Interesting story. A computer belonging to Joe Lopez is hacked and the hacker then transfers ninety grand to an account in Latvia.
Lopez is taking his bank (Bank of America) to court to recover his money, stating that the bank “knew the risks”.
While I sympathize with Mr. Lopez, it appears to me that the bank actually did nothing wrong. It was not the bank’s systems that were hacked, but Mr. Lopez’s machine. BofA did not actually commit any crime. Bofa maintains that since this is a business account with large sums of money going in and out, the wire did not trip any internal alarms.
“Bank of America knew of the coreflood virus,” said Lopez’s Lawyer, “Why not tell their customers?”. That statement shows a tenuous grip on reality – there are literally thousands of viruses and trojans out there, with more coming out every day – does he seriously expect BofA to inform their customers about every one? If they did, their customers would be deluged with “Chicken Little” warnings… and would ignore them. Sounds to me like he is looking for deep pockets.
$70k of Joe’s money is still frozen in a bank in Latvia. Any action to recover the funds would require “a request to Latvia’s Office of the Prosecutor for a criminal investigation”. This would be a whole lot easier for BofA than it would be for Joe, but since the bank has sustained no loss, it has no reason to do so, and if it did, it would set a precedent.
Of course, this should not have happened, but Mr. Lopez and his Lawyer are asking the wrong questions. The real question is whether or not BofA should have allowed a wire transfer to Eastern Europe to go unchallenged. If so, they are in the clear. If not, they are at fault. Trying to blame them for a user’s lack of security, however, is just plain wrong.
f nothing else, this has exposed several holes in the system. One quick and obvious way to avoid this sort of thing in future is to have the bank verify any automated transfer over a predetermined amount by calling the accountholder. While not foolproof, this would cut down a lot on this sort of thing.
Unfortunately this will not be popular with the Banks, who will have to eat the added expense of such a system.