Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Government Politics

Korean Banks Forced to Compensate Hacking Victims 154

An anonymous reader writes "A brief story over on Finextra reveals that the Korean government is introducing new legislation that will force banks to compensate customers who have been victimized by identity theft even if the banks are not directly responsible. This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder."
This discussion has been archived. No new comments can be posted.

Korean Banks Forced to Compensate Hacking Victims

Comments Filter:
  • All too brief... (Score:5, Informative)

    by TripMaster Monkey ( 862126 ) * on Wednesday December 14, 2005 @01:03PM (#14257520)

    From TFS:
    A brief story over on Finextra...
    'Brief' is right...'skimpy' is the adjective that comes to my mind.

    A much more detailed report on this story can be found at The Korea Times [hankooki.com].

    Reading through the above referenced story, two things pop out at me:
    • The investment to build a safe e-banking environment may result in astronomical increases in systems costs given the insecure nature of the electronic commerce infrastructure.
    • The biggest challenge to the banking sector would be how to make home PCs secure. Hackers are increasingly preying on the home PCs, the most susceptible online link of all. Many bank customers tap in from home, often on a computer with little or no security software.

    Given these two paragraphs, this looks like I'm going to be paying higher systems costs because others can't be bothered to practice responsible computing (when this initiative moves out of Korea into the rest of the world, that is...).
    • The solution is as easy as random number generators. I've seen them used for logons to Motorola corporate networks since around 1995 and for internet banking for at least five years. It is quite difficult to find internet banking here in Sweden, for instance, which doesn't issue a small random number generator keychain-sized thingie.
      • Re:All too brief... (Score:4, Interesting)

        by TripMaster Monkey ( 862126 ) * on Wednesday December 14, 2005 @01:19PM (#14257656)

        Sounds like you're talking about RSA's SecurID products [rsasecurity.com].

        These things are expensive to purchase and deploy. Who's gonna foot that bill? Just the users who can't get the hang of responsible computing....or all of us?

        Besides, SecureID does have its flaws [homeport.org]...no panacea here.
        • LOL! Nice 10 year old flaw.

          There are better ways to pick on SecurID than that.

          The reality is it changes the mix for the banks just enough to be useful. Not cheap though.
        • They don't have to be expensive. They should be very cheap if manufactured in large quantities. I can buy a solar LCD calculator for $1 at Wally World.
      • by runcible ( 306937 )
        RNGs ( which are not RNGs but rather little keygen dongle type items ) don't address the class of issues that would result from -- say -- accessing your bank's site from an 0wned box...the 0wner can hijack an existing, authenticated connection.

        Or for that matter a phishing site that passes through the authentication info that you type in, including the number from your dongle...which now that I think about it, is the more likely scenario.

        The answer will never really be in authenticating the *person*, that c
    • 1.-Wouldn't making a policy of not granting this kind of insurance to people unable to demonstrate security meassures implemented on the PC systems they will use for access the bank network... do the trick? 2.-Wouldn't also be interesting to ask people doing online banking to register the terminals (Disk Serial number and whatever identification possible) and IP addresses, and the cost of that paperwork should be charged as an 'electronic theft insurance fee', and that it would be possible for people who a
    • Re:All too brief... (Score:4, Informative)

      by inoffensif ( 604265 ) <waygook@NOSPAm.gmail.com> on Wednesday December 14, 2005 @01:25PM (#14257718) Homepage
      To the parent, thanks for the Herald link.

      There are many factors which are prompting this in SK. I am not a native but I have been residing in South Korea for 2 years.

      -This place is the mecca of broadband internet access. I mean anywhere and everywhere in the country, everyone is connected at speeds that would humble first world nations. Not that SK isn't first world, economically they are, socially it's another story...
      -Everyone and their mother, uncle, step-sister uses IE explorer. Most Korean sites are designed for IE and don't work with any other browser.
      -The networks are dirty, before I had a physical firewall, ZoneAlarm was registering 1000+ intrusion attempts a day on my system.

      Put your average mom and pop who don't know any better, in an online banking situation in this environment, and you are asking for disaster.

      It will probably set a precedent for many online banking SOPs in the west.

      For those idiot western media brainwashed idiots who don't know a thing about Korea, get a clue, nobody gives a damn about eating dogs or even hears about North Korea more than once a month here, just listen to your dear leader dog tell you who to attack next.
      • Re:All too brief... (Score:3, Interesting)

        by Sangbin ( 743373 )
        Amen brother. Just a rant, but to shed some light on the current computing environment in SK, SK gov checks the speed of the internet connection ramdomly and requires full refund to all the customers if it isn't as fast as advertised.
        Yes, gov stepping into corporate arena is a bad thing, but it seems to be keeping their Starcraft players happy enough.
        • Just a rant, but to shed some light on the current computing environment in SK, SK gov checks the speed of the internet connection ramdomly and requires full refund to all the customers if it isn't as fast as advertised.

          This is also why SBC only sells DSL to 14,500 feet regardless of how good your copper is. At least, that's the case in California. They used to sell to 17,000 feet but then the FCC started fining the shit out of them if their DSL was slow. So, existing customers got to stick around, bu

    • If the cost of real, secure online financial transactions is that, then that is what it is.

      The question is whether the benefits will be worth that cost. Or whether there is another option that will provide secure transactions without the cost.

      Either way, the people most motivated to find the solution would be the banks IF they were held accountable as this seems to say they will be.
    • I agree with the poster. What incentive is it to behave responsibly when people know that the government is going to bail them out? I mean, look at it. My bank says they will never send me alerts through email or have me go to a website and update my information...But I got one in my email, and I just want to make sure its not for real. Now the bank is on the hook for it, leading to higher costs all around...

      Most phishing sites have nothing to do with the original institution, other than nipping off enough
    • Given these two paragraphs, this looks like I'm going to be paying higher systems costs because others can't be bothered to practice responsible computing (when this initiative moves out of Korea into the rest of the world, that is...).

      Well, you're making two rather large assumptions, firstly that the precident will spread, and second that this would be a bad thing for your bottom line. But many large banks already cover identity theft, and that money comes from somewhere (hint: you). If the net result is
  • by nharmon ( 97591 ) on Wednesday December 14, 2005 @01:08PM (#14257556)
    Does anyone here really think the banks are going to pay this money out from their bottom line? They'll recover it from those customers who do protect their identity through increased fees and interest.
    • Great! (Score:3, Insightful)

      by brunes69 ( 86786 )
      And when said customers see their fees increse because of their bank's lack security, they will switch banks to one who has lower fees (because they have good security and don't have to pay said fines).

      Any way you cut it, with this legislation the bank is the one who loses if they don't get their act together when it comes to security.

      *Every* industry should have this type of legislation. It should not be the customers responsibility to research the security policies of their prospective banks/stores/whatev
      • Switching banks isn't trivial. For some folks every bill that comes into their house is paid through one bank. Switching all of those over to another requires a lot of effort. I myself maintain 3 bank accounts to make switching easier for me but I seriously doubt someone is going to jump banks beacuse of an extra $10 a month charge.
        • Bollocks (Score:3, Insightful)

          by brunes69 ( 86786 )
          I sue online banking exclusivly, and pay all my bills off it. I have some 15 or so registered.

          Even so, if my bank started charging me a monthly service fee, I would jump ship with no hesitation.

          I mean, it takes all of 5 minutes to reigster 10 or 15 accounts online. It is not rocket science.

          The biggest pain would be swtiching the directd eposit at work, and only because it would take a few days to go through probably.

          Not much of a deterrent IMO.

      • *Every* industry should have this type of legislation. It should not be the customers responsibility to research the security policies of their prospective banks/stores/whatever. Hell there is no way you could realisticly do that, since theres no way for you to know their internal policies.

        i agree! i'm tired of all of these mailings that my bank sends me to tell me how to protect my identity. aside from not giving out personal info to people i don't trust, i should not have to be responsible for prote
        • What gets me is the "service" that credit card companies and credit reporting bureaus offer to protect you incase your identity is stolen - for a fee. Excuse me but how in the world can they ethically justify turning identity theft into a profit point.

          Credit card companies have always (or for quite some time anyway) been on the hook for fraudulent charges, just as banks have always been on the hook for stolen money.

          Why the rise of the internet should allow them to offer a service protecting you is nonsense,
    • by Jesus IS the Devil ( 317662 ) on Wednesday December 14, 2005 @01:23PM (#14257695)
      You are falling for the business spin on things. If fees increase so will volume of transactions, and thus their bottom line. Banks that are able to overcome this hurdle will grab a huge chunk of market share through low prices all the while keeping good security.

      The fault here lies with two parties, the bank for not doing enough, and end users for not caring enough about security. I feel that end users should still be partially responsible for their actions. I mean, there are people out there that, despite repeated warnings, will keep getting themselves hacked and scammed. I think most of us know people like that. And really, the only remedy for them is to yank out their computers and never let them go online again.

      It's one thing to make banks more responsible for security breaches, but it's another to force them to be completely at fault, when there are so many points of entry for a crook. From the internet router from the ISP, to the user's home line, to his computer, to his keyboard, to the telephone, etc.
      • by mumblestheclown ( 569987 ) on Wednesday December 14, 2005 @01:43PM (#14257854)
        The fault here lies with two parties, the bank for not doing enough, and end users for not caring enough about security.

        Would it be too gratuitous to mention that at least some percntage of the fault lies with the unethical idiots actually doing the theft?

      • "...If fees increase so will volume of transactions..."

        ???

        I'm sorry, I missed the leap of logic which allowed you to make this statement. Tytpically speaking as the cost of a given thing increases the likelihood that someone will do that particular thing decreases, all else being equal. Care to enlighten me?
      • Make no doubt, banks love online banking. It means you are not walking into a branch. It means less paper processing so the lockbox department is less worked (which means less paid since most transaction processors are paid per the transaction). Branches have overhead, and lots of it. Even rolling out an expensive security system is WHOLLY worth it to the banks because they will be able to attract more online bankers and this, in the end, will save them money.

        Think ATM machines....these things were UB
    • by bfields ( 66644 ) on Wednesday December 14, 2005 @01:32PM (#14257771) Homepage
      Does anyone here really think the banks are going to pay this money out from their bottom line? They'll recover it from those customers who do protect their identity through increased fees and interest.

      The whole "identity theft" terminology is screwed up; it's not your "identity" you're protecting--you're still you after someone else manages to clear out your checking account. What the "identity thief" has done is to fool the bank's authentication system into thinking their transactions were authorized by you. You do have some control over whether this happens, by your choice of password, choice of when to type it in, etc. But the decisions with the greatest affect on the security of that authentication system are completely in the bank's hands: e.g. the decision to authenticate you by asking you to enter a password into a form on a web page.

      The decision to make banks responsible for losses isn't because of a preference for consumers over banks--as you point out, expenses may be passed on to customers either way--it's because the best way to make the banking system more secure is to make sure that the entities with the most power to fix the system are the ones that see the incentives to fix it.

      This is the same reason we limit consumer's liability for credit card losses--it's the credit card company that's in the best position to detect and prevent fraud, and if we pass on the cost to them then we enable them to weigh the costs of fraud against the costs of improved security infrastructure, something that's impossible for an individual consumer to do.

      • What the "identity thief" has done is to fool the bank's authentication system into thinking their transactions were authorized by you.

        That's exactly right. "Identity theft" is a very misleading label -- what we're talking about is good old-fashioned fraudulent transactions. The implementation is different, and facilitated by technology -- especially stupidly-used technology -- but the crime isn't that different in essence from a forged check.

        In that light, we should remember that the bank is 100 perce

      • But the decisions with the greatest affect on the security of that authentication system are completely in the bank's hands: e.g. the decision to authenticate you by asking you to enter a password into a form on a web page.

        Or better yet - the decision to authenticate purchasers by having merchants ask users for a 16-digit number which is transmitted in the clear to the merchant and later relayed to the bank. Credit card numbers are a system that should have abandoned ages ago. Imagine an email system wher
        • Merchants should never be given master account authentication credentials. They should be given signed message digests, or one-time authentication codes, or something along these lines, which are tied to the transaction date and amount. Even if credit card companies just put secureID readouts on their cards it would MASSIVELY cut fraud.

          I would have thought so too, but the credit card companies (ast least in the US) seem to have been happy enough just paying the price of fraud for a long time now....

          Also

          • Couldn't agree more. I'd put both a modem with speaker/mic on it, RF interface, and USB connection. Transaction sent over phone/air/cable to box, box displays amount, vendor, and date, user enters PIN on device keypad for confirmation. Credentials never leave box - just the signed hash and certificate. PIN never goes anywhere but the box. All authorizations have a serial number, so no replay attacks. Box would use small LCD display. Such a system should be hackproof in concept - as long as the IO cod
          • > the credit card companies (at least in the US) seem to have been happy enough just paying the price of fraud

            And this is because the credit card companies make money coming and going. They make vast sums from merchants, by charging a few percent of the purchase price when you buy something. That's how some card companies can give you 1% back on purchases -- if they're skimming 3% off the top, and returning 1% to you, they're still skimming 2%. Fraud is just a cost of doing business to them, and as the

            • And this is because the credit card companies make money coming and going. They make vast sums from merchants, by charging a few percent of the purchase price when you buy something.

              Sure. But that doesn't prevent them from wanting to make even more money if they could.

              So if they could save X in fraud by spending Y<X on security infrastructure, you'd think they would. Beats me.

  • No big deal (Score:5, Interesting)

    by Red Flayer ( 890720 ) on Wednesday December 14, 2005 @01:08PM (#14257560) Journal
    FTA: "Under the new legislation customers will still be required to implement safety measures and won't be compensated for losses incurred from online scams if they are careless with card details, PINS and passwords." (emphasis mine)

    There's 50% of it right there.

    I'm not trolling here, I have a question:

    Does using Windows constitute being careless? How about using unpatched Windows? How about using Windows without malware scanners installed?
    • Does using Windows constitute being careless? How about using unpatched Windows? How about using Windows without malware scanners installed?

      No.
      Yes.
      No.

    • An argument can be made either way. If you use any kind of electronic commerce, it is less secure than being at a bank in person.
      I don't think a bank will hold you responsible for a hardware keylogger on the back of the computer you're working on etc.
      But I am thinking more along the lines of giving passwords out in phishing e-mails, writing your passwords down, putting your pin in permanent marker on the back of the card.
      As for Windows? I doubt it.
    • Hmmm. Though your question is tongue-in-cheek, it raises the point, how do you define careless? Expect lots of litigation along these lines. This is a trial lawyers dream law. Notwithstanding the opportunities for fraud.
  • Schneier likes it (Score:5, Informative)

    by Anonymous Coward on Wednesday December 14, 2005 @01:09PM (#14257564)
    This is exactly what Bruce Schneier has been advocating for a while...here's his take [schneier.com] on this story.
  • by chroot_james ( 833654 ) on Wednesday December 14, 2005 @01:11PM (#14257585) Homepage
    While I was working for Harvard Law School, the Secret Service came and spoke to the different IT communities at Harvard. What they came to tell us was that if there was any security breach, they would help us minimize the damages and then went through their plan on how to do that. The plan was essentially to not scare the public, not tell anyone, and hide as much of the damage as possible and try to recover. That basically does nothing for anyone interested in *actually* knowing how safe they are.

    Kudos to to Korea having the balls to blame the people leaving the doors to security breaches WIDE open.
    • You're wrong. They are blaming the big pockets. The people leaving the doors open are the bank's customers.
      • If they're providing the service, they should protect their customers.
        • And I've been reading postings on Fark.

          There could be meritous arguments to both of the sides here, but yours isn't one of them.

          This is much closer to forcing Ford to give you a new car because you handed the keys to your car to someone with the promise of a better car in return. Absolutist inanity like "they should protect their customers" is absurd. The best way to protect customers from fraud involving online banking would be to stop online banking. This is clearly not acceptible, so a more reasonable
          • And yet, unlike a car (which people can and do loan out), a bank account site could take fairly simple steps to provide a more-secure authentication method. But they don't.

            Personally, I'm not a fan of making it the responsibility of the smart to defend the stupid from themselves, but some of these things are things even smart people can't defend against, like stupid webdesigners. (Not an isolated issue. Look at www.wamu.com, www.bankofamerica.com, www.chase.com, the main pages are not encrypted but they h
  • by El Cubano ( 631386 ) on Wednesday December 14, 2005 @01:13PM (#14257603)

    This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder.

    I agree. I was listening to Clark Howard [clarkhoward.com] a couple of weeks ago on the radio and he was talking about how 99.9% of US banks have atrocious security when it comes to online banking. I know that identity theft also happens offline, but I also think that you have to criminalize grossly negligent behavior, or else you end up with a situation like what we have today: banks see it as more fiscally reasonable to absorb the cost of the problem than to even attempt to fix it. The problem is that this has tragic consequences for the individuals that are victimized. Hopefully the US congress will jump on board and start dealing with serious problems, instead of concerning themselves with things like college sports [go.com] and drug testing among athletes [govtrack.us], which ultimately shouldn't be of importance to the federal government.

  • by putko ( 753330 ) on Wednesday December 14, 2005 @01:16PM (#14257630) Homepage Journal
    DNS is broken -- it is possible to ask your DNS to lookup "Bank of America", and if the hackers have screwed the DNS servers inbetween yours and root, you'll get the wrong machine. That allows someone to do a man in the middle attack: all your requests get relayed to your bank, but perhaps with different amounts or payees. That subverts two-factor methods also.

    Because DNS is broken, even if the banks beef up their stuff, there's no hope for secure transactions.

    E.g. suppose you need a pasword and a one-use number (from a list of magic numbers the bank gives you) to do a transfer. [this is how it is in some parts of Europe]. The bad boys do the transfer, but they transfer the money to themselves, not your payee. And they take as much as they want. And they use the magic number you've given them for your intended transaction.

    So because of this potential problem, I don't do online banking.

    I figure the average schmuck doesn't have a chance anyway; he's using the same OS and software as 99% of the victims, so he's an easy target.
    • by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Wednesday December 14, 2005 @01:29PM (#14257745)
      If the SSL ceritifcate does not match the IP address of the host you are connecting to, it should raise big red flags in your head.

      Sometimes, there are legitimate reasons for this (such as a bank moving servers and not having time to get a new cert), but they are usually very temporary, so to be safe you can just not do any banking during that period.

      Sure, you can still bypass this via a man in the middle attack using ARP poisioning - but in order to do that the hacker has to be on your local subnet if you have a home router, or else working at your ISP if you are directly connected.

      Either case is highly unlikely, and **any** way you look at it, even if your original DNS thing was an actual issue, online banking is much more secure thank banking at an ATM or via debit payment, and I bet you do that every day.

      All I need to steal your money at an ATM is to install a hidden swipe reader inside the ATM/debit machine and a hidden camera to capture your PIN number. This happens *all the time*, far more than publicized. It is very easy to do, and a smart crook who just leaves the setup installed for a few hours then takes it down is rarely caught either

      Even easier is to just capture the cazd swipe, us eit to make a fake identical copy of your own card, and going into the bank and convince the teller to let you change the PIN on the card cause "you forgot it". Also simple to do. Much simpler than hacking itno the DNS servers of your ISP, that's for sure.
      • SSL certifcates are almost never issued to IP addresses, only to fqdn hostnames. In fact I've never seen a certificate with an IP address in the CN field, and I'm not even sure how a browser would handle it. In fact, issing a certificate to an IP address would make things even less secure. With a hostname, the broswer can check against a forward and reverse looklup, theoretically maximizing the number of machines that would have to be compromised to hijack the connection. It also subverts the only real chec
      • Sometimes, there are legitimate reasons for this (such as a bank moving servers and not having time to get a new cert), but they are usually very temporary, so to be safe you can just not do any banking during that period.

        1. Inform the customers in advance of server move.
        2. Shut down the banking website to ALL customers until that cert is up.

        No fucking around.
      • If the SSL ceritifcate does not match the IP address of the host you are connecting to, it should raise big red flags in your head.

        The fact that you needed to point this out means that, for the vast majority of users, it will not raise a big red flag.
    • I thought that server certificate and SSL were supposed to fix this. You lookup the IP of your bank through DNS, and it doesn't match the IP on the certificate, shouldn't your browser give you a warning? Then you encrypt the data going to that IP with the public key of the server. If you look at the certificate you can verify that it belongs to your bank, and therefore, all information you send out, should only be readable by the bank. Unless their private key has been comprimised. Which i think is ano
    • Here is a possible solution.
      The bank would give you a little thing thats like a calculator.
      When you do a funds transfer, the bank outputs a random number.
      You then input the number along with the amount being transfered into the calculator which makes a hash of them and a secret number stored in the device.
      This number is input back into the bank system before the transaction goes through. If the hash computed by the bank doesnt match what the user entered, no transfer would take place.

      Unless the hacker can c
  • I hope this serves as an example to legislators in the US.

    People would be much better served to get advertisements via mail directing them to a secure website for credit-card sign up instead of the usual forms that get people into trouble. The blank checks that credit card companies send are just asking for trouble and should be illegal when not requested by the customer.

    My mail-carrier can't see to well and my mail is often delivered to others in my apartment building. I usually get my mail back one way
  • by jreiser ( 590600 ) on Wednesday December 14, 2005 @01:19PM (#14257655)
    The banks will use the new rules as an excuse to require Trusted Computing [or other restricted hardware/software] for home users, which in practice will mean some form of MS Windows. No MacOS, no Linux, no BSD, etc.
  • I see a weakness (Score:3, Insightful)

    by Bastard of Subhumani ( 827601 ) on Wednesday December 14, 2005 @01:21PM (#14257672) Journal
    1) Put money in bank account
    2) Have your pal steal your identity and the money
    3) Bank recompenses you
    4) Split PROFIT!!!!!
  • Economic Incentives (Score:2, Interesting)

    by e4g4 ( 533831 )
    This is a classic example of using an economic incentive where all else seems to fail. Clearly if the economic onus of identity theft is (in large part) on the shoulders of the bank, they'll come up with better and better ways to secure their information that they had no will or reason to do before. Presumably they'll start using biometrics and the like (whether or not you think that's adequate security) and hopefully, if this is enacted in the States, they'll start to require more than a bloody SSN and b
  • Bruce Schneier (Score:3, Informative)

    by diakka ( 2281 ) on Wednesday December 14, 2005 @01:23PM (#14257692)
    Looks like the government is taking a cue from Bruce Schneier [slashdot.org] Glad to see that someone is listening.
  • I think this is a good move. Although I don't care much about Korea, people who have become victims should be compensated by companies who can write that crap off.
    • I would agree except when they "write that crap off" that means that all taxpayers are picking up the pieces. If they are allowed to do such a thing then they still have little/no incentive to fix the problem.


  • If they (victims) were granted pennies on the dollar for what spammers have made by utilizing Korean open relays, there'd be a lot of rich people floating about. If the Koreans (of any institution) were charged an open relay fee, they might be a bit more motivated to fix the problem. In fact, the Koreans might think twice before leaving all of those relays ready to be raped.


  • Wow, 15 minutes or so and no old people joke, so here you go:

    In Korea, only old people have their bank account information stolen.

    (And in real life old people are frequently the target of scams, because they have money and tend to be easier to fool)
  • If the banks actually beef things up, the next wave of attacks will likley be pharming, as it allows the bad guys to circumvent the bank's methods:

    http://www.wired.com/news/print/0,1294,66853,00.ht ml [wired.com]
  • English lesson? (Score:2, Interesting)

    by LordNimon ( 85072 )
    Someone needs to learn English:

    This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder.

    If you make "identity theft much harder", then obviously you will stem it. "Stem" does not mean stop, it means to "make headway against".

  • It would be nice if banks and credit card companies actually did something to prevent and prosecute the crime that directly involves them.

    Too often I read of someone getting their identity stolen or having their account run up, and the bank will reverse the transactions, issue a new card, and take no furthur action at all. Contacting the police also seems to result in no action, as they don't have the time, equipment, or mandate to follow up possibly tricky international schemes.

    I'd bank with an institutio
  • It's about time. (Score:3, Insightful)

    by signine ( 92535 ) <slashdot@@@signine...org> on Wednesday December 14, 2005 @01:51PM (#14257904) Homepage
    You can't prevent home computers from being insecure, or outright stop identity theft. The idea here is that the banks will be financially responsible if any part of the process of banking with them opens up a customer to identity theft and/or if the bank itself is fooled by the identity thieves. This seems to be perfectly reasonable to me. If you're banking online you should have every bit of confidence that the bank you're working with will not only keep the data secure on its end, but also while the data is transit to you. Ideally, they should also make it work in such a way that the data is not stored on the user's machine at all, preventing intrusion from ever being a real problem.

    Admittedly they'll never get around keystroke loggers or other such malware, but this is a good first step. Prevent what the users are able to do with a system we know is fundamentally insecure. Require various forms of authentication for requests that involve actually transferring money, at least one of which should be offline. Do not reveal information the user should already know (Credit Card numbers in full, user's SSN [or whatever the Korean equivalent is]).

    It's really not that hard, it just requires feature-happy developers to stop for a second and ask themselves "but what if someone other than the user were logged in..."
  • Finally... (Score:3, Interesting)

    by steveo777 ( 183629 ) on Wednesday December 14, 2005 @02:03PM (#14257993) Homepage Journal
    A step in the right direction. Back in college some kid was swiping credit cards from people wallets and signing up for online services (porn mostly, but some dating services too). He wouldn't keep the cards, he'd just copy the info. People's addresses were freely available from the online roster, so that was all you needed.

    Mine was swiped too, and I didn't even find out about it for about three months (had some overdrafts). Turns out this kid subscribed to some porn site that was pulling 60 bucks a month! I wasn't pleased.

    I went into the bank and all they told me was they could put the funds under investigation and it would take up to 90 days to take care of. During that time I wouldn't have my money and that it wasn't likely that anything would happen. I called the companies customer service and argued the charges for about half an hour. They said they could cancel. I threatened legal action. They said it wouldn't work. I said I could prove that I never signed up for thier services, or used them because I log my IPs, and informed them it was THEIR resposability to verify ID, not mine. This is what did it. Charges refunded, overdrafts paid (and the bank refunded them too, got 60 bucks out of the deal).

    Lately companies have been working harder at verifying ID, but they're also more adamant about not taking responsibility. Rather than the bank having responsability, I think, legally, if you can prove that it wasn't you, the store should be responsible.

    • Did you report this to the police? That was theft at the minimum. In Iowa, that would have fallen under an Identity Theft statute for prosecution.

      The bank you dealt with was following Reg E and was doing what was proper. If you didn't find out for 90 days from the first such item, you might have even been out that first amount because you didn't report it back to the bank soon enough.

      It is your responsibility as the customer to review your statement and make sure that there is no fraudulent or unauth

    • Re:Finally... (Score:3, Interesting)

      by swb ( 14022 )
      went into the bank and all they told me was they could put the funds under investigation and it would take up to 90 days to take care of. During that time I wouldn't have my money and that it wasn't likely that anything would happen.

      This is why I won't have anything to do with a Visa/MC "debit" card attached to my bank account. All the banks "promise" that they will refund your money right away, yadda yadda, but the bottom line is YOU have to wait for THEM to give you YOUR MONEY back.

      With a credit card, t
  • by OakDragon ( 885217 ) on Wednesday December 14, 2005 @02:03PM (#14257997) Journal
    ...now if the Nigerian government would just do something to get my money back from that doctor fellow!
  • Bruce Schneier has long held the position that the banks need to be held fully responsible for this sort of fraudulant activity:

    http://www.schneier.com/blog/archives/2005/12/kore a_solves_th.html [schneier.com]

    At the end of the day, the bank is entrusted with managing my funds. If my bank transfers my funds to someone else without my express approval, then the bank is at fault, no questions asked. The bank should have properly verified that I indeed wanted my funds to be released to the other party. If someone claims to b
    • From talking to people who work in the banking industry, security seems to be strictly based on cost-benefit ratio. For the bank, it is often cheaper to skip security checks. Everything is automated and they rely on the customer to detect and report any problems. They will happily accept and pay out on forged checks that wouldn't fool a five-year-old.
  • Others Responsible (Score:3, Insightful)

    by TheOtherAgentM ( 700696 ) on Wednesday December 14, 2005 @02:11PM (#14258061)
    Wouldn't it make sense to make everyone involved responsible as well then? Shouldn't the ISPs be watching what comes into their users' email boxes. Why not hold Gmail, Hotmail, etc. accountable? The reason is you can't do this. You can ask them, but when it comes down to it, it's up to the user to be aware of what is going on out there. It's not the banks' fault that we are stupid, gullible people.
  • Won't somebody please think of the banks? They're barely scraping by in these trying times as is it!
  • by Douglas Simmons ( 628988 ) on Wednesday December 14, 2005 @02:22PM (#14258141) Homepage
    I'd love to see a EULA that had a line which afforded the user legal protection instead of just the typical kind that is intended exclusively to cover their ass. I read the article and there's no mention of which software was compromised, but if it's one that offers not only the software but maintenance and updates to it, be it Redhat or MS. This article doesn't mentioned whose product/service screwed up, or if it was human error on behalf of the bank. The hackers should not be the only ones to be demonized. You run an operation like this with a hole open, someone's going to break through it. I just installed snort on a small website and now the snort hack attempt email notification fills up my box faster than spam. Hacking should be expected just as rain would if the building's construction company used a form of concrete that wasn't waterproofed.

    Imagine if you owned a ski resort operation and you just dropped twenty mil on a souped-up chair lift. As the lift company advised, you hired people to go regular examinations and keep it lubed up. Then one day the stress of a chair switching from the slow loading track to the high-speed main line caused the cable to snap, killing dozens of people, including lots of pregnant women carrying pandas. Checking the line integrity was not on the company-issued checklists of the maintainers you hired but the chair lift company said they'll have a look at it every six months to run stress tests themselves and they found a problem that seemed small enough not to bother fixing. The chairlift company, hopefully insured, ought to be the ones exposed to liability, and this Korean bank incident should be no different. The software company (assuming it's not Debian (in which case this wouldn't have happened anyway)) should be the ones absorbing the heat. That may not be the law, but it strikes me as common sense.

    • I agree it was interesting that the actual faulty software product was not named (was it the bank or Outlook displaying links wrongly). And the chair lift analogy is a good one.

      My problem is that I understand that there are solutions. Whereas with the chair lift you could add an anti-sway system, you could give bank customers an RSA key, smart card or similar. But it means users who know better than to click a link from OE will have to pay this 'Outlook Express tax' now.
  • only old banks have to compensate victims.
  • I think this is not a bad idea -- for example, if they made any bank/data aggregator/etc pay credit monitoring fees and penalties for every account holder's information lost (like say, when data tapes fall off a truck), banks might treat personal information a bit more like valuable information.

    $50 x 100,000 records lost = big slap on the corporate hands.
  • Also in Denmark (Score:3, Insightful)

    by Carewolf ( 581105 ) on Wednesday December 14, 2005 @02:33PM (#14258235) Homepage
    It has always been that way in Denmark. Any money the bank loses because they trust online transactions are completely their own responsibility.

    Why would it be any different? If the bank lets someone else withdraw your money over the net, I don't care how the hacker got the information, it is the bank that lets the wrong guy walk away with my cash.
  • Why not just... (Score:2, Interesting)

    by shiznatix ( 924851 )
    Do it the good ol' Estonian way? Estonians use online banking to pay every bill that they get, I don't know anyone that does not, but you will never hear anyone complain about fraud, why?

    Because we get a seperate card when you sign up for online banking that has 36 unique 6 digit numbers each a seperate password per-say.

    When you login, your username is another 6 digit number that you are given (but which is perminant) then you have to enter your password (which you are forced to change every month). Then if
  • insurance? (Score:4, Interesting)

    by mottie ( 807927 ) on Wednesday December 14, 2005 @03:40PM (#14258756)
    I may be wrong but I believe this is covered for every bank in Canada is it not? I had my card double swiped and my bank account emptied (along with 50,000 other people in Vancouver I believe). I had the money back in my account within 2 weeks. All money in a bank is insured, just like your creditcard is insured. What's the difference between this and a robber stealing money from a bank?
  • by thue ( 121682 ) on Wednesday December 14, 2005 @03:49PM (#14258852) Homepage
    This is how it already works in Denmark - and it works fine.

    If somebody uses your card number on the internet, and the person who withdraw from your account does/can not document that it was done with your consent, you get the money refunded. So if somebody steals your credit card number and withdraws money with it, you get your money back from the bank.

    A merchant may first withdraw the amount from your account when the object is shipped.

Whoever dies with the most toys wins.

Working...