
Topic: Bank Agrees to Reimburse Hacking Victim $300K in Precedent-Setting Case (Read 1242 times)

sr. member
Activity: 350
Merit: 250
Trust me, these default swaps will limit the risks
Why would we even put our money in the bank if it wasn't secure? Might as well put it in our closet beside the 12 gauge. See if someone wants to play with our money then.
hero member
Activity: 868
Merit: 1000
What banks are you banking with ? US banks ?

In Norway, two-factor identification seems to be the norm everywhere. Also, using a code calculator that's completely offline seems to be the norm.
full member
Activity: 196
Merit: 100
Banks are fucked when it comes to security. My web banking limits my password length to 12 characters... Why the hell would you limit a password length? It is just going to get hashed anyways (god I hope they are hashing them).



You would be surprised how many don't.
The other thing is that SOME do not even check the IP address of the login cookie when it is issued, so you can "drop" the connection from one IP address and re-use the authentication cookie from another IP, until the web page is logged out or expires.

I reported this to one VERY well known bank, and they "thanked me for my suggestion and put my email on file for later improvements".

12 months later they are STILL doing the same thing.........
newbie
Activity: 56
Merit: 0
Banks are fucked when it comes to security. My web banking limits my password length to 12 characters... Why the hell would you limit a password length? It is just going to get hashed anyways (god I hope they are hashing them).

hero member
Activity: 868
Merit: 1000
The reality here is that the bank set up the customer to fail in a big way by their operating system requirements.

completely horrible!
legendary
Activity: 2282
Merit: 1050
Monero Core Team
Yes, I do agree that Peoples United Bank should be held fully responsible for the loss in this case, but only for the following reason: in their electronic services agreement they require the user to use either Microsoft Windows or Mac OS X and do not allow a user to use GNU/Linux. I checked their website. In addition, they require users to use old versions of Firefox 3.0, 3.5 and IE 6, 7 or 8.

So, for example, if a user were to access the online banking with, say, Ubuntu (GNU/Linux 12.04 and Firefox 17.0), thereby avoiding the whole risk of Microsoft Windows-specific malware, which after all was the cause of the fraud in this case, they would be in violation of the agreement with the bank.

The reality here is that the bank set up the customer to fail in a big way by their operating system requirements.
hero member
Activity: 868
Merit: 1000
Isn't the reason we put money in the bank for the safety and security of our funds?

Exactly, and that's why I think the banks should do their absolute best to secure said funds. And if they don't they should rightfully be punished.

Does a bitcoin exchange have that same level of responsibility?
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account/


At MtGox you can have two factor authentication. I guess there's an open issue as to whether this should be enforced on all users? If you have a sizeable amount of coins there, I guess it's a good thing to have..

Now, for all practical purposes, no law enforcement agency will lift a finger for the theft of 0.7K USD. So MtGox will probably never hear from the police in this case, so filing that police report the user claimed to have done will probably help nothing.

From MtGox's point of view, how can they know if a user is legitimate and was actually 'hacked' or that he did it himself and then later claims he was 'hacked'? If MtGox started to be 'nice' and reimburse in cases like this, you can be pretty sure the level of thefts would skyrocket because of it.

Also, I am not a lawyer, but I'm sure MtGox has their reasons for 'not being helpful' in cases like this. For one reason, it doesn't help their bottom line directly, which is a 'good' (not good from a customer's perspective) reason to not help. As for not giving out information about the IP address used by the attacker, and other information, I don't know why they don't do it.

As far as MtGox is concerned, someone just logged in with a legit username and password, and transferred some coins. If someone lost 300K USD though, I'm sure there'd be court process to settle the matter.

I can think of ways to possibly slow down or prevent cases like this though. If the IP used when logging in is other than usual, or if the time of the login is unusual, it could raise 'red flags' which could freeze the account until further communication with the customer was established. I don't know how much of this they already have in place.

Personally I'd rather have 0.7K USD frozen for a week, or even a month, instead of losing it.
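Two of the defensive ideas in this thread can be shown in a few lines of code: the earlier post about banks that do not tie an authentication cookie to the address it was issued to, and the "red flags" idea in the post above (an unfamiliar IP or an unusual login hour should freeze the account until the customer is reached). The following is an added example written for this page, not code from any bank, exchange or poster; the session store, the `LoginProfile` fields, the IP addresses and the freeze policy are all constructed assumptions.

```python
"""Added example (not from the thread): bind sessions to the issuing IP and
flag logins from an unfamiliar address or at an unusual hour."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    user: str
    issued_ip: str  # address the cookie was handed out to


class SessionStore:
    """In-memory session table; a real deployment would back this with a DB."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = Session(user, ip)
        return token

    def validate(self, token: str, ip: str) -> Optional[str]:
        """Return the user for a token, or None if unknown or replayed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.issued_ip != ip:
            # Cookie presented from a different address than it was issued
            # to: revoke it instead of serving the request, so a copied
            # cookie cannot be reused from elsewhere.
            del self._sessions[token]
            return None
        return session.user


@dataclass
class LoginProfile:
    """What the bank has seen from this customer before (constructed)."""
    known_ips: Set[str] = field(default_factory=set)
    usual_hours: Set[int] = field(default_factory=set)  # UTC hours of past logins


def assess_login(profile: LoginProfile, ip: str, when: datetime) -> List[str]:
    """Return the red flags raised by a login attempt (empty list = normal).

    A brand-new customer with no history raises nothing; there is no
    baseline yet to compare against."""
    flags: List[str] = []
    if profile.known_ips and ip not in profile.known_ips:
        flags.append("unfamiliar-ip")
    if profile.usual_hours and when.hour not in profile.usual_hours:
        flags.append("unusual-hour")
    return flags


def decide(flags: List[str]) -> str:
    """Map flags to an action. Assumed policy: one flag asks the customer to
    confirm out of band; two or more freezes the account pending contact."""
    if not flags:
        return "allow"
    if len(flags) == 1:
        return "confirm-out-of-band"
    return "freeze"


if __name__ == "__main__":
    # Constructed sample: a customer who logs in from one office address
    # during business hours (UTC).
    profile = LoginProfile(known_ips={"203.0.113.10"}, usual_hours=set(range(8, 18)))
    store = SessionStore()
    token = store.issue("alice", "203.0.113.10")
    print(store.validate(token, "203.0.113.10"))   # alice
    print(store.validate(token, "198.51.100.7"))   # None (and the token is revoked)
    night = datetime(2012, 11, 5, 3, 0, tzinfo=timezone.utc)
    print(decide(assess_login(profile, "198.51.100.7", night)))  # freeze
```

The IP check is deliberately strict (revoke on mismatch); mobile customers whose address changes mid-session would be logged out, which is the trade-off the earlier poster's complaint implies the bank chose not to make.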
legendary
Activity: 2506
Merit: 1010
Isn't the reason we put money in the bank for the safety and security of our funds?

Exactly, and that's why I think the banks should do their absolute best to secure said funds. And if they don't they should rightfully be punished.

Does a bitcoin exchange have that same level of responsibility?
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account/
hero member
Activity: 868
Merit: 1000
Isn't the reason we put money in the bank for the safety and security of our funds?

Exactly, and that's why I think the banks should do their absolute best to secure said funds. And if they don't they should rightfully be punished.
sr. member
Activity: 350
Merit: 250
Trust me, these default swaps will limit the risks
Isn't the reason we put money in the bank for the safety and security of our funds?
hero member
Activity: 868
Merit: 1000
The bank should of course pay up on cases like these. Also, you can't expect all businesses to be experts at information security,
Anyone storing $3K nonetheless $300K should be well aware of two factor authentication.

Are you aiming at the bank here, or the business in question?

In general, I think a business that stores valuables or money should do their very best to minimize fraud, and not put blame on the customers in cases like the one I linked. I guess only sending a verification code to the accountant at the company to verify the transaction would've stopped this fraud (SMS to smartphone), for example. Of course that is not entirely foolproof either, but it would be more difficult to attack. Or just using a code generator generating a one-time code for the transaction. That's kinda hard to 'hack' over the internet. You always have the man-in-the-browser attack too, but I've seen some banks sending you an SMS to verify when you send money to an unknown account too.

So in short, the more sophisticated your security measures, the lesser the risk of fraud.
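The post above proposes a one-time code per transaction and notes that a man-in-the-browser can still alter what is sent. The usual defence against that is to bind the code to the transaction details the bank will actually execute (destination and amount), so a code the customer approved for one payment cannot confirm a silently rewritten one. Below is an added example of that binding, written for this page and not taken from any bank or poster; the secret, account numbers, amounts and the `ConfirmationService` API are all constructed assumptions.

```python
"""Added example (not from the thread): one-time confirmation codes bound to
the transaction they confirm, with single-use enforcement."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple


def _canonical(dest_account: str, amount_cents: int, nonce: str) -> bytes:
    # Everything the code must vouch for, in one unambiguous encoding.
    return f"{dest_account}|{amount_cents}|{nonce}".encode("utf-8")


def transaction_code(secret: bytes, dest_account: str, amount_cents: int,
                     nonce: str, digits: int = 6) -> str:
    """HMAC-SHA256 over the transaction details, truncated HOTP-style to a
    short numeric code the customer can read back from an SMS or a
    stand-alone code generator."""
    mac = hmac.new(secret, _canonical(dest_account, amount_cents, nonce),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ConfirmationService:
    """Bank side: issue a nonce per pending transfer, then verify the code
    against the details that will really be executed."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Dict[str, Tuple[str, int]] = {}  # nonce -> (dest, amount)

    def request_transfer(self, dest_account: str, amount_cents: int) -> Tuple[str, str]:
        """Register the transfer and return (nonce, message_to_customer).

        The message repeats the destination and amount so the customer can
        spot a tampered beneficiary before typing the code back in."""
        nonce = secrets.token_hex(8)
        self._pending[nonce] = (dest_account, amount_cents)
        code = transaction_code(self._secret, dest_account, amount_cents, nonce)
        msg = f"Confirm {amount_cents / 100:.2f} to {dest_account}: code {code}"
        return nonce, msg

    def confirm(self, nonce: str, dest_account: str, amount_cents: int,
                presented_code: str) -> bool:
        """Execute only if the code matches the details being executed.
        The nonce is consumed on every attempt, so a code is single-use and
        cannot be retried against modified details."""
        if nonce not in self._pending:
            return False
        del self._pending[nonce]
        expected = transaction_code(self._secret, dest_account, amount_cents, nonce)
        return hmac.compare_digest(expected, presented_code)


def extract_code(message: str) -> str:
    """Pull the code out of the constructed SMS text (customer side)."""
    return message.rsplit("code ", 1)[1]


if __name__ == "__main__":
    svc = ConfirmationService(secrets.token_bytes(32))  # constructed bank secret
    nonce, sms = svc.request_transfer("NO9386011117947", 100_000)  # constructed IBAN
    print(sms)
    # Man-in-the-browser swaps the beneficiary after the customer approved:
    print(svc.confirm(nonce, "GB33BUKB20201555555555", 100_000, extract_code(sms)))  # False
```

Because the nonce is consumed on the first attempt, the tampered submission above also invalidates the code for the legitimate transfer; the customer has to start over, which is the safe outcome.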
legendary
Activity: 2506
Merit: 1010
The bank should of course pay up on cases like these. Also, you can't expect all businesses to be experts at information security,

Anyone storing $3K nonetheless $300K should be well aware of two factor authentication.
hero member
Activity: 868
Merit: 1000
It's interesting how poor the security at this bank was. I don't even understand how a bank can run a system with this poor security. No two-factor? Isn't that a 101 in security for banking? How can anyone work without it?

It just looks too simple: once you have control of the user's computer, you can transfer anything, and the bank doesn't block a transfer until it's manually approved by the client.

The bank should of course pay up on cases like these. Also, you can't expect all businesses to be experts at information security, so I think the banks should hold a high degree of responsibility here.

I would think the only way for some banks to change and improve security would be to actually have cases like this happening to them, or else they would have no incentive to change.

http://www.wired.com/threatlevel/2012/11/bank-to-pay-hacking-victim/2/