Business Swindled Online - Who is to Blame?
21 October 2009
I recently blogged about why Businesses Require Better Protection Online
. The writeup was based on a warning from the FDIC that was aimed at businesses who bank online. Last week, a firm called Genlabs Corp. had $437,000 fly out of their account. Username, password, and token were compromised as fraudsters gained access to the account. Yesterday evening, Brian Krebs from the Washington Post blogged about the story
and provided some additional updates. Turns out a Genlabs computer became infected with a trojan horse that, "allowed the attackers to re-write the bank's login screen as displayed on the employee's computer, so that the credentials were intercepted before they could be sent on to the bank's actual Web site." A forensics expert who examined the computer determined that standard Windows-based scanning tools were unable to detect the infection. This raises some interesting questions about who is responsible for this mishap. The fraudsters are obviously the criminals, but catching them and recovering the funds is another story. In the meantime, who is responsible for the loss of funds?
- If Genlabs had software protection (that did not spot the infection) should they be held responsible? Would it matter if their software was up-to-date?
- Should the anti-virus/malware software company be responsible if their tool was unable to detect the infection, but a competing software tool could (hypothetical)?
- Should the bank be held responsible since their online security had been compromised?
It's an interesting discussion topic, and I invite you all to express your thoughts.