A magistrate's recommendation that is likely to become an official ruling could set a legal precedent welcomed by banks all over the US: banks are not accountable for the fraudulent draining of commercial accounts if they have provided “reasonable” security measures to prevent it.
The recommendation was issued in the case brought by Maine-based, family-owned construction company PATCO Construction Inc. against Ocean Bank, the bank with which it held an account.
In May 2009, the company’s account was hijacked by cyber crooks, who over the course of several days managed to initiate a number of fraudulent ACH transactions that resulted in the transfer of over half a million dollars to the crooks’ account. After realizing that the money was gone, the company alerted the bank, which managed to stop some of the transfers and recover around $230,000.
The cyber thieves seemingly got their hands on the online banking login and password credentials for the account by introducing an information-stealing Trojan into the company’s computers.
PATCO argues that the bank did not provide adequate security to protect its account and that it failed to notice the fraudulent activity in time, even though the transfers had triggered the bank’s monitoring system to ask a security question before allowing them through.
According to Bank Info Security, the magistrate judge took Ocean’s side. He said that the bank uses authentication methods employed by many other banks, that the law doesn’t require it to use the “best” security measures that exist, and that when the company signed the contract with the bank, it knew what security measures the bank provided.
Even though the Federal Financial Institutions Examination Council requires financial institutions to use multifactor authentication methods – and Ocean’s use of login credentials and security questions can technically be seen as such – many security experts are likely to argue that some multifactor authentication methods are better than others, and that this one belongs to the latter group.
But the magistrate judge didn’t see it that way. “The magistrate says the bank had dual authentication because they had a password and a challenge question; but anyone who understands the system knows that is not really dual authentication,” PATCO’s president commented on the decision, but he has not yet said whether the company will appeal it.