Dag-Erling Smørgrav
2017-Dec-12 11:56 UTC
http subversion URLs should be discontinued in favor of https URLs
Michelle Sullivan <michelle at sorbs.net> writes:> User gets an email saying his banking details are compromised, and to > update them now. User clicks the link and gives banking details to > phishing site as well as having a keylogger and rootkit installed > during the process. User has bank account hacked. Where did the bank > go wrong?Banks and financial institutions have whole teams working 24/7, usually in cooperation with national authorities, to detect, investigate and shut down phishing campaigns, and to warn customers (either directly or through mass media) of particularly large or well-executed campaigns. In the EU and EEA, banks are liable for losses in excess of ?150 unless the customer acted ?with intent or gross negligence?, but the definition of ?gross negligence? is fluid. Legal precedent in Norway is to hold the customer liable only if the email was ?an obvious forgery?, for some definition of ?obvious?. TL;DR: yes, banks are held liable for losses attributable to phishing. Source: I do this for a living (although not at a bank). DES -- Dag-Erling Sm?rgrav - des at des.no
Michelle Sullivan
2017-Dec-12 19:10 UTC
http subversion URLs should be discontinued in favor of https URLs
Dag-Erling Sm?rgrav wrote:> Michelle Sullivan <michelle at sorbs.net> writes: >> User gets an email saying his banking details are compromised, and to >> update them now. User clicks the link and gives banking details to >> phishing site as well as having a keylogger and rootkit installed >> during the process. User has bank account hacked. Where did the bank >> go wrong? > Banks and financial institutions have whole teams working 24/7Not out side of Europe (and those that do are not large.)> , usually > in cooperation with national authorities, to detect, investigate and > shut down phishing campaigns, and to warn customers (either directly or > through mass media) of particularly large or well-executed campaigns.No.> In the EU and EEA, banks are liable for losses in excess of ?150 unless > the customer acted ?with intent or gross negligence?, but the definition > of ?gross negligence? is fluid. Legal precedent in Norway is to hold > the customer liable only if the email was ?an obvious forgery?, for some > definition of ?obvious?.Maybe that will change stuff.> TL;DR: yes, banks are held liable for losses attributable to phishing.No, and I can tell you I had a discussion with some un-named bank (but very well known, very very very well known) online security managers and I said to them, hold the users responsible for 419 type spams. The response was a resounding 'no', and not because of regulation, but purely because they were worried about losing market share to other banks through bad publicity!> > Source: I do this for a living (although not at a bank). > > DESSo do I, have been in the business I am since 2000, and a lot of what I do and who for I can't even mention. What I can tell you is I built SORBS, I still run SORBS and I still work closely with LEOs and Banks (amongst others) dealing with online security for the company that now owns SORBS. This is getting way off-topic though. The topic is about forcing the use of https over http in the name of 'securing' an inherently insecure and compromised network, in the name of privacy for a couple of people. Wrong solution, for the wrong reasons, svn over https is already available those people that believe it gives security should use it and get out of other peoples business. If they really want to make an impact on the perceived problem they should target the malicious actors and the use of Tor as a pseudo secure platform (ie the few that would use http over Tor for downloading source that don't know the dangers should probably learn or not use Tor in the first place!) Regards, Michelle