Bank Sued for Unauthorized Transaction

This story is interesting:

A Miami businessman is suing Bank of America over $90,000 he says was stolen from his online banking account in a case that highlights the thorny question of who is responsible when a customer's computer is hacked into.

The typical press coverage of this story is along the lines of "Bank of America sued because customer's PC was hacked." But that's not it. Bank of America is being sued because they allowed an unauthorized transaction to occur, and they're not making good on that mistake. The transaction happened to occur because the customer's PC was hacked.

I know nothing about the actual suit and its merits, but this is a problem that is not going away. And while I think that banks should not be held responsible for what's on their customers' machines, they should be held responsible for allowing unauthorized transactions to occur. The bank's internal systems, however set up, for whatever reason, permitted the fraudulent transaction.

There is a simple economic incentive problem here. As long as the banks are not responsible for financial losses from fraudulent transactions over the Internet, banks have no incentive to improve security. But if banks are held responsible for these transactions, you can bet that they won't allow such shoddy security.

Posted on February 9, 2005 at 8:00 AM • 42 Comments

Comments

O.B. • February 9, 2005 9:24 AM

How is this different from someone standing behind you at an ATM while you carelessly punch in your PIN, then pickpocketing your card and withdrawing money? Would you sue the bank?
No, you'd go to the police and they'd track down the criminal, who would be responsible.

In this case, the perps have been caught and it's working its way through the system. While I have no love for banks, I think it's clear that this guy's suing on the deep pocket principle.

If you're not comfortable with the security level, don't use the bank.

Arik • February 9, 2005 9:55 AM

Well, Home PCs, unless somehow secured and verified to be secure by a professional, are insecure terminals by definition.

My bank limits the amount of online wire transfer to $1500. If I put in a higher amount, the transaction is sent "for review" by a human, and that human has my cellphone number in front of her face when she reviews the transaction. I'm betting all my money that she'll call if she sees a transfer to a bank in Latvia.

-- Arik

Asmor • February 9, 2005 9:56 AM

O.B. -> I agree with you in principle, but how is the average consumer supposed to know what sort of security a bank implements in general, and in online transactions specifically? It's not like any self-respecting financial institution is going to admit to having lax security and if there is any indication of it it will be buried in a mountain of fine print of the sort we're deluged with to the point that even if you wanted to read (never mind comprehend) all of it the act is all but impossible.

Daedala • February 9, 2005 10:01 AM

The article assumes that the computer was hacked; it doesn't state it. The fact that coreflood was on the computer may have just been coincidence -- most Windows computers have something on them nowadays. There's no way to tell from the article.

As for O.B.'s comment: You wouldn't need to sue the bank, because personal accounts are protected if you catch the fraudulent withdrawal fast enough. Federal law (Regulation E) says that if you catch it within 2 days, your losses are capped at $50. If you catch it within 60 days, your losses are capped at $500. Many banks have better terms for consumers. A small business has no legal protection at all. Zip. Zilch. Nada. Most small business owners aren't going to know that their business accounts are less protected than their personal accounts and won't try to negotiate better terms.

Finally, you would know to go after the perpetrator because he'd picked your pocket. That's a tangible theft. With most identity theft or account fraud, you have no idea what happened and no idea who to go after.

Israel Torres • February 9, 2005 10:14 AM

This is a perfect example that such personal transactions using a person’s identity to achieve something could have easily been thwarted with a smartcard. What is the remote attacker to do when presented with a prompt requesting to insert the account's smartcard? The only thing they can do: move on to another target/system that does not use smartcard authentication.

Israel Torres

Gabe Anzelini • February 9, 2005 10:21 AM

I would have to disagree with making banks liable for personal accounts past this 2-60 day period. If you don't notice in that time, it is your own fault for not watching closer. PLUS, if the banks are held liable then those of us that know how to secure our systems will have to pay for those who don't. If the transaction originated from your PC (whether it was you or not), you are responsible. Just another reason not to check that "remember my passwords" box.

Axel Eble • February 9, 2005 10:28 AM

Over on one of the mailing lists I'm on we had a thorough discussion of security mechanisms banks use in different countries for online banking. Over here in Germany, most banks use a challenge/response procedure with prefabricated (printed and snail-mailed) transaction numbers (TANs) which basically are one-time passwords. Login to the banking application is independent from any transaction. In Belgium and Sweden banks hand out two-factor authentication tokens, some even with a challenge/response code for generating the TANs on the fly.

From what I've heard, most US banks use a simple username/password login scheme to access the online banking application without the need for authenticating each and every single transaction. If BofA uses something like this, they should be held liable for the loss. YMMV, as usual.
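The per-transaction TAN scheme described in the comment above, sketched as an added example (not part of the comment and not any bank's actual implementation): login only opens a session, and every transfer must be confirmed with a one-time number from a printed sheet. The class name, the use of a sheet index as the challenge, and the three-failure lockout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TanAccount:
    """Toy account: password login plus one-time TANs per transfer (hypothetical model)."""

    MAX_FAILURES = 3  # assumed lockout threshold

    def __init__(self, password, balance, tan_count=20):
        self._password = password.encode()
        self.balance = balance
        self._key = secrets.token_bytes(32)   # server secret used to digest TANs
        self._unused = {}                     # sheet index -> digest of the unused TAN
        self._pending = None                  # (index, payee, amount) awaiting its TAN
        self._failures = 0
        self.locked = False
        # The sheet is printed and mailed; it is kept on the object only so the
        # demo can play the customer. A real server would keep just the digests.
        self.sheet = {}
        for index in range(1, tan_count + 1):
            tan = f"{secrets.randbelow(10**6):06d}"
            self.sheet[index] = tan
            self._unused[index] = self._digest(index, tan)

    def _digest(self, index, tan):
        # Binding the index into the digest means a TAN is only valid at its own position.
        return hmac.new(self._key, f"{index}:{tan}".encode(), hashlib.sha256).digest()

    def login(self, password):
        """Login opens a session only; it authorizes no movement of money."""
        return hmac.compare_digest(password.encode(), self._password)

    def request_transfer(self, payee, amount):
        """Stage a transfer and return the challenge: which TAN index to enter."""
        if self.locked or not self._unused:
            raise PermissionError("TAN list locked or exhausted")
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        index = secrets.choice(sorted(self._unused))
        self._pending = (index, payee, amount)
        return index

    def confirm_transfer(self, tan):
        """Execute the staged transfer only if the TAN matches the challenged index."""
        if self.locked or self._pending is None:
            return False
        index, _payee, amount = self._pending
        expected = self._unused.get(index)
        if expected is None or not hmac.compare_digest(expected, self._digest(index, tan)):
            self._failures += 1
            if self._failures >= self.MAX_FAILURES:
                self.locked = True      # stop online guessing of a 6-digit value
                self._pending = None
            return False
        del self._unused[index]         # one-time: the TAN can never be replayed
        self._pending = None
        self._failures = 0
        self.balance -= amount
        return True


if __name__ == "__main__":
    acct = TanAccount("correct horse", 1000, tan_count=5)
    print("login ok:", acct.login("correct horse"))
    idx = acct.request_transfer("ACME Ltd", 250)
    print("challenge index:", idx)
    print("confirmed:", acct.confirm_transfer(acct.sheet[idx]), "balance:", acct.balance)
```

A keylogger that captures the password and one used TAN gains a session but nothing it can spend, which is the difference from the login-only scheme the comment attributes to most US banks.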

Daedala • February 9, 2005 10:31 AM

Gabe Anzelini says, I would have to disagree with making banks liable for personal accounts past this 2-60 day period.

It was a business account. The bank wasn't ever liable at all. The article indicates that only a small amount of money had actually been retrieved by the thieves -- they were able to freeze most of it. That suggests that the guy did, in fact, catch it soon enough.

Davi Ottenheimer • February 9, 2005 10:40 AM

Yes, thank you. That was my point on your blog the other day (http://www.schneier.com/blog/archives/2005/02/bank_mandates_i.html).

The emerging question in information security is who holds accountability for breaches. If you listen to Howard Schmidt, he'll say that government should not regulate. But then in the next breath he'll talk about all the investigations he's worked on that led to convictions and how happy he was to be a law enforcer.

Here's the rub: victims of crime are often not always able to defend themselves. Government regulation of information security is therefore almost unanimously advocated in cases related to children (pornography) and the elderly (financial fraud).

This is an important case to watch. If the bank refuses to protect systems that customers use for banking, and customers believe they should not be held accountable for weak software, cascading consumer outrage will surely lead to government or industry regulation. The question will be regulation of what/who: the software companies with vulnerable systems, the IT professionals who manage the systems, the management of the companies, etc.

Remember the disclaimer from the Australian Bank Suncorp that I posted:
"We are not responsible for the operation of any computer or electronic system (other than our systems) you use to transact using Internet Banking or the operation of any telephone system."

Fazal Majid • February 9, 2005 10:45 AM

It's a well-known fact that terrorists now rely on credit card fraud, among others, to finance their operations. At this point, the failure of banks to employ reasonably effective security measures like smart cards or challenge-response calculators is inexcusable, and not merely a case of market failure. It's high time the government started mandating security standards.

piglet • February 9, 2005 10:50 AM

As Axel Eble pointed out, the problem is the incredible laxness of North American banks, in contrast to most European banks. The PIN/TAN system really isn't rocket science, it's neither expensive nor inconvenient. Yet it offers reasonable protection and has been working fine in Europe for many years. Maybe suits like that are the forward to force banks to take security seriously at last.

Clive Robinson • February 9, 2005 11:12 AM

If people look back through the various blog entries they will see that account transaction security has been discussed before and that it was suggested that only an "out of band" or "side channel" system would increase the level of security required (be it OTPs/TANs or mobile phone based).

The question should be not who is liable but what is the cost of reducing the risk to a negligible point acceptable to both parties.

I think that there is no "one size fits all" solution, so multiple level systems need to be introduced with limits on both the bank and the account holder set.

This is in fact a very old idea and banks understood it well in the past but appear to have forgotten it in recent years with the mad rush to "ease of use"/"reduced costs".

As has been pointed out with physical security you don't put a vault door on the front of your house, and you don't put a five lever mortice lock on a safe. You use the appropriate tool for the job where appropriate is defined by you or others on risk / cost / ease of use / whatever.

In Europe the banks supposedly spend three times as much on security as do their American equivalents. Partly this is due to regulation part due to market perception. Maybe US banks need to spend a little more for their own protection, however I suspect that in the current cost saving climate it will only happen when the US government tightens regulation.

Francois Kashy • February 9, 2005 12:27 PM

The guy apparently wasn't concerned about investing in security, or operational training, on his business systems. That was his $90,000 mistake. The same thing can happen to anyone who doesn't invest in security or training. It doesn't matter whether it's a sole proprietor with $100,000, or an international corporation worth multiple billions. If you don't guard your money, someone else will take it.

Based on the story, the guy's suing on both the "deep pocket principle" and the victimhood principle. Clearly, nothing is his fault, he's a victim, and he deserves compensation from someone or anyone else - in this case, the bank. As Calvin and Hobbes said, "Don't you love the culture of victimhood?" That defines a certain type of thinking in the USA.

The bank only provided the service. Maybe they could have been better about it. Regardless, they stated their terms of use, and he agreed. Nobody forced him to use electronic banking from his computer. He set up his own password, he administered his own computer, the transaction originated from a system owned by him, and he was the one who neglected his own security. He could have opted for a more secure transaction system, regular checks on his computer or his finances, or even arranged better security services with the bank. He could have had a bonded accountant handle financial issues. He could have had insurance. He didn't do any of that, and he paid the price. As technology grows, so does the cost of doing business. Good security practice is part of that cost. It's that simple.

Daedala • February 9, 2005 12:38 PM

I said, "The article assumes that the computer was hacked; it doesn't state it."

I'm an ijit; what I meant was that the article assumes that the account was compromised as a result of the computer being hacked. Of course the computer was hacked. It doesn't necessarily follow that the account was compromised because of that.

It's worth noting that if you have enough identity information on a person, you can set up online banking and EFTs for them.

jay • February 9, 2005 1:23 PM

It is as unreasonable to assume that all bank customers are to be expert (and obsessive) at security as it is to demand that customers of an auto dealership be experts in mechanics, or a homeowner be qualified to spot inadequate construction by his contractor.

My brother used to have a mail order business, and he would periodically spot an obviously fraudulent or stolen credit card sale, but the CC companies were completely uninterested in pursuing it because it was the business owner who wound up paying, not them.

rcme • February 9, 2005 1:27 PM

I generally agree with Bruce that the banks need to step up and start thinking about supporting real security for their customers (minimum of 2 factor authentication).

Having seen multiple forms of ATM and debit card fraud, there are a number of very simple ways to prevent this type of fraud. The simplest is to geographically restrict usage.

The fraud I had seen was mostly a US banking customer who had funds withdrawn from their accounts via an overseas transaction. Their card number could be compromised in any number of ways, and can then be used as part of a signature debit transaction. You don't necessarily need the PIN anymore with ATM/debit cards since many banks seem to have replaced ATM cards with multifunction ATM/debit cards (like a credit card, but without the credit card fraud protection), where the same card works in ATMs with PIN and in many stores with signature, both of which draw against the same account. For some transactions (i.e. gas station pay at pump) all you need is the person's card number (to create a bogus card).

By restricting account usage geographically, it would be impossible for a senior citizen in Nebraska to have funds withdrawn from their account from an overseas location like Romania (or to have funds electronically transferred to an overseas account). Even if their account number is stolen, the transactions would only be approved from US merchant locations (or funds could only be transferred to a US bank account). If nothing else, the criminals would be easier to track (and prosecute) since all transactions would be within the US.

We could even go so far as restricting debit card activity by state (or even city), if the person (i.e. senior citizen) never leaves Nebraska, why do they need their ATM/debit card to work in Texas? If the banks allowed their customers to set "usage zones" like this, I would expect that ATM/debit/account fraud would decline dramatically.

Davi Ottenheimer • February 9, 2005 1:28 PM

@Clive
The issue in America right now IS accountability. Whoever is accountable is liable for the cost of implementing secure systems. The longer we wait, the higher the cost. Regulation helps define accountability and therefore who should pay for reasonable security.

@Francois
The chance of becoming a victim, and shouldering the cost of prevention, is precisely the issue. Blaming the victim (and blaming victimization) has been a common fallacy repeatedly overturned in the American legal system. Again, there are many clear-cut cases where a victim can not be expected to defend themselves (child pornography, financial fraud against the elderly, slavery).

The important question here is whether there is any onus to be placed upon a financial data company to secure their customers' transactions, including any system used to access the data. I would say, based on the European precedent, that the answer should be a resounding yes. It is possible and the banks should do it sooner rather than later.

It appears that the Banks are not moving quickly enough (since they do not have to pay the cost of a breach). Government regulation is needed to force security to a reasonable standard (similar to Europe's) in a more timely fashion. Compare this to many many years and unfortunate victims it would take for the market to even begin to consider self-regulation. That was partially the reasoning behind California's SB1386 law. This does not mean regulation is always good. It means that good laws are better than bad, which are better than none at all, especially in cases where victims can not be reasonably expected to defend themselves.

I think it would be fair to say the average consumer is not in a position to have the knowledge to adequately secure their own car, home, computer, etc. and that is why we have safety standards and compliance tests administered by independent review.

As an aside, to those who think markets will self-regulate in a timely fashion, I suggest you move to Nebraska and wait for manure fires to put themselves out:
http://www.cnn.com/2005/US/01/28/cow.fire.ap/

Paul Chen • February 9, 2005 2:24 PM

Should the bank be responsible when a user's computer is hacked by 1000 viruses, trojan horses, worms, etc.?
Absolutely not! The consumer, who wants to enjoy the online banking's convenience, should take actions to protect him/herself, just like we protect our ATM card and PIN.

In places that fraud is rampant, like China, savvy online banking consumers already pay for the smart card USB token to protect themselves. That's the cost, and basic self defense, if you want to enjoy online banking.

http://www.cardtechnology.com/cgi-bin/readstory.pl?story=20040602CTDN346.xml

Davi Ottenheimer • February 9, 2005 3:00 PM

@Paul

The bank should provide a secure system that is able to protect the personal identity information. If they use a system compatible only with Microsoft Windows software, for example, and advocate using IE 5.5 with a static username and password in cleartext...that should not be considered reasonable. Can a consumer be well informed to know that, let alone should they? Is the average consumer really prepared, if required, to advocate for a more secure banking identity?

It is easy for security professionals to say "choose your banks wisely", but security professionals know better than to expect users to make all the right choices without costly education and training. Better to fix the system they use by applying reasonable controls.

Felix • February 9, 2005 3:09 PM

I live in the UK where I don't believe the banks use these hi-tech European security methods :-)

I wish they did!

Anyway I hope you in the US will soon see an advertising campaign by a bank (probably paying this guy to appear) which states that "with our new 2 factor authentication system, we have the most secure online banking system in America".

BTW, I claim copyright on this idea.

Filias Cupio • February 9, 2005 4:52 PM

From the reports I've found of such fraud here in New Zealand or Australia, we are just slightly better off: the international transfer seems to have to be a manual step, so the scam requires three participants: Victim, Idiot and Crook. Crook lives overseas, Victim and Idiot are locals.

Crook steals Victim's identity, typically by phishing or trojan. They recruit Idiot either by greed or guile*. Crook transfers money from Victim to Idiot. Idiot 'wires' the funds (less a cut - perhaps 10%) to Crook. Victim finds fraudulent transaction, and complains to bank. Idiot finds the transaction is reversed (leaving them with a -90% profit) and police knocking on their door.

* Sometimes Idiot knows they're doing something illegal, sometimes it is disguised as a legitimate business arrangement.

There is another party dodging responsibility in all this: the criminal's country, which has the capability to prevent this, but doesn't. Perhaps if banks started putting a 48 hour delay on all transfers to the problem countries it would encourage them to crack down on this?

Fred • February 9, 2005 5:02 PM

Paul, by that same thinking, Ford and the tire company (don't remember its name) should not be held liable for any roll over. The consumer that wants to enjoy a ride in a machine capable of taking him from here to there in comfort should take actions to protect himself through mechanical training, etc. At least an engineering degree and a good set of tools to do some testing and make sure the machine will not kill him. It is not the manufacturer's responsibility to make sure that an expected user will not be killed if things are not just perfect.

Stuart Berman • February 9, 2005 10:32 PM

Sorry, I don't see this as a security problem. I see this as a force of economics. The only thing that can screw it up is government regulation. If the customer loses the suit and fraudulent activity continues to grow then banks will lose business (or increase costs) as customers avoid online banking. The bank will come up with better methods to protect its customers (maximum transfer amounts, technology, indemnification). If the customer wins the suit then banks will lose money as fraud increases. The bank will come up with better methods to (a) protect its customers or (b) restrict its own liability. If (b) then see the earlier case.


If banks in the US have such a problem with laxity, then why are they still so profitable? In economics I was taught that each business needs to find the 'right' amount of bad debt to carry. If you get rid of all bad debt (too much security) then you are losing business.


All too often contrarian... I blame it on Russell Roberts...

Affected Employee • February 10, 2005 9:12 AM

http://www.signonsandiego.com/uniontrib/20050203/news_1b3saic.html

So a company computer was lost/stolen which contained sensitive personal data about the company's employees and shareholders. Along with this data is EFT (banking) data for most of the employees.

The loss was in California, so it was reported as required by law.

http://www.signonsandiego.com/uniontrib/20050203/news_1b3saic.html

But for the affected employees and shareholders, their personal information (SSN, address, EFT, and more) is no longer in the control of the company's data custodians.

If my bank account is drained, who is to blame? Am I responsible for the entire loss or can I share the loss with the custodian (company) and the bank?

The bank was notified and said that the account needed to be closed and a new one would be opened. But what about all those other EFT transactions that are legitimate? My dedicated direct deposits, my utility bills, and more?

We are so tied to a bank system that has obvious weaknesses and custodians of our data that are irresponsible. What are we to do?

Foxyshadis • February 11, 2005 2:42 AM

rcme: One problem with 'zones' is that when you travel is precisely when you lean most heavily on your card. Lowering daily and per-transaction limits for out-of-area purchases I could see, though.

I was scared as hell when I found out that my debit card allowed a $1500 withdrawal (for a student) as part of my car payment. I immediately notified them that I needed it lowered.

Stuart: The problem with self-regulation is precisely that it seems much more profitable to ruin lives than to safeguard them, and no amount of long-term customer bleed will affect quarterly profits as long as the current board is in power. Especially since positive advertising expenditures typically outweigh negative from customers by a huge margin, so it can continue to con people into believing it's safe and burying its mistakes.

The airline industry has been through this - early airlines had many crashes and fatalities, because it was more profitable to kill people than to provide proper maintenance and robust specs. So jets, autos, accountants, senators, and others tempted to play fast and loose with peoples' lives for a quick buck become regulated. It's the interests of the common good overweighing the good of the five people on top and the 5,000 people making money off them, and balancing that with capitalism is how we keep from imploding.

piglet • February 11, 2005 12:02 PM

@Stuart: "I see this as a force of economics. ... The bank will come up with better methods to protect its customers . ... If banks in the US have such a problem with laxity, then why are they still so profitable?"
Obviously because they don't have the problem - it's the customers who have the problem. I have no idea why the US banking system is 10 years behind its European counterparts in terms of security but obviously, the "force of economics" theory just doesn't hold. The banks don't act, and the customers don't act. Maybe they will one day, but at the time possibly all confidence in internet security will have disappeared (as Bruce has argued repeatedly). Note that security is not only about protecting individuals, it's also about protecting a common good. If you wait until market forces "solve the problem", it may be too late.
Having said that, I find it really amazing that there shouldn't be a single bank in North America offering better security. As Felix remarks, the marketing appeal should be irresistible. The idea *must* have appeared to some bank manager.

Stuart Berman • February 11, 2005 10:55 PM

@foxy
Sorry - I don't buy these arguments. Customer trust is a vital asset to most companies - I don't ascribe to the theory of the evil overlord society ruling us. There are a number of bad players and some of them are in line to go to jail now. The airline analogy is just plain inaccurate. Some of the worst airline accidents were not caused by poor maintenance habits BUT by excellent maintenance habits. (The JAL crash into Mt Fuji is a great example - JAL has some of the finest maintenance in the world, they called Boeing in to repair some belly 5 damage to ensure that the repair was perfect. Boeing screwed up and the loss of life was unprecedented.)

@piglet
I have banked in Europe and the US and the middle east, but I don't agree with your assessment. The banking style suits each culture, the US system does not need to catch up to the European. I don't see lots of customers holding the bag in the US - in fact US banks go out of their way to appease customers, reverse fraudulent charges, and waive fees. Our culture is based on minimal government power and the power of the free markets, I contend that the free market economy means that banks _are_ 'responsible for [customer] financial losses from fraudulent transactions'. History shows that the socialist model is a failed model. The lack of widespread US adoption of stringent security for Internet transactions proves that the risk managers don't find the argument compelling.

To demonstrate the issue more clearly, look at check fraud. It is easy to forge a check and use a false ID to pass it. Why aren't we up in arms about how primitive this vulnerability is? Shouldn't the banks require that prior to accepting any check you must first call the bank for some side-band validation (bank asks to speak to customer, then asks customer some secret question from a pool of questions with the answer in the form of a multiple choice question [answer a,b,c or d])? (And please don't talk about all of that fancy check technology when many clerks have no clue.)

More security is not necessarily better security. (Unless your goal is simply to sell security.)

Euripides • February 14, 2005 7:31 AM

As with most security breaches it's two edged. One could also say: As long as a user is not responsible for financial losses from fraudulent transactions over the Internet, he has no incentive to improve security. In said case, the bank and the user should share the loss.

piglet • February 14, 2005 12:01 PM

@Stuart Berman: why do I read so often about this type of fraud in the US (for example in Bruce's web log)? Not to mention the different but related question of identity theft which is also facilitated by laxness?
"I contend that the free market economy means that banks _are_ 'responsible for [customer] financial losses from fraudulent transactions'." Do you have any evidence for that?
"History shows that the socialist model is a failed model." Are you saying that good security is socialist, bad security is capitalist? ;-)

Stuart Berman • February 14, 2005 12:41 PM

@piglet

Ouch - how did I wind up there? I was trying to say that excessive government regulation is a hallmark of socialism. The more the government micromanages business the more chance of failure.

As far as exposure to fraud info - I do not know what the actual statistics are between countries and doubt they would be relevant anyway. I am also not advocating that other nations adopt some of our practices into cultures that would not find them compatible.

Part of the problem with ID theft is that different countries have different determinants of ID. In the middle east you may have a single ID document that is proof positive of who you are and fairly difficult to forge (in that locale). In the US we have no strong ID mechanism: SSN? A card with numbers on it issued at birth... Driver license? Each state has their own, different rules to obtain, fairly easy to obtain a forgery since there is a thriving market for them...

piglet • February 14, 2005 3:37 PM

ID theft: I brought that up because part of the problem is laxness on the part of financial institutions. I read some stories about ID theft cases. So there was that guy who was able to live under the identity of somebody else (producing no documents, just knowing the SSN and some other data of that person), spent the other guy's money, committed a murder under that identity and in the end, the fraud victim spent the rest of his life trying to prove that he wasn't the guy who had committed that murder under his name. If things like that can happen in the US (and there are millions of cases, albeit not always as outrageous), I'm sorry but that doesn't look like a system that is working well. Financial institutions should be careful to verify their customers' identity, they should be liable for damage done to fraud victims caused by their negligence, they should be obliged to clear up credit histories of fraud victims, etc. All that isn't happening right now, so whether you like it or not, some government regulation is needed to protect the victims.

piglet • February 14, 2005 3:46 PM

P.S. This isn't about the US vs the rest, it's about identifying problems and looking for solutions. It's never a good idea to ignore or play down problems.

Peter Deacon • February 16, 2005 1:04 PM

I can't even begin to count the number of online banking outfits currently providing 'secure' logons from an 'insecure' home/web page. From a security perspective this is an oxymoron totally circumventing the security properties of SSL. What's worse is that banks will usually also provide fake keylock icons near the logon page to confuse people into thinking the logon is secure even though the keylock doesn't appear in the browser's status bar.

The security of SSL is dependent entirely on a trusted third party system. Simply put your browser trusts verisign, verisign trusts the bank and what do you know a little secure icon appears at the bottom of the web site.

Without the trust relationship any yahoo acting as a middle man can easily decode the traffic and steal your passwords, account information..etc using commercially available off the shelf software. This is why commerce companies pay CAs hundreds of dollars a year for their certificates.

Trying to be nice I've brought this to the attention of a couple of their IT/bank staff and all I got back was a form response not to worry or static that it doesn't matter because the people who should know better don't understand the concept of a trusted third party.

If my bank can't grasp such a basic security concept do I have reason to be worried about where else they are screwing up?

one who knows • March 29, 2006 12:30 PM

Unfortunately, there are many programs out there (peer to peer), that allow other users to view all kinds of files on other peoples systems, without them even knowing it's possible. I was once looking to download a tax program and ended up with a list of over 100 tax returns of various individuals staring me right in the face. Does this man have any documents on his computer giving bank account information? If so, then it's easy to use Limewire or a similar program to get in quite easily.

MooreAugust 30, 2006 8:31 AM

OK, this guy was doing online banking. We have a different problem with SC State Credit Union, Columbia, SC. We have found that a branch manager went into our account and made unauthorized transactions. We have the proof. She also forged a signature several times. This was to the tune of 99,558.00. We have written our complaint, met with the auditor and president of the credit union and most recently with the insurance company Cuna Mutual. NOTHING HAS BEEN DONE! We do have an attorney now working on this, but the insurance company and credit union do not believe they are at fault! UNFORTUNATELY, we will incur hefty attorney fees and still don't see that anything will be done. Any suggestions? We would love for this to be made public as sometimes the heat can make a difference, but just don't know how to go about it. We believe the banks should be held liable, ESPECIALLY since it was one of their OWN!!!!!

baburavSeptember 8, 2006 11:52 PM

Hi,
I am Baburav Aapte, and I have queries about unauthorised transactions, so please answer me.

Suppose some person knows my ATM card PIN number, and one day I lose my card and some transaction is done with it. How can I find the person who did the transaction?

AlisaNovember 30, 2006 11:14 PM

Dear Moore in Columbia, S.C.,

Any bank that is insured by FDIC is legally required to return money removed by unauthorized transactions as long as the dispute was filed within 60 days of occurrence. The Electronic Funds Transfer Act does not exclude transactions made through the use of personal computers. The bank has 10 business days to conduct an investigation and inform the consumer of the results in writing. Up to 45 days can be utilized but only if the money is returned, and then upon completion of the 45 days any monies not supported in the dispute can be removed as long as a written notice and explanation is received by the consumer. The Fair Credit Act enforces state banks to comply with these laws. The Federal Reserve enforces federal banks. In the instance of unauthorized electronic funds transfers, which is a federal offense, the consumer's liability of loss is diminished to almost nothing. FDIC has an online consumer complaint form that can be submitted to enforce insured banks to comply with the law. Contacting your state's Attorney General investigative unit is also a secondary method for enforcement of insured banks. A bank's failure to comply with established laws and regulations can hold them liable under the Fair Credit Act for adverse effect. The federal government is, as I write this post, fine tuning The Red Flag Regulations Act which will finally force banks to implement a designated officer and system that will trigger when suspected unauthorized transactions are taking place. All government insured fiduciary institutions by state and federal law have a legal liability to replace unauthorized transactions regardless of the location or method utilized to obtain access. The only stipulation that would prevent replacement of funds is if the dispute is made 60 days or more after the unauthorized transaction takes place. Hope this helps someone.

colleenDecember 16, 2007 5:16 AM

I just got off the phone with Bank of America because they took $1473.72 out of my checking when they should not have. I authorized a transaction for one particular account that I had with them and then when I clicked to authorize, it jumped to a different account. I called and wanted it cancelled. They said it would and if it didn't appear within 7-10 business days then everything would be fine. 19 days later the money comes out of my checking. I have a three year old that I will not be able to buy Christmas presents for because they took money out of my checking without my consent. I only had $400.00 in there in the first place. I also cannot believe that my checking account would allow an authorization for so much past what is in my account. Bank of America told me to go to a Casino to get the money out to pay on my checking. Too bad I will bounce a million little checks by then.

EricJuly 25, 2008 2:24 PM

Are any of you willing to speak on Camera for a feature documentary about Bank of America?

katherineMay 12, 2010 1:30 AM

I was convicted of felony theft and sentenced to 3 years hard labor, susp. sentence 3 years probation, $10,251 restitution, $1,200 court fees, and 45 days of comm. service, 2 nights in jail, placed on a $40,000 bond, because I stopped payment on a check on which I overpaid this contractor about $4,100 more than he should have gotten. I wrote the check for $7,574. I asked him to return the check but he refused. Shortly after I found that he hadn't supplied most of the material in his contract, used some of my old lumber, etc. My credit union did a cash stop payment, but did not stop it electronically. This man held that check about 3 weeks and turned it into an electronic item and it cleared. I complained to the credit union about it; they had me fill out an affidavit of forgery (wrong form) to put the money back in my account. This man filed criminal charges against me saying I said he forged the check by that form they gave me. The court was out to get me anyway because I reported them for falsely arresting me, on what should have been a civil matter. The credit union admitted that they gave me the wrong form and that they were responsible but I was convicted anyway. Prior to this I had no criminal record, not even a traffic ticket. I am ruined. I can't get a job, can't run for office, no income. Everyone tells me to file suit against the credit union. But I live in Louisiana. The contractor doesn't live in the state of Louisiana, and wasn't even licensed.

Ezequiel RodriguezMay 1, 2012 7:17 PM

I do believe banks should be held responsible for fraudulent and unauthorized charges to customers' accounts. And this is why I believe it should be that way. If I personally use my card to buy something, debit or credit, I have to swipe my card, punch in my PIN number or sign a receipt for credit, and EVEN SOMETIMES present ID, to complete the transaction. That's to use my OWN money. How is it then my fault if some hacker stole my information from my computer and made charges from Europe, and even when I reported it before it cleared, it was still OK'd and paid, and now I just have to wait for my money to be reimbursed? Sounds to me like delinquents have better rights than honest people and nobody is going after them, 'cause if they were they would stop stealing what is not theirs.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..