A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines.
Sanford, Maine based Patco Construction sued Ocean Bank in 2009, alleging poor security after a $588,000 cyber heist. Patco sued to recover its losses, arguing in part that the bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco’s motion for summary judgment and granting the bank’s motion.
On Thursday, the judge presiding over the lawsuit affirmed that recommended decision (PDF), ruling that no further proceedings were necessary. Patco’s attorney Dan Mitchell said the company has 30 days to file an appeal, but that it hasn’t yet decided whether to challenge the decision.
The decision comes as commercial account takeover victims in other states are challenging banks over the security of their online banking platforms. In June, a Michigan court ruled that Comerica Bank is liable for more than a half a million dollars stolen in a 2009 cyber heist against a small business. In July, a California real estate escrow company that lost more than $465,000 in an online banking heist last year sued its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.
These cases are being tried and decided at the trial level in different federal districts. They are not “case law.” Case law requires a published decision at the appellate level, and is only binding on the courts in the district where it is made. Other district courts may consider and quote trial and appellate rulings, but they are not bound to follow them. Establishing a uniform national standard for judging all cases involving cyber theft would require a decision by the U.S. Supreme Court. Banks and organizations may not be willing to carry their appeals to this level, fearing that a national standard may not be in their best economic interests.
KrebsOnSecurity will continue to follow these cases and to bring you updates on new developments as they happen. Stay tuned.
Why ANYONE with a business uses on-line banking at this point, I don’t know. The risk seems way too high unless you can convince the bank to give you a letter saying cyberattacks are their fault.
The “security” practices of US banks never cease to amaze me. A month or two back a friend of mine wanted to get her credit card replaced because the lettering on her existing one was partially worn off, but since it was a vanity replacement the bank was going to charge her for the new card. I suggested, entirely tongue-in-cheek, that she should use the card on her next business trip to the US, wait for the fraudulent charges to start appearing, and then get her bank to replace it.
Two weeks after she got back from San Francisco, fraudulent charges started appearing from various locations in Oakland.
How a banking system like that can continue to function is beyond me…
The banking system is not to blame for that. Credit card numbers get pinched by dishonest people on the inside of various businesses every day.
And the banking system isn’t responsible for your using their site from a machine that’s been compromised by a keylogger. I don’t care how many passwords they put in your way, you’re going to be vulnerable if you aren’t careful.
>The banking system is not to blame for that.
>Credit card numbers get pinched by dishonest
>people on the inside of various businesses every day.
The US does seem to be awfully prone to this though. I do a lot of travelling worldwide (including eastern Europe, which isn’t exactly known for credit card security), and the only place I’ve had my card details lifted is in the US. I feel more nervous using my credit card in San Francisco than I do in St.Petersburg, arguably the capital of Russian cybercrime.
>I don’t care how many passwords they put in
>your way, you’re going to be vulnerable if you
>aren’t careful.
And again, that’s something that seems to be somewhat unique to the US banking system, that they don’t provide anything other than passwords for authentication. Since my bank uses SMS-based cryptographic transaction auth (to a non-smartphone, so you can’t trojan it), it doesn’t matter what’s on the PC because all that’s ever entered there is a crypto checksum to authenticate the transaction details sent via SMS.
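The commenter above describes transaction authentication in which the bank sends the transfer details plus a code to a phone, and the code only validates for exactly those details. The following is an added illustration of that mechanism, not code from KrebsOnSecurity or from any bank: the key, message format, IBAN-style payees and nonce handling are all assumptions, and the code is an HMAC-SHA256 over the transaction details truncated HOTP-style to eight digits. The defensive point it demonstrates is that a payee altered on the PC before submission shows up as the wrong payee in the SMS, so the customer never releases a code, and a code captured from one transfer does not validate for another.

```python
import hashlib
import hmac
import re
import secrets

# Assumed per-customer secret shared by the bank's server and its code generator
# (constructed for this example; real deployments derive keys differently).
CUSTOMER_KEY = b"constructed-demo-key-not-for-production"

SMS_RE = re.compile(r"Transfer (\d+\.\d{2}) to (\S+)\. Code: (\d{8})")


def canonical(txn):
    """Byte string of exactly the details the code must be bound to."""
    return f"{txn['payee']}|{txn['amount_cents']}|{txn['nonce']}".encode()


def transaction_code(key, txn, digits=8):
    """HMAC over the transaction details, truncated to a short decimal code."""
    mac = hmac.new(key, canonical(txn), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 style)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def server_start(key, received):
    """Bank side: record the transfer as received from the browser, build the SMS."""
    pending = dict(received, nonce=secrets.token_hex(8))   # fresh per transaction
    sms = (f"Transfer {pending['amount_cents'] / 100:.2f} to {pending['payee']}. "
           f"Code: {transaction_code(key, pending)}")
    return pending, sms


def customer_reads_sms(intended, sms):
    """Customer side: release the code only if the SMS shows the intended transfer."""
    m = SMS_RE.fullmatch(sms)
    if m is None:
        return None
    amount_cents = round(float(m.group(1)) * 100)
    if m.group(2) != intended["payee"] or amount_cents != intended["amount_cents"]:
        return None                              # details were altered upstream; refuse
    return m.group(3)


def server_finish(key, pending, code):
    """Bank side: accept only a code computed over the pending details."""
    if code is None:
        return False
    return hmac.compare_digest(transaction_code(key, pending), code)


def run_transfer(key, intended, seen_by_bank):
    """Full round trip; seen_by_bank may differ from intended if the PC is compromised."""
    pending, sms = server_start(key, seen_by_bank)
    code = customer_reads_sms(intended, sms)
    return server_finish(key, pending, code)


if __name__ == "__main__":
    intended = {"payee": "DE89370400440532013000", "amount_cents": 123450}
    print("honest browser  :", run_transfer(CUSTOMER_KEY, intended, dict(intended)))
    tampered = dict(intended, payee="GB29NWBK60161331926819")
    print("altered payee   :", run_transfer(CUSTOMER_KEY, intended, tampered))
```

The scheme only holds if the customer actually reads the payee and amount in the message rather than just copying the code, and if the device receiving the SMS is not itself under the attacker's control, which is why the commenter specifies a non-smartphone.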
@Brian – are there any cases that have progressed past the district level? Are there any cases that have the potential to make it to that level right now?
The Patco decision doesn’t make a lot of sense to me. How anyone can find the security that was in place is adequate, is just mind boggling.
Keep up the great work.
Because the security in place is compliant with the current law.
@ Nicholas: Businesses and institutions use online banking because of its tremendous economy.
The real questions are why customers don’t have insurance and why they don’t pay attention to their financial institutions’ advice. Banks’ websites are loaded with information on avoiding intrusions and fraud. Many banks have seminars and all furnish recommendations to their customers when accounts are opened. Small businesses often don’t have the time or inclination to follow the guidelines. Larger businesses and organizations have IT departments – but, they aren’t perfect and can’t guard against all newly-emerging threats. That’s why insurance is an important backup. (No, I don’t sell insurance.)
@ Steve: Losing parties are often unwilling to file an appeal because it is expensive and time consuming. An adverse appellate decision is binding and can have far-reaching consequences – as Brian notes, this may be an unacceptable risk.
The FFIEC updated guidelines, which were not in effect when Patco suffered its loss, recognize the need to protect customers from newer threats, but stop short of endorsing any specific technology or approach. Instead, they call on banks to conduct more rigorous risk assessments, to monitor customer transactions for suspicious activity, and to work harder to educate customers — particularly businesses — about the risks involved in online banking.
See: http://krebsonsecurity.com/tag/ffiec/
Sure you can get insurance against employee theft and computer fraud bundled together! Just Google ” insurance policy computer fraud.”
Here’s an example, *not a recommendation*, of the types of policies available:
http://www.insurecast.com/html/crime_insurance.asp
“The computer owner and user effectively HAVE NO TOOLS AT ALL to reliably prevent, detect, or correct a bot infection in a conventional system. However, most systems can be secured by booting from a Linux LiveDVD like Puppy Linux.”
This is nonsense. Believe it or not, there are plenty of us who have never been compromised and don’t go to the extreme of booting off DVD. For example, running OS X with free Sophos anti-virus and Firefox w/noscript is pretty darn secure. You have to keep your software patched and not be an idiot too, and that is where I see the most failures. There needs to be some evidence that the customer did their part too.
While I would agree that generally there is no 100% fix… let’s face it, both parties hold some responsibility.
1. The customer/business – SHOULD do everything they can to be secure. Such as using a DVD or only using the computer for banking transactions and leaving it off otherwise (only turning it on otherwise to patch and update AV)… etc. The customer/business cannot be let off the hook if they choose to do NOTHING or use poor judgment – there is not a patch for human error. If they choose to do online banking they SHOULD do their research, know the risks, and do what they can to be secure.
2. The banks – SHOULD do everything they can to TEACH the customer how to be secure and OFFER the best security they can. You have to remember – regardless of what is offered, unless the customer/business actually uses it correctly then the fault is not the banks’. There are many ‘secure’ solutions that need to be implemented in a certain way; if they’re not… then they’re open to more security flaws than they otherwise would be. If you choose to ignore the guidelines and do it your way – you could be leaving a door open that you didn’t know was there but the banks did (which is why they gave you the guidelines)… this is your fault, not theirs – they cannot control your actions.
The banks CANNOT offer a 100% safe online banking experience… there are too many factors. They can offer some (just for argument we’ll say 60%) and the customer/business has their part as well (just for argument we’ll say 20%)… however there’s always going to be that 10% (or whatever the number really is) that is possible to be breached. Even if we don’t know of a security flaw, that doesn’t mean it doesn’t exist… and it doesn’t mean that at some point in the future, someone with malicious intent won’t find it. Short of not banking online (and the actual bank could still be robbed too – they may have lowered the odds, but it’s still possible) – there is no end-all-be-all cure to make it safe. There is ALWAYS a risk – even if you don’t see it. Together, the banks and customers/businesses need to be on top of things 100% of the time… someone trying to steal money only has to get lucky once… and even if one may give up by not being able to get in, that doesn’t mean another won’t try later.
“It is NOT POSSIBLE for computer owners and users to be responsible for having a bot infection which their equipment inherently accepts, and which they cannot prevent, cannot detect, and cannot correct.”
You mean to tell me if I get a virus on my computer which completely wipes my hard drive and I lose everything on it that I’m not responsible? Who would I hold accountable for that? Surely Dell, HP, Apple, etc aren’t willing to take the blame… but ultimately it’s their computer that allows me onto the internet and that allows my computer to be vulnerable to attack… or is it the internet’s fault for allowing the virus to be able to be delivered to my computer? Last I checked, if I got a virus by something I DID – I had to deal with the lost data, pay to have someone restore it (if it’s even restorable), and pay to fix my computer or buy a new one… Would it be convenient for me to say “Since there can be no absolute security, there is always something else which can be done, even if ineffective or counterproductive. Doing “everything” is not a solution.” and therefore I’m not responsible? Sure… is that reality – no. Yes their product has vulnerabilities, but they offer me patches to help and I make the CHOICE to use the best security methods I know how and am willing to do… those I know about and am not willing to do, I’m making that choice and risking it… those I don’t know about I am still responsible for because I am choosing to risk it and not look into what else I could be doing. And if, as you said, it’s “… impossible even for an expert to make the “right” decision every time…” then how can I expect the computer company, or bank, to offer a 100% safe solution for me?
Just like the computer companies are not responsible for my actions – nor should the banks be responsible for their customer’s actions. You know the old saying, “you can lead a horse to water but you can’t force it to drink”… same thing applies here. They can lead the users to better security practices – but they cannot force them to “live” security (as you put it).
“Specifically what guidelines would those be, which somehow convey the user to the magic realm of security? ”
I’m not saying I know what the guidelines the bank gave the company were… my comment stemmed from your earlier comment of, “My technical involvement with “guidelines” and “recommendations” leads me to see them as little more than “cover my ass” legal BS for the banks.” I could be wrong – but there could also be some good intent in giving the guidelines… they could be helpful. A 100% fix no, but not something to just ignore either. Just because something isn’t a 100% fix doesn’t mean it should be ignored. Nothing is a 100% fix… that’s why layered security is so important.
“Security is not a seminar, but a way of life. Customers are not going to change their way of life just to put their money in a bank. ”
So because the customer isn’t willing to try, the bank is ultimately responsible? I’m sorry if this sounds rude – but that sounds like an entitlement attitude to me… “I want to put my money in the bank and I want to access it online, but I don’t want to change my normal online behavior just because I’m accessing my banking info”…
Please don’t misunderstand my point… I do think the banks hold SOME responsibility… they should have good security measures in place. They should have some type of red flag for suspicious behavior on accounts. They should be quicker to react sometimes when things go wrong (as they inevitably will)… However – putting all the responsibility on the bank is not realistic. They could have the most state of the art security and someone could walk into a business and steal hard copies of their information and use it to commit fraud online… that’s no fault of the banks. The business cannot blame the bank for getting breached – it was their poor security that allowed it originally. Now YES – they can expect the bank to have additional fail-safes set up to help prevent issues… and they can expect the bank to work with them to recover costs or stop transactions when they’re found… but the bank cannot be responsible for the business’ poor security business practices. It needs to be a joint effort.
Should the bank, in this case, perhaps have done more – very possible. I don’t know all the details behind what they did or didn’t do… nor do I know all the details of what the company did or didn’t do… all I am saying is that there should at least be some of the responsibility to the businesses themselves as well…
I believe it’s the business attitude of “it’s not my responsibility” that leads to many of the regulations we have today (like PCI and HIPAA)… businesses have to secure the information they’re trusted with. Now that goes for ALL businesses – banks included. And yes, some have more responsibilities than others… but that doesn’t mean that one company can get out of all their responsibilities and give them to the bigger company. They should still use good security practices regardless if they’re going to go into business.
This shouldn’t be a matter of “it’s not my fault – it’s theirs” – because the reality of the matter is, both parties are responsible for the issue.
I think this is a matter that we’ll have to agree to disagree on…
To me, just as the banks know there are risks with banking online – so should the businesses… they are wanting the convenience of banking online and should be aware of the risk.
I do think, in many situations, some banks cut corners to save money… and am in no way saying it’s appropriate to knowingly offer an option without explaining the risks… and IF they know there’s a big issue with the way they’re set up they should fix it (just like if a car is on the market and the brakes are found to be faulty they should be recalled). However, other businesses cut corners too. Some skimp on security and believe it should be someone else’s responsibility.
The sad truth is, some companies focus solely on their bottom dollar – and even if there is a problem, as long as it doesn’t impact a huge amount of their business – they may not see it as worth fixing. Just like the car company that didn’t recall a car with a known issue until after enough people died that people were coming after the company directly – ultimately hurting their bottom dollar and becoming a legal issue. However, originally they thought fixing the issue would cost more than it was worth – and they were talking human lives… sad but true. Until that mentality changes – I don’t think issues like the one Patco faces will change. Companies need to do more, to do what they know is right instead of trying to push responsibility off elsewhere. The banks try to blame the businesses and the businesses try to blame the banks… it’s not going to solve anything until both sides accept their role/part in the issue.
The responsibility of protecting one’s online bank account, in my opinion, does not lie 100% with the person whose account it is nor 100% with the bank that holds the account. I do think the bank has more responsibility than the account holder – but both sides are responsible and should be held accountable.
Do I think the bank should’ve done more… yes – it doesn’t sound like they really had much security in place. However, that’s really more of a moral issue with their decision to not do more since at the time – they were meeting the legal requirements.
“Tools simply do not exist which can guarantee to find a hiding bot. That means YOU CANNOT KNOW whether or not you have been compromised. Virtually any system which boots from a hard drive can be infected.”
Ah yes, the zealotry of the typical security guy…either 100% secure or 0%. Newsflash…booting off a known clean ISO isn’t 100% either, the runtime can still get infected. And it’s a moot point, since very few people are willing to do it.
““Pretty darn secure?” Just how would you know?”
Yes, it’s my opinion, but I do this for a living. Don’t get caught up in the OS, I prefer Windows actually. OS X is still less targeted, so safer from that perspective. In my experience, many malware infections are caused by user ignorance. They click links in phishing e-mails, they do “breaking news” image search and just blindly click on stuff. They have antivirus but the sigs expired 2 years ago. The point is, you can’t put all the blame and responsibility on the .
“Tools do not exist which can certify a system as safe for online banking. No customer can “do their part” to control something they cannot detect or correct.”
Again, this is bull. This is like the old security adage, “the only secure computer is a disconnected one”. While true, it’s not helpful. It’s not about being 100% Trusted… even booting from ISO doesn’t do that. I’m saying let’s at least require that the customer made some effort to secure their environment.
Ask the credit card companies. They’re really good at it.
Some of the stories Brian has posted here give good examples. New people on the payroll, payroll on a new day, dozens of overseas wire transfers from a company that has never done any overseas transactions before, flurry of payments right after disabling or rejecting alerts.
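The commenter lists the patterns that stand out in the cases covered on this site: payees that have never been paid before, payroll on a day the company never runs payroll, a run of overseas wires from a company with no overseas history, and a burst of payments shortly after alerting was switched off. Below is an added example, not code from KrebsOnSecurity or from any bank, of how a bank-side review step could encode those heuristics against a customer's own transaction history. The history, the batch and the `alerts_disabled` event are constructed sample data, and the thresholds (a 24-hour window after alert changes, three international wires counting as a burst, two flags to hold a transaction) are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: a small company's normal activity (payroll every other
# Friday, occasional domestic wires to one supplier) followed by one bad morning.
HISTORY = [
    {"ts": datetime(2011, 6, 3, 9, 0),   "type": "ach_payroll", "payee": "PAYROLL-SERVICE", "country": "US", "amount_cents": 2_500_000},
    {"ts": datetime(2011, 6, 10, 14, 0), "type": "wire",        "payee": "ACME-SUPPLY",     "country": "US", "amount_cents": 120_000},
    {"ts": datetime(2011, 6, 17, 9, 0),  "type": "ach_payroll", "payee": "PAYROLL-SERVICE", "country": "US", "amount_cents": 2_500_000},
    {"ts": datetime(2011, 7, 1, 9, 0),   "type": "ach_payroll", "payee": "PAYROLL-SERVICE", "country": "US", "amount_cents": 2_500_000},
    {"ts": datetime(2011, 7, 6, 15, 0),  "type": "wire",        "payee": "ACME-SUPPLY",     "country": "US", "amount_cents": 80_000},
]
# Account setting changes made through online banking (constructed).
EVENTS = [{"ts": datetime(2011, 8, 2, 9, 5), "event": "alerts_disabled"}]
# Tuesday 2011-08-02, an hour after alerts were disabled (constructed).
BATCH = [
    {"id": "T1", "ts": datetime(2011, 8, 2, 10, 15), "type": "ach_payroll", "payee": "NEW-HIRE-1",  "country": "US", "amount_cents": 950_000},
    {"id": "T2", "ts": datetime(2011, 8, 2, 10, 16), "type": "wire",        "payee": "RECIP-0042",  "country": "UA", "amount_cents": 950_000},
    {"id": "T3", "ts": datetime(2011, 8, 2, 10, 17), "type": "wire",        "payee": "RECIP-0043",  "country": "RU", "amount_cents": 920_000},
    {"id": "T4", "ts": datetime(2011, 8, 2, 10, 18), "type": "wire",        "payee": "RECIP-0044",  "country": "UA", "amount_cents": 900_000},
    {"id": "T5", "ts": datetime(2011, 8, 2, 11, 0),  "type": "wire",        "payee": "ACME-SUPPLY", "country": "US", "amount_cents": 80_000},
]


def baseline(history):
    """What 'normal' looks like for this customer, derived from their own history."""
    return {
        "payees": {t["payee"] for t in history},
        "payroll_weekdays": {t["ts"].weekday() for t in history if t["type"] == "ach_payroll"},
        "intl_wires": sum(1 for t in history if t["type"] == "wire" and t["country"] != "US"),
    }


def flag_transaction(txn, base, events, window=timedelta(hours=24)):
    """Per-transaction flags; each maps to one of the patterns named in the comment."""
    flags = []
    if txn["payee"] not in base["payees"]:
        flags.append("new_payee")
    if txn["type"] == "ach_payroll" and txn["ts"].weekday() not in base["payroll_weekdays"]:
        flags.append("payroll_off_cycle")
    if txn["type"] == "wire" and txn["country"] != "US" and base["intl_wires"] == 0:
        flags.append("international_wire")
    if any(e["event"] == "alerts_disabled" and timedelta(0) <= txn["ts"] - e["ts"] <= window
           for e in events):
        flags.append("after_alerts_disabled")
    return sorted(flags)


def review_batch(batch, history, events, burst_threshold=3):
    """Flags per transaction plus batch-level flags that no single item shows."""
    base = baseline(history)
    per_txn = {t["id"]: flag_transaction(t, base, events) for t in batch}
    batch_flags = []
    intl = sum(1 for t in batch if t["type"] == "wire" and t["country"] != "US")
    if intl >= burst_threshold and base["intl_wires"] == 0:
        batch_flags.append("international_wire_burst")
    return per_txn, batch_flags


def hold_for_review(batch, history, events, min_flags=2):
    """Ids the bank would hold for out-of-band confirmation before releasing funds."""
    per_txn, batch_flags = review_batch(batch, history, events)
    held = []
    for t in batch:
        is_intl_wire = t["type"] == "wire" and t["country"] != "US"
        if len(per_txn[t["id"]]) >= min_flags or (is_intl_wire and batch_flags):
            held.append(t["id"])
    return held


if __name__ == "__main__":
    per_txn, batch_flags = review_batch(BATCH, HISTORY, EVENTS)
    for tid, flags in per_txn.items():
        print(tid, flags)
    print("batch:", batch_flags, "hold:", hold_for_review(BATCH, HISTORY, EVENTS))
```

The recurring supplier payment (T5) picks up only the "after alerts disabled" flag and is not held, which is the trade-off a real deployment has to tune: as the later comment about title companies notes, a customer with genuinely erratic payees will generate far more flags than this constructed history does.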
What’s dreadful about it? The customer failed to do their part. There is really nothing that the bank could have done. The technology and infrastructure do not exist. Personal responsibility. Learn it. Live it.
Monitoring and balancing ones accounts daily.
I have a really technical small correction re your post. Trial court decisions *are* case law, but they aren’t binding, even on a different judge in the same court. By contrast, a decision from the court of appeals will be binding on all the trial courts from which an appeal can be taken to that court of appeals.
As you suggest, although trial court decisions are not binding, they can serve as persuasive precedents. In practice, trial court decisions that are the first to get to a particular legal issue can be very influential, especially if they’re well reasoned.
My opinion on this isn’t worth much–I’m mostly involved in different areas of law, and haven’t done anything with bankers–but it seems to me as a matter of first principles that the banks should have a lot more responsibility than these decisions give them. As a practical matter, it’s a lot easier for one bank to learn about effective banking security than it is for its thousands of customers to learn it, so the bank is what we’d call the least-cost avoider. Shifting that responsibility with boilerplate may be legally effective, but it does nothing to reduce the overall incidence of theft, which is what the social goal is.
You may have mixed up the new and old releases of the FFIEC Guidance on authentication. Per the old guidance they are indeed compliant; per the new one we can hope they would be found not in compliance.
You have the right of it, just from the legal perspective the new guidance doesn’t take effect until January 2012 I believe. At which point the company (I assume) would then be legally liable per the standards.
One of the common threads in these comments is how banks should be 100% liable for business losses related to malware. One of the chief complaints I have with this thought process stems from this argument:
“THE TOOLS DO NOT EXIST which would allow the businesses to be responsible when using a hard-drive-boot operating system for online banking”
If the tools don’t exist for the consumer, and malware has been an issue for 20+ years, how can the tools exist for banks who have only been dealing with this on a large scale for 3+ years? The simple answer is they definitely don’t. So we implement layered security to help mitigate this effort. Many people advocate contacting the customer for “odd” transactions. The simple reality of this is it doesn’t work, it’s not scalable, and how can you trust any process to perform this 100%? If there aren’t sufficient tools to detect infection how can I be sure the bank’s PCs aren’t infected and feeding inappropriate contact information to tellers?
I know for certain that malware can coordinate between a phone and PC to steal true out of band authentication credentials so that really isn’t a trusted channel. I know malware can intercept phone calls or record conversations, so a phone call isn’t trusted. Email or other systems don’t really work because its the same channel as the origination. Perhaps a faxing system could be worked out, but it probably isn’t scalable for larger organizations. Sure a linux OS or an Ironkey type device might work, but again is it scalable and what would user acceptance be?
The point being that implementing layered controls to detect this fraud isn’t exactly simple. Take a Title company for instance. They generate huge amounts of inbound/outbound transactions to extremely inconsistent locations. They also have incredibly strict demands on processing times if they are going to stay your customer. How do you implement a detection process that is going to identify “odd” transactions, and remain scalable so your customer simply doesn’t leave you for another less secure bank?
It’s easy to simply push the cost in these situations off to the bank, because they are the big company with deep pockets. And heck, the vast majority of banks seem like pretty bad businesses. The reality is that these situations are generally a failure of both parties to ensure proper controls and measures are in place. I agree that a consumer doesn’t have the tools to detect malware… But a small business sure does, even if they choose not to. Banks are already being held to an evolving (although slowly) standard, but so far there isn’t a standard for these businesses.
Ideally I would like to see the cost of these losses split 50/50 when the bank had reasonable (per FFIEC) controls in place. I think it’s fine to hold banks to a standard, as long as the negligent business is as well. In cases where the bank is not FFIEC compliant, make them 100% liable.
A bank robbery really isn’t a good analogy in this case I think. Of course the customer wouldn’t take any loss from a bank robbery; in a bank robbery there are no customer-influenced controls. Security of the bank’s physical location is 100% the responsibility of the bank. Aside from that, reimbursing cash to customers for a robbery is a safety issue, not a monetary policy.
I’m not sure you can easily draw a real world analogy for the situation that has arisen with internet banking. Malware is incredibly effective, and social engineering more so; there is not a system in the world you can design that will be secure against these attacks. Part of a layered security approach has to be customer education, and to some degree responsibility.
Pretty much agree with everything you said there. I would love the Windows/Linux Live CD approach personally. But it would pretty much have to be made an industry requirement overnight for it to gain customer acceptance. Currently if we rolled that out, all but a select few customers would probably bail. They complain that the key fob authentication for transactions is too complex…
The other thing too is customers have a VERY strong tendency to say, “whatever that thing is you did to my computer broke it, now you need to pay to have it fixed”. We know full well a LiveCD couldn’t possibly do anything, but the customer is always right (or they leave at the drop of a hat).
Overall I think it’s an awesome idea, I just don’t see the practical road to getting it widely implemented.
@Terry Ritter,
With all due respect, I have a secure system without any need to boot to a Live CD. Yes, it’s a Windows system, always has been. Yet somehow I’m able to balance security and convenience all at the same time while minimizing risk to malware. Been doing it for 15 years now! So, it’s possible. And it’s done by countless of us out here in the real world. I’d say a majority that we NEVER hear from!
Also, the incessant preaching about Live CDs and claiming “No tools exist” does not make your opinions any more valid. It also doesn’t help to repeatedly throw Windows under the bus, so to speak. It just sounds like a fanboy. But, the real problem is that it all completely fails Law #10 of the Immutable Laws of Security: “Technology is not a panacea”.
“Technology can do some amazing things. Recent years have seen the development of ever-cheaper and more powerful hardware, software that harnesses that hardware to open new vistas for computer users, and services that change our expectations for both, as well as advancements in cryptography and other sciences. It’s tempting to believe that technology can deliver a risk-free world if we just work hard enough. However, this is simply not realistic.
Perfect security requires a level of perfection that simply doesn’t exist, and in fact isn’t likely to ever exist. This is true for software as well as virtually all fields of human interest. Software development is an imperfect science, and all software has bugs. Some of them can be exploited to cause security breaches. That’s just a fact of life. But even if software could be made perfect, it wouldn’t solve the problem entirely. Most attacks involve, to one degree or another, some manipulation of human nature, a process usually referred to as social engineering. Raise the cost and difficulty of attacking security technology, and bad guys respond by shifting their focus away from the technology and toward the human being at the console. It’s vital that you understand your role in maintaining solid security, or you could become the chink in your own systems’ armor.
The solution is to recognize two essential points. First, security consists of both technology and policy—that is, it’s the combination of the technology and how it’s used that ultimately determines how secure your systems are. Second, security is a journey, not a destination—it isn’t a problem that can be “solved” once and for all, but a constant series of moves and countermoves between the good guys and the bad guys. The key is to ensure that you have good security awareness and exercise sound judgment.”
http://technet.microsoft.com/en-us/library/hh278941.aspx
You keep insisting that the solution is a technological one. I guess you don’t believe in the definition of “immutable”. As such, there is simply no point in trying to debate with you. I have neither the energy nor the inclination. But, I made my point and will leave it at that. Happy trails.
“Our malware problem is not philosophical, it is technological… it is about our computing platform, the equipment and software, being inherently vulnerable to the bot infections which are our most serious problem. Because this hardware and software vulnerability is a technological problem…”
But the technology can only be as good as the people who are writing the code and creating it. The issue is not technology – the issue is people are not perfect and therefore technology won’t be either. We have to find ways to account for human error – in the software/hardware/etc as well as the users.
“As of September 2010, about 99.4 percent of all malware was designed to run under Microsoft Windows. (Previously it was more like 99.9 percent.) ”
As of September 2010 about 88% of users were running Microsoft Windows – is it really that much of a surprise that malware was being designed for the most popular OS? Would it have made sense to have more malware targeting Macs – which at the time were only about 7% of users worldwide?
The % of malware written for a particular OS is irrelevant unless you’re taking the popularity of that OS into account as well. 99% of malware targeting Windows doesn’t necessarily mean it’s the easiest – simply that it’s the most popular and therefore most profitable. Notice the increase in Mac malware as Apple is becoming more popular lately.
Stats quoted are from http://www.w3schools.com/browsers/browsers_os.asp… the share of Windows users is also around 88% at http://www.w3counter.com/globalstats.php?year=2010&month=9, though Mac users do go up to almost 9% there.
I think that at least Brian is careful to maintain the distinction between “you should not bank with a general-use Windows PC” and “Windows is terrible because…”. He’s even posted about an incident where a person was compromised when he “just one time” used his home Mac to log in to the business account.
It doesn’t really matter whether Windows is compromised so often because it’s targeted so much or because it’s full of holes (I’m one of those who think MS has come a long way). What does matter is that they ARE compromised so often that businesses should never bank with a general-use Windows computer. A general-use Mac might be slightly better, but a dedicated-use machine or Live disc would be best.
Has anyone ever told you that you’re kind of a dick?
My company just added significant cybersecurity insurance, and we’re a shoestring operation, so it can’t be too prohibitive. When I did a search for companies selling it, it does cover breaches regardless of cause. You fill out a questionnaire about your security policies to get a quote. Just going through the questionnaire would be a good way for a company to improve their security, as it will make them get answers to questions they previously hadn’t considered.
My recommendation to any victim of a cyber bank heist would be to tell the world about it; companies hate negative publicity regardless of who the courts ultimately decide is to blame. Simply telling the story to the world on Facebook, Twitter, various websites, creating a website, doing radio and TV interviews, etc is the best way to recover your losses. Simply telling the story about what happened without laying blame is provocative enough to create concern among the FI’s customer base and target market. Remember, it’s only defamatory if you unjustly point the finger. Keeping it simple like, “We banked at [bank name] and we had our money taken without our consent, and [bank name] did not cover the losses as they would had it been a personal checking account or consumer credit card.” Soon enough, many people will realize that banks are not created equal. Some banks, particularly the larger world banks, have the resources to implement much better security than their smaller competitors. Even many of the large domestic banks that were getting hacked are starting to implement tighter security than what the government requires; not because of the threat from actual thieves, but from the trials taking place in the court of public opinion that end up costing them more than if they would have simply refunded the banking customer and tightened up to begin with.