Oklahoma pension fund reports $4.2 million cyber theft

[jcgriff2]

This story is from 2 years ago - 2019, but I just came upon it today -- and a solution to prevent these types of cybercrimes seems to be no closer today than two years ago.

The office of the Oklahoma Law Enforcement Retirement System is pictured Friday, Sept. 6, 2019, in Oklahoma City. Officials with the pension system for retired Oklahoma Highway Patrol troopers and other state law enforcement officers say the FBI is investigating after computer hackers stole $4.2 million in funds. (AP Photo/Sue Ogrocki)


OKLAHOMA CITY (AP) — The FBI is investigating after computer hackers managed to steal about $4.2 million in funds from a pension system for retired Oklahoma Highway Patrol troopers and other state law enforcement officers, state officials said Friday.
A notice posted on the Oklahoma Law Enforcement Retirement System website said the agency notified the FBI and couldn’t comment further on details of the breach.

“However, we are certain the stolen funds will be recovered,” the post said. “Most importantly, no pension benefits to members or beneficiaries have been impacted or put at risk.”

Duane Michael, the executive director of pension system, told The Oklahoman newspaper that the theft happened Aug. 26 after an employee’s email account was hacked. He said the funds were being managed by an outside investment manager on behalf of the pension system and that the agency was able to recover about $477,000 of the stolen funds.

More in link....

Oklahoma pension fund reports $4.2 million cyber theft

​

“However, we are certain the stolen funds will be recovered,” the post said. “Most importantly, no pension benefits to members or beneficiaries have been impacted or put at risk.”

I have no idea how he can say that with such certainty, given the $4.2 MM theft. Nothing is absolute or guaranteed. Perhaps he was referring to an insurance policy, but it does not sound like it.

The United States has at least 17 (yes - seventeen) known [by the public] intelligence agencies, like the CIA, NSA, DIA, etc.... in addition to who knows how many other covert intel agencies that also likely exist. We also have thousands of Federal, State, County, and Local law enforcement agencies that could contribute to an effort to curtail these types of thefts.

I do not understand why the most powerful, richest, and most technologically advanced country in the world cannot stop cyber theft, ransomware, and whatever other computer-related crimes go on involving both government and public (owned by entities like states, pension funds, etc... -- not people's private computers) systems.

The "Five Eyes" countries, as well as NATO, and insurance companies that cover this type of theft, if any, should be working on this intolerable criminal problem together to solve it. I would also suggest the UN, but as we know, some member nations of the UN are alleged to be involved in state-sponsored terrorism, making it likely that some may be involved (aiding) in these scams.

In reality, I think that the best and brightest minds in various walks of life residing in all Western countries [trusted] should form a huge task force, figure out a "fix", which would likely involve many more systems than just the actual breached system from which the funds were stolen/transferred from, then use some form of current or yet-to-be-invented super-encryption system/software to help assure that the source code put in place to patch the various systems involved cannot be deciphered, then distribute the fix(es) at no cost to those countries who cannot afford it.

I have read hundreds+ of articles about this type of scam/theft over many, many years now that has directly caused the absolute demise of thousands [many more, really] of public entities, private US businesses, and personal financial accounts of all sizes in most every single country of the world.

I guess that the only countries that are immune to all of this rampant theft would be those countries that keep all money/negotiable instruments/assets in-house (in-country) and are not connected to the Internet, like North Korea. Obviously, North Korea has an Internet connection as they seem to be regularly accused of perpetrating these financial cybercrimes on other countries, but what I've read tends to indicate that their Internet connection is severely restricted, perhaps limited to one or a handful of computers in a single secret location. I doubt highly that Internet hacking is a crime regularly encountered by the police authorities in North Korea. Maybe INTRA-net hacking is prevalent; no idea, really.

Anyway, existing security needs to be enhanced in addition to new procedures put in place to protect these accounts.

 

[Digerati]

I do not understand why the most powerful, richest, and most technologically advanced country in the world cannot stop cyber theft, ransomware, and whatever other computer-related crimes go on involving both government and public (owned by entities like states, pension funds, etc... -- not people's private computers) systems.

I do.

It is due to complacency, negligence, lack of training, no sense of urgency, bumbling responses, and perhaps most importantly, a total lack of accountability.

It needs to start with training and discipline. The best security in the world is worthless and easily thwarted and/or bypassed if the user simply opens the door and invites the bad guy in. So users need to be trained to recognize, or at least be very wary of and disciplined enough to avoid being "click-happy" on unsolicited links.

IT and security managers are failing to properly train company employees. It is NOT a "one and done" training process - but a constant, recurring, repeating training process that must be passed on to each and every employee over and over again, ad nauseum. Then next year, or maybe every 6 months or even every quarter, start over and do it again. And then again.

IT and security managers and C-Level execs must not be lazy, negligent and complacent. They must constantly be vigilant and of critical importance, apply security updates as soon as they become available. They must not procrastinate. And they must also have contingency plans for all possible scenarios in place, and know how to use. IT Managers and C-Level execs are failing across the board in these areas.

And finally, and most importantly, those IT and security managers must be held accountable - to include being held accountable for criminal negligence - when they fail to do their jobs.

I keep going back the massive Equifax breach because (1) it perfectly illustrates the problem, and disgustingly, (2) nothing has changed since!

If you look at almost all the big hacks, almost every single one could have been prevented. But those responsible did not even do what they could have or should have done with the budgets and resources they had at their disposal. Put simply, they failed to do their jobs!

In the massive Equifax breach,

...attackers exfiltrated hundreds of millions of customer records from the credit reporting agency.

It potentially affected 143 million people — more than 40 percent of the population of the United States — whose names, addresses, dates of birth, Social Security numbers, and drivers' licenses numbers were exposed. A small subset of the records — on the order of about 200,000 — also included credit card numbers

Note the report points out, among other problems, there was,

"...lax security",​

"...bumbling response" to the breach,​

"...top executives...corruption".​

So how did it happen?

The bad guys exploited an already known vulnerability! How? Because the IT and security managers responsible failed to apply the available patch. The program developers had previously identified, developed and distributed to Equifax, the critical update to fix and secure that vulnerability - months prior to the breach! They had the "critical" patch for months!!! But sat on it.

Also, all that compromised personal information was stored on the Equifax servers in the clear! It was not encrypted. Why not? Because those in charge, the IT and security, managers and the C-Level execs were too damn lazy, negligent and complacent to do their jobs!

And the Equifax breach is NOT a one-off anecdotal example. Again, if you look into other hacks, you will easily see that most were NOT due to bad buys exploiting "zero-day" vulnerabilities. No! They exploited "known" vulnerabilities that had patches already available to those responsible, but were never applied.

And was anyone held accountable for their negligence? NO!! Not one person! The only person who got into any legal trouble was one executive officer who spent a few days in jail for "insider trading". He hastily sold off his Equifax stocks before the prices tanked after learning about the breach a few days before it was publicly announced.

That lack of accountability with the Equifax breach (and countless other breaches) tells other C-Level execs, IT and security managers that they don't have to worry about security. This is because no one will be held accountable if they fail - even through total negligence - to secure our personal information.

So you ask why? It is because those responsible for security are never held accountable, so they have no incentive to give a sh!t!

 

[andrewlen]

I've always hated scammers of any type and am annoyed beyond description when innocent (particularly elderly) people are scammed and told they have no recourse because it was 'their own fault', their money is gone and there's nothing that can be done about it. In a world of traceable electronic transactions, I content and maintain that's a total lie and is an immeasurable copout on behalf of those that can do something about it every single time it happens.

Point in case, After reaching out to, and speaking with the victim myself, I published this rant about a case here in Australia because what happened to him, and the response he got from his bank got my blood boiling to the point where my blood pressure went up. Scammed? How good is your bank when you need their help the most? The Bank involved was Westpac, but I consider all financial institutions worldwide to be no better than each other, treating their clients with contempt and only willing to act and help their customers when faced with publicity that could be damaging to them through losing huge amounts of money invested by regular folks who might jump ship to somewhere else, secure in the knowledge that taking any legal action against them is unaffordable by the vast majority of their customers.

I've been fighting scammers in my own little ways for many years, which I admit, has probably had little effect, but it serves to make me feel better and I wish more people would do that same. Scammers are the lowest of the low when it comes to theft of money in my opinion, and they don't care who they target. I'd like to put them all up in front of a shooting squad and I'd be the first to pull the trigger on each and every one of them!

A well-read article I published far and wide on that topic to try and raise awareness is this one: Scamming the Scammers: Turning the tables. My article was even picked up by a reporter from a local newspaper that was active in my local community at the time. I got positive feedback from dozens of people for that article but I'm doubtful it stayed in their minds for longer than a day or two if that. It seems that until it happens to them personally, scamming is not really a problem that's worth devoting any serious time to make it worth fighting. Sigh.

 

[Wrench97]

So it's been 2 years have they recovered the money?..........................

 

[andrewlen]

So it's been 2 years have they recovered the money?..........................

Yes, it took a few months, but happily, Michael advised me that he eventually had the money replaced in his account. But I credit the Media's involvement for that result, certainly not Westpac's efforts!

Whether or not Westpac traced the scammer that stole this poor guy's lives savings, or just decided to wear to the cost themselves to avoid further bad publicity, I was never able to confirm. I later contacted Westpac for comment, citing my independent journalist membership and union number, but got no response, neither by phone nor even a general statement by email. During my call to them, they just cited "Privacy" as the reason why they couldn't reveal how they were able to refund his stolen funds to me. Bloody liars in my opinion and as I am freelance and didn't represent any main source media corporation, probably didn't think it worth the effort to respond to me anyway!

 

[Digerati]

In a world of traceable electronic transactions, I content and maintain that's a total lie and is an immeasurable copout on behalf of those that can do something about it every single time it happens.

Really? This is an incredibly naïve comment. That is NOT meant as a criticism, just a simple observation.

First, I 100% agree with your sentiment. I too hate scammers and crooks who prey on the innocent. Especially those who prey on the downtrodden - like disaster victims or the elderly who are barely scraping by and depend on their savings.

But several of your facts are simply wrong. Not all electronic transactions are traceable "end to end" - especially across international borders. "Point to point", maybe, but not "end to end".

You state in your EE article that all (your bold) electronic transactions are possible to reverse. That simply is not true either. That would be like saying all sent emails can be pulled back. Nope!

Banks are able reverse transactions ONLY if the receiving end cooperates. Inside the US and most likely inside most other countries, that is easy because there are laws that say it is illegal to keep funds you received when you know for a fact you are not entitled to them. For international transactions, it may be possible in some cases, "IF" there are already agreements in place between the two countries to provide mutual cooperation.

But if the funds are transferred to another country where no such mutual agreement exists, good luck getting the money back. Or, if the receiving end has already transferred those those funds to another party, or if the bad guy already pulled those funds from the receiving end, the originating bank can't reverse that transaction. And for sure, the bad guys tend to withdraw those funds quickly just for that reason - then they leave town and set-up shop elsewhere.

And sadly, as with most bank scams like that, that bank likely was right! It most likely was that senior citizen's fault. The bank was not hacked. The pensioner gave the bad guys his account information. Yeah, he was tricked into giving the bad guys that information - and that is truly sad and unfortunate. But that was not the bank's fault, or their responsibility to compensate that pensioner for his losses.

Now I personally believe banks are evil and should be highly regulated, non-profit organizations. But that's for a different discussion. Banks are businesses and I believe in commerce and capitalism too. That means I don't believe a business is responsible to compensate a customer who suffers damages brought on by the customer, through no fault of the business.

If the bank was hacked, that would be different. If the loss was due to deceptive practices by the bank, that would be different. If the senior citizen walked into the bank to empty his savings while a guy in a ski mask was sticking something into the customer's back, and the teller did nothing, that would be different too. But that's not what happened here.

 

[fireweed]

Government and regulators need to do more to deal with these kinds of things in the aftermath. Too often the company is not held accountable or punished properly for the loss of money or customer data. In the ideal world there would be legislation to outline the steps companies must do after an incident and the responsibilities a company/agency has to protect data or money, as well as proper penalties or punishments for not following that (i know that sort of legislation does exist in some places.). the FTC can fine a company but is that really enough? Equifax was fined 700M yes, but it has a revenue of several billion! And the people effected by the equifax breach could face issues for the rest of their lives.
Equifax should have been broken up and the worst offenders at the company jailed, in my opinion. (Though that does sound similar to what China does, minus the executions)

To me it feels similar to how little drug manufacturers get punished for causing someone's death. What is the true cost of a life, or your personal data?

Who knows, but currently Canada and the USA I don't feel like the people in charge care enough about these issues. And we all know that government can be the worst offenders for having terrible IT security.

 

[Digerati]

Government and regulators need to do more to deal with these kinds of things in the aftermath.

Yeah, well, sadly, and why I don't know, but protecting private citizens from wrong doings is a hot-button political issue with one side of the aisle opposed to any regulations on the banking industry, despite history showing us over and over again that they are incapable of regulating themselves. But as noted above, that is for a different discussion.

 

[jcgriff2]

It needs to start with training and discipline. The best security in the world is worthless and easily thwarted and/or bypassed if the user simply opens the door and invites the bad guy in. So users need to be trained to recognize, or at least be very wary of and disciplined enough to avoid being "click-happy" on unsolicited links.

True... Like the DNC chairman in 2016 who used "password" as his actual password and got hacked; his emails ended up on Wiki-leaks.

And finally, and most importantly, those IT and security managers must be held accountable - to include being held accountable for criminal negligence - when they fail to do their jobs.

I am not big on criminal liability. If criminal charges are brought for a mistake or even negligence, it opens up the door for criminal charges in other industries - like the airline industry. Only in extremely very rare cases of passenger "heavy" jet crashes that I'm familiar with would I want to see the pilots, co-pilots, flight engineers (if these 3 survive a crash), Air Traffic Control, etc... prosecuted criminally and imprisoned post-crash like Argentina and some other countries do.

However, if one in such a position has lied on their job application, makes false or misleading statements - then yes.

The bad guys exploited an already known vulnerability! How? Because the IT and security managers responsible failed to apply the available patch. The program developers had previously identified, developed and distributed to Equifax, the critical update to fix and secure that vulnerability - months prior to the breach! They had the "critical" patch for months!!! But sat on it.

Even this I would not want to see people going to prison for years. The problem in private corporations is that all serve at the pleasure of the Board of Directors who very well could have piled work on them thus leaving no time for implementing the patch. It happened at E. I. DuPont de Nemours & Co., and Hertz Rent-A-Car all the time.

Imagine getting a sales/use tax increase letter from New Jersey stating effective the 1st of next month, the tax rate is increasing from 6% to 7% and tax division holds on to it because of instructions from a VP and member of the board, never passing/informing tax systems division of it to change it in the then hard-coded system code. Tax continues to be collected at 6%. Whose fault is it?

Mine, of course! I was the head of both tax law and tax systems divisions. But I'm not going to prison over this BS!! So, adjustments were made and 'we'll worry about the audits later, if ever'.

Government and regulators need to do more to deal with these kinds of things in the aftermath.

I would change that to "BEFORE the aftermath" at the end!

Prevention is what is needed, IMHO.

Yeah, well, sadly, and why I don't know, but protecting private citizens from wrong doings is a hot-button political issue with one side of the aisle opposed to any regulations on the banking industry, despite history showing us over and over again that they are incapable of regulating themselves. But as noted above, that is for a different discussion.

[Save yourself an hour of drama and skip to the next one! ).... OR. . . .
Banks need some regulations.

Remember the days in the 1980s where banks were "state" and not "federal"? You COULD NOT use you new ATM CARD (introduced in mid-late 1970s...?) that you got in one state in another state -- even if the bank name was the same.

I worked for E. I. DuPont during the early-mid-1980s on "co-op" (a 6-month work/study program instituted by Drexel University, Philadelphia, Pennsylvania) 3x.

I had bank accounts with Girard Bank, PHL, later bought by Mellon Bank (you can look up where they were & now after 100 mergers! - now they are "Bank of New York Mellon). Mellon had banks all over in many states. For me - New Jersey, Pennsylvania, Delaware. I had accounts in each state at Mellon.

DuPont did not offer us lowly co-ops direct deposit in 1982/3/4. So, back then, if I deposited my MONTHLY DuPont payroll check drawn on WSFS (Wilmington Saving Fund Society) or Bank of Delaware -- both in Wilmington, Delaware, into my Mellon PA account, it would take 5-7 business days to clear (usually 10 full days). For argument purposes, assume the payroll check amount was $8,000 NET payroll for the MONTH. Getting paid while in college working 40+ hours per week (and commuting 60 miles round-trip per day - with gas nearly at $2.00/gallon), rent, etc... no way could I wait until the 10th of the month to start paying bills BY CHECK and MAILING them. I'd be late every month on most items. (I know.... save up a month, then you'll never be behind! - IMPOSSIBLE!)

So... I would go into Mellon Bank, Wilmington, DE, and with the utmost drama by bank officials EVERY SINGLE MONTH telling me that Mellon Bank, DE, is not the same bank - or even affiliated with (BS, BS, BS), Mellon Bank, PA., they would eventually always cash the check "this time only", but they ended up doing so for all 18 total months over 3 years that I worked for DuPont as a co-op, then full-time after graduating Drexel University and attending

I would then take the $8,000, drive up north on I-95 (today, I'd be stopped on I-95 and police would seize the cash under CAF - Civil Asset Forfeiture!), get off local exits and make my way home, stopping at Mellon Bank, PA, and (please don't scream and curse at me as I cannot believe that I was ever this stupid and naive either!) deposit the $8,000 in hundred dollar bills into the ATM.

Does anyone care to guess what happened to the $8,000 cash one of those times?

A few weeks later, I got a bill from my checking account credit line saying that I owed about $7,500 on the credit line. I called Mellon PA's automated bank number and found that my checking account had $8.37 balance.

I went to Mellon PA the next morning with my ATM and deposit slip receipt and asked for a bank statement and/or a 30-day daily transaction report. My $8,000 cash deposit was nowhere to be found, of course.

The bank manager said there was no way for them to know whether I did the ATM transactions for an $8,000 cash deposit and/or whether there was anything in the sealed envelope containing the cash and the ATM receipt#1 was placed into the ATM or if I just placed an empty envelope into the ATM.

The bank manager and the lady then stood there over me smiling. I asked to use the phone; they said they were busy.

I went outside to my car, which contained a pre-cell, hard-wired actual mobile phone and I called the police. My grandparents had lived in this town (grandmother still alive) since 1939 and she knew all of the cops. I knew most of them from my car detailing business that I did on the side. (I drove the police's personal vehicles and marked police units to my grandmother's house to work on them). They came to the bank right away.

The bank manager was NOT pleased at all saying that "WE could have amicably worked this out, officer". I think not. Police called in fraud detectives and upon their arrival, they demanded all of my Mellon bank records going back to the opening of the accounts in 1979, ATM video - external and internal (where the armored car guards processed cash in a small room), the names and personnel files of all armored car guards and anyone else that would have handled money from that particular ATM as well as anyone else that had access to the ATM in any way, cops dusted the ATM for fingerprints after putting up the neon-yellow crime scene tape, and just about anything else you can think of. I had called DuPont telling them I'd be ~2 hours late, but now - probably 4 or 5 hours late.

They took us all, including bank tellers who were in the bank the day after I made the deposit (which was around 11-midnight) to the police station in separate cars and seated a few of us in those tiny rooms with video and audio and 1-by-1 took our statements. They took me back to the bank (ATM drive-through) to do a re-enactment with a blank envelope that they marked beforehand.

By 2 pm, the police were done with me and the Chief of Police himself drove me the 1-2 miles back to the bank simply saying not to worry, that if in fact, I did deposit $8,000 in cash, they will get to the bottom of this matter quickly. He went on to ask me about my grandmother, work, and school.

A full week goes by; I get a call from the police asking me if I can come in at 9 am the next day. I had to clear it with DuPont first; DuPont said OK; I told police "see you at 9 am at police station".

9 am - police building is rather crowded. They took us in a conference room and pointed out seats for me and the bank people across from me. There were piles of 8.5x11 pics, very large sheets of paper with diagrams, etc...

A police Colonel or Major (??) began. They showed us/put up on the board -
- pic of me in Mellon bank, DE, cashing the check
- pic of Mellon bank DE teller handing me the envelope w/money
- pic of teller verification that the check and cash were both for $8,000
- pic of the back and front of the canceled DuPont payroll check clearly showing the amount and the date cashed
- still pic from a video showing me/my car entering I-95 North at ? time
- still pic from a video showing me exiting I-95 onto surface streets (I went back to look for this camera - could never find it!)
- the last 2 pics had timestamps on them showing, based on time and mileage, that I made no stops or detours
- a few more still pics w/timestamps of me in car
- pics from ATM at the drive-through Mellon-PA bank
--- police created a summary sheet showing distance from Bank in PA to DuPont in DE
- police actually did several drives at the same time I did to obtain an average drive time using the same roads that I did (there are at least 4 or 5 different I-95 exits you can take and snake your way through many different surface streets at that time. Today, I-476 cuts all of that out and I-476 runs from I-95 to an exit within 1-2 miles of my grandmother's old home. I-476 was held up for ~40 years due to birds or turtles or something like that. A FED judge one day said "ENOUGH... BUILD IT".

- Anyway, my arrival time at ATM was within the average drive-time from my Delaware office to the Bank ATM drive through; no stops or detours anywhere

- pics at/from ATM along with transaction info from the ATM show me in my car obtaining the 1st ATM receipt after I punched in 8000.00 into the keypad
- pics show a large amount of cash and a bulging envelope (could see "100" partially on a few bills)
- pics show me placing ATM receipt #1 into envelope; licking it shut
- ATM pics continue to show me with a sealed bulging envelope placing it into the ATM
- ATM transactions show receipt of the envelope and [internal bank docs] show the weight of the envelope (I never knew banks did this)
- the weight of my envelope was consistent with the weight of an envelope + 80 $100 bills + ATM deposit receipt (this was done by the FBI the records showed)
- the handwritten ATM log -- 2 employees there, 1 writes down "empty envelope with $8,000 deposit ATM receipt"

Well.... wouldn't you think that whoever was the supervisor or manager at the bank in that township or in Philadelphia where all of this ended up at would have called or written to me saying "you attempted to deposit $8,000, but the cash or negotiable instrument(s) were missing"?? Or something like that??

I mean how often does that happen? We're now going on around 3+ weeks since deposit.

Other bank records/reports from the bank ATM employees said "24 envelopes expected; only 23 found" - or similar.

So which was it? The bank people were still adamant at this point that I had committed fraud and demanded the police to arrest me because they were pressing charges. The top-cop was like "hold on a second". Which part did you not understand here? We went back to January 1982. Mr. Griffith leaves work in Delaware around 5 pm as he goes to a second job at 6:30 pm. He 'overshoots' that 2nd job by 6.8 miles on the last working day of the month, which is pay-day at DuPont. Other nights, he goes directly to that 2nd job's store, but not on these nights -

- they put up a list of 1982,3, [maybe]1984 which shows the date and time of my cash ATM deposits. ALL are within 10-15 minutes of each other and all are on DuPont payroll day.
- Bank then says "sue us then" looking at me
- the Chief of Police gets up and says to the bank people "you're here this morning as representatives of the bank?"
- bank mgr - "I am the branch manager of [***] location
bank - other - I am the (??) manager and report to Mr. *** [bank mgr]
- Chief: "So you are then acting as officers of the bank?"
- bank mgr - "Yes"
- Chief - reads off their names, hands them arrest warrants; "you are under arrest"
- bank "FOR WHAT?"
Chief - "Fraud to start with. This young man works hard for his money to pay for school, etc... We have extensively investigated him/background. Every month he goes through this routine with your bank in Wilmington, Delaware, who tell him every single month that they are not affiliated with you, which I can prove otherwise and they always initially refuse to cash his payroll check. We've talked to everyone at Mellon Wilmington DE branch."

It went on and on with the bank people calling their bosses who authorized the return of my money.
They asked "how do you want it [the cash]"
I said to deposit it in my checking account, pay off the credit line after deleting all of the interest (prime rate was 20-22% then remember); then I should have a p[positive balance in the account.

The next month - I deposited the DuPont check into my PA account. It took 11 days to clear, which is awful.
I borrowed $$ from my grandmother and promptly paid her off when my check cleared.

DO NOT EVER DEPOSIT CASH INTO AN ATM!!

First, I 100% agree with your sentiment. I too hate scammers and crooks who prey on the innocent. Especially those who prey on the downtrodden - like disaster victims or the elderly who are barely scraping by and depend on their savings.

I honestly do not understand at all how anyone can fall for some of these scams.

When I was in Palm Springs, CA, in 2007 at my step-dad & mom's house, the phone rang at 2 am one night. It was my step-sister a few towns over. She's all excited, can hardly talk, but does manage to say "get my dad, there are guys with guns here".

So, I knock on the master BR door, my step-dad opens it, I said "V**** [his daughter] is on the phone (he immediately starts to slowly close the door....) and she said there are guys with guns......"

My step-dad said "wonderful, John. This sh** goes on every night with her and the b******** she's married to. Tell her to call the police. That will shut her up."

So, I do - and it did [shut her up]

She said "OK, tell him I'll be by tomorrow".

I do not know her voice as I only met her 2 or 3 times in 25 years. I wondered if it was a scam or not. She came by the next day though.

John

 

[Digerati]

I am not big on criminal liability. If criminal charges are brought for a mistake or even negligence,

Humans make mistakes. Mistakes happen. I am not suggesting criminal liability for mistakes. Negligence, however, is a different manner - especially when innocent people suffer damage from it.

In law, negligence is "a failure to use reasonable care, resulting in damage or injury to another."

Of course, that leads to the question, what is "reasonable"? That's for a jury to decide on a case by case (literally) basis. And I'm okay with that. The definition should not be absolute.

In the Equifax breach, there was clear negligence. In fact, it was a totally different and more serious level of negligence - "willful" negligence. Those IT managers didn't put off applying that critical patch they received Friday afternoon until the following Monday. No! They put it off for months! In fact, indefinitely and made no attempt to apply until after the breach occurred. It was their job to apply critical patches in a timely manner and they made a conscious decision not to apply it! And millions of people suffered, in some cases, irreparable damages from it.

They knew about the patch. They had the patch in their possession. They knew of its importance. They had ample time and opportunity to apply it. Everyone was fully trained and aware of their responsibilities. But they didn't care! And instead, they made the willful decision not to do their jobs. And people got hurt. Absolutely criminal liability applies.

In aircraft maintenance, FOD control is of critical importance. If a mechanic leaves a wrench inside an engine, if lucky, only the $million engine will be destroyed. If not so lucky, people will die. For this reason, two-person maintenance crews are used and at the end of every job, each person is responsible for inventorying and accounting for each and every tool (and nut and bolt too). If the mechanic and his or her partner are rushing to get to Happy Hour at their local watering hole and decide to skip the required inventory, and someone gets hurt, absolutely criminal liability applies. They knew their jobs. They were fully trained and qualified. But they made the willful decision not to do their jobs.

***

I suspect most of us have horror stories dealing with "out of state" banks back in the day. I even remember many stores refusing to accept non-local, as in "out-of-town" checks - even when in the same state.

Try living in a different country! I was an American living in the UK. I got paid in US dollars but my bills, for example to BT (British Telephone) had to be paid in British Pounds. I had a Barclays MasterCard from my Barclays banks account, and another credit card from the Pentagon Federal Credit Union where my direct deposit pay check went - in US dollars.

Not only that, the address for PFCU was in Alexandria, VA. But, my address, as printed on the checks, was a PO Box in APO, New York. Lots of places refused to take checks with PO boxes as the address. And try finding APO (or FPO) on a map! Dealing with all that, and currency exchange rates - which change daily - was a genuine PITA.

Try living in another country where they speak a different language!

Side note: I also remember back in the day I had my full name, DOB, address, work and home phone numbers and my SSN printed on my blank checks - just so I didn't have to write them in at the check out counters. Times have changed a little bit since!

I honestly do not understand at all how anyone can fall for some of these scams.

I find it very puzzling too because many of these victims are highly educated, intelligent people. But then, so are many of the silver-tongued bad guys. I guess that's why they are "con" artist - where con is short for confidence.

 

[andrewlen]

Really? This is an incredibly naïve comment. That is NOT meant as a criticism, just a simple observation.

First, I 100% agree with your sentiment. I too hate scammers and crooks who prey on the innocent. Especially those who prey on the downtrodden - like disaster victims or the elderly who are barely scraping by and depend on their savings.

But several of your facts are simply wrong. Not all electronic transactions are traceable "end to end" - especially across international borders. "Point to point", maybe, but not "end to end".

I've had a think about this and still don't agree with you.

Please explain a scenario where a transaction that has not yet been withdrawn into cash can't be traced "end to end" and reversed.

Even if 1,000 transfers are made to different financial institutions all over the world, then someone, somewhere, must end up with those funds. Once they do, you have your culprit that can be prosecuted to the full extent of the law. So for what reason do you think electronic transactions are not traceable? As the saying goes, just follow the money trail.

Once a transaction turns into "cash" then no, it's no longer electronically "reversible". But while it still exists in electronic format, then of course it can be reversed. It just takes financial institutions co-operating with one another. That's why I also said in my article that "at the very least 50% of scammed fund transfers should be able to be easily reversed and recovered."

No money should be transferred to any financial institution that does not keep a record of where a transfer came from, and where it went. If they fail to do so or fail to co-operate with their counterparts to reverse fraudulent transactions, then they should become liable for the lost funds.

Also, though I've not researched it, I feel quite sure that when "Clare Wainwright [found] herself $24.5 million richer and her mortgage paid off", all it took was a couple of phone calls from the Bank Manager at the St George Bank (that wrongly transferred the funds), to the Bank Manager at the National Australia Bank who received the funds, in order to have the error corrected.

Why are such efforts not made for Bank customers? An entire department could be created for that specific purpose, giving everyday Banking customers an out if they can show they've been scammed out of their funds. It would no doubt cost a lot to finance such protection, but that would just mean a smaller profit margin having to be reported to the shareholders each year.

The point I'm making is that Banks almost always say that electronic transactions are not reversible (or recoverable if you're more comfortable with that word). I still maintain that until those funds are withdrawn into cold hard cash and spent, then that's just a cop-out statement made by Banks and other Financial institutions alike that the vast majority of consumers have been fed and subsequently swallowed. I still say it's a fallacy.

You state in your EE article that all (your bold) electronic transactions are possible to reverse. That simply is not true either. That would be like saying all sent emails can be pulled back. Nope!

I think that's a poor attempt at an analogy. You can't compare emails to electronic financial transactions. The mechanisms are completely different and transferring email is in no way regulated.

You could also compare it to sending a correctly addressed letter via snail mail and having it delivered to the wrong address at the other end. In such a case, the Postal Service can be held accountable and liable for damages.

As for the rest of your reply, I think we're both on the same page, with the proviso that if suitable agreements between international bordered Banks can't be reached, then (your, my, his, her) Bank should not transfer to such an institution.

Best, Andrew