73 Comments
- 4AntiStupid, on 09/04/2009, -8/+50I think they're going to have a difficult time arguing a login and password is not sufficient considering how common that is around the world. Most likely it was snagged with a phishing email which isn't the bank's fault.
- EMFK, on 09/04/2009, -4/+36Only 26k? Obviously not an ambitious hacker!
- mclewell, on 09/05/2009, -2/+33Why at this bank could you take out a loan for $26k online?
- badqat, on 09/04/2009, -0/+30Hey, it took a couple of "hard" minutes of work to get that 26k...
- yocouchdigga, on 09/05/2009, -0/+22Expect to hear from my attorneys soon, Amy...
- Servo888, on 09/05/2009, -2/+23That's just an assumption. We have no idea how their account was compromised. Now, I have a debit card with my bank, and two credit cards with another company. My debit card was replaced a year ago when the bank realized it lost some data, which included my account information. About 4 months ago, both my credit cards had their numbers stolen. One of the cards hadn't been used in over 6 months, while the other was used on a daily basis. I had several large transactions, and some small to foreign countries. I shop at large retailers, keep my cards safe, and passwords unique. Yet, I was still hit. I, of course, was not held liable since these were credit/debit card transactions. What bothers me the most is that in this case, the bank transferred a large sum of money overseas, and that didn't raise any flags?...
- AmyVernon, on 09/05/2009, -0/+20If those were grounds for a lawsuit, there would be even more lawsuits than there already are.
- Cglass, on 09/05/2009, -0/+19Who doesn't take out a $26k loan when they wake up? For me my day starts like this:
1) Smash Alarm Clock
2) Open Firefox to Gmail, Digg, and various news sites I like
3) Take a crap
4) Read through firefox, but before closing check my bank account and take out a $26k loan
5) Shower, get dressed, and head to work
I can understand why they have this feature; I would not bank with my current bank without it.
- yocouchdigga, on 09/04/2009, -16/+32The bank should counter sue, on the grounds that the plaintiffs are retarded.
- brbubba, on 09/05/2009, -0/+12Hello! Am I the only voice of reason here? Someone maxes out their line of lending in one fell swoop and then tries to transfer the funds out of the country. Don't you think this would raise some red flags at the bank? Come on, a simple phone call to the number on file would have been sufficient to stop this mess.
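A defender-side version of the check brbubba describes, written here as an added example that is not from this thread or from any bank's system: a rule that holds an outbound transfer for a phone confirmation when it is large, international, to a new beneficiary, or follows a near-maximal drawdown of the credit line. The thresholds, event fields and the timeline are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str                 # "loan_drawdown" or "transfer"
    amount: float             # USD
    dest_country: str = "US"  # transfers only
    new_beneficiary: bool = False

# Policy thresholds: assumed values for the demo, not any real bank's policy.
DRAWDOWN_RATIO = 0.8          # a drawdown of >= 80% of the line counts as "maxing out"
WINDOW = timedelta(hours=24)  # how far back to look for such a drawdown
AMOUNT_THRESHOLD = 10_000     # transfers at or above this always need confirmation

def review_transfer(history, transfer, credit_limit):
    """Return the reasons a transfer should be held for a phone confirmation.
    An empty list means it may be executed automatically."""
    reasons = []
    if transfer.amount >= AMOUNT_THRESHOLD:
        reasons.append("large transfer")
    if transfer.dest_country != "US":
        reasons.append("international destination")
    if transfer.new_beneficiary:
        reasons.append("new beneficiary")
    # The pattern the commenters flag: max out the line, then move the money out.
    for e in history:
        if (e.kind == "loan_drawdown"
                and transfer.ts - WINDOW <= e.ts <= transfer.ts
                and e.amount >= DRAWDOWN_RATIO * credit_limit):
            reasons.append("follows near-maximal credit line drawdown")
            break
    return reasons

def demo_suspicious():
    # Constructed timeline modelled on the thread's scenario: the whole
    # $26k line is drawn and wired abroad twenty minutes later.
    t0 = datetime(2009, 9, 4, 9, 0)
    history = [Event(t0, "loan_drawdown", 26_000)]
    wire = Event(t0 + timedelta(minutes=20), "transfer", 26_000,
                 dest_country="AT", new_beneficiary=True)
    return review_transfer(history, wire, credit_limit=26_000)

def demo_benign():
    # A routine domestic bill payment to a known payee with no recent drawdown.
    t0 = datetime(2009, 9, 4, 9, 0)
    bill = Event(t0, "transfer", 120.50)
    return review_transfer([], bill, credit_limit=26_000)

if __name__ == "__main__":
    print(demo_suspicious())  # all four reasons
    print(demo_benign())      # []
```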
- wilf_brim, on 09/05/2009, -0/+12There are two issues here, and they diverge.
1) Who was at fault for the loss of credentials? Did they come from the bank or the user? If the user had a simple password, or was phished, then the bank may not be at fault.
2) The bank failed to note on a credit report that the debt was in dispute. That seems pretty damning to me.
- consolejocky, on 09/05/2009, -0/+10No characters? So all the passwords at this bank are blank?
- Nintendesert, on 09/05/2009, -0/+9Try to focus on the story at hand.
- ChileanGoD, on 09/05/2009, -3/+12Step 1. Use my user name and password to take 26k out of the bank
Step 2. Blame it on a hacker
Step 3. ?
Step 4. Profit!
- Pyehole, on 09/05/2009, -1/+9Where do you come up with that? We have no way of knowing where or how the un/pw info was acquired. It could just as easily come from the bank or its security firm as from the plaintiffs. For that matter, it could have been broken using brute force. If the bank's own tech is so bass-ackwards as not to include some kind of token, for all we know the bank allows unlimited attempts to login.
- cyclopssmiley, on 09/05/2009, -1/+9Some banks have very poor login security however. My bank password does not let me use characters, which is inexcusable.
- kurtergad87, on 09/05/2009, -0/+7A simple user name/password combination seems far too insecure for something as important as a bank account. Personally I have a user code (a 'name' I didn't choose), a password that has to conform to usual security measurements, a time-synced pin-generator that is an external piece of hardware and a personal code to operate that device.
- Atomic1fire, on 09/05/2009, -1/+6I think it may also go down to this:
why didn't the bank have some sort of finalization process, such as a phone call, to handle finishing loans?
secondly, if this is a court case, shouldn't the court have some sort of access to the information regarding the hacker, since they know what bank it is? unless the "hacker" is some Nigerian using cover identities and/or a Russian mobster, or even someone with a Swiss bank account, I think they should get the warrant for the information, though since it's international, that might pose a problem.
but yeah, how was the information obtained?
if it's personal fault, then the lawsuit should be nullified;
if it's lax security on the end of the bank, there could be a class action, depending on how many were compromised.
- rdoger6424, on 09/05/2009, -0/+5@cyrix
apparently they actually care about bank security in Europe
- valis, on 09/05/2009, -2/+6I dislike banks very much. Especially in today's financial climate. I hope she wins on principle. A login name and password is not enough. Period. Any bank or credit union with half a neuron working requires a PIN, too. Online loans approved without personal contact with the account owner? Absolute garbage. That bank is retarded.
- brbubba, on 09/05/2009, -0/+3I don't see how the password leak would determine liability here. The fact is that the username and password were stolen and at issue here is whether the bank actually has a limit on its own liability for fraudulent activity. I think it's pretty clear to any judge presiding over the case that the fault of the password theft was far less important than the fact that the bank didn't perform any due diligence on the loan. Any halfwit would easily tell you that maxing out a line of lending in one go and then immediately turning around to perform a transfer would raise red flags across the board. In essence the bank granted a loan without identifying that this couple were the originators of the loan. A username and password, while convenient in the digital age, don't exactly cut it when it comes to burden of proof issues.
- demonicume, on 09/05/2009, -0/+3the principal at a high school in my district was hit for like $40K. When I was interviewing for my current position, 1st/2nd level desktop and network support, he sat on the board. He'd only been invited to the interview because his location would've been within the scope of my job - some administrator needed to be there to okay the hire. He asked me, hypothetically, how would I hack someone's computer and steal credit information. I was surprised. *****, I'm not a hacker, never been a hacker. I've never tried to crack any type of security outside of the scope of my job in the USAR. I've always been desktop and infrastructure support, so this question was out of my league (he didn't know the difference).
I answered "If I were still working at the AT&T helpdesk, I'd remote into your machine - with permission. Then I'd set up some sort of remote control via VPN... or a key logger. Then I'd sit back and wait for you to pay a bill online and capture your information. I might even periodically remote into your machine and make purchases directly from your desktop, just to cover my tracks."
He stared at me for a long while. Then he told me that he'd just been hit for over $40k and that the FBI suspected that this is how it was done.
I'm starting my 3rd year in the district.
- ChromaVita, on 09/05/2009, -0/+3No I know exactly what he's talking about. I tried to change my password to MickeyMouse67 and it wasn't accepted!
- Countess666, on 09/05/2009, -0/+3I'm sorry but no, it's inexcusable for a bank to have just a user name and password combo as their whole security feature on-line.
any on-line activity of that much importance should be secured with a second line of defence with something that can be traced back in the real world.
it could be anything from a calculator that spits out a generated code to a short list of (one use!) codes to an SMS with a code and the amount being transferred.
every transaction you do should be secured with something like these options.
it's inexcusable to rely just on something so easy to get a hold of if you really want it.
- GezusK, on 09/05/2009, -1/+4I think it'll come down to how did the hacker get their username and password? If it was a phishing scam, or some sort of hacking into their personal computer for the info, then the case should get tossed.
- nuketrap, on 09/05/2009, -0/+3They should do what my bank does and, in order to transfer any money, aside from in between your own accounts - which you have to do at the bank in person - set up an SMS confirmation so no money can be transferred unless the code put in the confirmation box is the same as the one sent in the SMS.
- Myztry, on 09/05/2009, -0/+2Banks are generally getting better as they are at least willing to cop losses since they make so much profit with negligible cost due to online transactions.
Some other industries like Superannuation (Australian version of 401(k)) schemes are still low security. When my super scheme first went online they used passwords. Later they reduced the security to 4 number pins to tie in with their phone access system.
Okay, so they only allow 3 attempts before they lock the account and require unlocking by voice. Problem is I became tired of unlocking the access. It always seemed to be locked, as anyone could lock your account with 3 tries.
Locking may be inconvenient, but is it secure? The hackers only get 3 attempts, preventing brute force attacks? Wrong. Get a botnet full of unique IPs even just trying 1234 once on every account and they are all but sure to get a hit. Several in fact. There are more than 10,000 people with the super scheme. It's almost impossible for them not to get a hit... Especially if they use the 3 passes available.
And I can tell you now my super has WAY MUCH more money in it than my savings accounts...
Now, money in super isn't so easy to withdraw - but they can transfer it into stocks and such, and at least get some decent commission like those 'invest in fake goldmine' schemes. In the end, the money is still gone.
- Atomic1fire, on 09/05/2009, -0/+2Or attack it from the inside... think about it,
someone goes inside, becomes an employee and does a con job on the inside; the system is compromised so someone assumes it's a hacker, though it could be a cleverly routed attack from inside the network.
/conspiracy theory
- jugglingjon, on 09/05/2009, -0/+2If the thief accessed the account by brute forcing the bank's login screen, or somehow obtained the password from breaking into the bank's system, then the bank should be responsible. If the client leaked their own password somehow, I see them at fault.
Either way, how about next time the bank give the client a call before transferring their entire credit line to a bank in Hawaii?
- TeCuervo, on 09/06/2009, -0/+2lol.
State of the art...
- newman8r, on 09/05/2009, -0/+2The thing I'm most surprised about here is the Austrian bank that refused to return the money or help with the investigation.
- diggaligg, on 09/05/2009, -0/+2It's most certainly negligent of the bank to poorly guard an access point that would allow transfer of $26 from an account. It's negligent to allow that much money to be moved online at all.
With all the phishing scams that are common today, and in 2007, simple user/pass protection isn't and wasn't good enough. Anti-brute force measures such as login CAPTCHAs and max try limits, requiring extra information when logging in from a computer for the first time, and disallowing login from geographically removed locations are all common sense measures that should be implemented in addition to a user/pass.
If a bank doesn't trust their own security enough to guarantee the funds then why would they entrust customers' wallets with it? Ridiculous. I hope the plaintiffs win, and then some.
- Countess666, on 09/05/2009, -0/+2there isn't a bank I know that uses just a username/password combination. and if I did know them I wouldn't do business with them, as they obviously don't take security very seriously.
it might even be illegal here in the Netherlands to just use a username/password combi.
You can use your user name and password to look at your account but for every actual transaction you need to fill in a code.
a code that you get by using a little calculator sized machine and your ATM card, or via a real world list of codes, or via an SMS (which has the code AND the amount of money being transferred in it.)
sure none of these are 100% safe but they are a hell of a lot safer than just a username and password.
- bdbr, on 09/05/2009, -0/+2Exactly. Any online transaction over a reasonably small amount (5K-10K), they should have contacted the policy holder to ensure that was authorized...especially if their authentication method wasn't extremely secure.
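The transaction-bound code that Countess666 and nuketrap describe above (a one-time SMS code tied to the amount and destination, shown to the customer together with those details), written out as an added example that is not code from the thread or from any bank: the bank derives the code from the transaction fields with an HMAC, so verification fails if the amount or beneficiary being executed differs from what the customer confirmed, and a consumed nonce cannot be replayed. The key, account identifiers, nonce handling and the HOTP-style truncation are constructed assumptions for the demo.

```python
import hmac, hashlib, secrets

CODE_DIGITS = 8

def canonical(account: str, amount_cents: int, beneficiary: str, nonce: str) -> bytes:
    # Fixed field order and a separator that may not appear in any field, so two
    # different transactions can never share the same encoding.
    for f in (account, beneficiary, nonce):
        if "|" in f:
            raise ValueError("field may not contain '|'")
    return f"{account}|{amount_cents}|{beneficiary}|{nonce}".encode()

def issue_code(key: bytes, account, amount_cents, beneficiary, nonce=None):
    """Bank side: derive the code that is sent to the customer by SMS along
    with the amount and beneficiary it is bound to."""
    nonce = nonce or secrets.token_hex(8)   # fresh per transaction: one-time use
    mac = hmac.new(key, canonical(account, amount_cents, beneficiary, nonce),
                   hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): take 4 bytes at an
    # offset chosen by the low nibble of the last byte, reduce mod 10^digits.
    off = mac[-1] & 0x0F
    val = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return nonce, f"{val % 10**CODE_DIGITS:0{CODE_DIGITS}d}"

def verify_code(key, account, amount_cents, beneficiary, nonce, code, used_nonces):
    """Bank side: accept only if the code matches the transaction actually being
    executed and the nonce has not been consumed before."""
    if nonce in used_nonces:
        return False
    _, expected = issue_code(key, account, amount_cents, beneficiary, nonce)
    if hmac.compare_digest(expected, code):
        used_nonces.add(nonce)
        return True
    return False

def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    used = set()
    acct, payee = "NL00TEST0123", "NL00PAYEE9999"            # constructed ids
    nonce, code = issue_code(key, acct, 2_600_000, payee)     # EUR 26,000.00
    ok = verify_code(key, acct, 2_600_000, payee, nonce, code, used)
    # Malware that rewrites the amount after the customer approved the SMS'd
    # details produces a mismatch, because the amount is part of the MAC input.
    tampered = verify_code(key, acct, 9_900_000, payee, nonce, code, set())
    # Re-submitting the already-consumed code is rejected by the nonce check.
    replay = verify_code(key, acct, 2_600_000, payee, nonce, code, used)
    return ok, tampered, replay

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```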
- floejoe, on 09/05/2009, -0/+2wtf?
- bshock, on 09/05/2009, -0/+2Reminds me of the Mitchell & Webb sketch where the guy is informed by his bank that his identity has been stolen. He then points out that he still seems to be who he's always been, while it's the bank that's out a pile of money.
- cyrix, on 09/06/2009, -0/+1I wish any bank near me used such measures. They'd get my business in a heartbeat.
- carlosos, on 09/05/2009, -0/+1She has a good case because banks are required to have multi authentication system which this bank didn't do.
- kurtergad87, on 09/06/2009, -0/+1It is a Danish bank, so most of you would likely be out of luck. I had to show up in the bank twice with identification and sign three different agreements for setting up a net-account. I also received the different codes, guides and equipment in several packages to avoid mail-fraud. Even the signature had to have a signature for some reason.
The ironic thing about this bank is that they recently lost several millions due to a signature that was forged by a shady investor. Apparently there is always a bottleneck.
- yocouchdigga, on 09/05/2009, -4/+5I think it's safer to assume it's not the bank's fault. To each his own, I guess...
- Fistdantilus, on 09/05/2009, -0/+1When wondering if it's the banks' or the peoples' fault of how the 'hacker' got the password, I think of this:
Users trade their passwords for chocolate: http://news.bbc.co.uk/2/hi/technology/3639679.stm
- JohnnySoftware, on 10/31/2009, -0/+1Read this month's news on malware.
The Washington Post publishes a good security blog. Read it and you will learn how sophisticated malware authors have gotten at spoofing bank authentication screens and hiding their withdrawals from you. Your browser might be the bad guys' accomplice in these robberies.
If you took the trouble to get a two-phase authentication key from your bank you should take the trouble to read up on the latest FBI warning about $40m stolen during the past few months via online banking. Read up about dynamic viruses that might be given a "free pass" by your brand new security protection software. Then find out about drive-by infections that take advantage of a popular web browser plugin that might just have been pre-installed in your computer by the new retail store you bought it from.
And when I say "might", some people can read it without that word there and it will still be a true statement. Hard to believe as that sounds.
While ID / PIN / one-time-use password sounds great, it's not good enough. If your PC is hacked, using them is no different than picking up the phone, calling the hacker, and forgetting the phone number you just called. Worse, in fact. Yeah, one time use, true - but what program where is using it, and is your bank data coming to you directly from the bank or from someone else's look at it?
If you go use an ATM these days, you need to scrutinize it for some kind of a low profile skimming device, which is really hard to know if you don't know what the ATM looks like without it!
And for the past few months or more, banks on the east and west coasts have been getting robbed a lot by walk-in robbers. It used to be guys who walked in with a note asking for the money. Then they hit the next bank and they have guns. The bank after that they have assault rifles and are demanding the vault money and not just the teller's money.
So it is not a good situation to get your money by any means right now.
If you are using the safest OS you can find, the safest browser you can find, cutting back on what plugins you use if they are ones that repeatedly have known problems - at least you are cutting your risk.
If you don't, well - at least you won't get robbed and shot at the same time.
- Countess666, on 09/06/2009, -0/+1@gezusk : the bank should have realised that a username/password is not adequate protection when it involves large amounts of real money.
even with an anti-virus, a firewall and not clicking on a phishing site your computer can get hacked, infected or the DNS of your ISP altered to direct you to a phishing site with no way for her to know.
there is NO 100% safe computer system, especially not home desktops, and if the bank knew anything about security they'd have realised that.
her biggest mistake was not leaving the bank right away after finding out the lack of security measures at the bank.
- noerrorsfound, on 09/05/2009, -0/+1At least it didn't end like this: "I'm starting my 3rd year in prison."
Guilty until proven innocent! - 4AntiStupid, on 09/05/2009, -0/+1Bank of America, American Express, USAA, and Principal are all ones I've used recently and only have a login and password. BOA is the only one that has an extra step to try to prevent phishing.
- JohnFlux, on 09/05/2009, -0/+1My bank (Barclays) sends everyone a onetime keypad. You have to put your card in it, type in your pin, then enter that number in online. That's on top of the password.
Don't use a bank with crappy security.
- JohnnySoftware, on 10/31/2009, -0/+1A bank whose employees took confidential customer credentials and sold them to a third party last year just got bought out by a California bank this year. There are no morals to this story. Just because someone was "bad" does not fix anything for good people who did not do anything wrong.
Couple years back a major bank in US and/or UK had outsourced customer service to a call center in India. Those workers collected the credentials for about 10 of the bank's customers, electronically robbed their accounts, and then went on a shopping spree in India where they lived and blew the money. It was a lot. Bank said it wasn't their fault. Crooks had squandered the money. Victims could not really go to India and collect their money - who would they win it from? One of the few bank-insider thefts I have read about, and the victims really did not get treated well. Not even sure the call center was fired by the bank.
There was a case in Florida where an employee took a computer tape of data about clients of the firm he worked at and sold it. There are cases in UK where private data about patients was sold to insurance companies; illegal but no one was penalized. A doctor in US - Florida, I think - passed away and his estate sold his patients' private medical records to an insurance company. These are just a few examples of what has taken place since 2000.
There are also the cases of backups and laptops being lost all over the place and PCs being hacked into via flaws in the operating system. Happened tons of times and you have read lots so no need to recount them. Horizon was the most honest about disclosing what had happened as a way to warn other companies. They were running MS-Windows, they passed the credit card handling industry's PCI certification rules, and they got hacked hard for a long time and lost a ton of CC# credentials.
FBI just pointed out at least $40m was recently stolen from small and medium sized businesses via malware. You know which operating system. Not new. It's just piling up enough to get noticed now.
A guy in Florida owned a business and used his PC for online banking. One day he lost something like $90k from his account. His bank allowed someone else to wire it to Riga, Latvia. Vanished. He only got some of it back. Everyone blamed him because his operating system got malware. Bank did not feel like it was their fault. His situation, which was a sentinel one and happened years ago, got ignored or quickly forgotten. Too bad.
Insider jobs are not necessarily the way it's happening most of the time. There are way more computers in homes and small offices across America than there are bank employees. Employees are trained not to give excess information out - computers aren't.
It is nice that these consumer victimization crimes are finally getting noticed. Until now, they were just regarded as "isolated incidents" (as a certain company says quite a lot). Now, apparently, this year someone has sat up and started connecting them together and seen that they are not isolated incidents.
I doubt the next victims will get any more of a bailout than the last, but consumers might do a better job of shopping for banks and software in the future. They might read the relevant news more. I think if consumers get as serious about the issue as law enforcement clearly has this year then they're going to save some seriously large M1 (cash).
It's like the old joke where the patient goes to see his doctor and says, "Dr., every time I drink my cocoa with the spoon in the cup - I get a sharp pain in my eye!" And the doctor replies, "Then don't do that!". 8-D
- bdbr, on 09/05/2009, -0/+1@cyrix: I don't know of any banks that use those, but it's not particularly new technology. My company used those about 10 years ago. The password it generates is only good for a minute. Really, all banks *should* at least offer that, particularly to accounts with large balances.
- GezusK, on 09/05/2009, -0/+1ahh, the typical blame shifting. She could have been the one with poor security, no antivirus or firewall, or doing something stupid like falling for a phishing scam....but NO...it's the bank's fault for not preventing that also.
- fafaforza, on 09/05/2009, -0/+1Banks in the US seem less interested in security. I have HSBC and they wouldn't give me a pin generator, even when I offered to pay for one. They don't care about lost money. They'll just hit you up with penalties and interest ($40 billion source of revenue) and take your home and sell it to cover what you owe. And the money you paid down on the debt? Oh, that's long gone. The great transfer of wealth.