funsec mailing list archives
Re: ruling: liability for providers who don't act on clients' illegal activities?
From: nick hatch <nicholas.hatch () gmail com>
Date: Tue, 8 Sep 2009 11:23:24 -0700
On Mon, Sep 7, 2009 at 10:37 PM, Nick FitzGerald <nick () virus-l demon co uk> wrote:

> Rob Thompson wrote:
>> This is akin to closing down a freaking bank, because they cashed a fraudulent check.
>
> No -- to stick with your grievously weak analogy, it is much more like very heavily (punitively -- get it?) fining a bank and its manager for repeatedly cashing fraudulent checks _from one known fraudster_.
As someone who works in the financial industry, I can tell you both that your analogies are terrible. For one, no bank would knowingly cash bad checks because the clearing model for checks leaves the bank holding the bag when the fraud is discovered. When that check comes back (NSF, as fraudulent, etc), the bank has the funds revoked. Part of the reason that regulations for ACH, check clearing, etc are so complicated is because they very specifically define where the liabilities are in the system for n days after the transaction. So, let's leave check cashing out of this.

If you want to use a financial analogy, a much better one can be found in the Banking Secrecy Act. Everyone knows about the Currency Transaction Reports you see in movies, on TV, etc for transactions which involve $10,000 or more. However, banks are required to make similar filings (called Suspicious Activity Reports -- or SARs) for transactions involving as little as a few thousand dollars.

Make several $3k cash deposits in a row? It looks like structuring, and the bank will likely file a report. Bring in $8k and fumble a good answer when the "friendly" teller makes "small talk" and asks where the funds are from? A SAR is on its way to the treasury on your behalf. Bring in cash that smells like drugs? Instant SAR. Bring in $10k and abort the deposit when your teller informs you that you'll need to file a CTR? You'll get a SAR instead.

... notice the irony that an act called the Banking SECRECY Act requires this behavior by your bank.

As a provider of network services, when was the last time someone required you to /proactively/ look for signs of criminal activity by your users? Banks are required to do just that on a daily basis.

-Nick
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.