PlainsCapital Bank sues a victim of a $800k cyber-theft for failling to protect themselves against the theft.

Made it look less like a spam post. --Ling

Wow!  Just... wow.  The bank let this happen, to the tune of $800K, and it's the customer's fault?

My bank does a better job on my personal account, which has never held anywher near $800K, much less tried to transfer it.  In the 2-3 years I've been with them, I've received a handful of phone calls when I've made purchases that they flag as "unusual".  Once they did actually catch an unauthorized charge on my account, and I ended up getting a new card out of it.  How difficult can it be to put that sort of protection on big, expensive business accounts too, especially with all the "red flags" the article mentioned?

The title of that article appears to be at odds with the content - the bank have gone to court to prove their systems are secure; not to sue the customer.

the referenced article:

The biggest red flag should have been that the money was being transferred to foreign destinations, which had never happened before with Hillary's account, Owen said.

Sigh.  No, the biggest red flag should've been the one that didn't make the first page of the article: the emails authorizing the IP addresses came from unauthorized IP addresses - in fact, ones in different countries on another continent.

That should be enough to with the case right there.  The fact that the bank initiated action in the laughing stock of the US court system, of course, means that it won't be enough.  One can at least hope the rest will be - at least on appeal.

(For the record, I'm not saying that the overseas transfers for a company that never did them before shouldn't have been a very big red flag - just that the other should've been even bigger.)

PJH:

The title of that article appears to be at odds with the content - the bank have gone to court to prove their systems are secure; not to sue the customer.

Under the American system of juris-lack-of-prudence, there has to be some sort of ongoing action ("lawsuit") to do something like that. The bank is suing the customer, not for money or for property, but for the customer to go "Okay, okay, it isn't your fault! Uncle! Uncle!" (Even if the customer never claimed it was the bank's fault, this would still be how it's done.)

The complaint itself is somewhat unusual in that it doesn't seek anything specific from Hillary. Rather, all it asks is for the court to certify that its systems are reasonably secure.

Because a court should be able to decide whether a bank's security system is really secure.

PJH:

The title of that article appears to be at odds with the content - the bank have gone to court to prove their systems are secure; not to sue the customer.

 

Honestly, think about it. You are asking a COURT OF LAW if your system is secure. Its like going to a photographer and asking if the car you are about to buy is in good condition and if it needs repairs. The court should be able to ackgnowledge that certain steps were taken by the bank, but since shit happened it is obviously not enough.

 

And so begins the era where your EULA with the bank will include all their security measures and you must agree to them, bla bla bla, basically information overload man.

astonerbum:

PJH:

The title of that article appears to be at odds with the content - the bank have gone to court to prove their systems are secure; not to sue the customer.

 

Honestly, think about it. You are asking a COURT OF LAW if your system is secure. Its like going to a photographer and asking if the car you are about to buy is in good condition and if it needs repairs. The court should be able to ackgnowledge that certain steps were taken by the bank, but since shit happened it is obviously not enough.

They're asking the court to determine that they're secure enough to not be legally liable for breaches of security that they can blame on the customer. It's like Toyota asking a court to determine whether it should be legally liable for the sticky-accelerator problem. Maybe it's obvious that they are, maybe they aren't.... but the interaction with the court is almost certainly going to be part of the picture one way or another.

astonerbum:

Honestly, think about it. You are asking a COURT OF LAW if your system is secure.

I'm doing nothing of the kind. Perhaps you'd like to RTFA.

PJH:

astonerbum:

Honestly, think about it. You are asking a COURT OF LAW if your system is secure.

I'm doing nothing of the kind. Perhaps you'd like to RTFA.

 

Yes but can a court really determine that? What constitutes "secure enough"? Do we have laws that require certain "levels" of security? What is a level of security, can bugs in these security mechanisms constitute as flaws that make the company liable?

 

I mean this is a bit rediculous to ask of a court. We have no guidelines as to what a "secure" bank site is. Right now its "I'm more secure than my competitor". Now this could be a great thing, we might actually start a movement which will require bank sites to truly do authentication of sorts for which they will be liable if something gets through.

 

In either case I am interested in the outcome of this.

astonerbum:

PJH:

astonerbum:

Honestly, think about it. You are asking a COURT OF LAW if your system is secure.

I'm doing nothing of the kind. Perhaps you'd like to RTFA.

Yes but can a court really determine that? What constitutes "secure enough"?

Dunno. This is happening in the US. I hear of all sort of weird and wonderful court cases, one such as this wouldn't surprise me.

(Not that the UK, currently (apparently) the world centre of libel tourism, is much better, but they wouldn't be able to start a case such as this - it appears to be a pre-emptive action with no real apparent defendant.)

astonerbum:

PJH:

astonerbum:

Honestly, think about it. You are asking a COURT OF LAW if your system is secure.

I'm doing nothing of the kind. Perhaps you'd like to RTFA.

 

Yes but can a court really determine that? What constitutes "secure enough"? Do we have laws that require certain "levels" of security? What is a level of security, can bugs in these security mechanisms constitute as flaws that make the company liable?

 

I mean this is a bit rediculous to ask of a court. We have no guidelines as to what a "secure" bank site is. Right now its "I'm more secure than my competitor". Now this could be a great thing, we might actually start a movement which will require bank sites to truly do authentication of sorts for which they will be liable if something gets through.

 

In either case I am interested in the outcome of this.

Courts rely on expert witnesses.  The job of the court is to hear information from both sides of a dispute, as well as the testimony of experts in the field, for the purposes of determining legal liability.  You are an idiot if you think this is anything special or new.  Courts deal with highly technical subjects all the time.  How else would it work?

astonerbum:

Yes but can a court really determine that? What constitutes "secure enough"? Do we have laws that require certain "levels" of security? What is a level of security, can bugs in these security mechanisms constitute as flaws that make the company liable?

 

What other legal institution is qualified? I'd be willing to say the majority of court cases, criminal and civil, require knowledge that go well beyond "the law." Courts in such cases use expert witnesses. Consider the science involved in forensics. Do you really think the judge has personally mapped the human genome and truly knows what the DNA evidence really says? No, that's what testimony from the forensic analyst needs to convey to the judge. Even vehicular accidents require testimony from someone who can adequettely analyze the crash to determine who is at fault.