This story is interesting:
A Miami businessman is suing Bank of America over $90,000 he says was stolen from his online banking account in a case that highlights the thorny question of who is responsible when a customer’s computer is hacked into.
The typical press coverage of this story is along the lines of “Bank of America sued because customer’s PC was hacked.” But that’s not it. Bank of America is being sued because they allowed an unauthorized transaction to occur, and they’re not making good on that mistake. The transaction happened to occur because the customer’s PC was hacked.
I know nothing about the actual suit and its merits, but this is a problem that is not going away. And while I think that banks should not be held responsible for what’s on their customers’ machines, they should be held responsible for allowing unauthorized transactions to occur. The bank’s internal systems, however set up, for whatever reason, permitted the fraudulent transaction.
There is a simple economic incentive problem here. As long as the banks are not responsible for financial losses from fraudulent transactions over the Internet, banks have no incentive to improve security. But if banks are held responsible for these transactions, you can bet that they won’t allow such shoddy security.
Posted on February 9, 2005 at 8:00 AM •
The Australian bank Suncorp has just updated its terms and conditions for Internet banking. They have a maximum withdrawal limit, hint about a physical access token, and require customers to use the most vulnerability-laden browser:
“suitable software” means Internet Explorer 5.5 Service Pack 2 or above or Netscape Navigator 6.1 or above running on Windows 98/ME/NT/2000/XP with anti-virus software or other software approved by us.
Posted on February 7, 2005 at 8:00 AM •
Here’s a good idea:
ASB and Bank Direct’s internet banking customers will need to have their cellphone close to hand if they want to use the net to transfer more than $2500 into another account from December.
ASB technology and operations group general manager Clayton Wakefield announced the banks would be the first in New Zealand to implement a “two factor authentication” system to shut out online fraudsters, unveiling details of the service on Friday.
After logging on to internet banking, customers who want to remit more than $2500 into a third party account will receive an eight-digit text message to their cellphone, which they will need to enter online within three minutes to complete the transaction.
It’s more secure than a simple username and password. It’s easy to implement, with no extra hardware required (assuming your customers already have cellphones). It’s easy for the customers to understand and to do. What’s not to like?
Posted on November 23, 2004 at 9:41 AM •
I can’t make heads or tails of this story:
A security loophole at a bank allowed easy access to sensitive credit card information, the BBC has found.
The Morgan Stanley website allowed users to access account details after entering just the first digit of a credit card number.
The shortcut would only work if the account holder had set up the computer to automatically save passwords.
It seems to me that if you set up your computer to automatically save passwords and autofill them onto webpages, you shouldn’t be surprised when your computer does exactly that.
Posted on November 22, 2004 at 10:24 AM •
Sidebar photo of Bruce Schneier by Joe MacInnis.