February 10, 2005

Phishing Victim Fights Back

It had to happen some time. Phishing victims are fighting back — against their banks. A Miami businessman is suing Bank of America, according to AccountingWEB.com and other sources:

 Joe Lopez, a Miami businessman who regularly conducts business over the Internet, is suing Bank of America for negligence and failure to provide protection for online banking risks of which he claims the bank was aware. Last April, Mr. Lopez's computer system was hacked into and $90,348.65 was wired from his account at Bank of America to a bank in Riga, Latvia without his approval.

Ralph Patino, Mr. Lopez's lawyer, claims Bank of America had knowledge of a virus called coreflood, a Trojan horse virus known for infiltrating and compromising security systems and enabling unauthorized access to infected computers, and therefore the bank had a responsibility to inform its customers of the virus.

Coreflood, according to The Register, is primarily designed to conduct Denial of Service (DoS) attacks, but the theory is that the backdoor access it provided enabled criminals to extract banking passwords and account details entered into Lopez's PC. This remains unproven.

This makes the case a bit more complicated than if Lopez was hoodwinked by a phishing email designed to look like something from Bank Of America. Still, the AccountingWeb piece quotes Avivah Litan, vice president and research director for research firm Gartner Inc. and an online fraud expert, as saying

banking cybercrime cases such as this one may result in banks adopting stricter security measures in the future. "Banks can't reasonably expect consumers to protect themselves from cybercriminals," said Ms. Litan. She believes that consumers need banks to offer greater security if they want online banking to increase. Gartner Inc. predicts that within two years, "50 percent of today’s stronger methods for customer authentication will no longer be strong enough to be a safeguard against phishing and malware."

In other words, banks have got to find a better way to keep their customers secure, and arguing that cases like Lopez’ are nothing to do with them may not impress customers already increasingly nervous about doing business and banking online.

Comments

Hi Jeremy --

I think what's most likely to result from this is banks closing down their online banking systems.

The alternative is the use of strong security measures like SecurID tokens -- which, interestingly, an Irish bank used until about 3 years ago, when they dropped them due to cost. I wonder if they plan to reintroduce them anytime soon?

great weblog btw!

Strange that you title your post "Phishing Victim ..." and then include the sentence "This makes the case a bit more complicated than if Lopez was hoodwinked by a phishing email designed to look like something from Bank Of America.".

This incident clearly is not a case of phishing.

Srijith makes an interesting point: Is a phish not a phish if it is not an email designed to lure the user by pretending to be legitimate? To me this is part of a misunderstanding of 'phishing' which goes back to the early stages of the phishing epidemic. Phishing is the act of grabbing passwords, not of sending out fake emails. The fake emails are the lure; the phishing is the catching of passwords. Phishing can involve any trick -- and indeed, has evolved fast and far since this particular phase began in late 2003 -- that gets a user to hand over passwords, wittingly, unwittingly, through whatever method. Phishing is not just limited to emails mimicking banks. It includes trojans such as coreflood.
