
  • "The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

  • "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's contributions to blogs, web courses and the like constitute an online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright often earns money or other reward from organizations he mentions or links on blogs, such as Messaging Architects, SANS Institute, Credant Technologies, state CPA societies, LabMD and others.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.


February 24, 2010

EFT Law | 4A-202 | 4A-203

Comments


Benjamin Wright

Jim Woodhill, http://www.authentify.com, asked me to post the following comment on his behalf . . .

I commend the following "thought experiment" to one and all. Imagine that the "Customer" was not Brian Krebs' "Victim of the Day" (it's Wednesday, 2/24/10, so it's Little & King of Merrick, NY, which is going to go bankrupt because TD Bank allowed cyber-thieves to make off with $164,000 of its cash). The owner, Karen McCarthy, was in tears when she spoke with Mr. Krebs on the phone yesterday. REF:

http://www.krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/

Now imagine, if you will, that the name of the owner was not "Karen McCarthy," but "Jackie Marie Clegg". What do you *guess* TD Bank would have done?

HINT: Ms. Clegg is the wife of Christopher Dodd, the Chairman of the Senate Banking Committee.

See what I mean? Even better, what if the victim was named "Barney Frank for Congress"? (Mr. Frank is the chairman of the House Committee on Financial Services.)

Rather than perusing your critical exegesis of UCC 4A, I suggest that your readership compare the membership counts of the American Bankers Association (ABA) and the American Federation of Independent Businesses (AFIB). How would new legislation "balance" the interests of these two organizations? My guess is the same way that "balance" was struck in the case of identity theft victims in the Fair and Accurate Credit Transactions Act of 2003 (FACTA)!

Not that Congress *needs* reasons to "Do Something", mind you, but note that good and sufficient reasons to move all the risk of online banking fraud to the financial services institutions have already been articulated by the estimable Bruce Schneier in his critique of Shames-Yeakel vs. Citizens Financial Bank. REF:

http://www.schneier.com/blog/archives/2009/09/eliminating_the.html

Benjamin, this issue is not about ordinary "commercial agreements". The targets of the cyber-assaults Brian Krebs so ably documents are the victims of *crime*, and what to do about crime, especially, as you so insightfully document above when you say, "The rash of stories that Krebs is publicizing is unprecedented in the 20-some-odd-year history of UCC 4A," is always and everywhere a political question.

In Authentify's opinion, this question should be settled quickly and cheaply on the Hill rather than slowly and laboriously in courts across the country. I really doubt that the argument that authentication and in-process fraud controls that allow cyber-thieves to make off with customer money are, somehow, nevertheless still "commercially reasonable" will fly on the Hill.

bert

The common thread in these types of cases seems to be that the banks are using authentication methods that have long been known to be insecure, and calling them "commercially reasonable." This is absurd when the fix for the problem doesn't have to be that expensive, relatively speaking. Checking IP addresses would stop many of these attacks, and a verification phone call or SMS text message would put a stop to many more.

I know that any security system can be beat by someone with enough resources and determination, but that's no excuse for not raising the bar at all.

twitter.com/vielmetti

Ben -

You refer to "advance written restrictions" as a final out by the customer as a protection against loss. I'm reminded of rock star contract riders like the legendary Van Halen one that reads "There will be no brown M&M's in the backstage area, upon pain of forfeiture of the show, with full compensation."

I'd imagine that there might be some similar reasonable advance written restriction that you could place that would be straightforward to agree to and to put into place but that would be difficult for a criminal to mimic. E.g. it could be a simple reporting requirement like "a notice of any transfer of greater than $1000 must be delivered via fax to (number) and email to (number) within 24 hours of the transaction". And while this would not prevent fraud from happening, it would put the burden back on the bank.
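The two comments above sketch controls a bank could layer on top of a password: bert's source-IP check and out-of-band confirmation, and vielmetti's "advance written restriction" that large transfers be reported to the customer within a fixed window. The following is an added example, not code from the blog, its author, or either commenter, showing how those rules can be combined into one rules-based review of an outbound transfer. The customer profile, network ranges, beneficiary ids, thresholds and timestamps are all constructed assumptions; real fraud controls would also score velocity, device fingerprint and session behaviour.

```python
"""Added example (not from the blog or its commenters): a small rules-based
review of an outbound transfer request that layers the controls the comments
suggest: a source-IP check, out-of-band (OOB) confirmation for risky
transfers, and a customer's advance written notice requirement.
All names, thresholds and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class CustomerProfile:
    # Networks the customer registered as its usual origin (assumption).
    known_networks: List[str]
    # Beneficiary accounts the customer has paid before (constructed ids).
    known_beneficiaries: Set[str] = field(default_factory=set)
    # Advance written restriction: notify above this amount within this window.
    notice_threshold: float = 1000.00
    notice_window: timedelta = timedelta(hours=24)
    # Transfers at or above this amount always need OOB confirmation.
    oob_threshold: float = 5000.00


@dataclass
class TransferRequest:
    amount: float
    source_ip: str
    beneficiary: str
    submitted_at: datetime


@dataclass
class Decision:
    action: str                 # "allow", "hold_for_oob" or "block"
    reasons: List[str]
    notice_due: Optional[datetime] = None   # deadline for the written notice


def review_transfer(profile: CustomerProfile, req: TransferRequest) -> Decision:
    """Apply the layered rules and return the action the bank should take."""
    reasons = []

    # Rule 1 (source-IP check): is the request coming from a registered network?
    ip = ip_address(req.source_ip)
    from_known_ip = any(ip in ip_network(n) for n in profile.known_networks)
    if not from_known_ip:
        reasons.append(f"source IP {req.source_ip} outside registered networks")

    # Rule 2: a never-seen beneficiary is a common sign of a fraudulent payee.
    new_beneficiary = req.beneficiary not in profile.known_beneficiaries
    if new_beneficiary:
        reasons.append(f"first payment to beneficiary {req.beneficiary}")

    # Rule 3: high-value transfers need OOB confirmation regardless of origin.
    high_value = req.amount >= profile.oob_threshold
    if high_value:
        reasons.append(f"amount {req.amount:.2f} at or above OOB threshold")

    # Advance written restriction: compute when the customer notice is due.
    notice_due = None
    if req.amount > profile.notice_threshold:
        notice_due = req.submitted_at + profile.notice_window

    # Unknown origin plus a new payee is the account-takeover pattern: block
    # for manual review rather than rely on an OOB channel that may itself
    # have been redirected.
    if not from_known_ip and new_beneficiary:
        return Decision("block", reasons, notice_due)
    if not from_known_ip or new_beneficiary or high_value:
        return Decision("hold_for_oob", reasons, notice_due)
    return Decision("allow", reasons, notice_due)


# Constructed sample data for a stand-alone run.
SAMPLE_TIME = datetime(2010, 2, 24, 9, 30)
SAMPLE_PROFILE = CustomerProfile(known_networks=["203.0.113.0/24"],
                                 known_beneficiaries={"ACCT-0001"})
SAMPLE_REQUESTS = {
    "routine": TransferRequest(500.00, "203.0.113.10", "ACCT-0001", SAMPLE_TIME),
    "new_payee": TransferRequest(2500.00, "203.0.113.10", "ACCT-9999", SAMPLE_TIME),
    "high_value": TransferRequest(7500.00, "203.0.113.10", "ACCT-0001", SAMPLE_TIME),
    "takeover": TransferRequest(164000.00, "198.51.100.7", "ACCT-9999", SAMPLE_TIME),
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        d = review_transfer(SAMPLE_PROFILE, req)
        print(f"{label:>10}: {d.action:<12} notice_due={d.notice_due} "
              f"reasons={d.reasons}")
```

The point of the "block" branch is that an out-of-band call or SMS only helps if the attacker has not also taken over the phone number or mailbox; when both the origin and the payee are unfamiliar, a human review is the safer default, and the written-notice deadline is still recorded so the bank can show it met the customer's advance restriction.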
