There's an interesting article at ComputerWorld. A Texas banking customer lost $800k to some bad guys in Romania and Italy due to what they claim is insufficient online banking security.
The bank, PlainsCapital, counter-sued, claiming that "someone" used valid "credentials" and therefore it is not the bank's fault.
The bank is asking the court to rule that their security is "reasonably secure." So, what does "reasonably" secure mean? I see in the article they also refer to "commercially reasonable."
This case and another, Shames-Yeakel vs. Citizens Bank, will test online banking security standards in both the commercial and consumer banking industries.
If PlainsCapital loses this case, it will change commercial online banking forever. On the consumer side, the same holds true with the Shames-Yeakel case, which is centered around whether entering a username and password provides a secure online banking environment.
There is a safe way to two-factor-authenticate an online banking session. Think ATMs. What is required in order for you to obtain $200.00 in cash from one? You need your card, your PIN and an ATM. Our PCI 2.0 Certified PIN Entry Device serves as a HomeATM. Swipe your card, enter your PIN. Voilà! The user is instantly authenticated, using existing bank rails. I'm sure I've mentioned that any bank using our device to authenticate online banking sessions would also virtually eliminate any and all threats posed by phishing, as there would no longer be anything to phish phor (e.g., usernames, passwords, mother's maiden name, etc.).
Bank sues victim of $800,000 cybertheft
In twist, Texas bank sues business customer, claiming cybertheft not its fault
Computerworld - A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.
The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.
In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.
Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures.
PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." In its complaint, the bank noted that it had made every effort to recover the stolen money.
The bank sought to absolve itself from blame in the heist by stating that the unauthorized wire transfer orders had been placed by someone using valid Internet banking credentials belonging to Hillary Machinery. "PlainsCapital accepted the wire transfer orders in good faith" and had therefore not breached any of its agreements with Hillary, the bank said in its complaint.
The complaint itself is somewhat unusual in that it doesn't seek anything specific from Hillary. Rather, all it asks is for the court to certify that its systems are reasonably secure.
In an interview with Computerworld today, Troy Owen, Hillary's vice president of marketing, disputed the bank's claims. Owen insisted that it was the bank's failure to implement strong authentication and fraud-detection measures that had enabled the theft.
"The bank is doing what their attorneys are telling them to do, which is to deny everything," Owen said. "They obviously can't just come out and say they know their systems are insecure, so they are trying to bully us with a lawsuit."...