
February 24, 2010



Benjamin Wright

Jim Woodhill, http://www.authentify.com, asked me to post the following comment on his behalf . . .

I commend the following "thought experiment" to one and all. Imagine that the "Customer" was not Brian Krebs' "Victim of the Day" (it's Wednesday, 2/24/10, so it's Little & King of Merrick, NY, which is going to go bankrupt because TD Bank allowed cyber-thieves to make off with $164,000 of its cash. The owner, Karen McCarthy, was in tears when she spoke with Mr. Krebs on the phone yesterday.) REF:


Now imagine, if you will, that the name of the owner was not "Karen McCarthy," but "Jackie Marie Clegg". What do you *guess* TD Bank would have done?

HINT: Ms. Clegg is the wife of Christopher Dodd, the Chairman of the Senate Banking Committee.

See what I mean? Even better, what if the victim was named "Barney Frank for Congress"? (Mr. Frank is the chairman of the House Committee on Financial Services.)

Rather than perusing your critical exegesis of UCC 4A, I suggest that your readership compare the membership counts of the American Bankers Association (ABA) and the American Federation of Independent Businesses (AFIB). How would new legislation "balance" the interests of these two organizations? My guess is the same way that "balance" was struck in the case of identity theft victims in the The Fair and Accurate Credit Transactions Act of 2003 (FACTA)!

Not that Congress *needs* reasons to "Do Something", mind you, but note that good and sufficient reasons to move all the risk of online banking fraud to the financial services institutions have already been articulated by the estimable Bruce Schneier in his critique of Shames-Yeakel vs. Citizens Financial Bank. REF:


Benjamin, this issue is not about ordinary "commercial agreements". The targets of the cyber-assaults Brian Krebs so ably documents are the victims of *crime*, and what to do about crime, especially, as you so insightfully document above when you say, "The rash of stories that Krebs is publicizing is unprecedented in the 20-some-odd-year history of UCC 4A," is always and everywhere a political question.

In Authentify's opinion, this question should be settled quickly and cheaply on the Hill rather than slowly and laboriously in courts across the country. I really doubt that the argument that authentication and in-process fraud controls that allow cyber-thieves to make off with customer money are, somehow, nevertheless still "commercially reasonable" will fly on the Hill.


The common thread in these types of cases seems to be that the banks are using authentication methods that have long been known to be insecure, and calling them "commercially reasonable." This is absurd when the fix for the problem doesn't have to be that expensive, relatively speaking. Checking IP addresses would stop many of these attacks, and a verification phone call or SMS text message would put a stop to many more.

I know that any security system can be beat by someone with enough resources and determination, but that's no excuse for not raising the bar at all.


Ben -

You refer to "advance written restrictions" as a final out by the customer as a protection against loss. I'm reminded of rock star contract riders like the legendary Van Halen one that reads "There will be no brown M&M's in the backstage area, upon pain of forfeiture of the show, with full compensation."

I'd imagine that there might be some similar reasonable advance written restriction that you could place that would be straightforward to agree to and to put into place but that would be difficult for a criminal to mimic. E.g. it could be a simple reporting requirement like "a notice of any transfer of greater than $1000 must be delivered via fax to (number) and email to (number) within 24 hours of the transaction". And while this would not prevent fraud from happening, it would put the burden back on the bank.

