Discussion
In neither case is the builder negligent unless what happens is reasonably foreseeable. If the builder has no reason to foresee that the person who borrows the van is a crook, why is the builder at fault?
You also miss the point that negligence liability for economic loss is quite strictly limited by the case law. Thus it is very doubtful that there is even a duty of care, let alone a breach thereof. You could try an implied contractual term, but would fail on the Moorcock test, and in any event on the facts as described above.
Others who may have IT expertise (not sure) suggest that the builder is not to blame for the tech security breach. Can a builder be expected to have Pentagon level e-defences?
You also miss the point that negligence liability for economic loss is quite strictly limited by the case law. Thus it is very doubtful that there is even a duty of care, let alone a breach thereof. You could try an implied contractual term, but would fail on the Moorcock test, and in any event on the facts as described above.
Others who may have IT expertise (not sure) suggest that the builder is not to blame for the tech security breach. Can a builder be expected to have Pentagon level e-defences?
Edited by anonymous-user on Saturday 25th July 11:35
Breadvan72 said:
In neither case is the builder negligent unless what happens is reasonably foreseeable. If the builder has no reason to foresee that the person who borrows the van is a crook, why is the builder at fault?
You also miss the point that negligence liability for economic loss I quite strictly limited by the case law. Thus it is very doubtful that there is even a duty of care, let alone a breach thereof. You could try an imlied contractual term, but would fail on the Moorcock test, and in any event on the facts as described above.
Others who may have IT expertise (not sure) suggest that the builder is not to blame for the tech security breach. Can a builder be expects to have Pentagon level e-defences?
Prudent behaviour to secure email etc is not rocket science.You also miss the point that negligence liability for economic loss I quite strictly limited by the case law. Thus it is very doubtful that there is even a duty of care, let alone a breach thereof. You could try an imlied contractual term, but would fail on the Moorcock test, and in any event on the facts as described above.
Others who may have IT expertise (not sure) suggest that the builder is not to blame for the tech security breach. Can a builder be expects to have Pentagon level e-defences?
It's regularly covered in the mass media, business and specialist press
http://www.bbc.co.uk/news/uk-21724773
http://www.telegraph.co.uk/sponsored/technology/4g...
http://www.theguardian.com/technology/2015/mar/06/...
http://www.zdnet.com/article/how-much-do-we-love-o...
Windows even warns you when connecting to Wifi
The whole thing does sound a bit strange.
The emails sent claiming to be from the brother will have headers and other info in them which will give some idea where they came from - this may or may not be useful.
I have to say it does seem like a lot of co-incidences and "what if's" on the timing for this to have happened.
The emails sent claiming to be from the brother will have headers and other info in them which will give some idea where they came from - this may or may not be useful.
I have to say it does seem like a lot of co-incidences and "what if's" on the timing for this to have happened.
b
hstewie said:
hstewie said: The whole thing does sound a bit strange.
The emails sent claiming to be from the brother will have headers and other info in them which will give some idea where they came from - this may or may not be useful.
I have to say it does seem like a lot of co-incidences and "what if's" on the timing for this to have happened.
So you also think (untroubled by the complete absent of evidence to support the hypothesis) that the builder may be trying to get paid twice? Pretty dumb plan, as a bit of investigation would blow the attempted grift wide open. The emails sent claiming to be from the brother will have headers and other info in them which will give some idea where they came from - this may or may not be useful.
I have to say it does seem like a lot of co-incidences and "what if's" on the timing for this to have happened.
This situation sucks for the customer, but it also sucks for the builder. The only one laughing is the crook.
Breadvan72 said:
So you also think (untroubled by the complete absent of evidence to support the hypothesis) that the builder may be trying to get paid twice? Pretty dumb plan, as a bit of investigation would blow the attempted grift wide open.
This situation sucks for the customer, but it also sucks for the builder. The only one laughing is the crook.
No I simply mean what I said which is that the whole thing is rather strange and the email headers will shed a lot of light on where the email originated from.This situation sucks for the customer, but it also sucks for the builder. The only one laughing is the crook.
I'll probably get ragged to s
t for saying this but I don't think people help themselves by running a business using (at best) consumer level services such as AOL - you see it all the time, a grand spent sign-writing a van only for it to have "oxfordbuilder247@hotmail.co.uk" all down the side of it.Use Gmail or something accountable and you have a proper audit trail of what has happened including when and where anyone accessed your account as well as very robust controls over who can sign in and where from.
Easy to say after the fact but there is a lot you can do to help avoid this kind of thing - though I accept that perhaps the "man on the street" doesn't know how.
The IT experts may perhaps be in danger of applying their enhanced standards of RTFM perfection to a bloke who does jobbing builder work and smokes about in a stbox van. Yes, the use of an AOL account is a sure sign that the guy hasn't a clue about IT*, but, err, he's a brickie, and being a perpetual nooooooob doesn't make him liable for some crook steaming in and hijacking a payment. Remember, kids, 100% of all crimes are committed by criminals, and they are the ones to blame (along with Society, their mum, the Tories, ITV, the EU, yadda yadda, etc, but you get what I mean). Bear in mind that studies show that 127% of internet users are still looking for the any key.
* I seem to recall that I half-heartedly ragged the OP about that very point about 87 pages ago, but CBA to scroll back to check.
tbox van. Yes, the use of an AOL account is a sure sign that the guy hasn't a clue about IT*, but, err, he's a brickie, and being a perpetual nooooooob doesn't make him liable for some crook steaming in and hijacking a payment. Remember, kids, 100% of all crimes are committed by criminals, and they are the ones to blame (along with Society, their mum, the Tories, ITV, the EU, yadda yadda, etc, but you get what I mean). Bear in mind that studies show that 127% of internet users are still looking for the any key. * I seem to recall that I half-heartedly ragged the OP about that very point about 87 pages ago, but CBA to scroll back to check.
Breadvan72 said:
The IT experts may perhaps be in danger of applying their enhanced standards of RTFM perfection to a bloke who does jobbing builder work and smokes about in a stbox van. Yes, the use of an AOL account is a sure sign that the guy hasn't a clue about IT*, but, err, he's a brickie, and being a perpetual nooooooob doesn't make him liable for some crook steaming in and hijacking a payment. Remember, kids, 100% of all crimes are committed by criminals, and they are the ones to blame (along with Society, their mum, the Tories, ITV, the EU, yadda yadda, etc, but you get what I mean). Bear in mind that studies show that 127% of internet users are still looking for the any key.
* I seem to recall that I half-heartedly ragged the OP about that very point about 87 pages ago, but CBA to scroll back to check.
I have a lot of sympathy for that view, but even if you're a builder smoking about in a stbox van. Yes, the use of an AOL account is a sure sign that the guy hasn't a clue about IT*, but, err, he's a brickie, and being a perpetual nooooooob doesn't make him liable for some crook steaming in and hijacking a payment. Remember, kids, 100% of all crimes are committed by criminals, and they are the ones to blame (along with Society, their mum, the Tories, ITV, the EU, yadda yadda, etc, but you get what I mean). Bear in mind that studies show that 127% of internet users are still looking for the any key. * I seem to recall that I half-heartedly ragged the OP about that very point about 87 pages ago, but CBA to scroll back to check.
tbox fan, if you're sending emails asking for £40K then how you do it does matter, IMO.I'm sure AOL will say they weren't "hacked", and from their point of view they haven't if someone logged in with the correct credentials having obtained those credentials through wifi or through some malware on his PC to steal them.
That's the difficult part here, any headers on the email or other info that AOL may have might show where the email originated from, and show any logins, but god knows how you prove how the credentials were stolen in the first place.
Then again ignoring the electronic aspect, a scammer could just send a paper letter on a faked letterhead.
As you're a lawyer I'd be curious to know who the heck would be liable in either scenario and how you'd ever prove it.
Martin4x4 said:
You have no idea about IT security, you think you do, hence dropping the buzz phrases but you don't. Pay attention and you might actually learn something.
There is already ample information to determine to pretty high certainty exactly how this 'hack' was carried out and it is in no way sophisticated. B used public wifi to access his email over http and compromised his email account, his customer was spear phished using the details he exposed, the receiving bank account will almost certainly also be a victim of payment/over-payment fraud.
All because B failed to properly secure their email account.
A prudent person doesn't use (unencrypted) email for financial transactions; or use public (unencrypted) wifi, or (unencrypted http) webmail. This fraud was possible because they did all of these. If they had followed just one of these golden rules this fraud would not have been possible that is what makes them negligent.
Blaming the ISP or email providers is simply asinine.
You can access AOL mail using IMAP and SMTPS. How do you know he was using HTTP? Unlikely as the AOL login redirects to HTTPS. Also an iPad was mentioned in which case the AOL app could have been used. Do you think that will be using HTTP to fetch email when their servers support IMAP and SMTPS? You have made the assumption that he was using unsecured HTTP when there are two viable alternatives. You say he used public wifi. There is nowhere where this is mentioned. The only thing mentioned is that he tried to access his email from abroad. He could be using an iPad with a 3/4g data sim or he could be using a hotel guest WiFi which requires a pass code to connect. There is already ample information to determine to pretty high certainty exactly how this 'hack' was carried out and it is in no way sophisticated. B used public wifi to access his email over http and compromised his email account, his customer was spear phished using the details he exposed, the receiving bank account will almost certainly also be a victim of payment/over-payment fraud.
All because B failed to properly secure their email account.
A prudent person doesn't use (unencrypted) email for financial transactions; or use public (unencrypted) wifi, or (unencrypted http) webmail. This fraud was possible because they did all of these. If they had followed just one of these golden rules this fraud would not have been possible that is what makes them negligent.
Blaming the ISP or email providers is simply asinine.
There is no where near enough information to jump to the conclusion you do.
plasticpig said:
You have made the assumption that he was using unsecured HTTP when there are two viable alternatives. You say he used public wifi. There is nowhere where this is mentioned. The only thing mentioned is that he tried to access his email from abroad. He could be using an iPad with a 3/4g data sim or he could be using a hotel guest WiFi which requires a pass code to connect.
There is no where near enough information to jump to the conclusion you do.
Thanks for pointing this out, At no point did I say email had been sent using public wifi.There is no where near enough information to jump to the conclusion you do.
Original email was sent from office computer, which uses a password protected router.
He changed his passwords using iPad while on holiday using my mothers password protected router, she lives overseas and part of my brothers holiday was a few days with her.
plasticpig said:
You have made the assumption that he was using unsecured HTTP when there are two viable alternatives. You say he used public wifi. There is nowhere where this is mentioned. The only thing mentioned is that he tried to access his email from abroad. He could be using an iPad with a 3/4g data sim or he could be using a hotel guest WiFi which requires a pass code to connect.
There is no where near enough information to jump to the conclusion you do.
Thanks for pointing this out, At no point did I say email had been sent using public wifi.There is no where near enough information to jump to the conclusion you do.
Original email was sent from office computer, which uses a password protected router.
He changed his passwords using iPad while on holiday using my mothers password protected router, she lives overseas and part of my brothers holiday was a few days with her.
Quattromaster said:
Thanks for pointing this out, At no point did I say email had been sent using public wifi.
Original email was sent from office computer, which uses a password protected router.
He changed his passwords using iPad while on holiday using my mothers password protected router, she lives overseas and part of my brothers holiday was a few days with her.
I am sure the IT expert will be along to explain how you brother is still negligent.Original email was sent from office computer, which uses a password protected router.
He changed his passwords using iPad while on holiday using my mothers password protected router, she lives overseas and part of my brothers holiday was a few days with her.
Quattromaster said:
I look forward to that, as we are both very interested in how we can improve email security.
My advice would be to register a domain name and look at something such as Google Apps and enable 2 factor authentication.The domain name gives you a brand, OK you don't need it you could just go get a free gmail address but for a tenner a year it's a no brainer IMO.
2 factor authentication makes it impossible for someone who's stolen your password to login to your account because it needs something you know (your password) along with something you have, a token, which these days is typically an app on your smartphone.
It means that even if someone has your password they cannot access your account as they don't have the token.
Google make it very difficult to access your email using anything other than SSL (encrypted) which ensures the communication is cannot easily be intercepted.
If you're using your ISP provided email (maybe pop3 and smtp or imap) there's a strong chance it isn't encrypted which means it's going over the internet as plain text - that's where the potential for someone to "sniff" your credentials if you happen to use public wi-fi would come into it.
Google also offer some info on what IP addresses have been used to access your email.
Even if you do all of the above it's difficult to stop someone simply spoofing an email claiming to be from you, there is stuff you can do to minimise this happening, but the bottom line is simply that email isn't 100% secure as it was never designed to be.
Microsoft do something very similar with Office 365, but I don't have enough familiarity with how their 2 factor authentication works vs. Google's.
Just to add as well, as some general things to keep in mind:
Windows and Office updates - they happen for a reason, make sure you install them.
Adobe Flash Player - piece of st in security terms but a bit of a necessity still so ensure you keep it up to date.
Java - less of a necessity but if you have it, keep it up to date.
Run antivirus and run something such as Malwarebytes occasionally for a second opinion.
Use strong and unique passwords - choose something strong for your email and don't use it anywhere else.
Also consider using Google Chrome, broadly speaking it's more secure than Internet Explorer and updates tend to be much more frequent to deal with any issues when they arise.
Windows and Office updates - they happen for a reason, make sure you install them.
Adobe Flash Player - piece of s
t in security terms but a bit of a necessity still so ensure you keep it up to date.Java - less of a necessity but if you have it, keep it up to date.
Run antivirus and run something such as Malwarebytes occasionally for a second opinion.
Use strong and unique passwords - choose something strong for your email and don't use it anywhere else.
Also consider using Google Chrome, broadly speaking it's more secure than Internet Explorer and updates tend to be much more frequent to deal with any issues when they arise.
Gassing Station | Speed, Plod & the Law | Top of Page | What's New | My Stuff