Thursday, June 9, 2011

Online Banking begins to crumble

Oh, dear:

A judge in Maine has ruled that a bank that allowed hackers to steal more than $300,000 from a customer's online account isn't responsible for the lost money, saying the customer should have done more to protect the account credentials.

Patco Construction Company, a family-owned business in Sanford, Maine, sued Ocean Bank, which is owned by People's United Bank, after discovering in May 2009 that hackers were siphoning about $100,000 per day from its online bank account. The hackers had sent a malicious email to employees that allowed them to surreptitiously install the Zeus password-stealing trojan on an employee computer.

Up until now, banks have covered this sort of loss as a cost of doing business. Now that cost has hit a pain threshold.

From the customer's perspective, there's simply no way that the typical customer can protect themselves from this sort of attack. Zeus was perhaps the biggest trojan targeting online banking, and millions of computers got infected. If the established legal doctrine is "you're responsible for protecting yourself," then you can sum online banking up in two words:

Game Over.

I expect that this is far from being over, but this is seriously bad juju. Anyone who does online banking should think twice.


Lissa said...

Crap. Crap crap crap.

Guffaw in AZ said...


BioBob said...

Agree 100%.

Unfortunately, this was also the case from Day 1 of the concept of "On-line Banking" and most other forms of internet-connected-computer based debit-equivalents.

All of these are only as good as the providers willingness to back the customer vs inevitable fraud and the impetus to dumb-down the security scheme to ensure that security's required Least Common Denominator (LCD) broad acceptability.

LCD = Epic Fail

dsmith said...

Do not use MS Windows and it will not be a problem. I set up a Linux system for my wife, who does our banking, and these issues are not a problem. She can surf and do email using Firefox and Thunderbird just as easily on Linux as on MS Windows.

wolfwalker said...

Something stinks in that story. Read it carefully and you'll find that the judge agreed the bank was negligent -- it just wasn't liable. That doesn't make any sense to me.

dsmith: "Do not use MS Windows and it will not be a problem."

Don't bet on it. At least, not any more than you can afford to lose. PEBKAC is a threat on any computer, and any operating system. Even Linux can be hacked.

BioBob said...

@dsmith So, like, someone cannot leech a Linux wireless signal from a laptop or keyboard or telephone to learn your 3-digit PIN or 6-digit inadequate password like your birthday or first name? Just because you use Linux you automatically won't supply your password or credit card number in a phishing attack? You using Linux will stop the bank's or an online vendor's use of inadequate security measures allowing a hack attack penetration and disclosure of credit card numbers, SSS #, and passwords?

If it is on-line and web-accessible, it is vulnerable, period. If the debit system provider will not take responsibility for any and all fraud, your money and 'good name' are vulnerable, period.

Anonymous said...

There is a difference between personal accounts and commercial accounts.

You are protected if you have a personal account; you are not if it is your business account.

Stuart said...

I find it funny that so many people think the bank should pay because they left the door to their premises open. The customer is the one who fell for a cheap trick and let the bad guys see the combination to the safe. Damn right the customer should pay; that way people will wise up to the fact that not everyone on the Internet can be trusted, even when they look like good guys. Do we really need to relearn the lessons of the door-to-door salesmen?!?

Seriously, take responsibility for your own actions and stop expecting everyone else to bail you out!

Borepatch said...

Stuart, I disagree entirely. The likelihood of the typical home user (or even small business) customer protecting themselves is approaching zero. The sheer quantity of malware targeting online banking (and the size of the botnets) demonstrates that.

If it were easy to keep from getting infected, there wouldn't be a $5B a year Internet Security industry.

Even RSA got hacked, and they're some of the sharpest tools in the security shed. The DoD's classified network got hacked, for crying out loud. These organizations have the motivation, the know-how, and the resources to defend themselves. And they still got pwned.

Joe's Hardware doing online banking? Why would we expect them to be more successful than the finest security minds in the Free World?

The absolute best thing you can say about the bank is that it created an "attractive nuisance," and it should have foreseen that its customers hadn't a prayer.