I gave the bank X dollars. I have not withdrawn any money. They owe me X dollars.

      My business gave the bank X dollars. My business has not withdrawn any money. They owe my business X dollars.

      Fixed.

      IANAL, but as I understand it the question is the definition of "my business" in the withdrawn case. When it is a person, it is much clearer if you have authorized the money to be withdrawn because of the way the law is written. If it is a business, it isn't a statute thing, it is often a matter of the uniform commercial code or a business to business contract or the charter to your business (e.g., is the "treasurer" allowed, is a "sales-person" allowed, or third party "accountant" is allowed, or my "niece" is allowed to use a checking account), thus these facts sometimes need to be discovered in a court to determine if there is actual fraud, or if the company is instead required to sue the person who took the money (instead of the bank that authorized the transaction).

      For example, if a bookkeeper employeed by a company wanted to embezzle money from the company and gave his password to his aunt in russia to do the deed, the company would probably have to sue the ex-employee and the uncle and the bank would be off the hook since to the bank, the bookeeper was authorized to take the money.

      In this case, it was clearly the bank's fault, but that's not always the case in business (which is one of the reason business accounts are different than individual accounts).

    5. Re:Right ruling by tqk · · Score: 2

      Does anyone know the history of this issue?

      RTFA.

      No need to be rude.

      What's wrong with this picture? You asked a question, and s/he replied that the answer is in TFA, which I have to assume you didn't bother to read if so. How is that rude?

      Your epidermis is way too thin.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    6. Re:Right ruling by Anonymous Coward · · Score: 0, Funny

      RTFA.

      Apparently the issue is that although individuals are protected against fraud by legal statutes, businesses are not.

      But, but but.... I thought corporations were people!

    7. Re:Right ruling by Lucidus · · Score: 1

      The rudeness quite obviously lies in the 'F' of RTFA. We are so used to the acronym that perhaps we forget exactly what it stands for.

    8. Re:Right ruling by Sloppy · · Score: 1

      How is that rude?

      "TFA" instead of "TA". Let's go easy on all the pro_anity, as it it o__ends some people. There's no reason immediately drop the _ bomb. I think i_ we try hard, we can all learn to type without that _ucking letter.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    9. Re:Right ruling by Anonymous Coward · · Score: 0

      Dude you should start reading reddit/r/technology. It's the same articles but without the pricks saying "RTFA" and generally a more positive discussion.

    10. Re:Right ruling by tqk · · Score: 1

      How is that rude?

      "TFA" instead of "TA".

      "The Fine Article" instead of "The Article"?

      Physician, heal thyself. You're the one who's needlessly reaching for the F-bomb.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    11. Re:Right ruling by tqk · · Score: 1

      The rudeness quite obviously lies in the 'F' of RTFA.

      Not so obvious. Old farts like me remember when it could be parsed as either "Fine" or the f-bomb, user's choice.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    12. Re:Right ruling by pdabbadabba · · Score: 2

      Well, it's clear that someone owes them X dollars, the question is whom. In cases where the bank's security measures aren't to blame (the typical case will be when the user picked a weak password, or allowed his password to be stolen somehow, or lost it to keylogging software they installed along with a desktop weather widget) why place the loss on the bank? All they did was implement the security measures that they and their customer agreed upon. It was the customer's fault (by hypothesis) that their account was compromised. The alternative would give customers no incentive to keep their passwords secure and would expose banks to essentially infinite uncontrollable liability.

      Of course, if it really was the bank's fault then, yes, the customer should be able to recover directly from the bank and the bank should be the one left to track down the thief if they want their money back. It's this distinction that the law tries to capture (see UCC Art 4A Sec. 202, http://www.law.cornell.edu/ucc/4A/4A-202.html), and I think it generally does a good job (except, of course, for the inevitable problem of keeping courts up to speed on what counts as "commercially reasonable" -- but that's the beauty of our adversarial system: we can usually count on the parties' lawyers to keep the judges more-or-less educated).

      --
      caritj.org
    13. Re:Right ruling by pdabbadabba · · Score: 1

      Mmm...I think it's pretty obvious. I always read "RTFA" as hostile. I've got no problem with you or your comment, but thought you might be interested in another data point on the off chance that you actually do care about not coming off as rude. Cheers.

      --
      caritj.org
    14. Re:Right ruling by gottabeme · · Score: 0

      Right--so the next time someone says, "F you!" to me, I'll just assume he thought I asked how he was doing...

      --
      "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
    15. Re:Right ruling by evilviper · · Score: 3, Interesting

      In cases where the bank's security measures aren't to blame (the typical case will be when the user picked a weak password, or allowed his password to be stolen somehow, or lost it to keylogging software they installed along with a desktop weather widget) why place the loss on the bank? All they did was implement the security measures that they and their customer agreed upon.

      The reason the bank should ALWAYS be liable is because "the customer" never gets a chance to "agree upon" the bank's security measures. I want two-factor authentication, I want one-time-use credit card numbers, I want cryptographically secure transactions... My bank doesn't care what I want.

      Oh, and an important aside... Banks are REQUIRED BY LAW to provide two-factor authentication for their online banking services. Has your bank ever sent you an RSA key? No? That's because they got their lawyers to work out a loophole where those 'forgotten passwork"-type questions count as one factor, and your password the second. So EVERY BANK OUT THERE is actively circumventing the law, to provide insecure access to your account. Did they ever ask you? They sure didn't ask me.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    16. Re:Right ruling by evilviper · · Score: 3, Informative

      1) 3-letter acronyms are much less clear and more easily mixed-up than 4-letter acronyms.

      2) It's only YOU assuming that the F stands for something profane. I refer you to Jimmy Kimmel's "best of unnecessary censorship" series...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    17. Re:Right ruling by pdabbadabba · · Score: 1

      Interesting, but I can't quite tell what you're proposing. I agree with you in wanting banks to use better security measures. This seems to go to the definition of "commercially reasonable." And, as I said, there may be a problem with judges' understanding of the costs and benefits of the technologies involved that could work to ensure that this definition lags.

      But this seems like a different question from the one I was primarily answering: who is liable for a breached account if the banks DID employ commercially reasonable security measures. To answer that question, you'd have to say something about the problem of infinite liability for banks in cases like the one when my grandmother loses her password negligently.

      What law is it that requires banks to use RSA keys? I've googled and come up with nothing applicable. If you can show it to me, that would be great so I can sue my bank into compliance. (Seriously.) I suggest you do the same!

      --
      caritj.org
    18. Re:Right ruling by pdabbadabba · · Score: 1

      I missed the obvious: are you sure there is no bank that provides these things? Most of them? Have you Googled it? I just did, and I found quite a few options. But I take it that, for some reason, you have chosen not to use one of those banks or services. That's the sense in which you are using your bank's security regime voluntarily. You never had to do business on those terms in the first place if you didn't like them. In fact, the law is designed to help you in just the way you have in mind: it provides some limit on the "whatever you agreed to" default. If the security regime offered by your bank is not commercially reasonable, it doesn't matter whether or not you agreed to use it. The problem, again, is just that you want more than what courts have found to be "commercially reasonable" and anf for some reason have not chosen to find a bank that meets your needs better. What am I missing?

      --
      caritj.org
    19. Re:Right ruling by sjames · · Score: 1

      True, but fine was always in implied bold italics.

    20. Re:Right ruling by ancientt · · Score: 1

      You can find information about the requirement on the FFIEC site at http://www.ffiec.gov/pdf/authentication_guidance.pdf.

      I don't think it explicitly requires RSA keys, but it does speak of multi-factor authentictation. RSA is often a reference to a specific company. The government guidelines would be rightly questionable if they endorsed a specific company as the potential solution. However, RSA the company does do a job of (possibly) providing multi-factor authentication.

      Generally it works like this: The user is prompted for a username which is then used to check credential information and displays a particular image to the user (previously selected by the user) before the password is entered. That ensures that the user is prompted to enter information, and then is given a chance to recognize or back out of a transaction based on their recognition of their custom image before a password is entered. This provides positive verification in addition to the password requirement. The second factor is based on the device in use by the user where a cookie has been stored if the user has displayed the ability to add additional layers of known information, generally the answers to questions the user has selected and answered previously.

      This layered authentication process, username, positive verification, device validation, conditional challenges, is generally considered consistent with the requirement for multiple factors of authentication. I'm not sure that it meets the goals of the guidlines published by the FFIEC, but it does provide layers of authentication which is generally all a financial instutition can implement without running afoul of patents (a whole separate painful issue) which is generally acceptable in a competitive market. Instutitions which require a second channel of authentication, such as a phone number communication, key fob, remote key or other device generally are seen as unnecessarily annoying by customers. Essentially the problem boils down to a compromise between convenience demanded by end users vs security demanded by legislative guidelines. As always, the real problem is the users who don't actually want the hassle of a more secure system.

      This says nothing about the security compromises in financial instutitions where a maximum number of password characters defies sanity coupled with a limitation of potential characters. That's just stupid. Also common.

      --
      B) Eliminate all the stupid users. This is frowned upon by society.
    21. Re:Right ruling by Sloppy · · Score: 1

      "The Fine Article" instead of "The Article"?

      But _ine contain_ the letter _ and everyone know_ that _tand_ _or _uck, ju_t a_ word_ containing _ are a re_erence to the vulgar word _hit!

      We need to eliminate all the_e o__en_ive letter_ le_t the internet de_cend into a terrible toilet o_ gutter conver_ation. I don't know what the big deal i_; even without _ and _ we _till have twenty _our letter_ which which to _pell word_. Although now that I think o_ it, if we go by the George Carlin li_t (_hit, _i__, _u_k, _unt, _o_k_u_ker, _other_u_ker, and _i__) i_ _hould be _wen_y.

      __ _____ __ ______ ____ ____ ___, ____ __ __ ______ ____.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    22. Re:Right ruling by tlhIngan · · Score: 1

      Most North American banks implement what is known as "Wish-it-Was Two Factor" authentication..

      Which is nothing more than another password.

    23. Re:Right ruling by Anonymous Coward · · Score: 0

      The link you provided is for "guidance." Is that the same as a legal requirement?

    24. Re:Right ruling by ancientt · · Score: 1

      I don't think so. I think it is about the requirements and what is acceptable to meet them (as I said.) It is not the actual requirements. You can read the foot notes to find out what expressly they're addressing, but good luck slogging through that stuff. The link I gave was 14 pages of mind numbing drudgery, but here's the (first four) footnotes that pretty well cover where to find the actual requirements:

      1 Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.
      2 Customer information means any record containing nonpublic personal information as defined in the Interagency Guidelines Establishing Information Security Standards at section I.C.2. 12 CFR Part 30, app. B (OCC); 12 CFR Part 208, app. D-2 and Part 225, app. F (FRB); 12 CFR Part 364, app. B (FDIC); 12 CFR Part 570, app. B (OTS); and 12 CFR Part 748, app. A (NCUA).
      3 The Interagency Guidelines Establishing Information Security Standards that implement section 501(b) of the Gramm–Leach–Bliley Act, 15 USC 6801, require banks and savings associations to safeguard the information of persons who obtain or have obtained a financial product or service to be used primarily for personal, family or household purposes, with whom the institution has a continuing relationship. Credit unions are subject to a similar rule.
      4 The regulations implementing section 326 of the USA PATRIOT Act, 31 USC 5318(l), require banks, savings associations and credit unions to verify the identity of customers opening new accounts. See 31 CFR 103.121; 12 CFR 21.21 (OCC); 12 CFR 563.177 (OTS); 12 CFR 326.8 (FDIC); 12 CFR 208.63 (state member banks), 12 CFR 211.5(m) (Edge or agreement corporation or any branch or subsidiary thereof), 12 CFR 211.24(j) (uninsured branch, an agency, or a representative office of a foreign financial institution operating in the United States (FRB); and 12 CFR Part 748.2 (NCUA).

      When you're preparing to make sure your company stays in business, links like the one I referenced are what you go by. You then ask your lawyers to see if what you are planning and doing meet the actual requirements. (Which is a lot of what lawyers get paid for and at least part of the reason I am not a lawyer.) When all is in place and you're grilled by examiners/auditors, you have references to back up your plan and the opinions of actual lawyers to refer them to. Do feel free to read through it on your own if you like of course. I've spent some time carefully researching some of the laws that are applicable to managing financial transactions and don't envy your next couple weeks if you decide to go that route. Of course you should also note that this is particularly focused on household rather than business relationships which I inferred to be the relationship in question by the poster I was replying to.

      --
      B) Eliminate all the stupid users. This is frowned upon by society.
    25. Re:Right ruling by evilviper · · Score: 1

      http://www.prweb.com/releases/2007/07/prweb537332.htm

      The numbers say that 96% of banks are out of compliance. Giving me the option of using just 4% of all banks is no choice at all.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    26. Re:Right ruling by pdabbadabba · · Score: 1

      Interesting. But it matters which banks comprise that 4%. (Though the most relevant number for us is 6%, I would thin, since that is the percentage that allows you to opt in to a two-factor system.) Bank of America is one of them -- they offer an optional second factor in the form of an RSA SiteKey fob. Other major banks do the same. Remember that you also have the choice to not use online banking. So, yes, given that backdrop, I;d say it is definitely fair to say that you "chose" to use whatever system it is that your bank has you using.

      It's not entirely on point anymore, but I'd also point out that that FFIEC guidance is not likely to be legally binding. With agency guidance documents it's sometimes hard to tell, but in this case it seems pretty clear that it is only informational. (IAAL -- though, of course, this isn't legal advice and I'm not your lawyer. I'm just some guy on /.)

      --
      caritj.org
    27. Re:Right ruling by pdabbadabba · · Score: 1

      This is interesting, and thanks for the information. Though having read it, it seems pretty clear that this guidance document doesn't set out legal requirements -- it's only informational. (Some guidance docs can indeed be legally binding, but I don't think this one is.) [IAAL -- but, of course, I'm not YOUR lawyer so don't treat this as legal advice. I am also not admitted to the bar in your state. Etc.]

      --
      caritj.org
  3. People's by Anonymous Coward · · Score: 5, Funny

    I still get that cuddly, fuzzy Russian Soviet communist feeling every time I see or hear the word People's.

    1. Re:People's by bky1701 · · Score: 1

      I always thought The People's Court sounded a little socialist. Then Sliders proved me right!

      --
      Great Intellect...
  4. Video explanation by Paradise+Pete · · Score: 5, Funny

    This video properly explains it.

  5. Now lawyers to design security protocols? by 140Mandak262Jamuna · · Score: 3, Informative
    This decision is going to create a new problem. Bank lawyers are going to design and approve the security measures of the bank. They do it purely from a lawyer view point. "Will this procedure allow the bank to argue in a court, we have done all we could your honor, to protect the customer.". They would not worry about whether are not the security has been actually enhanced, or whether the procedures would be convenient enough for the customers to adopt.

    Each bank and brokerage account I have wants to send me an RSA dongle. "It is free! It is convenient! Add it to your key bunch! And lug it every where!". If I follow their advice my key fob will have more RSA dongles than actual keys. Then once you accept an RSA dongle, Quicken is not able to download transactions. "You want both security and also download transactions to Quicken? Choose either this or that buddy. I will tell the court we offered RSA dongle and he refused. He is totally at fault.".

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Now lawyers to design security protocols? by mjr167 · · Score: 1

      And this is different from now how?

    2. Re:Now lawyers to design security protocols? by Mindcontrolled · · Score: 2, Informative

      So you want security, indemnity and you do not want to do anything for it, yes?

      --
      Ubi solitudinem faciunt, pacem appellant.
    3. Re:Now lawyers to design security protocols? by The+Mighty+Buzzard · · Score: 4, Insightful

      I honestly don't see how this is a problem. A bank's fundamental commitment is to be a safe place to stuff your money. They pay a pretty fair chunk of money to physical security experts to make sure nobody can walk in and take the money in their charge. They should take their online security just as seriously and if they don't they should be held liable.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    4. Re:Now lawyers to design security protocols? by jonwil · · Score: 1

      The problem (like other things in the computer security world such as HIPAA, PCI etc) is that the banks will do the things that will make the lawyers happy and/or reduce the banks risk and not the things that will actually improve security.

    5. Re:Now lawyers to design security protocols? by Anonymous Coward · · Score: 2, Insightful

      False dichotomy - the choice isn't usually between 'lawyer security' and 'real security'. The bank is often choosing between 'lawyer security' and 'no security'.

    6. Re:Now lawyers to design security protocols? by Anonymous Coward · · Score: 0

      Better they do something, than the nothing they are doing now.

    7. Re:Now lawyers to design security protocols? by Anonymous Coward · · Score: 0

      This decision is going to create a new problem. Bank lawyers are going to design and approve the security measures of the bank.

      Ha. On my bank's website, it says:

      we have no control over the privacy of your e-mail communications with us. We recommend that you not include private and sensitive information in e-mails to the Bank, including, but not limited to, account numbers, balances, passwords, etc. Scotiabank and its subsidiaries and affiliates will not be responsible for any damages you may suffer if you transmit confidential or sensitive information to us through e-mail.

      That is all true. Email is not a secure method of communications .

      So when the bank teller asked me for my email address, I said no thanks. She was stunned that I would decline, and she asked why. I said she should talk to the bank's lawyers. If the bank would guarantee the security of email, I would be happy to provide them with my email address.

    8. Re:Now lawyers to design security protocols? by sociocapitalist · · Score: 1

      You want security, or you want convenience? You cannot have both.

      I have a dongle for my business account and I sleep well at night. I even have a soft token on my phone for by Blizzard account. It's not so complicated, and I really don't mind.

      --
      blindly antisocialist = antisocial
    9. Re:Now lawyers to design security protocols? by Anonymous Coward · · Score: 0

      You mean nothing besides allow them to make profit from my money? Fuck yes. They are going to do that, so I'm ok for getting something in return shit head.

    10. Re:Now lawyers to design security protocols? by Anonymous Coward · · Score: 0

      No, he just wants it to not break the functionality he previously had.

    11. Re:Now lawyers to design security protocols? by bill_mcgonigle · · Score: 1

      "You want both security and also download transactions to Quicken?"

      If only technology existed where you could digitally sign a chain of trust between multiple business partners.

      Oh, wait, this isn't 1977 - my bad.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    12. Re:Now lawyers to design security protocols? by Teun · · Score: 1
      So you can't imagine E-mail exchanges with useful yet non-confidential information?

      My bank regularly sends me mail advising me to log in on my account (via a challenge-response system) and read the message or act on the instructions there.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    13. Re:Now lawyers to design security protocols? by Teun · · Score: 1

      Surely the US court system knows the option to invite an outside expert to make one's point.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    14. Re:Now lawyers to design security protocols? by Anonymous Coward · · Score: 0

      So you can't imagine E-mail exchanges with useful yet non-confidential information?

      Yes, of course.

      But I also imagine the bank sending me huge amounts of spam for products that I am not interested in.

      Or that the bank's email messages will contain information that would make identity theft easier. I remember once when the bank was trying to verify my identity over the phone, they asked what types of accounts I have with them.

      An email announcing that the interest rate on my line credit is dropping by 2% is useful information to me, but also announces that I have a line of credit with the bank.

    15. Re:Now lawyers to design security protocols? by The+Mighty+Buzzard · · Score: 1

      The problem (like other things in the computer security world such as HIPAA, PCI etc) is that the banks will do the things that will make the lawyers happy and/or reduce the banks risk and not the things that will actually improve security.

      You mean they'd put the same effort into covering their asses rather than securing the site, which would also cover their asses? I'll grant you there will probably be some portion of the budget devoted to largely useless but legally expedient pursuits but a good portion of it will also have to be actual better security. They may not particularly care about security but their lawyer is going to ask them "will it stand up to security experts scrutinizing the hell out of it?".

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    16. Re:Now lawyers to design security protocols? by Anonymous Coward · · Score: 0

      How secure is that Quicken download system, anyway? I'd be awfully nervous about putting all my banking credentials in a Quicken file without knowing a lot more about their security than they seem willing to reveal.

    17. Re:Now lawyers to design security protocols? by Anonymous Coward · · Score: 1

      As some comedian put it, "identity theft" is really an euphemism for bank robbery, nothing more. Someone stole money from a bank, but my identity is still here.

      There's really only one way to fix this: make the banks responsible for any transactions with your money that you have not authorized them to do. If they give money to someone pretending to be you, and you can show it was not really you, then it's them who got defrauded, and not you. It becomes an issue of economics, not law: perhaps the banks will invest in better security measures, or perhaps take out insurance to cover the losses.

      Unless the banks are responsible for their own fraud losses, the situation will never be fixed. A customer cannot improve bank security on their own, and the banks will not be motivated to do any better when they can get away with it.

    18. Re:Now lawyers to design security protocols? by kqs · · Score: 1

      Absolutely. As always, the Free Market provides. There are people who make a very good living being expert witnesses in US court, testifying to prove whatever their client's point is.

    19. Re:Now lawyers to design security protocols? by jd · · Score: 1

      Oh, wait, this isn't 1975 - my bad.

      FIFY. Even if GCHQ never did anything with the technology, you only stipulated it had to exist. :)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    20. Re:Now lawyers to design security protocols? by 140Mandak262Jamuna · · Score: 1
      Quicken repeatedly pitches moving my account tracking to "quicken.com" instead of my home desktop so that I can access it from anywhere. I don;t use it. It allows me to use its "bank safe" feature to store all the passwords in one place with one master password. I don't use it. I don not give my password to any third party. I punch in the password every time I down load transactions. The quicken file(s) will not have any passwords.

      But Quicken is a private proprietary closed software and I just have to trust them, that they are not acting as man in the middle and cache my software. Also I should trust them to have enough procedure control over the source code to prevent rogue employees from slipping in a man-in-the-middle malware. But I have not found any serious alternative to Quicken.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    21. Re:Now lawyers to design security protocols? by bill_mcgonigle · · Score: 1

      GCHQ

      Fair enough. If only the beancounters at the banks knew it existed. OK, seriously, though, maybe the banks will let their security people do their jobs now.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  6. It is LONG past time for holding companies... by WindBourne · · Score: 1

    responsible. If they put up garbage servers, and they allow their employees on garbage OS, then it is an invite to be cracked sooner, rather than later. Similarly, BOA was cracked in the same way several years ago. They are another one that will be cracked again and this time, I hope that large lawsuits follow.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  7. when I opened my first bank account by way2trivial · · Score: 5, Insightful

    back in the 80's I was asked for my mothers maiden name-

    I asked why they needed it- and they said for a password in case I ever called
    - i immediately thought -- my brother knows the answer to that- and he's the only person I can see attempting it

    My mothers maiden name has been snotrag ever since (not snotrag, but something equally offcolor) and it's always been the same answer

    the one my brother does not know.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:when I opened my first bank account by roman_mir · · Score: 0

      My mothers maiden name has been snot rag ever since

      - I know some people don't like their mothers, but come on!

      --
      You can't handle the truth.
    2. Re:when I opened my first bank account by Xtifr · · Score: 2

      And now you just have to hope that your brother doesn't read slashdot! ;)

    3. Re:when I opened my first bank account by drinkypoo · · Score: 1

      - I know some people don't like their mothers, but come on!

      Don't worry, he said it's not actually snot rag.

      ...it's actually jiz rag...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:when I opened my first bank account by roman_mir · · Score: 1

      well, I did say come on

      --
      You can't handle the truth.
  8. I thought that was obvious... by Anonymous Coward · · Score: 0

    I thought that was obvious...
    Does amurica needs lawyers and court for everything?

  9. Now on to "Identity Theft" by Anonymous Coward · · Score: 1

    Now let's move on to make "Identity Theft" become what it really is in every other country on the planet: a bank lending money to a third party that in no way makes YOU liable. Whether that third party convinced the bank they are you by knowing "secrets" such as ten-digit numbers one is required to put on every piece of paper, a date of birth that Facebook considers public information, etc, should not be your problem AT ALL. It is not your identity that is being stolen. It is they who are falling for a fraudster.

    If someone pretending to be Bank of America's representative comes to me and I "deposit" money with that person, does that mean Bank of America is liable and they owe me the money ? Of course not. Why then are so many people burdened with "identity theft protection" and other similar schemes perpetrated by the very institutions that are supposed to be guarding the money ?

  10. This counts as news? by petes_PoV · · Score: 1

    Where I live this has been the de-facto position since forever. How could it possibly be anyone else's responsibility, or fault?

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  11. Split the loss by default by rossjudson · · Score: 1

    Seems to me that if you modify the law to split the loss by default, both parties will be very well motivated to ensure that security procedures are properly followed. Follow-on litigation can take care of additional liability on either side for unreasonable conduct or procedures.

    Allowing banks to write a contract that says they aren't liable doesn't make sense, but neither does providing blanket protection for business.

    1. Re:Split the loss by default by lpq · · Score: 1

      Excuse me, but a large company like TJMAX loses a million credit card numbers, why should a million customers be forced to split losses with TJMAX?

  12. This should be required by any business by Stan92057 · · Score: 1

    This should be required by any business to use up to date security methods to protect their customers financial data. I'm pretty sure there was a case against Walfarts or some-other major chain store for knowingly using out dated security measures for wireless internet. And they shouldn't allow customer to use dumb passwords force them to be at least 15 letter number symbol combo. Don't like it don't use the internet to buy stuff or run a business.

    --
    Jack of all trades,master of none
  13. If you think THAT's something... by Anonymous Coward · · Score: 0

    My bank [Key Bank] did a completely-boneheaded and arrogant thing - my "password questions" are premeditated, nonsensical phrases. My password is 16 characters full ASCII. So what do they do?

    Insert a series of questions based on my public records [car ownership, past addresses], thereby bypassing my own crafted security routine with questions that could be answwered by anyone Googling for a half hour.

    Needless to say, after writing several letters to Key Bank regional managers, I'm shopping for a new bank.

    1. Re:If you think THAT's something... by Ocker3 · · Score: 1

      Swapping banks needs to be a Lot easier than it is!

  14. Banks are obsolete by PeterWone · · Score: 1

    Historically, banks sold three things:

    • -- Secure storage - a fortress for gold
    • -- Record keeping
    • -- Authentication
    • -- Authorisation

    We don't use gold anymore. As for the other three services, I can get a machine to do that. Very cheaply. So, they don't actually provide secure storage (see TFA) and the other things can be done more reliably without them.

  15. Transaction records by volmtech · · Score: 2

    I find it amazing that every email, tweet, and Facebook post is saved and retrievable forever but a million dollar bank transaction disappears in milliseconds

  16. Lazy Security & Cheapskate Bankers by jack4888 · · Score: 1

    I worked for major brokerage firms and banks and was shocked and appalled by the cavalier attitude of some security people and programmers who are too lazy to change the default login & passwords in software supplied by some vendors,. Talk about liability, the Court has finally seen the light and sided with the victim of the bank fraud crime. The implementers of info systems are responsible not only for our money but our sensitive tax, family, medical info & Veteran records etc. The lawyers will force the security protocols onto companies too busy to take care of truly important business, information security practices. Start using the best practices in business. r Better peer review of code must be done to prevent buffer overflow etc.. Shutdown the brute force password cracking after a number of tries. We must secure our power grid, water & sewer plants, too. Our military is fighting cyberwar daily, they know thru trial & error. Lets learn & use that warped genius of crackers & hackers and re-direct their efforts to help plug the holes.