Boston.com
UPGRADE

Who's at fault in an online stickup?

Thanks to the Internet, millions of us use personal computers as a branch office of the local bank. So who's to blame when there's a stickup?

A businessman in Florida says Bank of America is at fault, after his company lost more than $90,000 in an electronic scam. No way, replies Bank of America. A suit has been filed and unless it's settled early, a Florida court will probably decide the matter. One rather hopes it goes all the way, because the case raises issues that are worth resolving.

It all started last April when Joe Lopez, manager of Ahlo Inc., a computer supply business in Miami, logged onto Bank of America's online portal to check his company's accounts. Lopez was astonished to see a wire transfer order to send $90,000 of his money to a bank in Riga, Latvia. He phoned the bank and urged them to prevent the transfer, but too late. The money was gone. The Latvian bank froze the account, but not before the thieves had withdrawn about $20,000.

Lopez demanded a refund from Bank of America, saying the bank should never have allowed the transfer. Bank of America officials replied that they weren't at fault; all proper safeguards were in place, and whoever had taken the money had somehow used the right passwords and procedures. The Latvian bank won't free up the other $70,000 while the matter remains unresolved.

The US Secret Service, in addition to guarding the president, is responsible for investigating computer fraud. Agents examined Ahlo's computer and found it infected with Coreflood, a "Trojan horse" computer virus that installs a "back door" in any infected machine. This lets a bad guy get in and do pretty much whatever he likes. Collecting passwords, for instance.

According to Lopez's attorney, Ralph Patino, all of this is Bank of America's fault.

"They should have notified my client that there was such a virus out there in the first place," Patino said. "It's like, you put your money in the bank and the banker knows somebody else has the key to the bank, but doesn't tell you about it."

Patino notes that in late July 2004, three months after the Lopez rip-off, Bank of America sent its customers a letter urging them to tighten up their computer security practices.

"Had we received this letter prior to the incident obviously we would have complied," Patino said.

How? By using antivirus software as the bank suggested? Patino said his client already did so. That means Lopez already knew enough to take this elementary precaution, regardless of any warning from the bank. But if Ahlo used an antivirus program, it's hard to see how his machine got infected. The offending virus, Coreflood, was first reported in 2002. Almost immediately, standard antivirus programs like Norton AntiVirus were configured to detect it, with ease. Of course, antivirus programs are no good unless you use them regularly, and keep them updated. Did his client do so? Perhaps, but millions of PC users rarely think about it.

Besides, Bank of America spokeswoman Shirley Norton says that the July letter wasn't the first time customers were warned to secure their computers.

"At the time he set up the account he was given all the information he would need," Norton said. "It is the customer's responsibility to make sure that he or she has the appropriate safeguards on their end."

Lopez has other arguments on his side. He claims, for instance, that the bank blew him off at first, not even trying to halt the money transfer until the next day. If true, that sounds like negligence. And one might have expected someone in the bank to question the transaction. Latvia's in Eastern Europe, a region notorious for Internet scam artists, and Ahlo had never before done business there. Credit card companies routinely call their customers to ask about unusual purchases that might indicate fraud. Why didn't someone at Bank of America do a double-check on this transfer?

These arguments might sway a Florida jury. But it's hard to quarrel with Bank of America's assessment that it's not responsible for the infection that brought Lopez to grief. It was his company's computer, not the bank's, that proved insecure, which makes it the customer's problem. A court ruling affirming this would at least have the benefit of showing the public that when it comes to personal computer security, we're on our own.

That means installing antivirus software, updating it daily, and running it just as often. It means setting up a decent firewall, not the toy version that comes with Microsoft Corp.'s Windows XP, but a full-featured program that can identify programs trying to transmit your data over the Internet. For some consumers, it means getting a Net account with a company that provides these services for free, as AOL has begun doing. And it means protecting all of your vital online banking and credit card data behind clunky, confusing passwords that are hard to guess -- and then changing those passwords once or twice every year.

You probably don't do all of these things; hardly anyone does. And chances are that even after reading Mr. Lopez's tale of woe, you'll persist in your laxity. At least you won't be able to sue the Globe. We've warned you.

Hiawatha Bray can be reached at bray@globe.com. 

© Copyright 2006 The New York Times Company