When Online Accounts Are Robbed, Should Banks Pay?
If a robber cleans out your bank's vault in a stick-up and takes all your money, your bank is responsible for paying you back.
But should that principle apply if the robber becomes a hacker and goes online to clean out the same account?
If a judge's recent ruling in a Maine civil case is any indication, the answer is no — at least not if you're a small business.
Patco vs. Ocean Bank
The story started in 2009, when cybercriminals using the notorious Zeus Trojan hijacked Sanford, Maine-based Patco Construction's online banking credentials.
They siphoned more than $500,000 from Patco's commercial account at locally based Ocean Bank using routine bank-to-bank transactions.
Ocean Bank, which is owned by People's United Bank of Bridgeport, Conn., helped the family-owned construction company recover more than $200,000 of the stolen funds, BankInfoSecurity reported.
But that left Patco still out roughly $345,000.
Patco then sued (pdf), contending that Ocean Bank approved the fraudulent transactions even after bank employees grew suspicious. Patco also said Ocean Bank's network security did not adequately protect customers from cybercrime.
Banks have a choice
It may seem shocking that Ocean Bank didn't fully compensate Patco. But Julie McNelley, senior risk and fraud analyst with the Boston-based financial consulting firm Aite Group, said the bank was well within its rights not to do so.
"When consumers get defrauded, the bank is the one that eats those losses when they make the consumer whole," McNelley said.
"[But] they don't have the same obligation on the business side," she explained. "In corporate cases, the bank has a choice. When the losses are big enough, sometimes they make the choice to stick by their contract and make the business eat the loss."
Bank security was adequate, court says
Maine Magistrate Judge John Rich apparently agreed. On May 27, he recommended that the U.S. District Court in Maine grant Ocean Bank's motion to dismiss Patco's complaint.
The judge ruled that Ocean Bank's security at the time of the hack was adequate. Specifically, it followed established guidelines for multifactor authentication in online banking set forth by the Federal Financial Institutions Examination Council (FFIEC) in 2005.
According to security blog Krebs on Security, Ocean Bank required customers to log in with a company ID, a user ID and a password, and then answer three "identity challenge" questions.
The ruling said that it was Patco, and not the bank, that had failed to protect its online banking credentials.
Or was it?
"We don't believe the magistrate has a true understanding of what dual-layer authentication is," Mark Patterson, co-owner of Patco Construction, told SecurityNewsDaily. "Anyone who's familiar with security can tell you that having two security questions is not enough."
Avivah Litan, vice president and distinguished analyst for Potomac, Md.-based Gartner Research, supports Patterson's claim.
"The FFIEC policy says banks must assess the risk and implement measures commensurate with that risk," Litan said.
The judge in the Patco case, Litan said, focused on examples of technologies that could be used to strengthen authentication, "but not the principle of the guidance."
Patco speaks up
Of his dealings with the bank and its lawyers, Patterson is understandably frustrated.
"We tried to sit down with the bank and come to some sort of a compromise, but they weren't willing," Patterson said. "They said, 'This is your problem.'"
"It was certainly an eye-opening experience," he added. "It was amazing. Obviously this bank is not concerned about how their depositors feel about the safety of their bank."
Patterson said his conservative financial approach means he's not had to lay off any employees from the company he's run for 26 years.
But "given the current economic building climate, it was something we didn't need to go through," he said. "It hurt us badly."
Old policy still in effect
McNelley said Ocean Bank complied with requirements by employing multifactor authentication. The rules, she explained, say only that "single-factor authentication is not enough."
"It leaves it wide open from there," she added.
Threats to online banking, however, are very different today than from what they were in 2005, when the FFIEC policy was put into effect, McNelley said.
This gets to the heart of why Patco sued, and why it may ultimately come out on the losing end.
As Litan said, "Look, the risks have changed. You've got to step up your measures."
The FFIEC is currently drafting new guidelines that will "considerably raise the bar as to what is required for corporate transactions," but McNelley doesn't expect them until the fall.
Patco has between 14 and 21 days from May 27 to respond to the judge's ruling.
McNelley said there are many existing cases very similar to Patco's in which small businesses are suing their banks after cybercrime incidents.
She noted the cases of Choice Escrow, which sued BankcorpSouth, and Michigan-based Experi-Metal, which sued Comerica in December 2009.
Why are cases like these on the rise?
According to McNelley, the cybercriminals are preying on targets they know they can exploit.
"The bad guys deploying the malware are going after weakest links in the chain," she said. "Sometimes the weakest links are small businesses with fairly-sizable accounts, [but] they aren't paying attention to cybersecurity. They're just trying to make it from one payroll to another."