Florian Weimer
Sat, 05 Jul 2008 10:19:34 -0700
* Stephan Neuhaus:

> This article: http://www.spiegel.de/wirtschaft/0,1518,563606,00.html
> (sorry, German only) describes a judgment made by a German district
> court which says that banks are liable for damages due to phishing
> attacks.

"District court" may be a bit misleading; it's the entry-level court for this particular type of dispute, at the lowest place in the hierarchy.

> In the case in question, a customer was the victim of a
> keylogger even though he had the latest anti-virus software installed,

The "latest" part is not clear. I'm also puzzled that forensics could not recover the actual malware. (A keylogger alone is not quite good enough--you need to disrupt transmission of the one-time password to the bank's server if you want to use the password later on. OTOH, the disruption component does not necessarily appear in AV descriptions.)

> and lost 4000 Euro. The court ruled that the bank was liable because
> the remittance in question had demonstrably not been made by the
> customer and therefore the bank had to take the risk.

Well, the open question is not whether the bank has to take the risk (after all, the transaction has been successfully disputed, even before the case went to court), but whether the customer was negligent and needs to share some of the damage.

For instance, if a computer takes 15 minutes to boot, constantly displays pop-up ads, and sporadically shows error messages during browsing, I would hope that it's reasonable to assume that the machine is not safe for on-line banking--no matter what the anti-virus says about the state of the machine.

---------------------------------------------------------------------
The Cryptography Mailing List