
German Court Rules That Clients Responsible For Phishing Losses

samzenpus posted about 2 years ago | from the be-more-careful dept.

Crime 245

benfrog writes "A German court has ruled that clients, not banks, are responsible for losses in phishing scams. The German Federal Court of Justice (the country's highest civil court) ruled in the case of a German retiree who lost €5,000 ($6,608) in a bank transfer fraudulently sent to Greece. According to The Local, a German news site, the man entered 10 transaction codes into a site designed to look like his bank's web site and his bank is not liable as it specifically warned against such phishing attacks."


245 comments

Lets just hope (1, Troll)

Chrisq (894406) | about 2 years ago | (#39804381)

Let's just hope that it doesn't become European law. Actually I hope the judge loses a million

Re:Lets just hope (5, Insightful)

Sique (173459) | about 2 years ago | (#39804395)

Why? How should a bank discover the fraud, if everything is authenticated correctly?
Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?

It's always the fault of that 1% (5, Insightful)

Taco Cowboy (5327) | about 2 years ago | (#39804447)

Phishing, as we all know (at least those of us who frequent sites like /.) is a scam - and we also know that we should be responsible for our own action, however stupid it might turn out to be

But there are people who will never want to be responsible for any of their own action, and they will tell you that it's all the fault of that "1%" --- including those "banksters", and those "judge"

Re:It's always the fault of that 1% (-1, Troll)

Anonymous Coward | about 2 years ago | (#39804505)

But there are people who will never want to be responsible for any of their own action, and they will tell you that it's all the fault of that "1%" --- including those "banksters", and those "judge"

That post is as hilarious as it is hypocritical considering that "banksters" and "judges" are one of those least responsible for their own actions.

Re:It's always the fault of that 1% (0)

jaymemaurice (2024752) | about 2 years ago | (#39804637)

But there are people who will never want to be responsible for any of their own action, and they will tell you that it's all the fault of that "1%" --- including those "banksters", and those "judge"

That post is as hilarious as it is hypocritical considering that "banksters" and "judges" are one of those least responsible for their own actions.

This post is as hilarious as it is you he was talking about.

Re:It's always the fault of that 1% (4, Insightful)

ByOhTek (1181381) | about 2 years ago | (#39804819)

Not necessarily - You can take responsibility for your actions and still believe that bankers (more precisely, many investors) are not held accountable for their losses.

That "1%" has the ability to screw things up and still get huge bonuses/payments equal to what would take someone with an average salary 50-100 years to make. That is not being held responsible. Even someone who is responsible for their actions, ESPECIALLY someone who is responsible for their actions, can see that.

* note - I had no money lost in the meltdown, but at the same time, if I screw up like some of those people did, in my job, then I'd be fired on the spot, and rightfully so. Likewise, if I were dumb enough to enter my data into a fraudulent site, then it would be my responsibility to fix the issue, and rightfully so.

Re:Lets just hope (5, Interesting)

Anonymous Coward | about 2 years ago | (#39804461)

The problem with this ruling is that the customer hardly had a chance. The bank offers an authentication protocol that is vulnerable to a widespread and difficult to defend against type of attack. The bank knew that the protocol isn't secure and even warned about the vulnerability. All this despite the availability of protocols which are much more secure.

Suppose a credit card company told you to keep your credit card number secret and declined responsibility for fraudulent transactions because you once handed your credit card to a waiter. Would that be OK? If the bank offers a vulnerable protocol, it should bear the damage.

Re:Lets just hope (4, Interesting)

bickerdyke (670000) | about 2 years ago | (#39804563)

That security protocol isn't in use anymore.

The bank specifically issued a warning against exactly the type of attack the customer fell for.

That ruling is in line with the laws in place in 2008, when that happened. Laws have been changed since then.

Re:Lets just hope (0)

Anonymous Coward | about 2 years ago | (#39804617)

The attack works just the same if the customer only enters one TAN to authorize a transaction. Banks do use TANs to authorize transactions other than money transfers too. Besides, the specific warning on the bank's web site against entering multiple TANs without a transaction may not even have reached the customer, as he was redirected to a fraudulent site. In practice you can only defend against this type of vulnerability by keeping your system squeaky clean, which is hard for professionals and nigh impossible for mere users.

Re:Lets just hope (3, Informative)

Niedi (1335165) | about 2 years ago | (#39804815)

Mod Parent up, that post is spot on. In fact, the law has been changed 2009 (if I remember rightly) to shift the liability towards the bank unless the customer acts grossly negligent (grob fahrlässig). The court did NOT decide whether the customer would have been liable according to the laws in place today.
Plus many banks in Germany phased out the iTAN system in favor of SMS-codes or TAN-generators that require the debit card to operate and are only valid for the transaction that was entered to generate the TAN (amount, target account etc...).

Re:Lets just hope (2)

rtfa-troll (1340807) | about 2 years ago | (#39804639)

Why? How should a bank discover the fraud,

Answer a) is: whatever way they want. b) is: if need be, by calling the guy back on his phone number. If they are suspicious enough, by having him come into the office and sign it personally whilst being compared against a photo. By requiring him to use a hardware token. Whatever.

What my bank does is sends out an SMS which contains the sum of the transaction; the person it's being paid to and, at the end, an authorization code. As long as my phone isn't hacked they can be pretty sure that I actually authorized the transaction.

if everything is authenticated correctly?

The things were not authenticated correctly. A transaction which the guy didn't want was put through. The authentication system was inadequate for the job and there are very good reasons why people use more sophisticated ones nowadays.

What's most important is that it's the bank which chooses the authentication system. The customer cannot decide that they want to use a different one. Even changing banks often won't help. Because of this, the banks should always take the loss unless the customer acts in a clearly and openly negligent / fraudulent way. If the losses become too big then they can choose to change. If they are acceptable then they can choose a cheaper authentication system. In this case they went for the cheaper system rather than a smart card / certificate based one which would have protected the guy against his own mistake. That decision probably saved them millions of Euros; they can afford to pay out in this particular case.

Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?

This depends. If the bank provides a service where they come to your door and there was no reasonable, easy way for you to tell this wasn't a person from that service without using specialist knowledge, then yes. If, on the other hand, they don't provide such a service or they make sure that you can easily identify the service, then maybe not. They would have to do something like not carrying out the transactions you asked for if you didn't specifically verify the clerk via a phone call, so that you learn that you have to do that every time.

There are limits, but the primary responsibility should be on the bank's side and they should always have to prove that the customer did something fraudulent or negligent to avoid that.

Re:Lets just hope (3, Interesting)

ArsenneLupin (766289) | about 2 years ago | (#39804653)

Why? How should a bank discover the fraud, if everything is authenticated correctly?

Because they (possibly) enabled the fraud to take place. Quoting from the article:

According to the Süddeutsche Zeitung, the transfer occurred three months after he entered ten transaction numbers, or TAN codes, on what turned out to be an illegally manipulated version of his bank’s website.

So, how was the site manipulated? Did the attacker actually modify the bank's server? ==> In that case, bank clearly bears the responsibility, as they have a duty to keep their service secure.

Or did the attacker take advantage of a fault in the user's OS or browser. ==> in that case, at first glance, the user would be responsible to run such shoddy software where this is possible. However, in the past, and possibly even now, many banks forced/are forcing their users to use such vulnerable software. If this is the case, again the bank should be responsible. The user would be well advised to go through the "General Conditions" for the web service of the last ten years, and search for any clauses such as "the user agrees to only use Windows and/or Internet Explorer to access the service". If any are found, he should clearly get his money back.

Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?

Yes, if the bank habitually conducts its business in such a fashion.

Re:Lets just hope (0)

Anonymous Coward | about 2 years ago | (#39804689)

Or if somebody was to fake a physical branch of "Bank of " and only take deposits. Should the bank that was impersonated be responsible for the losses?

Re:Lets just hope (0)

Anonymous Coward | about 2 years ago | (#39804785)

Why? How should a bank discover the fraud, if everything is authenticated correctly?
Is a bank also responsible for your losses if a guy comes to your front door, poses as a bank clerk and you cut him a cheque?

Actually, hand him your cheque book, all cheques signed. Which is what you do when you give someone a block of TANs.

Re:Lets just hope (1)

erroneus (253617) | about 2 years ago | (#39804895)

That's kind of the thing isn't it? Authentication? The authentication systems are stupidly weak and without human involvement. For big business, let them run their banking and transactions automated and all that all day long. Let the credit reporting system be their guides. But for the little people? The working individuals? The ID fraud and all other things related are a big problem. People should be able to talk to a real person, face to face, to discuss things when there is any question about whether something is real or not. But a system that depends on magic secret numbers that "only you" can know and calling that your identity is a tremendous convenience for the banks and big business but it is at the expense of the real people who are unwillingly defrauded.

Re:Lets just hope (5, Insightful)

Anonymous Coward | about 2 years ago | (#39804405)

What? Read the article. The person who committed the act of stupidity is the person paying for it. This is the way it has to be.

If the banks paid for the stupidity of this man there'd be no incentive not to be stupid.

Re:Lets just hope (0, Insightful)

Anonymous Coward | about 2 years ago | (#39804503)

And yet if this ruling occurred in the US I'd be reading the usual trite comments about how this could only happen in America, the country where the rights of corporations and banks are put above the rights of citizens...

Re:Lets just hope (1)

Anonymous Coward | about 2 years ago | (#39804539)

His computer was infected with a trojan that made it look like it was his bank's web site. Don't call people stupid because they can't keep their Windows computer safe from infection. Even professionals can never be 100% sure not to catch a bug.

This is like selling cars "not for going faster than 10mph" and then refusing responsibility when the brakes don't work in a real world situation because the customer didn't make sure to stay within the specified use case. To tell a customer that he's responsible for financial loss which can only be prevented by avoiding all malware on a Windows system is cruel mockery, especially when the bank could prevent the problems by giving the customer a TAN generator which incorporates the transaction details in the TAN.

Re:Lets just hope (-1, Troll)

lordbeejee (732882) | about 2 years ago | (#39804615)

Than he shouldn't do his banking on a windows machine.

Re:Lets just hope (-1)

Anonymous Coward | about 2 years ago | (#39804823)

Libertarians really piss me off sometimes with their idealism of complete personal responsibility which requires complete expertise in all subject matters all the time.

Meanwhile, back in the real world: What kind of machine should he do his banking on? A Mac? Oh, wait, those have been attacked a lot recently too. Linux? For a non-sophisticated user? Really? So what, then?

Secure authentication and authorization systems exist. Very few banks use them or offer them. Why? Well, that would be money of course. My bank like most uses an alleged two factor authentication that is nothing of the sort, simply ends up being a pain in the neck, and would do little to stop actual fraud. But I'd bet it was cheaper than the other offerings they looked at. If my bank offered real security AND I didn't take advantage of it AND I lost money that using that system would have prevented, then it should be on me. Otherwise it's more complicated. Libertarians and conservatives want simple answers to complex issues and that just doesn't work.

Re:Lets just hope (3, Insightful)

philip.paradis (2580427) | about 2 years ago | (#39804619)

Banks could also require people to show up in person at a designated branch, present five different forms of identification, sign fifteen release forms, and swear a blood oath to Odin before agreeing to any transaction whatsoever.

My point is very simple: it is not the bank's fault that the client acted in a manner contrary to his own financial interest. Society as a whole operates on the principle that services are generally tailored to the majority. The majority isn't suffering from these issues. If the minority affected by these issues so desires, they're more than welcome to resume good old fashioned "drive down to the bank" methods.

What you're advocating is just another step toward a total nanny state where everyone walks around in government-mandated plastic bubbles. Have fun with that; I won't be attending your party.

Re:Lets just hope (5, Insightful)

jaymemaurice (2024752) | about 2 years ago | (#39804703)

To be fair, the banks do not allow you to opt in to security features or opt-out of security liabilities.

I'd love it if my bank would allow me to secure my checking account to restrict outgoing payments to a list of accounts/payees confirmed by the branch.
I'd love to opt in to a second factor token authentication and a 2nd bank card PIN that has a lower withdrawal limit, or a one time PIN that I can use in sketchy ATMs and POS systems.

I pay the bank dearly to protect my money and deliver service. They have had years to spend on R&D. Luckily, I have not been affected by the lack of security or insurance from my bank.

"Medallion signature guarantee" (1)

Anonymous Coward | about 2 years ago | (#39804739)

Banks could also require people to show up in person at a designated branch, present five different forms of identification, sign fifteen release forms, and swear a blood oath to Odin before agreeing to any transaction whatsoever.

That's a passable description of the Medallion signature guarantee process http://www.sec.gov/answers/sigguar.htm and unsurprisingly many banks require you to go through that to transfer your IRA out of their bank but never require it when you transfer your IRA in.

IOW, only when it benefits the banks do they require high security.

Re:Lets just hope (1)

mcavic (2007672) | about 2 years ago | (#39804887)

His computer was infected with a trojan that made it look like it was his bank's web site.

How much like it? Was it his bank's url at the top? I have actually seen one phishing site in my life that attempted to graphically overwrite the url bar, but it was a little off.

Anyway, malware or not, in this case he should have asked himself why he was entering the codes. (What is this TAN code shit anyway?)

In other cases you might have an argument, because not everyone is observational enough to realize if their bank's site has been altered, or if an ATM has had a skimmer attached.

Re:Lets just hope (2)

cmdr_tofu (826352) | about 2 years ago | (#39804621)

Shouldn't the criminal phisher be responsible? So I leave my car unlocked and someone steals it. You could say "you idiot you deserve that". Does the thief gain legal rights to my car now?
The bank is in a better position to try to reduce this type of scam. The non-security aware Joe, is really a victim who was pushed on to internet banking and then duped. Banks could require (or recommend) security awareness training for anyone who uses their sites, but afaik, they do not.

Re:Lets just hope (0)

Anonymous Coward | about 2 years ago | (#39804657)

You could say "you idiot you deserve that".

But your insurance company will. Most insurance will only pay if there is evidence of theft, damage to the locks, etc. If there is no visible damage, then the loss is your fault for not securing the vehicle.

Re:Lets just hope (1)

Chrisq (894406) | about 2 years ago | (#39804711)

You could say "you idiot you deserve that".

But your insurance company will. Most insurance will only pay if there is evidence of theft, damage to the locks, etc. If there is no visible damage, then the loss is your fault for not securing the vehicle.

I am not sure about "evidence of theft", people have had cars opened by hacking remotes, or even being loaded onto a tow truck, and claimed successfully

Re:Lets just hope (1)

asdf7890 (1518587) | about 2 years ago | (#39804693)

Shouldn't the criminal phisher be responsible? So I leave my car unlocked and someone steals it. You could say "you idiot you deserve that". Does the thief gain legal rights to my car now?

Who pays for your replacement car (or repairs to it if it is found damaged)? The owner of the car park you left it unlocked in? No, you pay either directly or via your insurance. So what happens in the case of you leaving your car door unlocked is exactly the same as the situation here - the owner pays one way or another, the cost of fixing the situation doesn't rest with some other entity. The only difference is that I'm not aware of companies selling "phishing insurance".

Banks could require (or recommend) security awareness training for anyone who uses their sites, but afaik, they do not.

They could. And it would be commercial suicide. If phishing insurance was a real thing, partaking in such an awareness course could be a way to reduce your premiums though, as you would be moving yourself into a lower risk group.

Re:Lets just hope (1)

gl4ss (559668) | about 2 years ago | (#39804827)

the phisher is responsible, I just suppose they couldn't reach him now.

If the bank had been responsible, then .. well, then you could double your money, just phish yourself.

Re:Lets just hope (1)

mcavic (2007672) | about 2 years ago | (#39804925)

Of course the phisher should be responsible, and when they track him down he will be. But good luck with that, and even then, you'll be lucky to get the money back.

I'm okay with this ruling, but .. (1)

Weezul (52464) | about 2 years ago | (#39804643)

In fact, creating an "incentive not to be stupid" is an incredibly stupid reason that almost no court would adopt.

In this case, the bank has already taken all measures the court felt "reasonable". Ain't possible to reverse international bank transfers like one reverses credit card transfers though.

It isn't that the customer was stupid, but that the customer has exhausted the bank's serious attempt at securing their money. And trust me German banks foist much more security upon their customers than American banks.

Re:Lets just hope (0)

Anonymous Coward | about 2 years ago | (#39804709)

False statement?
If a person is stupid - don't deal with him.
Create artificial barriers. Create security that clearly shows you have done your part of the job to make sure business is secure.
If the guy is stupid and can't pass through the barrier - well, it's his problem. And then it's also your problem, as you just lost a customer. But punishing the customer for your failure... I wish many people would know about this.

Re:Lets just hope (5, Insightful)

Anonymous Coward | about 2 years ago | (#39804439)

Why ?

The judge is right, there's no real viable way the bank can protect against this; even more modern protection schemes involving SMS messages still involve the end user, and if he happily provides the received code to www.illtakeyourmoneythanks.ru despite numerous warnings from the bank (I have a similar bank, they clearly try to educate their users but as always most users are rather lazy than informed), well, then there's really no way you can still blame the bank.

I know a large amount of users here are from the US and used to credit payments (as opposed to debit, which is the case here). Credit cards generally involve some (at first glance) better customer protection by laying all the risk at the seller, but debit cards almost never do this (and there's no need really).

I wouldn't go so far as to call the victim in this case an idiot, I don't know the guy, and it sounds like something that 1 in every 5 people who operate a computer would fall for at some point or another. But not following safety instructions from your bank, when they're clearly displayed EVERYWHERE, and get sent to you in both real letters and as regular email updates, well I'd say the bank tried. My bank even gives free financial and online security seminars for people who aren't sure they understand what all the fuss is about.

Re:Lets just hope (1)

gutnor (872759) | about 2 years ago | (#39804719)

Indeed if you don't follow basic safety instructions you should pay for it.
As you do if you accept to bring the "package of flu medicine" for that "nice gentleman's mum" across border control.
As you do if you don't lock your car and it gets stolen or if you "optimise" the wiring of your house and it burns down.

We are now in a time and age where computers are basically ubiquitous so we must require from people a token level of responsibility.

Re:Lets just hope (0)

Anonymous Coward | about 2 years ago | (#39804759)

No actually there is. That's the reason the IMT database exists to prevent transactions to accounts like these and why technologies like real-time transaction monitoring exist to profile your transaction habits for events like these.

Re:Lets just hope (4, Insightful)

jandersen (462034) | about 2 years ago | (#39804487)

Let's just hope that it doesn't become European law. Actually I hope the judge loses a million

I'm not sure that I agree with that. Most phishing scams are rather obvious, and people really ought to look before they jump.

What I feel is missing is that banks and others take it more seriously and clean up their practices. Like, I have on a few occasions had my bank call me about something related to security (eg. an unusual transaction) - and bizarrely, the guy calling is reluctant or even refuses to give information about why he calls or which department he calls from - which makes it feel like yet another scam, even if it is genuine.

Ideally, they should give you a call, then let you call back on a security number posted prominently on their web-site (so that it is well-known). This ought to be basic routine.

Re:Lets just hope (0)

Anonymous Coward | about 2 years ago | (#39804783)

I did work for a bank as analyst/programmer for about 2 years and believe me that, at least for that bank, the issue is taken quite seriously.
One day every programmer for the online banking department had to spend the day reading logs and going through the transactions and traces to make sure everything was okay. That's about 20 to 25 programmers/consultants and the cost of having all of us doing that far exceeded the 3000 euros that person lost.
Every newsletter, every letter that I receive from my bank (a different bank from the one I used to work for) comes with some sort of security advice to avoid phishing. That's been the case for I-forget-how-many-years.
So the issue is taken quite seriously, you may not agree with some of the methodology, and that's fair enough, but to say banks don't take the issue seriously is misleading.

Re:Lets just hope (0)

Anonymous Coward | about 2 years ago | (#39804927)

Absolutely on the dot..
Many call centers for banks call up out of the blue, telling a few details and then asking for verification.
No way I can tell if the call is from the bank. I would feel a lot safer calling the bank on a secure number.

Re:Lets just hope (1)

Richard_at_work (517087) | about 2 years ago | (#39804533)

The bank had security in place, the "victim" gave the keys to the kingdom to third parties - why should the bank take the fall for someone who is more than willing to give the criminals everything, voluntarily.

This ruling is pure common sense - if you as a customer aren't willing to take basic precautions then you need to suffer the losses.

Re:Lets just hope (1)

jaymemaurice (2024752) | about 2 years ago | (#39804831)

Did the victim give the keys to the kingdom? Or just the first door?
The bank COULD require a different/new password with telephone/SMS/in person confirmation when sending money to new payees/payment accounts.

The security model of most online banking is like having cars with locking doors but not locking ignitions... the security does not fit the way people use their banking.

Re:Lets just hope (0)

Richard_at_work (517087) | about 2 years ago | (#39804901)

What do you think the transaction authorisation numbers that he entered are supposed to be?

He gave the keys to the outer gate, the inner gate, the safe door and his daughter's chambers. Not the bank's problem.

that guy took it in the ass (-1)

Anonymous Coward | about 2 years ago | (#39804387)

from the greeks and the germans. 2 races that both like to give it in the ass. ass.

Online banking uses outdated crypto (4, Informative)

GeneralTurgidson (2464452) | about 2 years ago | (#39804393)

These sorts of cases are really hurting the customer; banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two factor solution, preferably token or certificate based.

Re:Online banking uses outdated crypto (2)

BorgDrone (64343) | about 2 years ago | (#39804413)

My bank uses a token that requires me to insert my debit card into the token, enter my PIN and type in the resulting code to log in. For transferring money I need to insert my card, enter my PIN, enter the code from the screen into the token and then type in the code from the token.

Never heard of a proper bank requiring just a password.

Re:Online banking uses outdated crypto (0)

Anonymous Coward | about 2 years ago | (#39804499)

This is the way it should be done.

Re:Online banking uses outdated crypto (0)

Anonymous Coward | about 2 years ago | (#39804697)

You're not from the US. Very, very few banks if any offer anything more than the barest of two factor authentication. Basically there's no reason for them to because the government doesn't make them and it's cheaper to pay off the people that they can't refuse to pay.

Re:Online banking uses outdated crypto (1)

zippthorne (748122) | about 2 years ago | (#39804929)

"TWO" factor?

Although the website to my bank is now more secure (it actually allows me to use password, rather than just using the old 4-digit PIN), the account still has a routing+account number that requires no cryptographic token (or even a one-time-use-with-a-limit number) to allow anyone full access to do anything with the account..

Also, it prints this routing number on the paper, "personal checks" that it issues to every checking customer.

I would love to have a bank that uses two factor authentication. As far as I can tell, the above situation is true for all banks in the US.

Re:Online banking uses outdated crypto (3, Interesting)

TheRaven64 (641858) | about 2 years ago | (#39804893)

I have a US bank account which is very much like the grandparent described. I also managed to get them to give me the login credentials over the phone knowing only my name, address, and date of birth. Security there is appalling and in any other vaguely civilised country would mean that they would be liable for pretty much anything bad that happened to my account.

In contrast, my UK bank has an authentication scheme much as you describe. Any time I pay a new person (or a large amount), I need to separately authenticate that transaction, including typing the amount into the external device that generates a single-use token from the chip on my card. The debit card from my US bank doesn't even have a chip...

Re:Online banking uses outdated crypto (1)

gnasher719 (869701) | about 2 years ago | (#39804423)

These sorts of cases are really hurting the customer; banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two factor solution, preferably token or certificate based.

Well, it hurts the bank's customer, because the bank's customer was the one who entered ten transaction codes into a fraudulent website himself. With a token based solution, you will come back screaming when a scammer convinces a customer to hand over their token.

Re:Online banking uses outdated crypto (2)

ledow (319597) | about 2 years ago | (#39804441)

Shouldn't your first thought be to change bank then? And inform them WHY you've changed bank?

Security tokens are a pain in the bum but there are banks that offer them in just about any country you want to pick.

And, how, precisely would it have stopped this attack? He typed security information (which would also include his one-time tokens) into a website that was fraudulent. There's nothing stopping them recording those tokens and typing them into the REAL account just the same and nobody would know until a) he noticed his bank account was empty or b) he tried to log in online on the proper website using the token and it wouldn't accept it.
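Niedi's and rtfa-troll's posts above describe transaction-bound TANs (a generator or SMS that ties the code to amount and payee), and ledow's question here is why such a token would have helped when the customer types whatever he is asked for into a fraudulent site. The added example below is not code from any poster or from any bank; it is a toy model with constructed secrets, TAN lists and IBAN-like placeholder strings. It contrasts an indexed TAN list, where a harvested code authorises any transfer the attacker submits to the real bank, with a transaction-bound code computed as an HMAC over a challenge plus the transfer details, which the bank will only accept for the exact amount and payee the customer saw on the device.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """The details a TAN is supposed to authorise."""
    amount_cents: int
    payee: str  # constructed, IBAN-like placeholder strings are used below


class IndexedTanBank:
    """iTAN-style list: the bank prints numbered codes; any unused code
    authorises any transfer, so the code carries no transaction data."""

    def __init__(self, tan_list):
        self.unused = dict(tan_list)  # index -> code, both constructed samples
        self.ledger = []

    def challenge(self):
        # The bank asks for the code at a specific index; nothing about
        # amount or payee is bound to that request.
        return min(self.unused)

    def transfer(self, tx, index, code):
        if self.unused.get(index) != code:
            return False
        del self.unused[index]  # each code is single-use, but not single-purpose
        self.ledger.append(tx)
        return True


class BoundTanBank:
    """chipTAN/mTAN-style: the code is an HMAC over a fresh challenge plus the
    amount and payee, so a code captured for one transfer is useless for another."""

    def __init__(self, device_secret):
        self.secret = device_secret  # shared with the customer's TAN generator
        self.next_challenge = 1
        self.open_challenges = set()
        self.ledger = []

    def challenge(self):
        ch = self.next_challenge
        self.next_challenge += 1
        self.open_challenges.add(ch)
        return ch

    @staticmethod
    def generate(secret, tx, challenge):
        # What the customer's generator (or the bank's SMS) computes. The
        # customer sees the amount and payee on the device before the code appears.
        msg = f"{challenge}|{tx.amount_cents}|{tx.payee}".encode()
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def transfer(self, tx, challenge, code):
        if challenge not in self.open_challenges:
            return False  # unknown or already-consumed challenge
        expected = self.generate(self.secret, tx, challenge)
        if not hmac.compare_digest(expected, code):
            return False
        self.open_challenges.discard(challenge)
        self.ledger.append(tx)
        return True


# Constructed transfers: what the customer meant to authorise, and what a
# phishing site submits to the real bank with the harvested code.
INTENDED = Transfer(2_500, "DE00 SAMPLE 0001")
FRAUDULENT = Transfer(500_000, "GR00 SAMPLE 9999")


def replay_against_indexed():
    """A harvested iTAN authorises a transfer the customer never saw."""
    bank = IndexedTanBank({1: "483920", 2: "117745", 3: "902311"})
    index = bank.challenge()
    harvested = "483920"  # the customer typed this into the fake site
    return bank.transfer(FRAUDULENT, index, harvested)


def replay_against_bound():
    """The same harvest against a transaction-bound TAN: the fraudulent
    transfer is rejected, the one the customer actually saw still succeeds."""
    secret = b"constructed-device-secret"  # would live in the card/device
    bank = BoundTanBank(secret)
    ch = bank.challenge()
    harvested = BoundTanBank.generate(secret, INTENDED, ch)
    fraud_ok = bank.transfer(FRAUDULENT, ch, harvested)
    intended_ok = bank.transfer(INTENDED, ch, harvested)
    return fraud_ok, intended_ok


if __name__ == "__main__":
    print("iTAN replay accepted:", replay_against_indexed())
    print("bound TAN (fraud accepted, intended accepted):", replay_against_bound())
```

The binding only helps if the customer actually reads the amount and payee the device or SMS shows before approving, which is the caveat the SMS-based posts in this thread raise: a code the customer reads back for a transfer the attacker initiated is still bound to that attacker's transfer. What the binding removes is the silent replay ledow describes, where a code harvested for one transaction is typed into the real site for a different one.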

Very true (5, Interesting)

Chrisq (894406) | about 2 years ago | (#39804443)

A key finding from the Security expert Ross Anderson is [cam.ac.uk] :

Another unexpected finding was the relationship between risk and security investment. One might expect that as US banks are liable for fraudulent transactions, they would spend more on security than British banks do; but our research showed that precisely the reverse is the case: while UK banks and building societies now use hardware security modules to manage PINs, most US banks just encrypt PINs in software. Thus we conclude that the real function of these hardware security modules is due diligence rather than security. British bankers want to be able to point to their security modules when fighting customer claims, while US bankers, who can only get the advertised security benefit from these devices, generally do not see any point in buying them. Given that the British strategy did not work - no-one has yet been able to construct systems which bear hostile examination - it is quite unclear that these devices add any real value at all.

Re:Online banking uses outdated crypto (1)

dragisha (788) | about 2 years ago | (#39804483)

In the world of ultimate surveillance, like one we are becoming (and fast) - some kind of rollback mechanism is (at least to me) most logical thing to do.

Money can be followed, to the moment when a person gets it from ATM or bank clerk. Also, it can be found later - serial numbers are there to be used and I do not doubt they are.

On the other hand, bank can make better authentication (as GeneralTurgidson implies) but also some mechanism for keeping a customer in loop. Some banks report transactions through SMS, for example. Mechanism where transaction is delayed for some time, during which customer can take action. If I don't get SMS confirmation in 3 hours, for example - call bank hotline to stop everything.

And many other things, other than - let customer pay.

Re:Online banking uses outdated crypto (1)

arth1 (260657) | about 2 years ago | (#39804801)

Some banks report transactions through SMS, for example. Mechanism where transaction is delayed for some time, during which customer can take action. If I don't get SMS confirmation in 3 hours, for example - call bank hotline to stop everything.

And many other things, other than - let customer pay.

So does the bank pay for a mobile phone plan for the customer? No? Then how is it not "let the customer pay"?

I know, you probably meant let the customer pay when being swindled. Which I think is very reasonable. If there's gross negligence on the side of the bank, they should pay for that, and if there's gross negligence on the side of the customer, they should pay for that. And if both, let the customer lose his money and fine the bank.

(And, if a customer engages in what he thinks is an illegal activity (like 419 scams), hit him for that too. These scams wouldn't be common unless people fell for their own greed and lack of respect for the laws.)

It's time that both banks and customers understand that there is a great need for customers to get better educated. They need to understand basic security and be sceptical, or if they can't, abstain from using a self-service, and instead pay for professional services.

Re:Online banking uses outdated crypto (1)

thegarbz (1787294) | about 2 years ago | (#39804511)

Your bank being a joke does not make it the norm. Certainly every bank I've dealt with uses some form of two-factor authentication, often combined with multiple identifiers. My previous bank went like this:

Login: User / Password
External Transaction: SMS an ID number to the elected phone number which is not visible nor can it be changed online.
External transaction over $1000 or to a new account: SMS + two identification questions chosen from a pool of ~10.

My current bank uses a RSA token:
Login: User / Password / Current token
Any External Transaction: Token

This practice seems to be the norm rather than the exception here both for major banks and small credit unions. Maybe it's time you look at alternative places to keep your money?

Re:Online banking uses outdated crypto (1)

Danieljury3 (1809634) | about 2 years ago | (#39804599)

I noticed recently that my bank doesn't differentiate between lower and uppercase in both the username and password fields. Found out when I decided to change some of the letters in my password to uppercase and it complained that the old and new passwords were the same.

Re:Online banking uses outdated crypto (1)

MadKeithV (102058) | about 2 years ago | (#39804669)

I've been on sites where they've told me that my chosen password was too long. Left there quickly without giving them any more details.

Re:Online banking uses outdated crypto (2)

stephanruby (542433) | about 2 years ago | (#39804667)

These sorts of cases are really hurting the customer; banks have no reason to invest in a serious authentication scheme for online banking. It's a joke, my bank uses a password and some random question about me. At the very least they need to offer a true two-factor solution, preferably token or certificate based.

I know it's customary not to read the article, but seriously, please read the article before making these kinds of assumptions. This bank actually had good 2-factor token-based security. German banks usually do. The judge made the right call in this case.

And yes, I do realize that there are lousy banks out there. I know at least one major bank in the US that has super shitty security (even worse than your bank). Thankfully, not all US banks are that bad, it's a mixed-bag really. Sometimes, the blame can be placed squarely with the bank, and sometimes, the blame can be placed squarely with the user.

In this case, the judge clearly took into account the security measures taken by the bank before issuing a verdict against the user. This is as it should be. Fraud can only be dampened down only when incompetency is penalized, regardless of its origin.

Re:Online banking uses outdated crypto (1)

sociocapitalist (2471722) | about 2 years ago | (#39804861)

This TAN code is probably a set of codes on a card that the customer is instructed to input based on [ column, row ], when they want to do something on line. I have something similar here in France. Seems this customer was fooled into putting more than one of them, along with username & password most likely, into the fake web page and the bad guys then were able to use one of them to make the transfer.

I have a business account in Hong Kong for which they've provided me a one-time token similar to SecurID, which is going to be a lot more secure unless someone physically got hold of it along with my username and password, so overall I do agree with you that banks should be using these tokens instead of the matrix cards.

Tricky (3, Insightful)

Spad (470073) | about 2 years ago | (#39804401)

I do kind of agree with this; beyond a certain point of security measures, information campaigns and automated fraud-protection mechanisms it starts getting unreasonable to expect the banks to take financial responsibility for their customers' stupidity.

Now I agree that the bar should be set very high, but at some point you have to accept that there are very stupid people out there who will do everything in their power to circumvent the things you put in place to protect them from themselves and it's not really fair that the rest of us should have to pay to bail them out (which is essentially what happens, the banks inevitably pass on the costs of fraud to their customers).

Re:Tricky (2)

rtb61 (674572) | about 2 years ago | (#39804795)

Duty of care by the bank should have warranted a check of unusual transactions. The bank was too lazy and cheap to make a single phone call to check out-of-pattern transactions, especially in the case of the most vulnerable in the community, pensioners.

The bank should have been held at least 50% liable for the fraudulent transactions.

they needed a court for that? (1)

greenfruitsalad (2008354) | about 2 years ago | (#39804411)

Why did this need a court decision? It seems pretty logical to me. Banks should be praised for providing free information about phishing attacks.

Re:they needed a court for that? (2)

Robert Zenz (1680268) | about 2 years ago | (#39804519)

Well, the U.S. is not the only ones with stupid people, we (Austrians, and Germans too) have got some seriously dumb people, too.

shitty lawyer (1)

nazsco (695026) | about 2 years ago | (#39804431)

Even though i agree with Zappa's plan to get rid of suckers...

All it would take was for the lawyer to ask one bank member to do one transaction. Most banks would require 2 keys.

One for login, another to complete the transaction.

Both with messages that the bank only asks one per session.

Re:shitty lawyer (0)

Anonymous Coward | about 2 years ago | (#39804517)

All it would take was for the lawyer to ask one bank member to do one transaction. Most banks would require 2 keys.
One for login, another to complete the transaction.

That does not help if the user happily enters both passwords on a phishing site. This is exactly what happened: The customer did not only enter his account login but also ten one-time passwords required to complete a single transaction.

There is a maximum level of customer stupidity... (4, Insightful)

gweihir (88907) | about 2 years ago | (#39804449)

... for which the bank still is liable. In this case, the customer grossly exceeded that level IMO.

However, what I am wondering is why the Greek bank (that could not identify where the money had gone to) is not liable. That is the real problem I see here. AFAIK, a bank has to be able to cancel a transfer up to 6 weeks after the transfer at the sending bank's request. So either the customer not only gave away 10 TANs despite being warned, he also failed to notice the transfer for quite some time, or something else is amiss here that the news story does not tell.

Re:There is a maximum level of customer stupidity. (1)

Anonymous Coward | about 2 years ago | (#39804633)

A bank is not required to be able to cancel money transfers, not for 6 weeks, not even for one day. That requirement only applies to debit transactions.

Re:There is a maximum level of customer stupidity. (1)

gweihir (88907) | about 2 years ago | (#39804919)

Despite you being an AC, I will answer that: This is a European case, the laws are different here.

Re:There is a maximum level of customer stupidity. (0)

Anonymous Coward | about 2 years ago | (#39804939)

They are as I described them. I am German.

Re:There is a maximum level of customer stupidity. (0)

Anonymous Coward | about 2 years ago | (#39804793)

How do you cancel a cash withdrawal?

What happens a lot is that financial criminals seek out greedy adolescents/young adults and ask them to "borrow" their bank account under some sort of pretext, for a small reward. On this bank account a deposit is made (usually the result of some scam, like this one), and that deposit is withdrawn in cash straight away, normally via an ATM. The debit card is then handed back to the unsuspecting (naive) owner of the bank account. Two weeks later the police knocks on the door. But by then the true criminals have gone, leaving only a dead end trail behind.

Re:There is a maximum level of customer stupidity. (1)

gweihir (88907) | about 2 years ago | (#39804951)

Despite you being an AC, I will answer that:

Cash withdrawals that exceed the booked balance (i.e. plus 6 weeks in the case of a bank transfer) plus the credit limit are not possible or at the risk of the bank. Remember though that this is Europe, in the States this is likely very much different. I admit that my knowledge of this is a few years old. It is possible that they have changed some things.

As to your scenario: That is easy. The idiot that gave away their bank card gets full liability. Same as for the "finance agents" that pass bank transfers onwards via Western Union and the like. The funky thing in this case is that the Greek bank seems to have been unable to identify who the money was paid to.

So what (1)

cygtoad (619016) | about 2 years ago | (#39804469)

Seriously, I don't entirely disagree with this ruling. Why should the bank pay for losses from these phishing scams? It is not like there was a breach of their systems. The breach was entirely on the client side. Am I missing something here?
I expect my bank will do what it can to protect me from scams, but they can't protect me from every stupid way I might be duped.

Just my two cents (5, Informative)

timerider (14785) | about 2 years ago | (#39804471)

since no one here seems to bother to actually find out what was going on:

German banks do use a two-factor authentication scheme:
- to log in you need your account number and a five-digit PIN
- to authorize a transaction after logging in, you need one out of 100 one-time-use 4-digit PINs; the bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter PIN number 17").

In this particular case the victim had:
- fallen for a phishing website / trojan / keylogger, even after all the warnings in the German IT press (how else would the crooks get his account number and super-PIN)
- entered at least ten different PINs on one page, which the banks specifically tell customers to NEVER do. All the bank pages have big fat "We NEVER ask you for more than one PIN" warning labels.

In other news: man drank nitroglycerine then went to jump around on a trampoline, widow sues maker of nitroglycerine.

Re:Just my two cents (0)

Anonymous Coward | about 2 years ago | (#39804495)

Nitroglycerine is poisonous. If ingested in quantities sufficient for drinking, one would be able to crawl, at most, not jump around.

Re:Just my two cents (1)

Anonymous Coward | about 2 years ago | (#39804535)

german banks do use a two factor authentication scheme: - to log in you need your account number and a five digit pin - to authorize a transaction after logging in, you need one out of 100 one-time-use 4 digit pins; The bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter pin number 17").

While I agree with your general point, what you're describing might be the minimum requirements; for example, at ING-DiBa [ing-diba.de] :
- to log in you need your account number + an 'ID' number at least 7 digits long + a virtual keyboard-input 6-digit PIN
- to authorize a transaction, you need a 6-digit m-TAN sent by SMS

In short, you can often find a bank paying more attention to security...

Re:Just my two cents (1)

Golden_Rider (137548) | about 2 years ago | (#39804777)

german banks do use a two factor authentication scheme:
- to log in you need your account number and a five digit pin
- to authorize a transaction after logging in, you need one out of 100 one-time-use 4 digit pins; The bank issues you 100 of those at a time, and then chooses one of them randomly when you enter a transaction ("Please enter pin number 17").

While I agree with your general point, what you're describing might be the minimum requirements; for example, at ING-DiBa [ing-diba.de] :
- to log in you need your account number + an 'ID' number at least 7 digits long + a virtual keyboard-input 6-digit PIN
- to authorize a transaction, you need a 6-digit m-TAN sent by SMS
In short, you can often find a bank paying more attention to security...

My (German) bank recently switched to a smart TAN system with a card reader. To authorize any transaction, you need to insert your debit card into the reader and then have the reader pick up some flashing bar code transmission from your screen. You then can verify the transaction on the display of the reader (amount, account number, etc.) and if everything is correct, you then use the TAN the card reader generated to authorize the transaction on your computer. So if anybody wants to transfer some money from your account, he would need a.) the password to log onto the banking website b.) your debit card and c.) your specific card reader (every bank account is linked to one specific card reader). The whole thing looks similar to this: https://www.volksbank-forchheim.com/files/smarttan_leser_klein.jpg [volksbank-forchheim.com]
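The property that makes the reader-based scheme above resist the attack in TFA is that the TAN is bound to the transaction the customer sees on the reader's display. The following is an added example written for this thread, not the poster's or any bank's code: the real chipTAN derivation runs on the chip card with EMV-style keys, and here the card secret is modelled as an HMAC-SHA256 key shared with the bank (an assumption made so the example is self-contained). The IBANs and the key are constructed demo values. It shows an honest transfer, a transfer whose recipient was swapped by malware on the PC after the reader displayed the original, and a replay of an already-used TAN.

```python
"""Transaction-bound TAN in the style of a chipTAN / Sm@rt-TAN reader (added example)."""
import hmac
import hashlib
from dataclasses import dataclass

TAN_DIGITS = 6


@dataclass(frozen=True)
class Transfer:
    iban: str
    amount_cents: int

    def canonical(self) -> bytes:
        """Fixed encoding so card and bank hash exactly the same bytes."""
        return f"{self.iban.replace(' ', '').upper()}|{self.amount_cents}".encode()


def derive_tan(key: bytes, transfer: Transfer, counter: int) -> str:
    """TAN = truncated MAC over recipient, amount and the card's counter.
    HMAC-SHA256 is a stand-in for the card's real algorithm (assumption)."""
    msg = transfer.canonical() + b"|" + counter.to_bytes(4, "big")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** TAN_DIGITS:0{TAN_DIGITS}d}"


class CardReader:
    """Customer side. The card holds the key; the PC never sees it."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self.counter = 0          # monotonic, like the card's transaction counter

    def display(self, transfer: Transfer) -> str:
        """What the customer must compare with the transfer they intended."""
        return f"IBAN {transfer.iban}  amount {transfer.amount_cents / 100:.2f}"

    def confirm(self, transfer: Transfer):
        """Customer pressed OK after checking the display: issue (counter, TAN)."""
        self.counter += 1
        return self.counter, derive_tan(self._key, transfer, self.counter)


class Bank:
    """Bank side: verifies the TAN against the transfer it actually received."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self.last_counter = 0

    def execute(self, transfer: Transfer, counter: int, tan: str) -> bool:
        if counter <= self.last_counter:
            return False                       # replayed or stale counter
        expected = derive_tan(self._key, transfer, counter)
        if not hmac.compare_digest(expected, tan):
            return False                       # TAN was made for a different transfer
        self.last_counter = counter
        return True


def scenario():
    """Honest transfer, malware-altered recipient, replay. Returns the three outcomes."""
    key = b"\x01" * 32                          # constructed demo key, not a real one
    reader, bank = CardReader(key), Bank(key)

    # Constructed example IBANs, not real accounts.
    intended = Transfer("DE89 3704 0044 0532 0130 00", 500_000)   # 5000.00 EUR
    counter, tan = reader.confirm(intended)      # customer checked reader.display(intended)
    honest = bank.execute(intended, counter, tan)

    # Malware on the PC swaps the recipient in what it sends to the bank. The reader
    # still showed `intended`, so the TAN the customer typed does not cover `diverted`.
    diverted = Transfer("GR16 0110 1250 0000 0001 2300 695", 500_000)
    counter, tan = reader.confirm(intended)
    hijacked = bank.execute(diverted, counter, tan)

    # Replaying a previously accepted (counter, TAN) pair for the same transfer.
    counter, tan = reader.confirm(intended)
    bank.execute(intended, counter, tan)
    replayed = bank.execute(intended, counter, tan)
    return honest, hijacked, replayed


if __name__ == "__main__":
    print(dict(zip(("honest", "hijacked", "replayed"), scenario())))
```

The check the customer performs on the reader's display is the whole point: a phishing page can still harvest the login password, but a TAN it tricks the customer into generating only authorises the recipient and amount the reader showed, and only once.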

Re:Just my two cents (0)

Anonymous Coward | about 2 years ago | (#39804593)

That may be how your bank does it, but certainly isn't how all German banks do it.
My bank account number is unrelated to my login account number, the password is set by me with a minimal length of 6 iirc and transactions require the SmartTan-Plus reader or m-TAN.

Re:Just my two cents (1)

sociocapitalist (2471722) | about 2 years ago | (#39804869)

You are accurate but a one time physical token (ie SecureID) would still be safer for the customer. The bank SHOULD be using these (my bank does) and as they are not then arguably they are to some degree or another responsible.

Bi-directional authentication (4, Interesting)

PSVMOrnot (885854) | about 2 years ago | (#39804521)

It has irked me for quite a while how lacking internet banking is in terms of security. That is not to say that the measures they have implemented are ineffective, but rather that they miss out on entire classes of security. It's as though they stick a bunch of locks on the front door, but leave the bathroom window wide open.

The most obvious one: bi-directional authentication. Banks require you to prove you are who you say you are. This is done by a variety of methods from passwords to hardware card reading gizmos which spew out a limited time code. What they neglect to do is prove that they are who they say they are.

If the first step in authenticating your identity was one which authenticated the bank's then it would be a lot harder for phishers to pretend to be your bank.

Re:Bi-directional authentication (0)

Anonymous Coward | about 2 years ago | (#39804555)

What about SSL certificates and browsers warning you when these are forged?

They do what they can (3, Interesting)

Sycraft-fu (314770) | about 2 years ago | (#39804663)

My bank authenticates itself in two ways:

1) Using an Extended Validation certificate, so it shows up in green in the browser (instead of blue) and lists the full name of the bank.

2) By showing me an image and phrase I chose on the login page.

I can't really think of how they can do more to prove it is them, without really getting annoying. They also allow me to use two factor authentication (which I have elected to use) and require it when any change is being made to the account like adding a payee or the like.

Is it perfect? No but I'm not seeing a whole lot more they can do and still keep things easy.

Re:They do what they can (0)

Anonymous Coward | about 2 years ago | (#39804863)

The browser could help with this. If somebody compromises an EV cert signing key, he can impersonate your bank. Your browser should tell you that the certificate is valid, but not the one that was last used.

Even better would be if the bank gave you its certificate's fingerprint when you sign up for an account (in person or by mail) and you entered that fingerprint into the browser for the bank's domain and the browser warned if the presented certificate did not match.
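Both proposals in the two comments above (warn when a valid certificate is not the one last seen, and enrol a fingerprint the bank handed over out of band) come down to a small pin store in the client. The code below is an added example written for this thread, not code from any browser or bank. The certificate bytes are constructed stand-ins for DER-encoded certificates, and the chain-validation verdict is passed in because that part is what the browser already does today; the host name and the outcome labels are this example's own.

```python
"""Certificate fingerprint pinning with first-use memory (added example)."""
import hashlib
import hmac


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, lower-case hex with no separators."""
    return hashlib.sha256(der_cert).hexdigest()


def normalise(printed: str) -> str:
    """Accept the colon-separated upper-case form a bank letter would print."""
    return printed.replace(":", "").replace(" ", "").strip().lower()


class PinStore:
    OK, FIRST_USE, CHANGED, INVALID = "pinned-ok", "first-use", "changed", "invalid"

    def __init__(self):
        self._pins = {}                 # host -> set of acceptable fingerprints

    def enrol(self, host: str, printed_fingerprint: str):
        """Customer types in the fingerprint the bank gave them out of band."""
        self._pins.setdefault(host, set()).add(normalise(printed_fingerprint))

    def check(self, host: str, der_cert: bytes, chain_valid: bool) -> str:
        if not chain_valid:
            return self.INVALID          # ordinary PKI failure, handled as today
        fp = fingerprint(der_cert)
        pins = self._pins.get(host)
        if not pins:
            self._pins[host] = {fp}      # trust on first use: remember what we saw
            return self.FIRST_USE
        if any(hmac.compare_digest(fp, p) for p in pins):
            return self.OK
        return self.CHANGED              # valid per the CA system, but not what we knew


def scenario():
    """Walk through first use, a repeat visit, a mis-issued cert, and a renewal."""
    # Constructed placeholders for DER certificates; any bytes work for the hash.
    bank_cert = b"CONSTRUCTED-DER-bank.example-2012"
    renewed_cert = b"CONSTRUCTED-DER-bank.example-2013"
    rogue_cert = b"CONSTRUCTED-DER-mis-issued-for-bank.example"
    store = PinStore()
    results = [
        store.check("bank.example", bank_cert, chain_valid=True),    # first-use
        store.check("bank.example", bank_cert, chain_valid=True),    # pinned-ok
        store.check("bank.example", rogue_cert, chain_valid=True),   # changed: valid but unknown
        store.check("bank.example", rogue_cert, chain_valid=False),  # invalid: plain PKI failure
    ]
    # The bank's letter lists the renewed certificate's fingerprint; enrolling it
    # ahead of the rotation keeps the renewal from looking like an attack.
    printed = ":".join(fingerprint(renewed_cert)[i:i + 2] for i in range(0, 64, 2)).upper()
    store.enrol("bank.example", printed)
    results.append(store.check("bank.example", renewed_cert, chain_valid=True))  # pinned-ok
    return results


if __name__ == "__main__":
    for outcome in scenario():
        print(outcome)
```

The renewal step is the practical caveat to leaf pinning: every legitimate certificate rotation produces the same "changed" verdict as a mis-issued certificate unless the new pin is distributed ahead of time, which is why deployed pinning schemes usually pin a CA or the public key rather than the leaf, and carry more than one pin.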

Re:Bi-directional authentication (0)

Anonymous Coward | about 2 years ago | (#39804781)

Well, you can get bidirectional authentication with HBCI, but this expects the customer to purchase a decent card reader.
HBCI gives you a nice PKI system, and authenticates in all directions.
Those who still use PIN/TAN systems deserve to be ripped off.

Some clarifications (5, Informative)

bickerdyke (670000) | about 2 years ago | (#39804541)

#1: This happened in 2008. Since October 2009, there is new legislation in place that shifts liability to the bank (except in cases of gross negligence on the side of the customer). It's the banks that save money by offering online banking instead of traditional counters, so they are responsible for making that process secure.

#2: There is not a single bank anymore that uses plain one-time transaction codes.

#3: A few months ago another German court ruled that it's enough for a customer to have up-to-date virus software for due diligence. That's all a bank can expect from customers with typical, average computer knowledge.

#4. On the other hand (and that's what's the actual rationale behind this story here), a bank can expect customers to understand and remember a security advice along the lines of "We will never ask you for more than one transaction code in a row and we will never ask you for a transaction code at all unless you want to make a transaction in the first place"

So there is not much relevance to this story.

Re:Some clarifications (0)

Richard_at_work (517087) | about 2 years ago | (#39804611)

Nice to know people can be as stupid as they possibly could be, and still be protected from their losses under law.

How was what the person in this story did not "gross negligence"?

Re:Some clarifications (1)

bickerdyke (670000) | about 2 years ago | (#39804629)

He ignored the banks security warnings, and that's why _he_ is responsible for his losses.

Nothing to see here. please move on.

Stupidity still isn't protected by the law.

Re:Some clarifications (0)

Anonymous Coward | about 2 years ago | (#39804677)

#2: There is not a single bank anymore that uses plain one-time transaction codes.

Can someone knowledgeable in cryptography explain why a "one-time pad" system isn't a good solution security-wise for online banking? (I get that a code generator gadget that most use today is more practical for the user)

Re:Some clarifications (1)

zAPPzAPP (1207370) | about 2 years ago | (#39804859)

The difference as I see it is, that before, as in this case, a whole number of one time codes (called TAN) was issued to a customer at once.
Any one of these TANs (by free choice of the customer) would be enough to permit a single transaction. After that it would be 'used up'.

Nowadays, the banks (that I know of) still issue a lot of TANs to their customers. But when an order needs to be authorized, they now ask for a specific TAN.
As in "give us TAN number 42". Any other TAN, even though not used yet, won't do.

Re:Some clarifications (1)

sociocapitalist (2471722) | about 2 years ago | (#39804885)

I find it easy enough to imagine someone who is not an expert in computers going to the wrong web page (i.e. a typo in the bank name, www.banksrsu.com instead of www.banksrus.com) and being faced with username, login and ONE code entry... which doesn't work, and so the page reloads and they're asked for ANOTHER code entry. Granted most people would give up after trying a few times, but nonetheless it's trivial to get a minimum of three or four codes + username and password information.

I have a card from one of my banks where there are eight columns and six rows giving 48 codes which the bad guys now have three or four of. If they are persistent or lucky they might just be able to initiate a wire transfer out of my account (I have no idea if the bank locks the account after several bad code entries but I suspect not as they assume valid username & password).

One time tokens (ie securID) should be required for ALL bank accounts for any and all online transactions.
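Three comments above describe the same mechanism from different angles: timerider's description of the 100-code list with the bank naming the index, zAPPzAPP's contrast between "any unused TAN" and "TAN number 42", and sociocapitalist's question of how many harvested codes a phisher needs. The simulation below is an added example written for this thread, not code from any bank or from the posters. It models both schemes with the list size and code length taken from the thread (100 four-digit codes), and simulates a phisher who has harvested k codes together with their indices (a fake page asking for "TAN 17" learns the pair). The lockout after three wrong TANs is this example's assumption, added because the thread asks whether banks lock the account, not a documented bank policy.

```python
"""Classic TAN list vs. indexed TAN (iTAN): how much does naming the index buy? (added example)"""
import random
import secrets

TAN_LIST_SIZE = 100
TAN_DIGITS = 4
MAX_FAILURES = 3          # assumption for the example, not a documented bank rule


def issue_tan_list(size=TAN_LIST_SIZE, digits=TAN_DIGITS):
    """Bank side: a list of distinct one-time codes, drawn with a CSPRNG."""
    tans, seen = [], set()
    while len(tans) < size:
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if code not in seen:
            seen.add(code)
            tans.append(code)
    return tans


class ClassicTanAccount:
    """Any code on the list that has not been used yet authorises a transfer."""

    def __init__(self, tans):
        self.unused = set(tans)

    def authorise(self, tan):
        if tan in self.unused:
            self.unused.discard(tan)      # one-time: burn it
            return True
        return False


class IndexedTanAccount:
    """The bank picks the index; only that code authorises this transfer."""

    def __init__(self, tans, rng=None):
        self.tans = list(tans)
        self.used = set()
        self.rng = rng or secrets.SystemRandom()
        self.challenge = None
        self.failures = 0

    def start_transaction(self):
        """Return the 1-based index the customer has to look up on the letter."""
        if self.failures >= MAX_FAILURES:
            raise PermissionError("TAN entry locked after repeated failures")
        available = [i for i in range(len(self.tans)) if i not in self.used]
        self.challenge = self.rng.choice(available)
        return self.challenge + 1

    def authorise(self, tan):
        ok = self.challenge is not None and tan == self.tans[self.challenge]
        if ok:
            self.used.add(self.challenge)
            self.failures = 0
        else:
            self.failures += 1
        self.challenge = None              # a challenge is consumed either way
        return ok


def phisher_success(scheme, captured, trials=2000, seed=1):
    """Fraction of trials in which a phisher holding `captured` codes gets one
    transfer through. Seeded PRNG for the attacker so the run is repeatable."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        tans = issue_tan_list()
        if scheme == "classic":
            stolen = rng.sample(tans, captured)
            acct = ClassicTanAccount(tans)
            if stolen and acct.authorise(stolen[0]):
                wins += 1
        elif scheme == "indexed":
            stolen = {i: tans[i] for i in rng.sample(range(len(tans)), captured)}
            acct = IndexedTanAccount(tans, rng)
            idx = acct.start_transaction() - 1
            if idx in stolen and acct.authorise(stolen[idx]):
                wins += 1
        else:
            raise ValueError(scheme)
    return wins / trials


if __name__ == "__main__":
    for k in (1, 4, 10):
        print(f"{k:3d} codes stolen: classic {phisher_success('classic', k):.2f}, "
              f"indexed {phisher_success('indexed', k):.2f}")
```

With the classic list one harvested code is a guaranteed transfer; with indexed TANs the phisher's chance per attempt is k/100, and repeated attempts run into the failure counter. It also shows why ten codes handed to a fake page, as in TFA, is fatal under either scheme once the attacker can keep asking the bank for new indices: the only defence left is the customer refusing to type more than one.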

German courts (1)

ffflala (793437) | about 2 years ago | (#39804569)

The German judicial branch's approach is often a fascinating contrast to that of US state and federal courts. Germany has specialized highest courts for specific subject matters: tax, admin, labor, social, constitutional... and the high court in TFA.

As an example: the Bundesverfassungsgericht (the highest German conlaw court, not the highest "ordinary" court in TFA) decreed it unconstitutional to publicly print (or run big news stories about) the names of notorious, convicted criminals, once the criminals have completed their sentences and have been released. The idea is that imprisonment is supposed to be such a thing that, once a person is released, they have actually been rehabilitated to the point where they can once again function in society without posing a threat to the well-being of others.

Given the depth of the cultural grab of the US first amendment --freedom of speech, baby!-- the thought that one shouldn't be able to print the names of convicted criminals in news media probably sets off all sorts of knee-jerk 1st amendment concerns. But given the realities of prison, enforcing the prison goals of rehabilitation and public safety over raw punishment seems to me a wise approach that I wish the US would adopt. But over here, such a concept probably sounds like something that would be characterized as deplorable, pollyannish weak liberal democrat thinking.

I've read a handful of English translations of the decisions of the Constitutional Court/Bundesverfassungsgericht (the German conlaw court, not the "ordinary" court in TFA). Last time I checked, most of the text of the most useful read I found is here: http://goo.gl/dlwi9 [goo.gl]

in person banking (0)

Anonymous Coward | about 2 years ago | (#39804665)

is it really that fucking inconvenient to do your banking *in person* and to not set up online banking access at all?

for generations before internet banking took off.. it was how things were done. and it worked. and still does.

it ain't hard.

Re:in person banking (2)

ledow (319597) | about 2 years ago | (#39804807)

Try it in some countries.

Some banks barely have counters any more, and my last bank had one serving member of staff for a whole branch (imagine lunchtimes, where all the local businesses come in to put their cash in, or end-of-the-day queues).

Sure, there are funny machines you can do it on, but not if you're a business, not if you're paying cash, not if the Moon is in the seventh quadrant...

And guess what, the queue forms for the cashier because THEY NEED THE CASHIER, because their concerns cannot be met online or by a machine (mainly because the banks stop you doing anything but giving them money by those processes).

You can book an appointment days in advance if you want, so long as it's not at the weekend, or outside normal business hours, and speak to a human for about 10 minutes. Who will then log into the bank's private computer system and do what you need. But if you don't book and you wait in the queue, chances are it'll take hours for a real human to come see you because a) there's one cashier and b) everyone else booked appointments.

Literally, in 2001, my bank had three counter staff, one milling around in the public area to answer questions, and managers were available by appointment or on request. By 2006, there was one single counter staff and NOBODY else except if you kicked up a fuss (like I was forced to several times). I stopped going into banks shortly afterwards. And was it only this bank? No. All three banks in the same town, all large branches of major UK highstreet banks, barely had people visible. Those that were were there to tell you how to use the machines in the branch (which couldn't do 90% of things people use a bank for).

That's *why* online banks took off. If your bank is entirely online (which a few banks are now), then you can do EVERYTHING yourself at your convenience 24 hours a day. Even closing the damn account, which can take HOURS in person.

It used to work. Then the banks realised they could save on people's pensions, so they removed all the staff and went online (some to the extent that they only trade online). Want to speak to a human? Either make an enormous fuss or (nowadays) tell them you'll be applying for a mortgage (they'll fall over themselves to give you an appointment, and then you can discuss their stupid fees for going overdrawn only because they charged you other fees instead).

I'm a little confused here. (2)

Tastecicles (1153671) | about 2 years ago | (#39804699)

From some of the comments I've read, the banks are responsible for the stupidity of individuals? Am I reading that correctly?

That it falls to a court to decide that in fact the opposite is true, and that just maybe for one tiny moment common sense kicks in and the court says "Actually, you did a dumb thing, despite the warnings all over your account literature, newspapers and broadcast media, now eat the consequences of your ill-considered actions", and the bandwagon collapses under the weight of people who bleat as one "But it's all the banks' fault! They can eat the losses!" Maybe they can, but then if one pensioner does it, and the bank eats it, how many more before it becomes too many and "too big to fail" actually... fails?

Unbefuckinglievable.

I'm with the court on this one. Idiot did idiot thing, idiot can reap the consequences.

Re:I'm a little confused here. (4, Informative)

Anonymous Coward | about 2 years ago | (#39804817)

"the banks are responsible for the stupidity of individuals"

No, the banks are responsible for their lack of transaction security.

Re:I'm a little confused here. (0)

Anonymous Coward | about 2 years ago | (#39804897)

Banks are responsible for transactions they perform. If they give some money away to someone pretending to be a customer, that's their problem: they know exactly how stupid their customers are, and how likely their secrets are to be compromised, and they still chose to use an inadequate system for identity verification.

Maybe this means that we can't have internet banking, except for people who prove they can follow basic security practices.

Makes sense in the German context (2)

Hans Adler (2446464) | about 2 years ago | (#39804961)

(I just lost a longer response because I followed the Options link from the preview, not knowing that if I change my options it will nuke my comment.)

First you should keep in mind that the banks love internet banking because it saves them a lot of money. And from a purely formal point of view the fraud started with the bank transferring money abroad in the mistaken belief that their customer asked them to do that. As he didn't, he can ask for his money back *unless* they can prove it was really his fault.

If you look at it with the logic of fairness and efficiency, rather than the logic of individualism, then the situation is as follows:

To minimise the fraud, the damage must be shouldered by whoever is in the best position to prevent it. (If the ultimate victim can't do anything to prevent the fraud, and those who are in a position to increase security have no incentive to prevent it, then we have a problem.) If the fraud is possible due to the customer's recklessness, then the customer should pay. If it could have happened to almost every customer, then it's outside the customer's control and the banks should pay. In borderline cases it is more efficient if the banks pay as well: If they are losing too much money to fraud they can improve security to reduce it, or they can raise their fees, acting in effect as a very cheap and efficient insurance company for their customers if you believe that the customers should be liable.

That's why the considerations in the decision were somewhat analogous to those in an insurance case.
