Dag-Erling Smørgrav wrote:
> Michelle Sullivan <miche...@sorbs.net> writes:
>> User gets an email saying his banking details are compromised, and to
>> update them now. User clicks the link and gives banking details to
>> phishing site as well as having a keylogger and rootkit installed
>> during the process. User has bank account hacked. Where did the bank
>> go wrong?
>
> Banks and financial institutions have whole teams working 24/7

Not outside of Europe (and those that do are not large.)

> , usually
> in cooperation with national authorities, to detect, investigate and
> shut down phishing campaigns, and to warn customers (either directly or
> through mass media) of particularly large or well-executed campaigns.

No.

> In the EU and EEA, banks are liable for losses in excess of €150 unless
> the customer acted “with intent or gross negligence”, but the definition
> of “gross negligence” is fluid. Legal precedent in Norway is to hold
> the customer liable only if the email was “an obvious forgery”, for some
> definition of “obvious”.

Maybe that will change stuff.

> TL;DR: yes, banks are held liable for losses attributable to phishing.

No, and I can tell you I had a discussion with some un-named bank (but
very well known, very very very well known) online security managers and
I said to them, hold the users responsible for 419 type spams. The
response was a resounding 'no', and not because of regulation, but
purely because they were worried about losing market share to other
banks through bad publicity!

> Source: I do this for a living (although not at a bank).
>
> DES

So do I, have been in the business I am since 2000, and a lot of what I
do and who for I can't even mention. What I can tell you is I built
SORBS, I still run SORBS and I still work closely with LEOs and Banks
(amongst others) dealing with online security for the company that now
owns SORBS.
This is getting way off-topic though. The topic is about forcing the
use of https over http in the name of 'securing' an inherently insecure
and compromised network, in the name of privacy for a couple of people.
Wrong solution, for the wrong reasons, svn over https is already
available; those people that believe it gives security should use it and
get out of other people's business. If they really want to make an
impact on the perceived problem they should target the malicious actors
and the use of Tor as a pseudo secure platform (i.e. the few that would
use http over Tor for downloading source that don't know the dangers
should probably learn or not use Tor in the first place!)
Regards,
Michelle
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"