OT: Re: User negligence?

David Schwartz davids at webmaster.com
Sun Jul 27 08:25:24 UTC 2003




> I think there is confusion here.

> The banks are making the claim that, if you, the user, have an infected PC
> that is compromised by an 3lit3 h4x0r, and your password to your bank
> account is compromised, then the bank is not responsible.

> That is what you are saying, Sean?

	While the bank holds your money, it is responsible for its safety. This
includes making sure the money is only released to you or to those you
authorize. If an act of theft or fraud causes the bank to release that money
without your authorization, the bank can certainly be held responsible. This
is why they hold checks and even, from time to time, call people up to
confirm suspicious transactions. Generally banks have a blanket bond to
cover theft/fraud losses and this protection extends to their customers.

	I don't think it would be that difficult to show that there are significant
security flaws in the online banking system that the user is neither
responsible for nor capable of correcting. You could get a dozen security
experts to testify that a static password is not sufficient to protect a
system that can perform unretrievable funds transfers. If that's all the
bank's online scheme provides, this may negate the argument that the user's
negligence was the sole/primary cause of the loss.

	In most states, you have additional protections under state law.

	DS




