funsec mailing list archives

Re: ruling: liability for providers who don't act on clients' illegal activities?


From: nick hatch <nicholas.hatch () gmail com>
Date: Tue, 8 Sep 2009 11:23:24 -0700

On Mon, Sep 7, 2009 at 10:37 PM, Nick FitzGerald
<nick () virus-l demon co uk> wrote:

> Rob Thompson wrote:
>
> > This is akin to closing down a freaking bank, because they cashed a
> > fraudulent check.
>
> No -- to stick with your grievously weak analogy, it is much more like
> very heavily (punitively -- get it?) fining a bank and its manager for
> repeatedly cashing fraudulent checks _from one known fraudster_.


As someone who works in the financial industry, I can tell you both that
your analogies are terrible.

For one, no bank would knowingly cash bad checks because the clearing model
for checks leaves the bank holding the bag when the fraud is discovered. When
that check comes back (NSF, as fraudulent, etc.), the bank has the funds
revoked.

Part of the reason that regulations for ACH, check clearing, etc. are so
complicated is because they very specifically define where the liabilities
are in the system for n days after the transaction. So, let's leave check
cashing out of this.

If you want to use a financial analogy, a much better one can be found in
the Banking Secrecy Act. Everyone knows about the Currency Transaction
Reports you see in movies, on TV, etc for transactions which involve $10,000
or more. However, banks are required to make similar filings (called
Suspicious Activity Reports -- or SARs) for transactions involving as little
as a few thousand dollars.

Make several $3k cash deposits in a row? It looks like structuring, and the
bank will likely file a report.

Bring in $8k and fumble a good answer when the "friendly" teller makes
"small talk" and asks where the funds are from? A SAR is on its way to the
treasury on your behalf.

Bring in cash that smells like drugs? Instant SAR.

Bring in $10k and abort the deposit when your teller informs you that you'll
need to file a CTR? You'll get a SAR instead.

... notice the irony that an act called the Banking SECRECY Act requires
this behavior by your bank. As a provider of network services, when was the
last time someone required you to /proactively/ look for signs of criminal
activity by your users? Banks are required to do just that on a daily basis.

-Nick
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
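The filing triggers Nick describes (several sub-threshold cash deposits in a row, a deposit aborted once the CTR requirement comes up) are, in effect, detection rules run over a transaction log. The following is an added example written for this archive page; it is not code from the original thread and not any bank's actual monitoring system. The log format, the seven-day look-back window, the "three or more deposits" count and the account ids are all assumptions made for the illustration, and the sample log is constructed. It shows what the proactive monitoring the post contrasts with network providers looks like when written down as code.

```python
"""Structuring-style detection over a constructed cash-transaction log.

Hypothetical example: the log format, the window, the hit count and the
account ids are assumptions made for this illustration, not real rules.
Only the $10,000 CTR figure comes from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000          # cash amount at which a CTR is required (from the post)
WINDOW = timedelta(days=7)      # look-back window for repeated deposits (assumed)
MIN_HITS = 3                    # how many sub-threshold deposits count as "several" (assumed)

# Constructed sample log: timestamp, account, event, amount (whole dollars).
# CASH_DEPOSIT = completed cash deposit; CASH_DEPOSIT_ABORTED = customer
# walked away after being told a CTR would be filed.
SAMPLE_LOG = """\
2009-09-01T09:15:00 acct-1001 CASH_DEPOSIT 3000
2009-09-02T10:02:00 acct-1001 CASH_DEPOSIT 3000
2009-09-03T11:40:00 acct-1001 CASH_DEPOSIT 3000
2009-09-04T14:05:00 acct-1001 CASH_DEPOSIT 3000
2009-09-01T09:30:00 acct-2002 CASH_DEPOSIT 250
2009-09-05T16:00:00 acct-2002 CASH_DEPOSIT 180
2009-09-06T12:01:00 acct-3003 CASH_DEPOSIT_ABORTED 10000
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, event, amount)
    tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, kind, amount = line.split()
        events.append((datetime.fromisoformat(ts), acct, kind, int(amount)))
    events.sort()
    return events


def detect_structuring(events):
    """Return {account: largest windowed total} for accounts that made MIN_HITS
    or more sub-threshold cash deposits inside WINDOW whose combined amount
    reaches CTR_THRESHOLD -- the "several $3k deposits in a row" pattern."""
    per_acct = defaultdict(list)
    for ts, acct, kind, amount in events:
        if kind == "CASH_DEPOSIT" and amount < CTR_THRESHOLD:
            per_acct[acct].append((ts, amount))

    flagged = {}
    for acct, deposits in per_acct.items():
        start = 0
        # Sliding window over the account's time-ordered deposits.
        for end in range(len(deposits)):
            while deposits[end][0] - deposits[start][0] > WINDOW:
                start += 1
            window = deposits[start:end + 1]
            total = sum(amount for _, amount in window)
            if len(window) >= MIN_HITS and total >= CTR_THRESHOLD:
                flagged[acct] = max(total, flagged.get(acct, 0))
    return flagged


def detect_aborted_ctr(events):
    """Accounts that abandoned a cash deposit at or above CTR_THRESHOLD --
    the "abort the deposit when told you'll need a CTR" pattern."""
    return sorted({acct for _, acct, kind, amount in events
                   if kind == "CASH_DEPOSIT_ABORTED" and amount >= CTR_THRESHOLD})


def suspicious_activity(text):
    """Combine both rules into a list of (account, reason, amount) findings."""
    events = parse_log(text)
    findings = [(acct, "structuring", total)
                for acct, total in sorted(detect_structuring(events).items())]
    findings += [(acct, "aborted_ctr", CTR_THRESHOLD)
                 for acct in detect_aborted_ctr(events)]
    return findings


if __name__ == "__main__":
    for acct, reason, amount in suspicious_activity(SAMPLE_LOG):
        print(f"{acct}: {reason} (${amount:,})")
```

Each finding here would correspond to the bank deciding whether a SAR is warranted; the point of the example is that the rules are cheap, mechanical and run over every customer's activity by default, which is exactly the proactive stance the post says network providers are not held to.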
