It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?
There is a little known code call the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers - but even if your business consists of even one person, you still are treated as a bank.
Sounds exactly right. I’m now pentesting full time in support of bank auditors, and doing a bit of incident reponse. We’re seeing this all of the time–banks claiming that the customer was loose with their login credentials, and so it’s not the bank’s fault. The perfect storm is, with AV only catching ~25% of variants, together w/drive-by download attacks infecting users, many more PCs are infected than we realize. Zeus and other sophisticated bots have killed the effectiveness of any two-factor authentication on infected machines through man-in-the-middle capabilities.
After speaking with all of my financial institutions about this, I have decided to buy a bigger mattress for my business accounts–none of them will accept responsibility for the integrity of my funds.