Bank’s shoddy security was to blame for $588,851 online robbery, US appeals court rules

US appeals court holds bank liable for online security breach

A Maine construction company that saw its online bank account fraudulently drained of about $589,000 might get some of it back due to what a US federal court has deemed shoddy security systems at its bank.

Patco Construction Company, based in Sanford, Maine, sued Ocean Bank – later acquired by People’s United Bank – after thieves put through six wire transfers using the Automated Clearing House (ACH) transfer system in 2009.

A three-judge federal appeals court panel last Tuesday agreed with Patco, finding that Ocean Bank’s online security measures were not “commercially reasonable,” reversing a lower court ruling from May 2011.

Over the course of seven days in May 2009, the criminals pilfered $588,851.26 from the construction company’s account.

Ocean Bank managed to block or claw back $243,406.83 of that, leaving Patco $345,444.43 in the red.

It’s not that Ocean Bank’s security system didn’t flag these transactions. On the contrary, each of the six transfers was flagged as high risk, given that it didn’t match the timing, value and geographic location of Patco’s typical payment orders.

Regardless of the high-risk flags, the bank failed to notify Patco, allowing the bogus transfers to flow unchecked.

Patco’s suit alleged that a) Patco hadn’t agreed to the transactions and that b) the bank’s security systems were feeble, therefore c) the bank itself should suck up the loss, citing Article 4A of the Uniform Commercial Code (UCC) (here’s Maine’s version), which governs wire transfers.

The Federal Financial Institutions Examination Council (FFIEC) in August 2006 issued supplemental guidance [PDF] on the subject of how financial institutions should go about achieving strong authentication.

The problem was, Ocean Bank, like other banks, eschewed multiple security measures suggested by the FFIEC’s guidance to achieve strong authentication.

Appeal court ruling

According to the appeals court’s ruling [PDF], Ocean Bank could have implemented these measures but did not:

  • Out-of-Band Authentication. This is a method of risk mitigation wherein a bank goes beyond the technological boundaries of a typical transaction by, for example, calling or emailing a customer to get approval for a transaction.
  • User-Selected Picture. Banks use customer-chosen images to identify their legitimate sites, ensuring visitors that they haven’t been redirected to a bogus site by a phisher hoping to steal the information that they enter.
  • Tokens. Tokens are physical devices such as USB tokens, smart cards, or password-generating tokens. Ocean Bank’s online banking provider didn’t provide these at the time of the theft, but plenty of other financial institutions managed to get them from other sources, the ruling said.
  • Monitoring of Risk-Scoring Reports. The banking system was sending risk reports, but Ocean Bank was apparently ignoring them.

This final item struck the court as one of the most negligent omissions. From the ruling:

In May 2009, the bank had the capability to conduct manual review of high-risk transactions through its transaction-profiling and risk-scoring system, but did not do so. The bank also had the ability to call a customer if it detected fraudulent activity, but did not do so.

In fact, the bank only began to manually review high-risk transactions in late 2009, following the theft.

The first that Patco knew of the thievery was when one of the transfers bounced. After the crooks wired it into an invalid account, a “return” notice was sent to Patco principal Mark Patterson, via US mail, six days after the withdrawals began.

In the ensuing investigation, Patco discovered that a system had been infected with the Zeus/Zbot banking Trojan, which steals banking information via keystroke logging and form grabbing – an advanced method of snaring web form data within browsers.

The hypothesis is that the thieves captured a Patco employee’s keystrokes when she entered answers to challenge questions – questions that came up every time the company initiated a transfer, thanks to Ocean Bank’s having pegged the challenge questions to any transfer of $1 or more.

Therein lies a large part of the bank’s liability, according to the ruling:

In our view, Ocean Bank did substantially increase the risk of fraud by asking for security answers for every $1 transaction, particularly for customers like Patco which had frequent, regular, and high dollar transfers. Then, when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable.

By finding the bank’s security system “commercially [un]reasonable,” the court has agreed that it did, in fact, violate Article 4A of the UCC.
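The two failings the court singled out, ignored risk-scoring reports and challenge questions demanded on every transfer of $1 or more, can be contrasted in a few lines of code. The following is an added example, not code from the article, the ruling or the bank's vendor: it scores each transfer against a constructed customer profile (timing, value, session origin, payee), holds high-risk transfers for manual review plus out-of-band confirmation, and counts how often a "challenge everything over $1" policy versus a risk-based policy would make a customer type in challenge answers that a keylogger could harvest. The profile, weights, threshold and sample transfers are all constructed for illustration.

```python
"""Risk-scored transfer review with risk-based step-up.

Added example (not the bank's or its vendor's code). Scores transfers against
a customer's normal pattern and routes only the high-risk ones to manual
review and out-of-band confirmation, instead of prompting for challenge
answers on every $1 transfer.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Profile:
    """What 'normal' looks like for one customer (constructed values)."""
    typical_max_amount: float     # largest routine transfer seen before
    usual_hours: range            # local hours during which orders normally arrive
    usual_regions: frozenset      # regions the customer's sessions normally come from
    usual_payees: frozenset       # payees seen on earlier orders


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    amount: float
    when: datetime
    origin_region: str
    payee: str


# Illustrative weights and threshold; a real engine would tune these.
WEIGHTS = {"amount": 30, "timing": 20, "location": 30, "payee": 20}
HIGH_RISK = 50


def risk_score(t: Transfer, p: Profile) -> Tuple[int, List[str]]:
    """Score one transfer against the profile; return (score, reasons)."""
    score, reasons = 0, []
    if t.amount > p.typical_max_amount:
        score += WEIGHTS["amount"]
        reasons.append("amount above customer's typical maximum")
    if t.when.hour not in p.usual_hours:
        score += WEIGHTS["timing"]
        reasons.append("outside customer's usual hours")
    if t.origin_region not in p.usual_regions:
        score += WEIGHTS["location"]
        reasons.append("session origin not seen before")
    if t.payee not in p.usual_payees:
        score += WEIGHTS["payee"]
        reasons.append("payee not seen before")
    return score, reasons


def legacy_step_up_required(t: Transfer, p: Profile = None) -> bool:
    """The policy criticised in the ruling: challenge on every transfer of $1 or more."""
    return t.amount >= 1.0


def risk_based_step_up_required(t: Transfer, p: Profile, threshold: int = HIGH_RISK) -> bool:
    """Step up only when the transfer looks unusual for this customer."""
    return risk_score(t, p)[0] >= threshold


def review_queue(transfers: List[Transfer], p: Profile, threshold: int = HIGH_RISK) -> List[Dict]:
    """Transfers that must be held for manual review and out-of-band confirmation."""
    queue = []
    for t in transfers:
        score, reasons = risk_score(t, p)
        if score >= threshold:
            queue.append({"tx_id": t.tx_id, "score": score, "reasons": reasons,
                          "action": "HOLD: manual review + out-of-band confirmation"})
    return queue


def challenge_prompts(transfers: List[Transfer], p: Profile,
                      policy: Callable[[Transfer, Profile], bool]) -> int:
    """How many times a policy makes the customer type challenge answers."""
    return sum(1 for t in transfers if policy(t, p))


# Constructed profile and transfers (not Patco's real data).
PROFILE = Profile(typical_max_amount=40_000.0, usual_hours=range(8, 18),
                  usual_regions=frozenset({"US-ME"}),
                  usual_payees=frozenset({"payroll-processor", "supplier-a"}))

SAMPLE_TRANSFERS = [
    Transfer("t1", 32_500.00, datetime(2009, 5, 1, 10, 15), "US-ME", "payroll-processor"),
    Transfer("t2", 4_200.00, datetime(2009, 5, 4, 14, 40), "US-ME", "supplier-a"),
    Transfer("t3", 56_594.00, datetime(2009, 5, 7, 3, 12), "XX-UNKNOWN", "new-payee-1"),
    Transfer("t4", 115_000.00, datetime(2009, 5, 8, 2, 58), "XX-UNKNOWN", "new-payee-2"),
    Transfer("t5", 9_800.00, datetime(2009, 5, 8, 11, 5), "US-ME", "supplier-a"),
]

if __name__ == "__main__":
    for entry in review_queue(SAMPLE_TRANSFERS, PROFILE):
        print(entry)
    print("challenge prompts, legacy policy:",
          challenge_prompts(SAMPLE_TRANSFERS, PROFILE, legacy_step_up_required))
    print("challenge prompts, risk-based policy:",
          challenge_prompts(SAMPLE_TRANSFERS, PROFILE, risk_based_step_up_required))
```

On the sample set the two unusual transfers (t3, t4) score 100 and land in the review queue; the legacy policy prompts for challenge answers on all five transfers, the risk-based policy on two. The point is not the arithmetic but the plumbing the ruling found missing: a high score has to result in a hold and a phone call, and routine orders should not keep exposing the secret answers to whatever is watching the keyboard.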

That still won’t get Patco back its money, though.

The court declined to award damages, instead suggesting that the parties settle out of court.

The judges noted that Article 4A is a sticky wicket that needs to be untangled vis-a-vis a bank customer’s responsibilities in protecting its own systems. The UCC doesn’t allow claims such as negligence, fraud or breach of contract.

As IDG’s Jeremy Kirk pointed out, that makes it expensive for small businesses to sue their financial institutions over cybercrime-related fraud, given that even if a small business wins a case, the code limits financial damages to the money stolen plus interest.

This ruling well might represent a turnaround for small businesses, which have been forced to swallow losses and liabilities in online security breaches.

As it now stands, liability for financial damages due to hacking is a hot-potato lobbed from businesses to financial institutions and back again.

Of course, as the judges made clear, responsibility for strong security doesn’t reside only with financial institutions. Customers, be they individuals or businesses, must do their part.

But the security missteps brought to light in this ruling shine a clear light on exactly what second-rate security looks like. It’s not that Ocean Bank didn’t spend money on its security, mind you: the bank bought the Premium offering from its vendor.

It didn’t offer premium follow-through, however.

Notifications of high-risk transactions aren’t worth the e-paper they’re emailed on if nobody bothers to raise a red flag when they come in.

The bank has obviously learned a lesson, given that it has initiated manual reviews of high-risk transactions following the theft.

I would suggest that the fair price for that lesson might well be to give Patco back the money that the thieves breezed through challenge answers to get.

Sneaking thief and modern bank sign images, courtesy of Shutterstock.