Banks Not Required to Utilize "The Best" Security?
Patco used online banking to make weekly payroll payments and claimed that cyber thieves had used a Trojan (ZeuS) to steal Patco's online credentials and then heisted $588,000 over the course of seven days. The bank managed to recover about $243,000 of the pilfered funds but held the small business responsible for the remainder. Patco's suit was intended to find the bank responsible for the remaining $345k. The closely-watched battle in court is nearing an end, it seems.
On May 27th, a magistrate made a recommendation that, if adopted by a U.S. district court in Maine, will make challenging the effectiveness of security measures employed by banks much more difficult for other small businesses and other victims. The recommendation, made after considering the legal issues and the parties' proposed analyses of what constitutes "commercially reasonable security", was to deny Patco's motion for summary judgment and grant the bank's motion. David Navetta, a founding partner of the Information Law Group, explained:
"Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security and that companies need not be at the cutting edge of security to avoid liability".
Patco's argument is, in part, that Ocean Bank failed to keep the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password.
The bank was relying on service provider Jack Henry to process bank-to-bank transfers. The authentication process it employed required customers to log in with a company ID, user ID and password. Customers also had to provide answers to three "challenge questions" if the system scored a transaction as "high risk". The Jack Henry product utilized a scoring system developed by RSA's Cyota, and it rates the riskiness of transactions using various factors, such as the location of a user's internet address, how a customer navigates the site, and when and how often a user logs in, among others. The risk score is calculated on a scale from zero to 1000, and scores over 750 are considered "high risk". Until 2008, Ocean Bank had set the dollar amount threshold for automatically requiring the answer to a challenge question at $100,000. However, in July of that same year, the bank lowered the threshold to $1 due to ACH fraud at the bank that targeted low-dollar transactions. After the change, customers were required to answer a challenge question whenever they used the bank's system.
Sari Green of Sage Data Security, Patco's security expert, told the court that by setting challenge questions to be asked on every transaction, Ocean Bank greatly increased the risk that a fraudster using a banking Trojan would be able to compromise the answers to the challenge questions. Patco further argued that having the questions posed to every person on every transaction didn't actually provide any additional security.
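To make the trade-off Green describes concrete, here is an added example (not code from the article, the bank or its vendor) that models the two step-up triggers the article describes, a 0 to 1000 risk score with "high risk" above 750 and a dollar threshold above which a challenge question is always asked, and then counts how many customer sessions a keystroke-recording Trojan on the customer's PC would observe before every one of the three challenge answers had been typed in front of it. The session data is constructed, and the assumption that successive challenges rotate through the three questions is the example's own, not something the article states.

```python
"""Step-up authentication policy model (added example, not the bank's code).

Compares the bank's two policies from the article: a $100,000 threshold that
reserves challenge questions for large or high-risk transfers, and a $1
threshold that effectively asks a challenge question on every session.
"""
from dataclasses import dataclass
from typing import List, Optional

HIGH_RISK_SCORE = 750   # article: scores over 750 are treated as "high risk"
NUM_QUESTIONS = 3       # article: three challenge questions on file


@dataclass
class Session:
    amount: float      # dollar value of the transfer
    risk_score: int    # vendor risk score on a 0..1000 scale


def requires_challenge(session: Session, dollar_threshold: float) -> bool:
    """Step-up rule: pose a challenge when the score is high risk OR the
    amount reaches the bank's dollar threshold."""
    return (session.risk_score > HIGH_RISK_SCORE
            or session.amount >= dollar_threshold)


def challenges_posed(sessions: List[Session], dollar_threshold: float) -> int:
    """How many of the sessions would prompt the customer for an answer."""
    return sum(requires_challenge(s, dollar_threshold) for s in sessions)


def sessions_until_all_answers_exposed(sessions: List[Session],
                                       dollar_threshold: float) -> Optional[int]:
    """Session number at which a Trojan recording the customer's keystrokes
    has seen all NUM_QUESTIONS answers.  Assumes (example's own assumption)
    that successive challenges rotate through the questions in order.
    Returns None if the sample never exposes every answer."""
    exposed = set()
    posed = 0
    for index, session in enumerate(sessions, start=1):
        if requires_challenge(session, dollar_threshold):
            exposed.add(posed % NUM_QUESTIONS)   # the question asked this time
            posed += 1
            if len(exposed) == NUM_QUESTIONS:
                return index
    return None


# Constructed sample: weekly payroll of roughly $12,000, normally scored as
# low risk, with one session the scoring engine flags as high risk.
PAYROLL_WEEKS = [
    Session(12000, 120),
    Session(12000, 95),
    Session(11800, 210),
    Session(12000, 820),   # only this session is over the 750 score line
    Session(12000, 300),
    Session(12000, 140),
]

if __name__ == "__main__":
    for threshold in (100_000, 1):
        print(f"dollar threshold ${threshold:,}: "
              f"{challenges_posed(PAYROLL_WEEKS, threshold)} of "
              f"{len(PAYROLL_WEEKS)} sessions challenged; all answers exposed "
              f"after {sessions_until_all_answers_exposed(PAYROLL_WEEKS, threshold)} "
              f"sessions")
```

Under the $100,000 policy only the one high-risk session prompts for an answer, so the sample never exposes all three answers; under the $1 policy every session prompts, and the third weekly payroll run is enough to expose the full set. The point for a defender is that a step-up control only adds security when the step is taken rarely enough that the extra secret is not itself captured in routine use.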
As Navetta said, the magistrate considered the question of whether the bank's security was sufficient. Security guidelines were established in 2005 by banking regulators at the FFIEC, and they require the use of "multi-factor authentication" by incorporating at least two of three checks: something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token) and something the user is, such as a biometric identifier. The bank argued that the password-based scheme it used was multi-factor as described in the FFIEC guidance. According to Navetta, "To some degree the court acknowledged that the bank's security could have been better. Even so, it was technically multi-factor as described in the FFIEC guidance in the court's opinion, and 'the best' was not necessary." In fact, the ruling by the magistrate seems to suggest that the fault was actually with Patco for not securing its account credentials well enough.
Avivah Litan, fraud and bank security analyst at Gartner, called this suggestion "an outrage".
"In my opinion, this is frankly an egregious injustice against small U.S. businesses," Litan said. "It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century."
One has to question the ethicality of a statement that suggests that "the best" security isn't necessary for banks to employ. If the magistrate's ruling is accepted by the court and Ocean Bank's motion is granted, it will set a precedent for liability challenges in the future, potentially leaving businesses without recourse when suffering a loss such as Patco's. It remains to be seen what the judge's decision will be, though the court is not expected to overturn the ruling.
The implications of this ruling, should it be formally recognized by the court (and it most likely will be), are far reaching and should give any consumer pause. What's really being decided here is bigger than Patco vs. the bank. What is at stake is future liability rulings: who is responsible for this type of heist, end users or banks? If the banks aren't going to be expected to have the "best" security available, protecting their own networks from malicious intrusion, what recourse will small businesses have in the event of a similar heist?
This news is especially interesting given today's revelation that Citibank was hacked and the information of 200,000 users was compromised, and additionally because of LulzSec's recent antics showcasing the incredible security flaws of some of the biggest companies in the world.
There's no doubt that security is a huge issue since we do so much online, and in fact are even rewarded for doing banking, shopping, etc. online and penalized when wanting to speak with a human being, or go the old-fashioned route of paying in person or with cash or checks. So the question is, since institutions are pushing for us to make their lives easier by doing everything online, should they be held to a higher standard of security?