randulo wrote:
> This brings up a side issue. Banks on the Internet have had to provide
> a sort of insurance that allows the customer to be protected if
> someone hacks in to his or her account. ITSP will need to think
> carefully about having a similar policy that protects people from an
> attack to the provider, no?
>
> What do those of you who sell these services think about liability?
> Has anyone come up with a statement on this?
>
> /r

The customer IS protected because it's excellent marketing for the bank or credit card provider. If someone steals my card number and racks up a bunch of charges, I'm often not liable for those charges (dependent, of course, on bank policy). However, the seller who was duped into selling those items because the bank approved the charges on the card? They're simply out of luck. They're charged any relevant charge-back fees AND are out any fees for services or product losses they may have incurred. The bank still gets its money.

In the end, SOMEone has to pay. As an end-point ITSP, I can assure you, it would be us who's assessed the requisite charges. If someone uses a fraudulent card, we're required to pay. If someone uses a three letter password on his account, and it's hacked into and used to rack up charges, we have to pay. In the purely virtual sense, as we're often selling to people we've never met via the Internet, it becomes difficult to say with any certainty if the person who logged into the account and used up the account's money is a hacker or just the account holder who doesn't want to own up to the charges. It puts us in a difficult position.

Obviously, in some cases, this becomes more obvious. If the account holder is in the UK and the calls come in from China or Nigeria or Turkey or some such, it would be more likely to be suspect and if the account holder challenged the charges, we might be more liable to work with him or her. However, for the most part, we require a certain 'strength' of password to be used, and we rely on safeguards and monitors on the site itself to try and avoid brute force hacks. With no evidence for a brute force attempt or some other security failure on our side, we're somewhat at the mercy of logic to assume that calls from a customer's premises using a customer's account actually came from the customer, and I think we might be hard pressed to simply ignore said charges.

If the security failure is clearly ours, though, I don't think it would be at all reasonable to expect the customer to accept responsibility. I'd be especially wary of a company that blamed the customer for its own security failings.

--
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com