Who is at fault?

themagicone

I have an interesting assignment for my cyber law class as WGU. It brings up a subject that I'd like to get some opinions on. Without disclosing the entire assignment I'll just share the main focus:

A bank has been notified of fraudulent transfers. The cause for the fraud is due to keylogers on customer computers, allowing them access to the customers accounts. The bank is now facing litigation from the customer because of the fraud on their accounts.

Who is to blame? The customer for not protecting their computers? Or the bank for not having a system in place to recognize the fraud?

The other part of the assignment is to decide on two laws that the bank can use to prosecute the hackers. That part is easy, wire transfer fraud and theft by swindle.

Don't worry there is a lot to this assignment and I'm not looking for answers. Just would like more opinions than my own. Personally I would think the customers would be to blame, but the bank should offer to refund any fraudulent transfer.

jamesleecoleman

I'm going to have a try...

I believe it would be the both parties faults but on certain levels. The bank for not notifying customers of security risks and the customers for not trying to find ways to keep their data safe and trying to implement the security solutions.

Qord

Not the banks fault.

DevilWAH

I will always blame the bank.

A few years back I added my wife before we got married to my bank account (crazy i know).

after we got married due to a mix up with the bank her name never got changed on the account, and a few months later the bank sent her a letter saying they suspected her of fraud.

What was interesting was that the did not notify me about it, due to further mix ups they closed my account. When i question them they told me that it was not there practice to notify any other of the account holders only the one they suspected of committing the offence..

So what let them know they are suspected so they can clear of and let the rest pick up the pices!!

contentpros

I can give you the short answer but instead here are some items to consider..

Is the bank able to prove that it has taken the steps and actions to show "due diligence" and "due care" in its actions? Does the bank currently have controls in place to reduce fraudulent activity? If so, can it show that it has acted to respond to the events in a manner that would be expected by a prudent person? Are there any requirements on any level (local, state, or federal) for a bank to notify the customer of suspected fraudulent activities and if so, were the notifications made within the required time frame?

Disclaimer: I am not claiming that any of these are required anywhere by anyone! These are just a few items to think about...

Forsaken_GA

In my opinion, the bank is at fault. They've accepted the responsibility for the management of the money, so it is incumbent upon them to validate that any actions taken with that money are authorized by the customer.

My own bank doesn't allow any money to leave via online transfer from their website. The only thing I can do is make payments on loans to them (if I have any) and transfer money between checking and savings, no outbound payments at all. So the only way money leaves my account is by check, credit, or debit. My Checks are securely locked up, as I rarely use them, the credit portion of my card is run through Visa, who assumes all liability except for up to $50 is cases of fraud, and my bank gives me the same on the debit side.

So in my case, the bank quite clearly has assumed responsibility for allowing fraudulent charges to clear my account, and there'd be no case for them to take to court.

themagicone

It's going to be an interesting paper to write. The actual scenario is different that what I have described, and a lot more detailed - but it does follow the same logic. I had to admit this might be one of the few papers that I enjoy writing! Plus I won't have to think of fillers to get to the required pages like so many other papers.

I'll add a story about how a bank screwed me twice and I learned an important lesson on bank logic. First... I had some mix ups with a charge back and my account went like -$400. Being that I was in bankruptcy anyways I figured I'd say screw it and let it go. Well I had my name as just a cosigner on another account but none of the money in the account was mine. The bank didn't care, they emptied the account to cover the OD. Second time my wife OD her account by like $800. She didn't take care of it and I forget she was on my account. Short answer - the bank took my entire pay check then some. That was not a pleasant night at home.

paul78

themagicone wrote: »

Who is to blame? The customer for not protecting their computers? Or the bank for not having a system in place to recognize the fraud?

I work in financial services for a technology provider - not on the banking side but similar.

There is legal precedent that would place the blame on the bank. The usual argument is that the bank has not exercised due-care in implementing the necessary fraud controls when it fails to recognize the transactions.

As you write your paper - take a look at the fallout of the Zeus Trojan kits and some of the lawsuits that occured. Depending on the state, I believe that it can go either way.

Zartanasaurus

Forsaken_GA wrote: »

In my opinion, the bank is at fault. They've accepted the responsibility for the management of the money, so it is incumbent upon them to validate that any actions taken with that money are authorized by the customer.

This is about where I stand. If I were a juror, I could buy a comparative negligence defense to reduce the amount of punitive damages depending on the facts of the case. The bank is the custodian of the money and is in a superior position to prevent fraud. It has to be one of their core competencies. Sure people SHOULD be safer with their money, but that's why they're giving it to the bank in the first place; For safe-keeping.

jibbajabba

How can the bank be blamed if a key logger was used ? Unless there are constant login attempts I am not sure how they can see that this was a fraudulent attempt. If the transfers were made from outside his home country - sure, but I don't think at any point has my bank locked my account for sudden transfers unless the card was used in different countries within a few days of time.

erpadmin

Without looking at the other responses, I would say that the only recourse the customer has is to get the fraudulent transfer back IF it can be proven that the customer was indeed hacked. The customer might be SOLed if a judge deems that the customer did not perform due dilligence to protect his computer (e.g. updated Anti-virus software etc.) But that would depend on how current law (federal in this case) covers it.

If the customer was the victim of a 419 scam, then the customer is truly SOLed. (Deposits a fake $5000 cashier check, bank finds it was no good, and then gets the $5k back.) But in your case, the customer might have some recourse.

DevilWAH

I would say most banks state that it is the customers responsibility to keep there log in details safe and private and not share them with any 3rd parties.

Now in this case the customer, admittedly with out knowledge did share the details with a third party. so from this point of view it is the customers fault, or lets replace "fault" with "responsibility".

In terms of should the bank have noticed and alerted the customer, this can't be answered with the information given. How unusual where the transactions made? £10,000 deposited in to 5 separate of shore bank accounts??? then yes you would expect the bank to notice that, espical if it was not some thing that had happened before. on the other hand, £500 deposited in to a named UK account, using all the correct security details. There is no reason for the bank to suspect anything.

jmritenour

Common sense would lead me to believe this is all on the user. The bank can't reasonably be expected to be responsible for the customer's home computer/network security. Though I suppose you could make the case that they should/could have had additional checks in place, success as asking for some type of ID verification when logging in from an unknown IP, or use a two factor authentication system as some banks are doing these days.

That said, "common sense" and the US legal system do not go well together, so who knows.

DevilWAH

Forsaken_GA wrote: »

In my opinion, the bank is at fault. They've accepted the responsibility for the management of the money, so it is incumbent upon them to validate that any actions taken with that money are authorized by the customer.

My own bank doesn't allow any money to leave via online transfer from their website.

This is not the case on all bank account many allow transfers and set out the detail of what will be accepted as authorization. They also lay out what they will do to validate them.

If you allow your details to become know to a third party to the extent they can pass these check then this is no longer the banks responsibility, they have laid out an agreement and kept to it.

When you sign a contract with you bank it lays all this out very clearly, and its worth reading though it. as there are cases where it clearly states that "the person requesting the trasnacation" rather than defining the "account holder".

Now if you bank account does indeed state there will be no out going transfers allowed then of course in this case if one happens then the bank is responsible. But the responsibility is not determined by what we say on this site, but in the contract that was signed.

And of course the bank need to take due care and notify if any "suspicious" activity has taken place, but that's an ambiguous term if ever I heard one.

jibbajabba

Every time I login to our online banking my local bank suggests a certain security software to download - I suppose that is their way to get out of it ..

DevilWAH

I look at it like this,

I buy a car that does 200mph, the manufacture tells me to be safe I should keep to the speed limit of 70mph. If the speedo then gets disabled/altered for some reason and I crash going at 200mph, there may be an argument that its the manufacture to insure the speedo cant be tampered with. But this still does not put the blame of the crash with them, the fault still lies with me.

NetworkingStudent

themagicone wrote: »

I have an interesting assignment for my cyber law class as WGU. It brings up a subject that I'd like to get some opinions on. Without disclosing the entire assignment I'll just share the main focus:

A bank has been notified of fraudulent transfers. The cause for the fraud is due to keylogers on customer computers, allowing them access to the customers accounts. The bank is now facing litigation from the customer because of the fraud on their accounts.

Who is to blame? The customer for not protecting their computers? Or the bank for not having a system in place to recognize the fraud?

The other part of the assignment is to decide on two laws that the bank can use to prosecute the hackers. That part is easy, wire transfer fraud and theft by swindle.

Don't worry there is a lot to this assignment and I'm not looking for answers. Just would like more opinions than my own. Personally I would think the customers would be to blame, but the bank should offer to refund any fraudulent transfer.

I wasn’t too sure, but according to this article it says banks won’t reimburse customers..

Caller ID spoofing scams aim for bank accounts

Dell SecureWorks estimates small and midsize businesses in the U.S. and Europe lose as much $1 billion a year from online banking accounts. The financial services industry often does not reimburse such losses. "We'd expect business owners to be a bit more savvy and have more resources at their fingertips," says Carol Kaplan, spokeswoman for the American Bankers Association. "That doesn't mean we're not seriously concerned about the problems small businesses are having, and there continues to be huge gobs of investment into shoring up security."

it_consultant

I am going to state the obvious here - the criminal is to blame. As far as I know, the customer is under no obligation protect their computer at all. The laws should probably be changed to reflect the new nature of online banking. It would be a stretch to blame the customer in any way. Say you throw your bank statement away and your account info is on it. Someone pilfers your trash, are you at fault because you didn't shred the statement? Is the bank at fault for not using self destructing paper?

How serious an issue is this, legally speaking? My bank calls me anytime anything remotely odd happens on my account. Once when I bought something online for a round number (this is suspicious) and another when I bought 4 sodas from the same machine. This is just within the last 6 months.

Keithdmitchell

I actually had a conversation like this many years ago with a IT security buddy of mine. The customer is at fault as they did not secure their computer and as such they were compromised with a rootkit / trojan / keykogger, allowing the criminal *The reason person/s to blame* access to their accounts.

The bank on the other hand should alert their customers regarding suspicious activity, HOWEVER if that said customer has a history of performing actions such as the criminal activity did then it may not be seen as an issue. You may have noticed that banks now give you the option of contacting you on anything they think is suspicious and they also tell you to download anti-virus software or to secure your computer before accessing your banking info online.

Good reads regarding this also;

Protect Yourself From The Dangers Of Online Banking
The Dangers Of Online Internet Banking - Financial Web

"Most banks have safeguards against hacking, but your personal computer may not have the sophisticated technology that the banks incorporate. If you don’t have a good spy-ware detection and elimination program installed on your computer then you could be advertising your personal information to those who will do harmful things with it. Be sure your computer is up to date and safe against hacker attacks."

The Dangers of Online Banking: How to Separate the Wheat from the Chaff « Impacta Blog

So in the end of the day, the customer is at fault.

erpadmin

it_consultant wrote: »

I am going to state the obvious here - the criminal is to blame. As far as I know, the customer is under no obligation protect their computer at all. The laws should probably be changed to reflect the new nature of online gaming. It would be a stretch to blame the customer in any way. Say you throw your bank statement away and your account info is on it. Someone pilfers your trash, are you at fault because you didn't shred the statement? Is the bank at fault for not using self destructing paper?

You actually make sense with this. In NJ, if a person leaves his/her keys in the car while it's running and runs into a convenience store for coffee then finds the car is gone, the person who took it (when found) would be charged for theft. Of course, common sense dictates that the person should not have left the keys in a running car in the first place.

Cops have also been known to use "bait cars" where they have a nice C-class Mercedes, leave the key in the ignition, watch passerbys see the key in the car, wait for the moron to get in and take it, and then ride off before the police then shuts the car off. Now, you probably think the thief has grounds for entrapment, but courts have ruled that the person commits unlawful trespass when entering a vehicle that's not his.

So thinking along those lines, I do see your point.

MickQ

The bank is at fault. Why? As you said, they have been notified of fraudulent activity.

If they hadn't been notified, and had taken due diligence, and the customer didn't care about their own security, then it mostly falls on the customer.

Anywhere inbetween is grey area and for insurance.

paul78

jibbajabba wrote: »

How can the bank be blamed if a key logger was used ? Unless there are constant login attempts I am not sure how they can see that this was a fraudulent attempt.

There are actually techniques to defeat key-loggers which banks can employ such as performing out-of-band transaction authorization. Additionally, fraud monitoring controls such as those used in the payment card industry could also be utilized to monitor consumer transaction patterns.

In the US - the last summer, the FFIEC issued new guidance to US banks and financial institutions that raises the bar a bit - more info if anyone is interested - FFIEC Press Release

it_consultant

This is true. I can't do anything in my bank (USAA) until I put a PIN number in. By the time I do that the SSL wall has gone up, so even if my PW is compromised they can't actually do anything in the account. If the PIN is entered incorrectly I get a message in my text and email telling me there is a possibility my account has been compromised and to call the bank immediately. BOA makes you click through a picture code you set up after you enter your creds - similar concept to the PIN.

The key is dual factor authentication.

MickQ

I hate to post so soon on this but one of my banks has a PIN system where it asks for random digits of a long PIN.
Eg. PIN: 123456789
"Please enter the 1st, 4th, and 7th numbers of your PIN"
and different the next time, and so on.
This is in addition to a password, and rotating secondary question.

apathetic enquirer

I'm of the opinion that the blame lies with the client for not properly securing their computer. Also, for at least phishing scams, the German courts have ruled that the blame lies with the client if the bank warned about the potential security problem: yro.slashdot.org/story/12/04/26/0234207/german-court-rules-that-clients-responsible-for-phishing-losses

erpadmin

MickQ wrote: »

I hate to post so soon on this but one of my banks has a PIN system where it asks for random digits of a long PIN.

BOA has this. I had it where before I would have to request them to send a text message to my phone, and then I would put the pin they sent within a minute or so. Problem was there system wasn't working right and I was not getting the text. (It wasn't my phone/service because I was able to have someone text me and I got it.) I called BOA and they said they were aware of the problem and in the meantime removed that service so I could log in. I have no put it back on since.

themagicone

I finally started this paper today. Here is my take: My understanding from the story is that the clients didn't notify the bank until after 60 days of the fraud. Also, all transfer were authorized in the eyes of the bank. The customers private key was stolen and new users were set up. Since it seemed like a normal transfer there was nothing to tip off the bank.

The customer is no longer covered under the EFTA since it was 60 days. The hacker MIGHT be found guilty under law but most laws state the system was "protected". Customers had no security or anti-virus installed.

The bank is not at fault and they are not liable for losses. They will work with the FBI to ensure evidence is turned over but that is where their involvement stops. Protect your damn systems!

drew1d

Who is to blame, the people who stole.

If the Bank took reasonable measures to stop fraudulent actions, then it's not them. Now, if all the money was wire transferred out in one transaction, I think that would have sent up a red flag. Now most of the bank websites log IP's or have a security measure to ask additional questions when logging on from a new computer. But that wouldn't necessarily stop any transaction or raise any red flags. (Answers from the Key logger, and IP's aren't always static.)

I would say it's the customers responsibility to safeguard their systems. Some use keyloggers to track Employee's use of company computers. It's a practice I don't agree with for this very reason. Other keyloggers are installed clandestinely from mal-ware or viruses... That would have to open a port through the firewall that hopefully would be blocked.

Let me throw out another scenario, It's late at night, I need to use the ATM. I go to a branch of my local bank and I notice that the outside light is out. It still takes a card to get into the building area, but the exterior isn't lit. I use the ATM and when I come out I get mugged. Do I blame the bank?

Well, it's not really an issue, because in real life, I would go to a different ATM.

ptilsen

@IT Consultant
I agree in concept, but if the customer's computer is compromised ultimately any authentication scheme going entirely through the customer's computer could be compromised. The example is specific to keyloggers, but in the real-world keyloggers aren't the only mechanism out there.

Unless I'm misunderstanding you, and the PIN is a one-time PIN, which IMO is the only system that mitigates against the possibility of the customer's PC becoming infected. I do have one bank that uses that system, but it gives the option to send to email, which is ultimately ineffective since people don't generally use different computers for email access and online banking.

I've got another account that uses the system MickQ describes and the uses the picture code system you describe. Those are better than password-only, again, but multiple intercepted sessions over time could result in those being compromised as well.

The only truly effective systems, in my opinion, are to send one-time passwords through a non-PC medium (text message for example) or to use issue RSA devices. RSA is ultimately the better method because even OTPs could be compromised if the phone is compromised, for example, but obviously carrying around a device to get on your bank is a hassle. On the other hand, hundreds of thousands, maybe millions of Blizzard gamers do it now for something (IMO) that has much less value than what's in the average bank account.

it_consultant

Any lock can be compromised, digital or physical. If there is a true man in the middle attack, it is up to the fraud detection capabilities of the bank to detect the suspicious activity. Alas, true attacks of this nature are fairly challenging to pull of properly if the user takes even basic precautions.