Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This is very common. By law, a bank is not responsible for theft from commercial bank accounts. Personal accounts however, are protected.

From what I've seen based on other cases:

#1. Never use a small/local bank. These guys are the worst and have generally pathetic or rarely enforced security policies in place.

#2. Do your banking off a boot disk if your not certain about your system's integrity. (Why are you using a questionable machine in the first place is a whole other story.)

#3. Try to avoid letting your business checking account get unnecessarily fat.

The fact is banks lose money. Going back to #1, most of the at risk banks in the United States are the small local ones (The FDIC is still regularly seizing banks.) Forget hackers, you could very well have $300k "stolen" out of your bank account if the FDIC shuts your bank down one Friday afternoon.

If you want to read more about this, I'd recommend krebsonsecurity.com. Brian Krebs has done a great job of covering this issue for quite some time -- in fact he has his own opinion of this court case written up now.



Is it not that simple. Commercial accounts do not have the same protections as personal accounts, but under UCC § 4A-202:

[... presuming a relationship between customer and bank, then..] a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders [... so long as the bank is acting in good faith.]

And then, in the very next clause:

(c) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.

The stuff this bank didn't do that it was supposed to do appears to be spelled out directly in the UCC, but the bank got off because the court chose to find a fine-print clause that waived these rules enforceable.


Clark Howard (the consumer radio personality) recommends that businesses use a separate computer for all bank related transactions. And that computer isn't used for email or other web access.

You should also contact your bank and request double or dual authentication on any wires. If your bank doesn't offer this, then get a different bank.

http://www.clarkhoward.com/news/clarkhoward/business-entrepr...


And the convenience of online banking just lost all of its convenience. I'd rather just drive to the bank to conduct all transfers... seems safer.


My bank has fairly lax login requirements (account ID, some random digits of a N digit PIN, some random letters of a longish password.

But to make payments to new accounts, you have to add that account to your approved list, which involves inserting your debit card into a little calculator-style reader, entering your (different) PIN, and then doing CHAP style auth with a random number supplied on the webpage, which is (hopefully decently crypto) mangled by the device, giving you a confirmation code.

It's a bit of a hassle when you need to send some money to someone quickly and can't find the little machine, but otherwise, I think it's a pretty decent level of security.


You could probably just use a bank that utilizes tokens or some other two factor authentication.


What if the malware on the PC lets you log in and then takes over the session? Yeah, it happens.

I develop on a system (PhoneFactor) where the bank now confirms the details of a transaction (amount, dest account number, etc) over an out-of-band channel.

I really think this is where the world is moving. The current concept of login sessions is going away, e.g., mobile phones keep browser sessions open practically forever. Login credentials will eventually only protect the viewing of data, things that could cost money will be subject to additional authentication.

But the party who's interests are most protected will be the party that's purchasing and deploying the authentication system. This is usually not the party with the most to lose, and almost never the end user.


...Unless they're RSA SecurIDs.

Although it seems that whoever got that info used it for poking into defence contractors, rather than banks. Still, I imagine it's perfectly possible they could have used it to defeat some multi-factor logins for large bank accounts.

I wonder how long the recall and replacement will take; there's got to be a lot of those tokens out there.


> you could very well have $300k "stolen" out of your bank account if the FDIC shuts your bank down one Friday

I thought that was the whole point of the FDIC? That we don't lose our bank account contents if our bank dies.


The FDIC only protects your bank account up to a certain limit.


It covers up to 250k if I recall. Is the implication here that you can have "up to" 550k in a bank account?


#4 Don't trust Florida based companies. Words to live by!

http://www.oceanbank.com/contact-us.html




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: