North American Network Operators Group

RE: OT: Re: User negligence?

  • From: David Schwartz
  • Date: Sun Jul 27 04:27:55 2003

> I think there is confusion here.

> The banks are making the claim that, if you, the user, have an infected PC
> that is compromised by an 3lit3 h4x0r, and your password to your bank
> account is compromised, then the bank is not responsible.

> That is what you are saying, Sean?

	While the bank holds your money, it is responsible for its safety. This
includes making sure the money is only released to you or to those you
authorize. If an act of theft or fraud causes the bank to release that money
without your authorization, the bank can certainly be held responsible. This
is why they hold checks and even, from time to time, call people up to
confirm suspicious transactions. Generally banks have a blanket bond to
cover theft/fraud losses and this protection extends to their customers.

	I don't think it would be that difficult to show that there are significant
security flaws in the online banking system that the user is neither
responsible for nor capable of correcting. You could get a dozen security
experts to testify that a static password is not sufficient to protect a
system that can perform unretrievable funds transfers. If that's all the
bank's online scheme provides, this may negate the argument that the user's
negligence was the sole/primary cause of the loss.

	In most states, you have additional protections under state law.