Free Republic
Customer vs. Bank of America: Who's to blame?
SearchSecurity.com ^ | February 25, 2005 | Donald Smith

Posted on 03/09/2005 7:49:36 AM PST by snowsislander

Who will win a landmark case on customer data protection?

Who decides whether a business is responsible for your data, or if you yourself are? Now it may be a judge and jury.

According to a report in The Register, Joe Lopez, a small businessman from Florida, alleges that Bank of America was negligent because it failed to protect his account from compromise through known risks. He regularly used the bank's online services to send and receive money from the U.S. and Latin America, but last April he discovered an unauthorized wire transfer for $90,348 sent to a bank in Latvia. When he became aware of the fraud, he notified the police, and when the Secret Service performed a forensic examination of his PCs, they uncovered an infection by a Trojan called Coreflood.

According to the accounts, Lopez's legal case is that Bank of America did not inform its customers of the risk posed by Coreflood, even though they knew it posed a risk. He goes on to allege several other charges, including negligence and intentional misrepresentation. He is bringing the lawsuit to reclaim his stolen money, plus lost interest.

In the same report, Bank of America denied a breach of its e-banking system, and denies responsibility for its customer's losses.

What makes this particular case stand out more than any other? This appears to be the first time cybercrime is the basis of such a lawsuit. As tensions build in the political arena concerning information security, privacy of data and a company's responsibility to secure its customers' data, this case has the ability to define the lines of responsibility. When a customer has a direct loss because his information was used for fraud, is the customer responsible for the theft, or is the bank responsible for accepting fraudulent ID, in the same way they would for cashing a check with a fake driver's license?

Bank of America released funds for a wire transfer from its e-banking system, and that wire was not authorized by its customer. On the surface, it would appear that Bank of America is the responsible party; however, I believe that either party could be found guilty, and that the verdict will depend on the technical competence of the judge and jury. In my opinion, the more technically savvy they are, the less likely it is that Lopez will win his case.

Lopez's case is based on Bank of America's failure to inform its customers of the dangers involved with Coreflood, a Trojan designed primarily for denial-of-service attacks, which functions by listening to a predetermined IRC channel for commands. This "open ear" allows a backdoor into an infected system. My hypothesis is that a hacker used that opening to install a keystroke logger, and then hit the jackpot when Lopez accessed his bank account online.

Lopez's assertions that Bank of America was responsible to notify him of the dangers of Coreflood are simply ludicrous. As a business owner, Lopez is responsible for the operations of his IS structure, including the ongoing maintenance of antivirus software for the protection of his systems and logical assets. Part of that responsibility is keeping antivirus definitions up to date, and regularly scanning the systems for malicious code.

I have to conclude that Lopez had not maintained his systems in a commercially reasonable manner, because even had he been running 6-month-old virus definitions at the time of the breach, the virus would have been detected. Symantec (Norton Anti-Virus) has had a scanning definition for this virus since December 2002. McAfee has had a scanning definition since May 2003. Sophos (in its products in December that year) and Kaspersky Labs have had scanning definitions since October 2003. Even if Lopez had been running Sophos, the company that was last to come on board with a Coreflood virus description, his virus definitions would have had to be more than 6 months old.

Is Bank of America responsible for the illegitimate wire that was sent from Lopez's account? They say that their e-banking system was not compromised. What their assertion tells me is that no hacker has accessed their system and stolen any user names and passwords from them. Also, on Bank of America's Web site, they instruct their clients to protect their user IDs and passwords. Though I have not reviewed their online banking agreements, I have no doubt that they instruct their customers to maintain this information as secret.

If Lopez did not maintain his servers in a reasonably acceptable way, such as regularly maintaining his AV program, then I believe he did not perform his reasonably expected duty to protect his user name and password from exposure.

So who will the law say is responsible? That depends on the technical savvy of the public. Opinion is always swayed against a bank, where an abundance of cash and history of security is paramount, and the public sees the little guy being held down when his needs aren't met. Nevertheless, if the judge and jury understand that a business is responsible to maintain its systems, and that it was not Bank of America's system that was breached, but that of Lopez, I see no reason to grant Lopez an award, aside from the return of any money Bank of America is able to recover on his behalf.

About the author
Donald Smith is the IT audit manager for The Mechanics Bank of Richmond, Calif. Smith's opinions are his own, and not those of The Mechanics Bank.


TOPICS: Business/Economy
KEYWORDS: computersecurity; idtheft; lawsuit; privacy

1 posted on 03/09/2005 7:49:38 AM PST by snowsislander
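The column above describes Coreflood as a Trojan that waits on a predetermined IRC channel for commands, and that "open ear" is also what makes such an infection visible on the network. As an added example (not part of the original column or of this thread), the Python script below scans a constructed egress log for workstations that connect to IRC ports, send IRC protocol commands, and reconnect at regular intervals. The log format, hosts, ports and thresholds are assumptions made for illustration, not anything from the page.

```python
"""Flag workstations that behave like IRC-controlled bots (Coreflood-style C2).

Added example: the log format, hosts, ports and thresholds below are
assumptions made for illustration, not anything from the column or thread.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Classic IRC server ports plus 7000, an alternate port many bots used.
IRC_PORTS = set(range(6660, 6670)) | {7000}
# Cleartext IRC commands a bot sends when it joins and polls its channel.
IRC_CMDS = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b", re.I)

# Assumed egress-log format: ISO timestamp, src, dst, dport, optional payload.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)'
    r'(?: payload="(?P<payload>[^"]*)")?$'
)


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_beaconing(timestamps, min_hits=4, max_jitter=0.2):
    """True when >= min_hits connections arrive at near-constant intervals."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def find_irc_bots(lines):
    """Map suspicious src -> {"reasons": set, "peers": set}.

    A (src, dst, dport) flow is flagged only if at least two indicators agree:
    an IRC port, IRC protocol commands in the payload, or beaconing. Port
    alone is not enough: legitimate IRC clients were common.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            flows[(rec["src"], rec["dst"], rec["dport"])].append(rec)

    findings = {}
    for (src, dst, dport), recs in flows.items():
        reasons = set()
        if dport in IRC_PORTS:
            reasons.add("irc-port")
        if any(r["payload"] and IRC_CMDS.match(r["payload"]) for r in recs):
            reasons.add("irc-commands")
        if is_beaconing([r["ts"] for r in recs]):
            reasons.add("beaconing")
        if len(reasons) >= 2:
            hit = findings.setdefault(src, {"reasons": set(), "peers": set()})
            hit["reasons"] |= reasons
            hit["peers"].add(f"{dst}:{dport}")
    return findings


# Constructed sample log: 10.0.0.12 polls an IRC server every five minutes,
# 10.0.0.20 browses the web irregularly, 10.0.0.31 makes one IRC connection.
SAMPLE_LOG = [
    '2004-04-12T09:00:00 src=10.0.0.12 dst=203.0.113.45 dport=6667 payload="NICK bot-8f2a"',
    '2004-04-12T09:05:00 src=10.0.0.12 dst=203.0.113.45 dport=6667 payload="JOIN #ctrl"',
    '2004-04-12T09:10:00 src=10.0.0.12 dst=203.0.113.45 dport=6667 payload="PONG :srv"',
    '2004-04-12T09:15:00 src=10.0.0.12 dst=203.0.113.45 dport=6667 payload="PRIVMSG #ctrl :ok"',
    '2004-04-12T09:20:00 src=10.0.0.12 dst=203.0.113.45 dport=6667 payload="PONG :srv"',
    '2004-04-12T09:00:00 src=10.0.0.20 dst=198.51.100.7 dport=80',
    '2004-04-12T09:00:45 src=10.0.0.20 dst=198.51.100.7 dport=80',
    '2004-04-12T09:03:10 src=10.0.0.20 dst=198.51.100.7 dport=80',
    '2004-04-12T09:09:02 src=10.0.0.20 dst=198.51.100.7 dport=80',
    '2004-04-12T09:02:00 src=10.0.0.31 dst=192.0.2.9 dport=6667',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for src, hit in find_irc_bots(SAMPLE_LOG).items():
        print(src, sorted(hit["reasons"]), sorted(hit["peers"]))
```

A host needs at least two indicators before it is reported, since an IRC port alone would flag every person chatting on IRC; the beaconing test is what separates a bot polling its channel on a fixed timer from a human typing at irregular intervals. In practice the input would be a firewall or proxy export, and any host reported should be taken off the network and rebuilt before it is used for online banking again.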

To: snowsislander
If Lopez did not maintain his servers in a reasonably acceptable way, such as regularly maintaining his AV program, then I believe he did not perform his reasonably expected duty to protect his user name and password from exposure.

I have to agree here, B-of-A is not at fault.

That being said, as technically illiterate as the jury pool is likely to be, B-of-A is probably in trouble at the first verdict. Hopefully they at least win on appeal.

2 posted on 03/09/2005 8:03:47 AM PST by tx_eggman ("Reality is like fine wine, it will not appeal to children." Don Miller)

To: snowsislander

This does not bode well for B of A considering they just released an announcement stating that the personal information of over 100,000 government credit card holders in the Navy and Marine Corps has been compromised.


3 posted on 03/09/2005 8:19:38 AM PST by lt.america (Captain was already taken)

To: tx_eggman
I have to agree here, B-of-A is not at fault.

That being said, as technically illiterate as the jury pool is likely to be, B-of-A is probably in trouble at the first verdict. Hopefully they at least win on appeal.

I have a number of problems with the article itself, and I hesitated before I posted it due to what I think are some deficiencies. These illegal activities can be really, really hard to attribute unless someone gets lucky.

The author assumes that the actual hole has been found, but unless there is some supporting evidence clearly showing that hole was the origin of the breach, I take it with a big grain of salt. I would be interested in what progress was made in tracing where the money went.

But assuming that the author is right, and the breach occurred not at Bank of America but at Mr. Lopez's business, then I agree that Bank of America is not responsible for Mr. Lopez's loss. However, as you point out, who knows what a technically uninformed jury will decide, when even experts might not agree on even exactly what security breach is the root fault.

It might be interesting to see what The Register article had in it; perhaps it is clearer about the exact circumstances than what my reading of this article yields.

4 posted on 03/09/2005 8:21:48 AM PST by snowsislander

To: snowsislander

Did B of A infect his computer? If not, why are they liable? Using his logic, Bill Gates and George Bush failed to notify him of the dangers of Coreflood.


5 posted on 03/09/2005 8:21:57 AM PST by Lx (Tuesday is Soylent green day!)

To: tx_eggman
I have McAfee. I heard on Tech TV that when put against other AntiVirus software, McAfee was the best. Is this still true?

As well, I used to have AdAware. I tossed it. Is this good free software?
6 posted on 03/09/2005 8:24:25 AM PST by Idisarthur

To: snowsislander

BTTT


8 posted on 03/09/2005 8:31:28 AM PST by kellynla (U.S.M.C. 1st Battalion,5th Marine Regiment, 1st Marine Div. Viet Nam 69&70 Semper Fi)

To: Idisarthur
I have McAfee. I heard on Tech TV that when put against other AntiVirus software; McAfee was the best. Is this still true?

As well, I used to have AdAware. I tossed it. Is this good free software?

We use McAfee corporately and I use it at home. I also run AdAware and Spybot a couple of times a week at home.

10 posted on 03/09/2005 9:03:13 AM PST by tx_eggman ("Reality is like fine wine, it will not appeal to children." Don Miller)

To: snowsislander
"As a business owner, Lopez is responsible for the operations of his IS structure, including the ongoing maintenance of antivirus software for the protection of his systems and logical assets."

Exactly.
11 posted on 03/09/2005 9:28:55 AM PST by Texas_Jarhead
