Banks Not Required to Utilize "The Best" Security?

Melanie Gross
Jun 9, 2011
Updated • Dec 15, 2014

In May of 2009 a Sanford, Maine based company, Patco Construction Co., filed suit against Ocean Bank, a division of Bridgeport, Conn.-based People’s United Bank.

Patco used online banking to make weekly payroll payments and claimed that cyber thieves had used a Trojan (ZeuS) to steal Patco’s online credentials and then heisted $588,000 over the course of seven days. The bank managed to recover about $243,000 of the pilfered funds but held the small business responsible for the remainder. Patco’s suit was intended to hold the bank responsible for the remaining $345k. The closely-watched battle in court is nearing an end, it seems.

On May 27th, a magistrate made a recommendation that, if adopted by a U.S. district court in Maine, will make challenging the effectiveness of security measures employed by banks much more difficult for other small businesses and other victims. The recommendation, made after considering the legal issues and the analysis put forward of what constitutes "commercially reasonable security", was to deny Patco’s motion for summary judgment and grant the bank’s motion. David Navetta, a founding partner of the Information Law Group, explained:

"Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security and that companies need not be at the cutting edge of security to avoid liability".

Patco’s argument is, in part, that Ocean Bank failed to keep the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password.

The bank was relying on service provider Jack Henry to process bank-to-bank transfers. The authentication process it employed required customers to log in with a company ID, user ID and password. Customers also had to provide answers to three "challenge questions" if the system scored a transaction as "high risk". The Jack Henry product utilized a scoring system developed by RSA’s Cyota; it rates the riskiness of transactions using various factors, such as the location of a user’s internet address, how a customer navigates the site, and when and how often a user logs in, among others. The risk score is calculated on a scale from zero to 1000, and scores over 750 are considered "high risk". Until 2008, Ocean Bank had set the dollar amount threshold for automatically requiring the answer to a challenge question at $100,000. However, in July of that same year, the bank lowered the threshold to $1 due to ACH fraud at the bank that targeted low-dollar transactions. After the change, customers were required to answer a challenge question whenever they used the bank’s system.

Sari Green, Patco’s security expert, of Sage Data Security, told the court that by setting challenge questions to be asked on every transaction, Ocean Bank greatly increased the risk that a fraudster using a banking Trojan would be able to capture the answers to the challenge questions. Patco further argued that posing the questions to every person on every transaction didn’t actually provide any additional security.

As Navetta said, the magistrate considered the question of whether the bank’s security was sufficient. Security guidelines were established in 2005 by banking regulators at the FFIEC, and they require the use of "multi-factor authentication" by incorporating at least two of three checks: something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token) and something the user is (such as a biometric identifier). The bank argued that the password-based scheme it used was multi-factor as described by the FFIEC. According to Navetta, "To some degree the court acknowledged that the bank’s security could have been better. Even so, it was technically multi-factor as described in the FFIEC guidance in the court’s opinion, and ‘the best’ was not necessary." In fact, the ruling by the magistrate seems to suggest that the fault was actually with Patco for not securing its account credentials well enough.
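The two points in dispute above, the step-up policy whose dollar threshold was dropped from $100,000 to $1 and the FFIEC "know / have / is" factor categories, can be modelled in a few lines. This is an added example, not Ocean Bank's, Jack Henry's or RSA's code; the payroll transactions and risk scores are constructed, and the function and category names are my own.

```python
"""Model of the step-up policy and FFIEC factor counting discussed in the article.
Added example: the scoring engine's internals are not public, so only the
published rules (score over 750 = high risk, dollar threshold) are modelled."""
from dataclasses import dataclass

HIGH_RISK_SCORE = 750            # article: scores over 750 are "high risk"
THRESHOLD_BEFORE_2008 = 100_000  # dollar threshold before July 2008
THRESHOLD_AFTER_2008 = 1         # dollar threshold after the change

# FFIEC categories: something you know / have / are (labels are assumptions).
FACTOR_CATEGORY = {
    "password": "know",
    "challenge_question": "know",   # a shared secret, so still "know"
    "otp_token": "have",
    "fingerprint": "is",
}


def is_multi_factor(factors):
    """True only when at least two distinct FFIEC categories are present."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


@dataclass
class Transaction:
    amount: float
    risk_score: int  # 0..1000 from the behavioural scoring engine


def requires_challenge(tx, dollar_threshold):
    """Step-up decision: challenge on a high risk score or an amount at/above threshold."""
    return tx.risk_score > HIGH_RISK_SCORE or tx.amount >= dollar_threshold


def challenge_rate(txs, dollar_threshold):
    """Fraction of sessions in which the challenge answers are typed on the
    customer's PC, i.e. the exposure window for a credential-stealing Trojan."""
    challenged = sum(requires_challenge(t, dollar_threshold) for t in txs)
    return challenged / len(txs)


# Constructed weekly payroll history: routine amounts, one anomalous session.
PAYROLL = [Transaction(a, s) for a, s in
           [(9500, 120), (9800, 95), (9700, 300), (10100, 810), (9600, 140)]]

if __name__ == "__main__":
    for label, thr in (("before", THRESHOLD_BEFORE_2008), ("after", THRESHOLD_AFTER_2008)):
        print(f"{label} July 2008: challenge on {challenge_rate(PAYROLL, thr):.0%} of sessions")
    print("password + challenge questions multi-factor?",
          is_multi_factor(["password", "challenge_question"]))
```

Under the $1 threshold every routine payroll session prompts for the shared secrets, which is exactly the exposure Patco's expert described; counting distinct categories also shows why password plus challenge questions is the reading Patco contested, even though the court accepted the bank's.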

Avivah Litan, fraud and bank security analyst at Gartner, called this suggestion “an outrage”.

"In my opinion, this is frankly an egregious injustice against small U.S. businesses," Litan said. "It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century."

One has to question the ethicality of a statement that suggests that "the best" security isn’t necessary for banks to employ. If the magistrate’s recommendation is accepted by the court and Ocean Bank’s motion is granted, it will set a precedent for liability challenges in the future, potentially leaving businesses without recourse when suffering a loss such as Patco’s. It remains to be seen what the judge’s decision will be, though the court is not expected to overturn the ruling.

The implications of this ruling, should it be formally recognized by the court (and it most likely will be), are far reaching and should give any consumer pause. What’s really being decided here is bigger than Patco vs the bank. What is at stake is future liability rulings: who’s responsible for this type of heist, end users or banks? If the banks aren’t going to be expected to have the "best" security available to protect their own networks from malicious intrusion, what recourse will small businesses have in the event of a similar heist?

This news is especially interesting given today’s revelation that Citibank was hacked and the information of 200,000 users was compromised, and additionally because of LulzSec’s recent antics showcasing the incredible security flaws of some of the biggest companies in the world.

There’s no doubt that security is a huge issue since we do so much online, and in fact are even rewarded for doing banking, shopping, etc. online and penalized when wanting to speak with a human being, or go the old-fashioned route of paying in person or with cash or checks. So the question is, since institutions are pushing us to make their lives easier by doing everything online, should they be held to a higher standard of security?




  2. Erix Pizano said on July 5, 2011 at 6:09 pm

    Keep an eye on things of this sort because the way you log into your online banking services can today be radically changed. Here’s an example of how, with OpenID and biometrics, user credentials can be secured once and for all in a very simple and convenient way:

  3. Simon B. said on June 24, 2011 at 11:59 am

    How could the bank fail to notice a theft of $588k or $84k per day? The recovered sum 244k translates to less than 3 days of transfers. Making the “extra questions” an everyday thing, whoever made that decision and anyone who didn’t object should NOT work in the banking sector until they get a clue about security. The bank, and the courts, may need a petition with lots of names on it to understand this. Maybe the malwareresearchgroup or similar could go testify.

    The basic requirement should be that bigger transactions require some equipment not connected to the computer, since computers cannot be trusted as is repeatedly proven.

    GHacks could run an article on how to choose banks with acceptable security. Or — where are the online security companies when you need them? A rating of which bank is more safe than others would be very nice. Online transactions can be made almost as safe as over-the-counter transactions but that requires having bank staff actually look at transactions and actively build rules.

  4. Chris Pickard said on June 11, 2011 at 2:37 pm

    When I first heard about this case I thought it was unbelievable that such a decision had been made.

    This is a prime example of a magistrate not having enough understanding of an issue to make a valid or informed ruling.

    I understand that the client was found liable as “it had not better secured its account credentials” – this is nonsense. Our – and other independent – research shows there is almost no way to secure a PC against financial malware using standard enterprise security products.

    None of this is news – the banks are fully aware of the nature of the risk their customers face when using their online banking services.

    We have been doing research in this space for a couple of years and published a report earlier this week which demonstrates the ineffectiveness of security applications against financial malware – including several which are recommended and promoted by banks as providing security for online banking.

  5. Berttie said on June 9, 2011 at 11:57 pm

    Yikes! Ocean Bank’s security measures may not be leading edge, but from the description given they seem more robust than my bank’s!

    Might be time to move the Berttie trillions (ZW$) to under the mattress. ;)

  6. Ashley Pearson said on June 9, 2011 at 10:49 pm

    Not the sort of topic I expected to see, but a good read however.

    Lulzsec is definitely causing some issues, and it’s surprising the banks and other networks such as .. umm.. oh yeh SONY, are still not making their other websites that have not been attacked yet secure as well. It’s crazy. Should have been made secure. The passwords were in plain text, weeks after PSN was hacked. Idiots.
