Business Swindled Online - Who is to Blame?

21 October 2009
Jacob Jegher
I recently blogged about why Businesses Require Better Protection Online. The writeup was based on a warning from the FDIC aimed at businesses that bank online. Last week, a firm called Genlabs Corp. had $437,000 fly out of their account: the username, password, and token were all compromised as fraudsters gained access to the account. Yesterday evening, Brian Krebs from the Washington Post blogged about the story and provided some additional updates. It turns out a Genlabs computer had become infected with a trojan horse that "allowed the attackers to re-write the bank's login screen as displayed on the employee's computer, so that the credentials were intercepted before they could be sent on to the bank's actual Web site." A forensics expert who examined the computer determined that standard Windows-based scanning tools were unable to detect the infection. This raises some interesting questions about who is responsible for this mishap. The fraudsters are obviously the criminals, but catching them and recovering the funds is another story. In the meantime, who is responsible for the loss of funds?
  • If Genlabs had software protection (that did not spot the infection) should they be held responsible? Would it matter if their software was up-to-date?
  • Should the anti-virus/malware software company be responsible if their tool was unable to detect the infection, but a competing software tool could (hypothetical)?
  • Should the bank be held responsible since their online security had been compromised?

It's an interesting discussion topic, and I invite you all to express your thoughts.


  • You can't really hold the Bank responsible if security was compromised at Genlabs. That would be like blaming the locksmith if someone stole your house keys out of your pocket on the subway. Sure, you could force banks to beef up their security and add extra layers of authentication, but in the end, thieves will always find a way to steal things. That's what thieves do, and they'll always be there.

    I keep my car locked, in a private parking garage, with an alarm and an engine kill switch. Does that mean someone can't steal my car? Do I need to do anything more to absolve myself of responsibility should my car be stolen? I don't think so. I have insurance, which I pay for, to protect me in the event of theft. That's what companies like Genlabs should have to protect their bank accounts (and any other financial assets) from identity theft. The more security they implement, the cheaper the insurance should be, giving incentive to both companies like Genlabs and their banks to beef up their security. There shouldn't be any fault assigned if everybody followed standard security procedures, as no company (not Genlabs, the security software provider, nor the bank) can ever guarantee zero capability of theft.

  • You are assuming though that everyone followed "standard security procedures." In most incidents however, that simply isn't the case. In fact, there are studies that show that businesses, small ones in particular, rarely have adequate protection. A bank may not want to refund a business if they haven't taken the right steps. And your example of insurance - an insurer may not want to refund a car owner if the owner was negligent. In other words, the insurer will push back on reimbursement if the car door is left open with the keys in the ignition...

  • [...] of the rash of business online banking fraud that has hit the market (see my blog entries on this here and here). I asked the panel if their financial institution had contacted them recently to make [...]
