> I doubt this will change until/unless the banks
> end up with a larger slice of the liability, either
> through a change in laws, or when angry corporate
> customers band together and sue for better
> protection or restitution.

The law definitely needs to be changed, but not to give America’s small- and medium-sized banks more of the liability. As I have noted in previous posts in this thread, Silicon Valley Law Group (with whom I am in no way affiliated other than as a fan) will be happy to stick any bank whose failure to follow The Krebs Rule with regard to its security procedures with 300% or more of the liability, and the courts have been cooperative. That is, the banks are liable *now*, under *current* law.

As the Advocate for the Victims, I find myself in the strange position of being the Advocate for America’s Small- and Medium-Sized Banks as well. These organizations are victims too. Today, I am assured by their industry associations, they eat the losses in the majority of cases. But more importantly, it makes no more sense to expect community bankers to become cybersecurity experts than it makes sense to expect a Primary Systems, Inc. to do what the Pentagon and Sandia Labs have proven themselves unable to do–keep enemy malware out of networks that include PCs running Microsoft Windows.

Nor is it good public policy to even wish that they could. We need our “Enterprise Banks” funding enterprises not hiring cybersecurity experts that are not there to be hired anyway, and our “Primary Systems”s adding employees in their line of business, not trying to defend themselves in cyberspace. And America *sure* does not need its SMEs to do what PATCO Construction has done, abandon online banking altogether and go pack to paper checks and in-person deposits.

In any case, giving responsibility to stop this crime to the banks, which is what the courts have really already done, *won’t stop the crime*. American money will still be flowing the eastern Europe to fund next-generation cyberattackware. Only the online banking outsourcers are positioned to stop the crime, but the FFIEC Guidance does not apply to them.

This is a problem for the political branches to solve, not the courts, nor the regulators (who lack the necessary statutory authority).

– Jim Woodhill, Advocate for the Victims

“Authentication”, as in “logon authentication” is an unfortunate and very persistent terminological confusion in information security as it applies to online banking. A simple userid+password is fine to log on, as long as the ADD PAYEE transaction is protected with totally out-of-band *transaction confirmation* backed by fraud-detection analytics that are able to figure out that a small Springfield, Missouri company like Choice Escrow could not possibly intend to send the entire contents of a title account to the island of Cyprus in a single transfer over a weekend.

Commentators on this thread are not wrong that requiring two-factor authentication for transactions as common as a new payment to an old, known-valid old payee, much less the logon transaction is onerous. But such heavyweight security measures are only needed on ADD PAYEE and a few account-control transactions to stop fraud. These are very few in number for the typical small- and medium-sized enterprise online banking customer.

Words matter. I discuss the terminology problem financial services information security (including the FFIEC 2005 and 2011 Guidances) has at greater length in my June, 2012 testimony before the Subcommittee on Capital Markets of the House Committee on Financial Services, which can be found through:

http://financialservices.house.gov/Calendar/EventSingle.aspx?EventID=296813

– Jim Woodhill, Advocate for the Victims

> But again, IANAL,

Me neither, though I sure have been spending a lot of time with them lately! (A patent troll is suing all the big storage vendors claiming to have invented data deduplication when, the lawyers reminded me just recently, *I* did back in 1991.)

Anyway, it would seem to me that the logical thing for non-lawyers to do, especially since the banks have gotten uniformly creamed in the courts on “Shared Responsibility”, is to say that consumer accounts are protected by Regulation E while commercial accounts are protected by UCC-4A. The banks have been asserting in court that UCC-4A offers protections inferior to Regulation E, but, so far, have not been able to win on that assertion.

Julie Rogers and/or Kim Dincel of Silicon Valley Law Group might be able to help you word the above better. As allowed by the opinion of the Court of Appeals for the First Circuit in PATCO vs. People’s United, SVLG’s pleadings in cyber-bank-robbery cases have gone well beyond UCC-4A’s provisions, which have allowed recoveries in settlements far beyond those provided for in UCC-4A.

– Jim Woodhill, Advocate for the Victims

According to the opinion of the trial court in BankCorp South’s counter-suit against Choice Escrow, in which BankCorp South pled a similar defense (customer rejection of a superior security procedure in favor of an inferior (but easier-to-use) security procedure), the fault is with the bank.

As with Brian Krebs, IANAL either, but consider: can a given set of security policies and procedures truly be “commercially reasonable” when if the bank’s commercial customers were aware of them and their implications in the current threat cyberthreat landscape, that bank would *have* no commercial customers?

Banks that truly believe in their doctrine of “Shared Responsibility” should disclose to their commercial customers the risks the latter are taking by doing online payments at all. The free market could then be the judge of “commercial reasonableness”, rather than people in long black robes. But there is no effective disclosure, so all the victims are caught completely by surprise.

Look. Elizabeth Warren won over Scott Brown. Her Consumer Financial Protection Bureau (CFPB) brainchild has started writing regulations. Banks that don’t get with the program and adopt the Krebs Rule and stand behind it with a money-back guarantee are now taking regulatory risks as well as losing in the courts to Silicon Valley Law Group, for multiples of the amounts stolen.

– Jim Woodhill, Advocate for the Victims

Blame needs to be assigned to both the customer and the bank in this case.

It’s my understanding that none of the decisions so far are binding on any other court, so a court could review the whole issue of good faith and reasonable security de novo, or decide that those issues don’t need to be addressed at all. But again, IANAL, so I’d welcome any other folks who know these decisions to weigh in as well.

RE:

> Under “Regulation E” of the Electronic Funds Transfer
> Act (EFTA) consumers are not liable for financial losses
> due to fraud — including account takeovers due to lost
> or stolen usernames and passwords — if they promptly
> report the unauthorized activity. However, entities that
> experience similar fraud with a commercial or business
> banking account do not enjoy the same protections and
> often are forced to absorb the losses.

You have been including this statement in stories about malware-based corporate account takeover/ACH fraud since your WASHINGTON POST days, but recent the outcomes of recent legal actions show that it is no longer true, if it ever really was. Since Silicon Valley Law Group’s settlement of Village View Escrow vs. Professional Business Bank and, especially, the Federal Court of Appeals for the First Circuit’s angry reversal of the only case the banks have won on their doctrine of “Shared Responsibility” in PATCO vs. People’s United Bank, proved the correctness of the prediction of DC District Court judge John M. Facciola at RSA 2012 that the future of lawsuits over this crime (especially since the issuance of the FFIEC 2011 Guidance) has been “summary judgment for the plaintiff”.

So you are correct that bank accounts tied to a federal TaxID are not covered by EFTA, but incorrect that they are not protected by UCC-4A and other legal provisions such as the common law that the First Circuit ruled are “consistent” with UCC-4A.

You should therefore advise all the victims you encounter to call Julie Rogers & Co. at Silicon Valley Law Group if their bank does not immediately take responsibility for violating the “Krebs Rule” of online banking (that all ADD PAYEE transactions must be confirmed via a means independent of the Windows computer through which they were initiated). As you yourself noted in:

http://krebsonsecurity.com/2012/06/bank-settles-with-calif-cyberheist-victim/

BANK SETTLES WITH CALIF. CYBERHEIST VICTIM

> Last week, Village View announced that it had reached
> a settlement with its bank to recover more than just
> the full amount of the funds taken from the account
> plus interest for Village View Escrow.

Indeed SVLG got a LOT more money out of Professional business Bank than anyone would ever think possible who was familiar with the limitations of recovery in UCC-4A. This was because SVLG got creative on causes of action, and employed novel pleadings that were endorsed immediately afterwards by the (unrelated) decision of the Court of Appeals for the First Circuit in its reversal of PATCO vs. People’s United Bank.

Victims today *do* have recourse to the courts, without reference to EFTA / Regulation E, and without being able to sustain the huge up-front legal expenses that trail-blazing PATCO did. They just need the right law firm.

Julie Rogers, Esq.
Kim Dincel, Esq.

Silicon Valley Law Group 25 Metro Drive, Suite 600 San Jose, CA 95110
Tel. (408) 573-5700
Fax (408) 573-5701
http://www.svlg.com/

– Jim Woodhill, Advocate for the Victims

“Computer crime is a GROWING problem and that growth will not even be SLOWED until a major revamp of people’s notions of security are altered. And like any sort of ‘mass change’, that’s highly unlikely until the situation is dire enough to FORCE people to change their belief system. Cheezburger.”