Lopez discovered his company bank account was US$90,000 short and a quick check online revealed the amount had been transferred -- without his knowledge -- to a Latvian bank.
The Bank of America was duly notified, with Lopez urging its officers to stop the transfer. Unfortunately, it was too late. About US$20,000 was already withdrawn from the Latvian bank account, with the bank freezing the remainder.
After the US Secret Service combed through Lopez's computer, they realised the culprit was a trojan horse called Coreflood. Coreflood seemed harmless when it was first discovered in 2001, but subsequent variants proved malicious; Backdoor.Coreflood, for example, could give an attacker control of infected machines.
Not wanting to be left high and dry, Lopez filed suit against the Bank of America, claiming it failed to protect him from online theft. The financial institution had allegedly neglected its duty to warn him of the security threat. It was like the bank knew someone else had a key to the vault but didn't warn customers, claimed Lopez's lawyer.
As expected, the Bank of America denied all charges saying the onus lies on customers to install security software, including regularly updating patches.
These limits also act as an obstacle to clandestine activities. At the moment, bank tellers are to report suspicious transactions -- such as repeat transfers -- below AU$10,000 to the anti-money laundering regulator Austrac (Australian Transaction Reports and Analysis Centre).
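The reporting rule above (repeat transfers kept just under the AU$10,000 threshold) is easy to state but only useful if someone actually looks for the pattern. The following Python is an added example, not code from the article or from any bank or regulator: it flags accounts that make several near-threshold transfers within a short window. The sample transfers are constructed, and the "near threshold" fraction, window length and repeat count are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfers (not real data): (account, ISO timestamp, amount in AUD)
SAMPLE_TRANSFERS = [
    ("ACC-1", "2005-02-01T09:00", 9500.0),
    ("ACC-1", "2005-02-01T13:30", 9800.0),
    ("ACC-1", "2005-02-02T10:15", 9900.0),
    ("ACC-2", "2005-02-01T11:00", 12000.0),  # above the threshold: caught by the ordinary report
    ("ACC-3", "2005-02-01T08:00", 200.0),    # small, unrelated transfers
    ("ACC-3", "2005-02-03T08:00", 150.0),
]

THRESHOLD_AUD = 10_000.0   # reporting threshold named in the article
NEAR_FRACTION = 0.9        # assumption: "near the threshold" means at least 90% of it
WINDOW = timedelta(days=7) # assumption: repeats are counted within a 7-day window
MIN_REPEATS = 2            # assumption: two or more such transfers in the window is suspicious


def find_structuring(transfers, threshold=THRESHOLD_AUD, near_fraction=NEAR_FRACTION,
                     window=WINDOW, min_repeats=MIN_REPEATS):
    """Return {account: [amounts]} for accounts whose transfers look like structuring:
    several transfers just under the reporting threshold within one window."""
    per_account = defaultdict(list)
    for account, ts, amount in transfers:
        # keep only transfers that sit in the band just below the threshold
        if near_fraction * threshold <= amount < threshold:
            per_account[account].append((datetime.fromisoformat(ts), amount))

    flagged = {}
    for account, events in per_account.items():
        events.sort()  # chronological order so the sliding window below is valid
        for i, (start, _) in enumerate(events):
            # all near-threshold transfers in [start, start + window)
            in_window = [amt for t, amt in events[i:] if t - start < window]
            if len(in_window) >= min_repeats:
                flagged[account] = in_window
                break
    return flagged


if __name__ == "__main__":
    for account, amounts in find_structuring(SAMPLE_TRANSFERS).items():
        print(f"{account}: {len(amounts)} near-threshold transfers {amounts}")
```

Only ACC-1 is flagged: its three transfers each stay under AU$10,000 but together exceed it within two days. ACC-2's single transfer is above the threshold and belongs to the ordinary report, and ACC-3's small transfers never enter the near-threshold band.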
Other authentication methods and devices on the market -- smart cards, USB tokens, password generators and biometric readers -- are technologically sound, but unwieldiness and cost continue to hamper mass adoption. In terms of user friendliness, Citibank's dynamic PIN-pad login -- where the mouse, instead of the keyboard, is used to click on random digits to form a password -- is more likely to catch on with other financial institutions and users.
But history has shown that any system can be beaten. A Malaysian man nearly walked away with around AU$625,000 before his scam was busted by authorities. Ng Kok Meng used a skimming device -- which captures data from a customer's ATM card -- to gain illegal access to the account.
Meanwhile, the Lopez vs Bank of America court ruling is still pending but this case holds valuable lessons ... primarily that Internet banking, while extremely convenient, comes with its fair share of risks. There's no silver bullet so don't expect Internet scams, hackers, trojan horses and the like to vanish overnight. The challenge for banks and customers to minimise their exposure to losses will continue. Security is neither about the journey nor the destination ... it's like an infinite loop which requires our constant attention.
Dear Fran,
Yes - there is a "magic bullet" - just like you have every time you visit your local supermarket and pay by EFTPOS - and it's the "PINPad". Over 20 years ago it was known that a cash register was NOT safe to use for such financial purposes and Australia led the way in creating a safe and secure system based upon advanced crypto and trusted hardware attachments for the checkout or cash register. There is no other way at present for the home PC! We know that - we knew that. Even Microsoft agrees with its NGSCB project clearly outlining the need for essentially putting that PINPad on the motherboard of every PC to be used for secure transaction purposes. In simple terms, why do banks even say that a PC is safe and secure to use for this home banking purpose? I can take a horse and cart onto the F3 in Sydney but I would not call it safe - and it could be illegal! No, the home PC was NEVER DESIGNED AND BUILT for safe and secure Internet transactions and to say that it was, or is, is itself - well - utterly amazing!