A decision handed down by a federal appeals court this week may make it easier for small businesses owners victimized by cyberheists to successfully recover stolen funds by suing their bank.
The U.S. Federal Court of Appeals for the First Circuit has reversed a decision from Aug. 2011, which held that Ocean Bank (now People’s United) was not at fault for a $588,000 cyberheist in 2009 against one of its customers — Sanford, Me. based Patco Construction Co. The appeals court sent specific aspects of the earlier decision back to the lower court for review, but it encouraged both parties to settle the matter out of court.
The appeals court in Boston called the bank’s security systems “commercially unreasonable,” reversing a lower court ruling that Ocean Bank’s reliance on passwords and secret questions was in line with guidance set out by federal banking regulators. A copy of the decision is here (PDF).
Charisse Castagnoli, a bank fraud expert and independent security consultant, said the decision could open the door to lawsuits from small businesses that have been similarly victimized with the help of outdated security procedures at their banks.
“What this opinion offers is a strong basis for victims to challenge the security implementations of their banks regardless of whether they agreed that the implementation was ‘commercially reasonable’ at a single point in time in a ‘shrink wrap’ type contract,” Castagnoli said.
THE CASE
In September 2009, Sanford, Maine-based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn.-based People’s United Bank. Patco used online banking primarily to make weekly payroll payments. Patco said that in May 2009, cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.
In the weeks following the heist, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco’s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco’s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.
Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to multifactor authentication requirements set forth by the Federal Financial Institutions Examination Council (FFIEC).
THE TECHNOLOGY
Ocean Bank relied on service provider Jack Henry to process bank-to-bank transfers, and it selected an authentication process that required customers to log in with a company ID, user ID and password. Customers also were asked to provide answers to three “challenge questions” that would be asked if the system scored a transaction as “high risk.”
The Jack Henry product came with a risk scoring system developed by RSA’s Cyota, which rates the riskiness of transactions by using several factors, such as the location of a user’s Internet address, when and how often the user logs in, and how the customer navigates the site. Challenge questions were prompted when the risk score for a transaction exceeded 750 on a scale of zero to 1,000 (RSA considers transactions generating risk scores in excess of 750 to be high-risk). Ocean Bank also kept track of customer “device IDs,” an amalgamation of attributes from the customer’s PC that could be used to create a unique fingerprint for that machine.
Until 2008, Ocean Bank set its dollar amount threshold — transfer amounts that would automatically require the answer to a challenge question regardless of the Cyota fraud score — at $100,000. But in July 2008, the bank lowered that threshold to $1. The bank told the court that it did so to enhance security following ACH fraud at the bank that targeted low-dollar amount transactions. After the change, customers were forced to answer a challenge question whenever they used the bank’s system.
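The two step-up triggers described above (a Cyota risk score above 750, and a dollar-amount rule) can be modelled in a few lines. The simulation below is an added example, not Ocean Bank’s or Jack Henry’s code, and its transaction history is constructed: eight routine payroll runs followed by five transfers the risk engine scores as high-risk. It replays that history on a PC assumed to carry a keylogger and counts how often the challenge answers are typed, which is the property the court’s reasoning later on the page turns on. Function and field names are the editor’s own.

```python
"""Step-up authentication policy simulation (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, List

RISK_SCORE_THRESHOLD = 750   # RSA/Cyota cut-off cited in the article (0-1000 scale)


@dataclass(frozen=True)
class Transaction:
    amount: float       # dollars
    risk_score: int     # assumed to come from a Cyota-style scoring engine
    fraudulent: bool    # ground truth, used only to score the simulation


def challenge_required(tx: Transaction, dollar_threshold: float) -> bool:
    """Policy from the article: ask the challenge question when either the
    dollar-amount rule or the risk-score rule fires."""
    return tx.amount >= dollar_threshold or tx.risk_score > RISK_SCORE_THRESHOLD


def simulate(history: List[Transaction], dollar_threshold: float) -> Dict[str, int]:
    """Replay sessions from a PC assumed to carry a keylogger.

    Every time the legitimate user types the challenge answers, the keylogger
    captures them; after that, a fraudulent transfer that is challenged still
    goes through because the attacker can supply the answers."""
    answers_typed = 0
    attacker_has_answers = False
    fraud_blocked = 0
    fraud_completed = 0
    for tx in history:
        asked = challenge_required(tx, dollar_threshold)
        if not tx.fraudulent:
            if asked:
                answers_typed += 1
                attacker_has_answers = True   # keystrokes recorded
            continue
        if asked and not attacker_has_answers:
            fraud_blocked += 1
        else:
            fraud_completed += 1
    return {
        "answers_typed": answers_typed,
        "fraud_blocked": fraud_blocked,
        "fraud_completed": fraud_completed,
    }


def sample_history() -> List[Transaction]:
    """Constructed history: routine weekly payroll (low risk score) followed
    by fraudulent transfers that the engine flags as high-risk."""
    routine = [Transaction(45_000.0, 180, False) for _ in range(8)]
    fraud = [Transaction(90_000.0, 820, True) for _ in range(5)]
    return routine + fraud


def compare_policies() -> Dict[str, Dict[str, int]]:
    """Same history under the $100,000 rule and under the $1 rule."""
    history = sample_history()
    return {
        "100000": simulate(history, 100_000.0),
        "1": simulate(history, 1.0),
    }


if __name__ == "__main__":
    for threshold, result in compare_policies().items():
        print(f"dollar threshold ${threshold}: {result}")
```

Under the $100,000 rule the routine sessions never trigger a challenge, so the answers are never typed and all five high-risk transfers are stopped at the challenge; under the $1 rule the answers are typed on every routine session, and the same five transfers complete. The model deliberately assumes a keylogger rather than a real-time relay, which is a separate failure mode.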
THE RULING
In its 43-page decision, the appeals court took a dim view of Ocean Bank’s decision to lower its fraud threshold to $1.
“In our view, Ocean Bank did substantially increase the risk of fraud by asking for security answers for every $1 transaction, particularly for customers like Patco which had frequent, regular and high dollar transfers,” the court observed. “Then, when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable.”
The court emphasized that it was these collective failures taken as a whole — rather than any one single failure — which rendered the bank’s security system commercially unreasonable.
A spokesperson for People’s United Bank declined to comment for this story. Mark Patterson, Patco’s president, said he was pleased with the decision.
“I hope we can give some assistance to those [companies] that are suing their banks, and I hope this makes it so that it works in their favor,” he said.
What does this mean in practical terms for banks, customers and lawmakers? Castagnoli said the decision seemed to emphasize that banks cannot take blanket security approaches, but instead need to consider the customer’s individual risk.
“That I think is helpful…and should put banks on notice that they need to be more vigilant,” Castagnoli said. “At the same time, you can’t be a sloppy or naive customer, as the court is clearly looking for the customer to behave with some understanding of what the bank is doing with their money.”
Castagnoli said the appeals court also left open what the victim’s obligations and responsibilities are in the event that the bank’s security measures fail. For example, a court might declare reasonable a requirement that commercial customers check their bank balance every day, and thus find Patco partially liable.
“I’d say this is a pretty big wakeup call to all parties to be more careful, and hopefully we will see more education from banks to their users on the part of computer security and online banking risk,” she said.
While I believe Patco bears some responsibility with what happened here, I think the bank bears a greater responsibility in making sure they are protected and they are protecting their clients against fraud. It seems nowadays the banks are wanting to be able to have you do more banking with less human interaction and rely more on machines to serve their clients’ needs; while this might be the future, I do think the banks owe it to their clients to make sure that those systems are as secure as possible and updated on a frequent basis. I wonder when the last update to the security features at the bank Patco was using took place? And were they upgraded enough to reasonably defend against attacks like this? Banks are great at a lot of things but they are notorious for not spending the money if they don’t need to. I have a friend who moved to work on corporate security for one of the 4 biggest banks; we had met up one evening for dinner and we talked about things that were going on within our industry. I asked him how the job was going and he told me it was good but that there were a lot of areas where the banks could do a lot better at protecting themselves and their clients against fraud. He had proposed ideas but they were stuck in red tape within the bank’s upper ranks or they were simply shot down over the cost of implementing them. As we were sitting finishing our drinks, my friend said “The banks are progressing their security protocols, but not at the rates the criminals are to defeat them… they are more reactive than proactive.” That to me is just scary to think.
The appeals court decision is a sensible one.
For litigation to help provide incentives to manage risk, a duty of care needs to sit with any party who is in a position to help control the risk. For the bank, this means that the mechanisms it designed and operated need to be suitable for the assets at risk given the cost of countermeasures. If all the banks had to aim for was compliance, then all we would get is yesterday’s solution regardless of today’s cost-benefit equation. The ruling makes clear that cost-benefit trumps compliance.
From another perspective, Ocean bank provided a banking service. Is it not unreasonable for Patco to expect Ocean bank to be experts in banking (and the security measures it includes)? Patco should be entitled to rely on the service offered by Ocean bank as being fit for purpose. What’s the alternative? All small companies hire banking security experts and perform their own security review and cost-benefit analysis? This wouldn’t be efficient and it wouldn’t scale.
I’m guessing that the outcome will be some kind of shared liability where the client (Patco) takes some responsibility for allowing its system to be infected by malware.
Seems like the right decision. Seems like the customer should have some liability at least for the first transaction. The bank was negligent in not reviewing high-risk transactions. They appear to have just purchased a solution to check the compliance box.
I’m not sure I agree how important setting the threshold to $1 was though. Really, how hard would it be for an attacker to trick the risk profiling system into thinking the risk is elevated and challenge the user anyway? The box is owned. Delete the device identification cookie, modify the user-agent, proxy the request, etc and the user will get challenged. Are your keystrokes are belong to us.
ZeuS doesn’t just steal passwords. It puts itself in the middle of the transaction in real time. It causes the information passed back and forth between customer and bank to be altered, so the customer thinks one type of transaction is occurring, and the bank “thinks” something else is occurring. The customer will jump through whatever type of verification hoops the bank sets up, because the customer initiated a transaction and is trying to complete it. The customer thinks he is talking to the bank, and the bank “thinks” it is talking to the customer. But each is “talking” to ZeuS, which relays the message and can alter it without the parties being aware of it.
For example:
Customer, logged into bank via internet: “I’d like to transfer $1000 from savings to checking.”
ZeuS, spoofing the bank webpage and controlling the customer’s browser: “I’d like to create 20 new employees with accounts at 10 different banks and pay their salaries by direct deposit, $9500 each.”
Bank: “What’s your password?”
ZeuS: “What’s your password?”
Customer: “Xd7%ghH8”
ZeuS: “Xd7%ghH8”
Bank: “Ok, I’ve created your 20 employees and paid them by direct deposit, debiting your account $190,000.”
ZeuS: “Ok, I’ve transferred $1000 from savings to checking.”
Customer: “Ok, I’m finished. Log me out.”
Now, if during this transaction, the bank had said, “This transaction is for over $5000; you’ll have to answer your security question,” ZeuS could have relayed the request for the answer to the question, but the customer hopefully would have said, “Wait, my bank never asks me to do this for a $1000 transaction. Something is wrong.” If the dollar amount that triggers the request is $1, then the bank will always ask the question and the customer will expect to answer it. It defeats the purpose.
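The exchange in the comment above, as an added model that is not part of the original post: a request leaves the PC altered, and any prompt the bank sends through the same browser session is simply forwarded, so a challenge question cannot tell the two apart. For contrast the block also models an assumed alternative, not described on the page, in which the bank describes the transaction it actually received on a second channel the browser cannot rewrite, and binds a short confirmation code to those details. All names, amounts, the key and the answer are constructed by the editor.

```python
"""Relay-in-the-browser model and two verification schemes (added example)."""
from dataclasses import dataclass
from typing import Callable, Tuple
import hashlib
import hmac


@dataclass(frozen=True)
class Transfer:
    description: str
    amount: float


# Constructed values mirroring the dialogue in the comment
CUSTOMER_INTENT = Transfer("savings -> checking", 1_000.0)
RELAY_SUBSTITUTE = Transfer("20 new direct-deposit employees", 190_000.0)
CHALLENGE_ANSWER = "first-pet-name"         # constructed secret the customer knows
BANK_KEY = b"constructed-bank-hmac-key"     # constructed; not how a real bank keys this

Channel = Callable[[Transfer], Transfer]


def honest_channel(request: Transfer) -> Transfer:
    """Clean PC: the bank receives exactly what the customer typed."""
    return request


def in_browser_relay(request: Transfer) -> Transfer:
    """Infected PC as the comment describes it: the request that reaches the
    bank is not the one the customer typed, and the customer's view is
    rewritten to match what they expect."""
    return RELAY_SUBSTITUTE


def confirmation_code(tx: Transfer) -> str:
    """Short code the bank binds to the exact transaction it received."""
    canonical = f"{tx.description}|{tx.amount:.2f}".encode()
    return hmac.new(BANK_KEY, canonical, hashlib.sha256).hexdigest()[:8]


def challenge_question_session(channel: Channel) -> Tuple[str, Transfer]:
    """The article's scheme: a challenge question inside the browser session.
    The prompt reaches the customer through the same channel either way, and
    the customer answers because they initiated a transaction and want it done."""
    submitted = channel(CUSTOMER_INTENT)
    answer_received_by_bank = CHALLENGE_ANSWER   # typed by the customer, forwarded as-is
    outcome = "executed" if answer_received_by_bank == CHALLENGE_ANSWER else "rejected"
    return outcome, submitted


def oob_confirmation_session(channel: Channel) -> Tuple[str, Transfer]:
    """Assumed alternative: the bank states what it actually received on a
    second channel (modelled as a direct value the browser never touches)."""
    submitted = channel(CUSTOMER_INTENT)
    details_on_phone = submitted
    code_on_phone = confirmation_code(submitted)
    if details_on_phone != CUSTOMER_INTENT:
        # Customer sees a $190,000 payroll they never asked for and does not enter the code.
        return "rejected", submitted
    # Details match: the customer enters the code; the bank checks it was issued
    # for exactly this transaction, so a code cannot be replayed for another one.
    code_typed = code_on_phone
    if hmac.compare_digest(code_typed, confirmation_code(submitted)):
        return "executed", submitted
    return "rejected", submitted


if __name__ == "__main__":
    print("challenge question, relayed:", challenge_question_session(in_browser_relay))
    print("out-of-band details, relayed:", oob_confirmation_session(in_browser_relay))
    print("out-of-band details, clean PC:", oob_confirmation_session(honest_channel))
```

The model makes the comment’s point concrete: with the challenge question the relayed $190,000 transaction executes, because the question proves only that the person at the keyboard knows the answer, not what they agreed to. The second scheme is rejected by the customer precisely because the details shown to them are the bank’s view rather than the browser’s, and it still executes normally from a clean PC.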
While I don’t disagree with the court’s ruling that Ocean Bank should have a better mechanism in place to help prevent fraud, I think quite a few customers act in a way to circumvent the security banks put in place because the customers consider the procedures ‘annoying’.
I work at a bank with corporate and retail customers. The system our customers use doesn’t actually allow the customers to transfer funds out like a wire transfer or ACH but fraudulent transactions can be created that, if not caught by the customer, can lead to losses. In addition, this program is accessed through the same system that does allow ACH and wire transfers; it is simply another module that is available to customers. We do not charge our customers for creating access id or re-setting passwords, etc.
The problem: it isn’t uncommon to find that instead of requesting another user ID for a new user, customers will often just share the ID & password with a new user. They also often do not tell us when users have left the company or changed to a position that no longer requires access to this system. We recently had a case where the administrator (the CFO) for the company retired; we all knew her for many years and knew of the change within the company. So when she left, we disabled her ID and changed the level of her replacement to the new administrator. Over the next few days all hell broke loose in the company; suddenly many people both at this company and several of their vendors could no longer process work they needed to do on this system. Yes, you guessed it, the old Admin had given her ID and password to her assistant and either the assistant or administrator had passed this info around … to 19 different users, 16 of whom worked for vendors at different companies. And this was the administrator ID that could approve wires, ACH, and change access and security levels for any company users. And every one of these users had complete details on the business. The company was extremely angry at us for eliminating the ID and causing the delays and problems because users couldn’t access the system. We almost lost the customer over this, as they considered our action ‘unreasonable’.
But in this case, you must have some rules and regulations statement that the customer had to acknowledge at first logon stating that the user would not share their password with anyone and probably some other text that defined actions the user could and could not do. So the user was in violation of your established rules and put their own accounts at risk. That doesn’t mean your bank shouldn’t establish strong safeguards. In fact, with the change in this ruling, I wonder if banks will start making stronger requirements of their customers, including requiring that the customer use a standalone computer whose only purpose is to connect to your bank. Then if the customer uses that computer for something other than banking, thereby opening themselves up to Trojans and viruses, then they have limited their recourse if they are compromised.
+ for having your security hat on and aiming to remove access on termination. – on how it was handled. Your bank should have contacted the business to understand the impact before disabling any IDs, especially an admin level account.
Yes, the bank should have contacted the business, but not to “understand the impact” as that is the customer’s responsibility.
They should have said to this CFO something like: “Congratulations on your retirement! We will of course be disabling your account, what new account(s) need to be created or what new access needs to be granted to existing user(s)?”
Sounds like a customer you should be happy to lose. There is a certain amount of risk a bank should be willing to take with a customer. If they really are a large fish and are that lax with their internal security practices, they are a loss waiting to happen.
If they are a large enough chunk of your deposits to be that important to you, they need to understand that their security practices also need to be held to a higher standard.
I’m not really following why courts should discourage security mechanisms like secret questions for all banking transactions. What I do follow is that the bank in this situation failed to monitor high-volume transactions.
The sort of argument that the court seems to have held is that it was too onerous to have secret questions and security for transactions. In these days of online banking and the perseverance of malware, all I’m hearing is another court that just doesn’t understand the risks involved in online transactions.
Before the days of online payrolls, there were people going to banks and fetching cheques and the like. That could take a while depending on how far the bank was and what time of day it was. So to argue that strong authentication isn’t necessary when ALWAYS dealing with the bank, is not unreasonable to me. Instead of the travel, there now may be the SMS and the other device that needs to authenticate. Yes, the court seems to have held the ruling turned on the facts of the case, but that does not mean other banks won’t be criticised for being too onerous in online banking, not yet anyway.
The bank failed to provide a multi-factor authentication. Shame on them. But banks need to provide MORE security, not less, on all transactions.
If we assume the purpose of the challenge questions is primarily to prevent credentials stolen via key logging from being useful, then asking the challenge questions every time a user authenticates is reducing overall security and should not be done.
Hi Cherry, you say you’re not sure why “courts should discourage security mechanisms like secret questions for all banking transactions”.
The point is that Ocean bank had a system for detecting unusual and high risk transactions which was supposed then to ask for extra assurance. By making the extra security assurance mandatory for all transactions it removed the effectiveness of the measure. It meant that key-loggers could capture the extra security answers on normal transactions. Sometimes more isn’t really more, it’s less.
In the words of the court ruling that you say “just doesn’t understand the risks”:
“Patco’s argument is supported by both evidence and by common sense. Patco’s expert testified that at the times in question, keylogging malware was a persistent problem throughout the financial industry. It was foreseeable, against this background, that triggering the use of the same challenge questions for high-risk transactions as were used for ordinary transactions, was ineffective as a stand-alone backstop to password/ID entry. Indeed, it was well known that setting challenge questions to be asked on every transaction greatly increases the risk that a fraudster equipped with a keylogger would be able to access the answers to a customer’s challenge questions because it increases the frequency with which such information is entered through a user’s keyboard.
…According to RSA/Cyota, the challenge questions should be triggered only selectively, when unusual or suspicious activity is detected…
…When Ocean bank lowered the dollar amount rule from $100,000 to 1, it essentially deprived the complex Jack Henry risk-scoring system of its core functionality.”
So here we have the crux of Ocean bank’s failing laid bare by the appeal court. The bank had a sophisticated means of identifying high risk transactions but did nothing with it since it had effectively been sabotaged by the $1 limit for extra questions.
They are not discouraging use of security questions. They are discouraging misuse of those questions.
Security Questions are a valid security layer when used properly, just as tokens are. When they are overused or used improperly, however, they are dangerous in that they create a false sense of security which can result in lackadaisical behavior on the customer’s and the bank’s part.
Not only banks, but I think merchants who legitimately try to protect their customers’ data (even if it means hiring a Forensic Investigator to prove this), yet still have a breach, should go after Visa, Mastercard, et al. I see it as equally their (card brands’) responsibility to protect card holders. They have the technology to detect these CPPs, but choose to let them slide as it’s a profitable business to them. Does anyone know what happened in this case?
http://www.wired.com/threatlevel/2012/01/pci-lawsuit/
A ‘yea’ and a ‘nea.’
The ‘yea,’ based on this case officially says what all have unofficially known for years, namely, … counsel, step out into the hall and settle this matter … because your worst settlement is likely to be better than my best ruling … ugg.
The ‘nea’ is the 1st Circuit serves only as a precedent within the 1st Circuit but arguably constitutes as a ‘collateral potential ruling’ for the other circuits. Ruling conflicts between the federal circuits serve as a potential basis for the Supremes granting cert. to both cases [which obviously must be timely made.]
One should not forget that one can file an appeal not only to the federal circuit that was involved BUT INSTEAD may choose to file with the US Court of Appeals for the DC Circuit [the ‘mini’ Supreme Court.]
I was hoping to see some mention of “four passwords” vs. “multi-factor authentication.”
Brian is summarizing a 43-page reversal of a 70-page trial court ruling. The Court of Appeals for the 1st Circuit did indeed take up the issue of whether a “single-factor twice” (or, in this case, four times) is equal to “two-factor”. Refer to the reasoning that begins in the middle of page 31 in http://krebsonsecurity.com/wp-content/uploads/2012/07/First-Circuit-Order-070312.pdf.
If you watch my (5-minute) June 1, 2012 testimony before the Subcommittee on Capital Markets of the House Committee on Financial Services (http://www.youtube.com/watch?v=DAXgMDcaoYM), you will see me predict that the American Bankers Association’s (ABA’s) doctrine of “Shared Responsibility” would not hold up in court long-term. However, I would never have guessed it would only make it to July 3! The URL for the overall hearing is http://financialservices.house.gov/Calendar/EventSingle.aspx?EventID=296813.
While the decision of the Court of Appeals has gotten the most ink, Silicon Valley Law Group’s prevailing on behalf of Village View Escrow on June 19 (http://krebsonsecurity.com/2012/07/court-ruling-could-be-boon-to-cyberheist-victims/) could be just as significant because SVLG is signaling that it is eager to take more ACH fraud cases on contingency. The reason that the banks have had 12 lawsuits to deal with rather than 1,200 is really just that UCC-4A appears to limit recovery in such a suit to the amount stolen plus interest. However, SVLG appears confident that it has found a legal theory under which it can obtain a recovery large enough to cover its fees and expenses. I see support for this starting on page 40 of the 1st Circuit’s opinion.
“Court Ruling Could Be Boon to Cyberheist Victims”. The big caveat here is if they themselves demonstrate responsibility.
The quotes from Castagnoli at the end seem to get at where the court is coming from: “…should put banks on notice that they need to be more vigilant….At the same time, you can’t be a sloppy or naive customer, as the court is clearly looking for the customer to behave with some understanding of what the bank is doing with their money.”
In the long run this may be a win for the banks. For an alternative take see:
http://www.bankinfosecurity.com/interviews/how-patco-ruling-could-benefit-banks-i-1594
More legal commentary:
Federal court of appeal’s decision raises new on-line banking uncertainty
http://www.lexology.com/library/detail.aspx?g=e5a0bec7-21fe-47fe-aee0-e83ab2242240
What a true “win for the banks” would look like is the American Bankers Association (ABA) giving up the ghost on its doctrine of “Shared Responsibility” and supporting legislation that places the responsibility for securing online banking on the organization that actually runs the information technology that provides it. For the ABA’s 5,000 or so smallest members, that would be the 13 processors to which they outsource this function.
I called for this legislation in my appearance before the Subcommittee on Capital Markets on June 1: http://www.youtube.com/watch?v=DAXgMDcaoYM. My fellow panel members (sometimes inadvertently) did more than a good enough job of making the case that America’s churches, school districts, public libraries, medical practices, charities, and small businesses cannot accomplish what the Pentagon has failed at–securing Microsoft Windows. I added that it is not reasonable to ask America’s small- and medium-sized banks to secure online banking either. Even if they had the security expertise (or could acquire it), we want these guys out making loans to organizations that will use it to expand employment.
URL for the overall hearing: http://financialservices.house.gov/Calendar/EventSingle.aspx?EventID=296813.
Brian:
> is it any more realistic that small businesses that
> may have been with a bank for many years suddenly
> disrupt their operations and move to another bank?
In my June 1 testimony before the House Subcommittee on Capital Markets, I call for people with a fiduciary relationship to *taxpayer* dollars to honor their oaths of office by not risking public funds by having them on deposit at any financial services institution whose policy is that they are not responsible for them not being stolen. I commend this advice to everyone in any organization that has money on deposit anywhere but at the five largest U.S. financial services institutions.
In information security there is always a next attack. A Live CD will prevent a malware-based attack on http://www.krebsonsecurity.com/'s bank account, but what about a *true* man-in-the-middle attack via, say, some zero-day attack on the Domain Name Service (DNS)?
Besides, if, somehow, there *was* some way to get the word out to 30 million or so U.S. organizations with commercial checking accounts that they should do online banking on Linux and even (again, “somehow”) find a way for them to acquire the technical facility to do that, such a huge diversion of American organizational time and effort is in itself a victory for the criminals. We at yourmoneyisnotsafeinthebank.org believe that the only group that should be forced to change their ways is the criminals.
Of course, there is no way to get the word out. In the written version of my June 1 testimony, I mention that it took TWENTY YEARS for American gastroenterologists to switch over to using antibiotics to treat peptic ulcers. But three+ orders of magnitude more American churches, school districts, public libraries, medical practices, charities, and small businesses are going to switch to Live-CD-based browsing for online banking? How long would you estimate that such a conversion would take?
Fortunately, we don’t have to guess. The answer has been given to us by God Himself. Really. As is well known, there are three men on Earth who, because of their exalted positions, are privileged to talk directly to Almighty God. Those three men are:
– Barack Obama, because he is President of the United States and leader of the Western World,
– Benjamin Netanyahu, because he is Prime Minister of Israel and leader of God’s Chosen People,
and
– Doug Johnson because he is VP, Fraud and Risk Management at the American Bankers Association (ABA), and as such is responsible for explaining commercial account takeover fraud to members of the House and Senate.
As it happens, all three men, driven to distraction by their various problems called upon their special relationship to the LORD while I was in Washington, D.C. for the hearing:
– Barack Obama, stung by the criticism he is receiving over the state of the economy, said, “LORD, will I ever get Americans to understand that just because one in seven Americans are on Food Stamps does not mean the economy is not doing fine?”
… And God answered him! “Not in YOUR lifetime!”
– Benjamin Netanyahu, angered by the latest rocket attacks from Gaza, said, “LORD, will I ever have a stable and just peace for your people Israel here in the Middle East?”
… and God answered him! “Not in YOUR lifetime!”
– Doug Johnson, asked by his superiors for a specific timetable for beating commercial account takeover via “user education,” said, “LORD, will I ever be able to get all Americans to bank online using Live-CD Linux?”
… and God answered him! “Not in MY lifetime!”
Jim, just curious what are your credentials as a Cyber Security Expert? Not trying to be a jerk or anything, it’s just that other people are going to read these comments and make an opinion off of them. It is always helpful to know the context of the source…
http://www.linkedin.com/in/jimwoodhill
Don’t see anything on here that doesn’t have the word “marketing” in it…