Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Maybe banks should be responsible for stronger protection than a simple password?


Along those same lines, if a hacker took advantage of a vulnerability in the banks application, but only after gaining access to that vulnerability through credentials stolen from a client/customer, is the client responsible for weak credentials protection in that instance as well?

This is a slippery slope.


That would probably be awarded 50/50.


If the theft was abetted by a product fault in the banks own code, my guess is that the client would get 100 + legal fees.


Maybe, but if you're okay with that when you do business with them, you can't exactly complain about it when things go wrong.


Expecting people who know nothing about security to make an informed decision is unreasonable. It's much like expecting people to choose a building that won't fall over in an earthquake when they aren't architects - the responsibility lies with the architect for claiming that the security is good enough, not with the customer for trusting the expert.


?

You're suggesting that if I place a lock on your door, and you and I both agree that it is adequate, that it is my fault that you lose your keys and have your TV stolen because I should have known that a lock is not good enough and you should have had an alarm system as well....

Seriously, have some bit of personal responsibility.


The degree of "personal responsibility" you're alluding to here is unreasonable to apply to a regional commercial construction firm. It is simply not feasible for most businesses to keep a password-only protected online bank login secure using general-purpose operating systems, and particular not with Windows.

You're commenting because you know that:

* The firm could have dedicated a machine to do nothing but provide access to the bank account, perhaps from a single-use VM

* The firm could have structured its bank accounts so that only a minimal amount of its cash flow would be exposed to any single compromise

* The firm could have aggressively monitored transfers in and out on a better than daily basis

I'm telling you that (a) getting these things set up is a 5-figure consulting project that no bank tells its client base it needs to do, (b) that it is vanishingly unlikely that the bank made sure the client was informed that it needed to take these steps, (c) that failing to do that and leaving accounts exposed only to simple passwords is probably an example of a failure of due care, and (d) that the simplest and most reasonable way to solve all of these issues would be for the bank to simply strengthen its authentication mechanisms for commercial accounts.


You are placing a ridiculous expectation on the service provider while excusing the client using any form of security at all!

Sorry, but in 2011 it is not beyond reasonable expectation that a password be kept secret. Getting hacked sucks, certainly. Your company being hacked however is not the liability of your service providers, even if they are banks.


Speak to the people deploying multifactor and reputational authentication at major banks, and to a one, they will tell you that it is not considered a reasonable expectation that Windows systems be kept intact in order to secure bank accounts.

Banks can't come out and simply say that because of market realities (there are lots of market realities involving software security that terribly impact your day to day life) and concomitant liability.


The banks we talk to are certainly aware that a significant percentage of the customer-provided client machines are pwned by malware (and not just dumb keyloggers either). The Zeus trojan in particular is currently one of the most-discussed topics in online banking security.


It would only be fair to mention your commercial interest in that fact, Marsh. :)


tptacek is referring to that I work for PhoneFactor and we sell a multi-factor auth product to secure against these types of things. You're probably right, and thanks for the input.

It's hard to know when to worry about not disclosing affiliations and when to worry about sounding like a product name-pusher. I felt like I was on such basic facts in this comment that it wasn't so relevant, but I did mention it in a later comment in this thread.


Don't get me wrong; I'm glad you're here.


If I shot you, would it be your fault because you weren't wearing a bullet-proof vest?


Um, no. If you shot Mr. Smith over there, who was wearing one of my bullet-proof vests, but didn't do up the zipper/velcro, it's not my fault.


At least in the US, if you didn't put a stern warning about doing up the zipper/velcro in the vest's instruction manual, I'd be willing to bet there'd be plenty of lawyers who would gladly sue you on behalf of Mr. Smith's estate. Sadly, there would probably be some juries who would find in the estate's favor, too.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: