Patco used online banking to make weekly payroll payments and claimed that cyber thieves had used a Trojan (ZeuS) to steal Patco’s online credential and then heisted $588,000 over the course of seven days. The bank managed to recover about $243,000 of the pilfered funds but held the small business responsible for the remainder. Patco’s suit was intended to find the bank responsible for the remaining $345k. The closely-watched battle in court is nearing an end, it seems.
On May 27th, a magistrate made a recommendation that, if adopted by a U.S district court in Maine, will make challenging the effectiveness of security measures employed by banks much more difficult for other small businesses and other victims. The recommendation, made after considering the legal issues and propounded analysis of what constitutes "commercially reasonable security", was to deny Patco’s motion for summary judgment and grant the bank’s motion. David Navetta, a founding partner of the Information Law Group, explained:
"Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security and that companies need not be at the cutting edge of security to avoid liability".
Patco’s argument is, in part, that Ocean Bank failed to keep the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password.
The bank was relying on service provider Jack Henry to process bank-to-bank transfers. The authentication process it employed required customers to log in with a company ID, userID and password. Customers also had to provide answers to three "challenge questions" if the system scored a transaction as "high risk". The Jack Henry product utilized a scoring system developed but RSA’s Cyota and it rates the riskiness of transactions using various factors, such as the location of a user’s internet address and how a customer navigates the site and when and how often a user logs in, among others. The risk score is calculated on a scale between zero to 1000 and scores over 750 are considered "high risk". Until 2008, Ocean Bank has set the dollar amount threshold for automatically requiring the answer to a challenge question at $100,000. However, in July of that same year, the bank lowered the threshold to $1 due to ACH fraud at the bank that targeted low-dollar amount transactions. After the change, customers were required to answer a challenge question whenever they used the bank’s system.
Sari Green, Patco’s security expert, of Sage Data Security, told the court that by setting challenge questions to be asked on every transaction, Ocean Bank greatly increased the risk that a fraudster using a banking Trojan would be able to compromise the answers to the challenge questions. Patco further argued that having the questions posed for every person on every transaction didn’t actually provide any additional security.
As Navetta said, the magistrate considered the question of whether the bank’s security was sufficient. Security guidelines were established in 2005 by banking regulators at the FFIEC and they require the use of "multi-factor authentication" by incorporating at least two of three checks: Something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token) and something the user is, such as a biometric identifier. The bank argued that the password-based scheme used by them was multi-factor as described in the FFIEC. According to Navetta , "To some degree the court acknowledged that the bank’s security could have been better. Even so, it was technically multi-factor as described in the FFIEC guidance in the court’s opinion, and ‘the best’ was not necessary." In fact, the ruling by the magistrate seems to suggest that the fault was actually with Patco for not securing its account credentials well enough.
Avivah Litan, fraud and bank security analyst at Gartner, called this suggestion “an outrage”.
"In my opinion, this is frankly an egregious injustice against small U.S. businesses," Litan said. "It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century."
One has to question the ethicality of a statement that suggest that "the best" security isn’t necessary for banks to employ. If the magistrate’s ruling is accepted by the court and Ocean Bank’s movement is granted, it will set precedence for liability challenges in the future, potentially leaving businesses without recourse when suffering a loss such as Patco’s. It remains to be seen what the Judge’s decision will be, though the court is not expected to overturn the ruling.
The implications of this ruling, should it be formally recognized by the court (and it most likely will be) are far reaching and should give any consumer pause. What’s really being decided here is bigger than Patco vs the bank. What is at stake here is future liability rulings: Who’s responsible for this type of heist: End users or Banks? If the banks aren’t going to be expected to have the "best" security available, protecting their own networks for malicious intrusion, what recourse will small business have in the event of a similar heist?
This news is especially interesting given today’s revelation that Citibank was hacked and the information of 200,000 users was compromised, and additionally because of LulzSecs recent antics showcasing the incredible security flaws of some of the biggest companies in the world.
There’s no doubt that security is a huge issue since we do so much online, and in fact are even rewarded for doing banking, shopping, etc online and penalized when wanting to speak with a human being, or go the old fashioned route of paying in person or with cash or checks. So the question is, since institutions are pushing for us to make their lives easier by doing everything online, should they be held to a higher standard of security?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.