August 8, 2011

A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines.

Sanford, Maine-based Patco Construction sued Ocean Bank in 2009, alleging poor security after a $588,000 cyber heist. Patco sued to recover its losses, arguing in part that the bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco’s motion for summary judgment and granting the bank’s motion.

On Thursday, the judge presiding over the lawsuit affirmed that recommended decision (PDF), ruling that no further proceedings were necessary. Patco’s attorney Dan Mitchell said the company has 30 days to file an appeal, but that it hasn’t yet decided whether to challenge the decision.

The decision comes as commercial account takeover victims in other states are challenging banks over the security of their online banking platforms. In June, a Michigan court ruled that Comerica Bank is liable for more than half a million dollars stolen in a 2009 cyber heist against a small business. In July, a California real estate escrow company that lost more than $465,000 in an online banking heist last year sued its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.

These cases are being decided at the trial level in different federal districts. They are not “case law.” Case law requires a published decision at the appellate level, and is only binding on the courts in the district where it is made. Other district courts may consider and quote trial and appellate rulings, but they are not bound to follow them. Establishing a uniform national standard for judging all cases involving cyber theft would require a decision by the U.S. Supreme Court. Banks and organizations may not be willing to carry their appeals to this level, fearing that a national standard may not be in their best economic interests.

KrebsOnSecurity will continue to follow these cases and to bring you updates on new developments as they happen. Stay tuned.


56 thoughts on “Judge Nixes Patco’s eBanking Fraud Case”

  1. Nicholas Weaver

    Why ANYONE with a business uses on-line banking at this point, I don’t know. The risk seems way too high unless you can convince the bank to give you a letter saying cyberattacks are their fault.

    1. Dave

      The “security” practices of US banks never cease to amaze me. A month or two back a friend of mine wanted to get her credit card replaced because the lettering on her existing one was partially worn off, but since it was a vanity replacement the bank was going to charge her for the new card. I suggested, entirely tongue-in-cheek, that she should use the card on her next business trip to the US, wait for the fraudulent charges to start appearing, and then get her bank to replace it.

      Two weeks after she got back from San Francisco, fraudulent charges started appearing from various locations in Oakland.

      How a banking system like that can continue to function is beyond me…

      1. brian

        The banking system is not to blame for that. Credit card numbers get pinched by dishonest people on the inside of various businesses every day.

        And the banking system isn’t responsible for your using their site from a machine that’s been compromised by a keylogger. I don’t care how many passwords they put in your way, you’re going to be vulnerable if you aren’t careful.

        1. Dave

          >The banking system is not to blame for that.
          >Credit card numbers get pinched by dishonest
          >people on the inside of various businesses every day.

          The US does seem to be awfully prone to this though. I do a lot of travelling worldwide (including eastern Europe, which isn’t exactly known for credit card security), and the only place I’ve had my card details lifted is in the US. I feel more nervous using my credit card in San Francisco than I do in St.Petersburg, arguably the capital of Russian cybercrime.

          >I don’t care how many passwords they put in
          >your way, you’re going to be vulnerable if you
          >aren’t careful.

          And again, that’s something that seems to be somewhat unique to the US banking system, that they don’t provide anything other than passwords for authentication. Since my bank uses SMS-based cryptographic transaction auth (to a non-smartphone, so you can’t trojan it), it doesn’t matter what’s on the PC because all that’s ever entered there is a crypto checksum to authenticate the transaction details sent via SMS.

  2. Steve Ledwith

    @Brian – are there any cases that have progressed past the district level? Are there any cases that have the potential to make it to that level right now?

    The Patco decision doesn’t make a lot of sense to me. How anyone can find the security that was in place is adequate, is just mind boggling.

    Keep up the great work.

    1. John

      Because the security in place is compliant with the current law.

  3. JBV

    @ Nicholas: Businesses and institutions use online banking because of its tremendous economy.

    The real questions are why customers don’t have insurance and why they don’t pay attention to their financial institutions’ advice. Banks’ websites are loaded with information on avoiding intrusions and fraud. Many banks have seminars and all furnish recommendations to their customers when accounts are opened. Small businesses often don’t have the time or inclination to follow the guidelines. Larger businesses and organizations have IT departments – but, they aren’t perfect and can’t guard against all newly-emerging threats. That’s why insurance is an important backup. (No, I don’t sell insurance.)

    @ Steve: Losing parties are often unwilling to file an appeal because it is expensive and time consuming. An adverse appellate decision is binding and can have far-reaching consequences – as Brian notes, this may be an unacceptable risk.

    The FFIEC updated guidelines, which were not in effect when Patco suffered its loss, recognize the need to protect customers from newer threats, but stop short of endorsing any specific technology or approach. Instead, they call on banks to conduct more rigorous risk assessments, to monitor customer transactions for suspicious activity, and to work harder to educate customers — particularly businesses — about the risks involved in online banking.

    See: http://krebsonsecurity.com/tag/ffiec/

    1. Philip

      @JBV, you usually can’t get insurance to cover monetary losses caused by negligent computer security practices. I bet if you look closely, there is an exclusion in the fine print. There has to be. Otherwise, people would deliberately install ZBot on their office PCs, hand their banking password to their cousins abroad, and then ask them to empty the account…. what’s there to lose if the insurance company picks up the tab?

    2. Terry Ritter

      @JBV: “The real questions are why customers don’t have insurance and why they don’t pay attention to their financial institutions’ advice.”

      Specifically what advice was offered and not followed that would have made a difference in this case?

      “Banks’ websites are loaded with information on avoiding intrusions and fraud.”

      Specifically what information was provided, or could have been provided, that would have prevented losses in this case?

      “Many banks have seminars and all furnish recommendations to their customers when accounts are opened.”

      Specifically what information and recommendations were provided, or could have been provided, that would have made a difference in this case?

      “Small businesses often don’t have the time or inclination to follow the guidelines.”

      Specifically what guidelines would those be, and to what extent would they have prevented losses?

      My technical involvement with “guidelines” and “recommendations” leads me to see them as little more than “cover my ass” legal BS for the banks. Guidelines cannot be trusted to provide security. While some guidelines may prevent some problems, they cannot prevent ALL problems, which is what is needed. Even doing all the right things always in the right way is NOT enough!

      What can be done:

      * The bank can check transfers and delay ones that look funny. The bank might use an “independent channel” to specifically detail each transaction and request authorization, but smartphone SMS bots have existed for some time.

      * The account holder may be able to design limits on which transfers are easily approved.

      * The computer owner and user effectively HAVE NO TOOLS AT ALL to reliably prevent, detect, or correct a bot infection in a conventional system. However, most systems can be secured by booting from a Linux LiveDVD like Puppy Linux.

      The best advice for small businesses is to use the drive-thru. Small businesses which must bank online should learn and use a LiveDVD. Small businesses which cannot do either must have very good insurance indeed.

      1. Matt

        “The computer owner and user effectively HAVE NO TOOLS AT ALL to reliably prevent, detect, or correct a bot infection in a conventional system. However, most systems can be secured by booting from a Linux LiveDVD like Puppy Linux. ”

        This is nonsense. Believe it or not, there are plenty of us who have never been compromised and don’t go to the extreme of booting off DVD. For example, running OS X with free Sophos anti-virus and Firefox w/noscript is pretty darn secure. You have to keep your software patched and not be an idiot too, and that is where I see the most failures. There needs to be some evidence that the customer did their part too.

        1. Terry Ritter

          @Matt: “Believe it or not, there are plenty of us who have never been compromised and don’t go to the extreme of booting off DVD.”

          My belief is not required: Tools simply do not exist which can guarantee to find a hiding bot. That means YOU CANNOT KNOW whether or not you have been compromised. Virtually any system which boots from a hard drive can be infected.

          “For example, running OS X with free Sophos anti-virus and Firefox w/noscript is pretty darn secure.”

          “Pretty darn secure?” Just how would you know? Since no tool can certify that result, your claim is your personal belief, nothing more. Meanwhile, OS X is getting increasing attention from malware:

          * “Escalating privileges remains a problem on both operating systems, he says, with OS X having more potential soft spots than Win 7. But when it comes to network vulnerabilities, Apple is the loser.”
          http://www.computerworld.com/s/article/9218969/Black_Hat_Apple_does_well_Microsoft_better_with_enterprise_security?taxonomyId=17

          * “Security researchers warn of a newly identified Mac backdoor that was found in a malicious archive uploaded anonymously to Virus Total last month.”
          http://news.softpedia.com/news/New-Mac-Backdoor-Found-in-the-Wild-213532.shtml

          “There needs to be some evidence that the customer did their part too.”

          “The evidence” is that it is not enough for customers to “do their part.” Tools do not exist which can certify a system as safe for online banking. No customer can “do their part” to control something they cannot detect or correct.

          1. T.Anne

            While I would agree that generally there is no 100% fix… lets face it, both parties hold some responsibility.

            1. The customer/business – SHOULD do everything they can to be secure. Such as using a DVD or only using the computer for banking transactions and leaving it off otherwise (only turning it on otherwise to patch and update AV)… etc. The customer/business cannot be let off the hook if they choose to do NOTHING or use poor judgment – there is not a patch for human error. If they choose to do online banking they SHOULD do their research, know the risks, and do what they can to be secure.

            2. The banks – SHOULD do everything they can to TEACH the customer how to be secure and OFFER the best security they can. You have to remember – regardless of what is offered, unless the customer/business actually uses it correctly then the fault is not of the banks. There are many ‘secure’ solutions that need to be implemented in a certain way; if they’re not… then they’re open to more security flaws than they otherwise would be. If you choose to ignore the guidelines and do it your way – you could be leaving a door open that you didn’t know was there but the banks did (which is why they gave you the guidelines)… this is your fault, not theirs – they cannot control your actions.

            The banks CANNOT offer a 100% safe online banking experience… there are too many factors. They can offer some (just for argument we’ll say 60%) and the customer/business has their part as well (just for argument we’ll say 20%)… however there’s always going to be that 10% (or whatever the number really is) that is possible to be breached. Even if we don’t know of a security flaw, that doesn’t mean it doesn’t exist… and it doesn’t mean that at some point in the future, someone with malicious intent won’t find it. Short of not banking online (and the actual bank could still be robbed too – they may have lowered the odds, but it’s still possible) – there is no end all be all cure to make it safe. There is ALWAYS a risk – even if you don’t see it. Together, the banks and customers/businesses need to be on top of things 100% of the time… someone trying to steal money only has to get lucky once… and even if one may give up by not being able to get in, that doesn’t mean another won’t try later.

            1. Terry Ritter

              @T.Anne: “The customer/business – SHOULD do everything they can to be secure.”

              Since there can be no absolute security, there is always something else which can be done, even if ineffective or counterproductive. Doing “everything” is not a solution.

              “The banks – SHOULD do everything they can to TEACH the customer how to be secure and OFFER the best security they can.”

              Despite claims to the contrary, teaching and learning does not guarantee security. Security is not a seminar, but a way of life. Customers are not going to change their way of life just to put their money in a bank.

              Online, often there simply is not enough information available to the user to identify an attack before it has occurred. That makes it impossible even for an expert to make the “right” decision every time, except for not going online at all.

              “If you choose to ignore the guidelines and do it your way”

              Specifically what guidelines would those be, which somehow convey the user to the magic realm of security? Upon closer examination, I suspect we will find those guidelines not only do not guarantee security, they probably do not even address the problem. Specifically in what way would those guidelines have prevented the losses in this article? Specifically how do “guidelines” stop the bot infection problem?

              “The banks CANNOT offer a 100% safe online banking experience…”

              WAIT, WAIT, WAIT! These would be the SAME banks which account for funds to the penny, who now are admitting that, say, 1 in 10 of their commercial customers may in fact lose hundreds of thousands of dollars, and that is somehow OK and a normal part of the banking business? No, that is NOT OK. If that is the best the banks can do, we need to shut down online banking completely.

              “(and the actual bank could still be robbed too – they may have lowered the odds, but it’s still possible)”

              Fortunately, if the actual bank is robbed, the bank is still responsible for customer funds. That is not happening here, and that is the main issue.

              It is NOT POSSIBLE for computer owners and users to be responsible for having a bot infection which their equipment inherently accepts, and which they cannot prevent, cannot detect, and cannot correct.

              1. T.Anne

                “It is NOT POSSIBLE for computer owners and users to be responsible for having a bot infection which their equipment inherently accepts, and which they cannot prevent, cannot detect, and cannot correct.”

                You mean to tell me if I get a virus on my computer which completely wipes my hard drive and I lose everything on it that I’m not responsible? Who would I hold accountable for that? Surely Dell, HP, Apple, etc aren’t willing to take the blame… but ultimately it’s their computer that allows me onto the internet and that allows my computer to be vulnerable to attack… or is it the internet’s fault for allowing the virus to be able to be delivered to my computer? Last I checked, if I got a virus by something I DID – I had to deal with the lost data, pay to have someone restore it (if it’s even restorable), and pay to fix my computer or buy a new one… Would it be convenient for me to say “Since there can be no absolute security, there is always something else which can be done, even if ineffective or counterproductive. Doing “everything” is not a solution.” and therefore I’m not responsible? Sure… is that reality – no. Yes their product has vulnerabilities, but they offer me patches to help and I make the CHOICE to use the best security methods I know how and am willing to do… those I know about and am not willing to do, I’m making that choice and risking it… those I don’t know about I am still responsible for because I am choosing to risk it and not look into what else I could be doing. And if, as you said, it’s “… impossible even for an expert to make the “right” decision every time…” then how can I expect the computer company, or bank, to offer a 100% safe solution for me?

                Just like the computer companies are not responsible for my actions – nor should the banks be responsible for their customer’s actions. You know the old saying, “you can lead a horse to water but you can’t force it to drink”… same thing applies here. They can lead the users to better security practices – but they cannot force them to “live” security (as you put it).

                “Specifically what guidelines would those be, which somehow convey the user to the magic realm of security? ”

                I’m not saying I know what the guidelines the bank gave the company were… my comment stemmed from your earlier comment of, “My technical involvement with “guidelines” and “recommendations” leads me to see them as little more than “cover my ass” legal BS for the banks.” I could be wrong – but there could also be some good intent in giving the guidelines… they could be helpful. A 100% fix no, but not something to just ignore either. Just because something isn’t a 100% fix doesn’t mean it should be ignored. Nothing is a 100% fix… that’s why layered security is so important.

                “Security is not a seminar, but a way of life. Customers are not going to change their way of life just to put their money in a bank. ”

                So because the customer isn’t willing to try, the bank is ultimately responsible? I’m sorry if this sounds rude – but that sounds like an entitlement attitude to me… “I want to put my money in the bank and I want to access it online, but I don’t want to change my normal online behavior just because I’m accessing my banking info”…

                Please don’t misunderstand my point… I do think the banks hold SOME responsibility… they should have good security measures in place. They should have some type of red flag for suspicious behavior on accounts. They should be quicker to react sometimes when things go wrong (as they inevitably will)… However – putting all the responsibility on the bank is not realistic. They could have the most state of the art security and someone could walk into a business and steal hard copies of their information and use it to commit fraud online… that’s no fault of the banks. The business cannot blame the bank for getting breached – it was their poor security that allowed it originally. Now YES – they can expect the bank to have additional fail-safes set up to help prevent issues… and they can expect the bank to work with them to recover costs or stop transactions when they’re found… but the bank cannot be responsible for the business’ poor security business practices. It needs to be a joint effort.

                Should the bank, in this case, perhaps have done more – very possible. I don’t know all the details behind what they did or didn’t do… nor do I know all the details of what the company did or didn’t do… all I am saying is that there should at least be some of the responsibility to the businesses themselves as well…

                I believe it’s the business attitude of “it’s not my responsibility” that leads to many of the regulations we have today (like PCI and HIPAA)… businesses have to secure the information they’re trusted with. Now that goes for ALL businesses – banks included. And yes, some have more responsibilities than others… but that doesn’t mean that one company can get out of all their responsibilities and give them to the bigger company. They should still use good security practices regardless if they’re going to go into business.

                This shouldn’t be a matter of “it’s not my fault – it’s theirs” – because the reality of the matter is, both parties are responsible for the issue.

                1. Terry Ritter

                  @T.Anne: “You mean to tell me if I get a virus on my computer which completely wipes my hard drive and I lose everything on it that I’m not responsible?”

                  Well, I suppose you would be responsible for the burst of insanity which drove you to buy a computer and try to use it on the Web as it is promoted for sale. But the issue here is not the customer computer, it is the customer’s money in the bank.

                  In the same sense that an automobile design which suddenly and without warning becomes dangerous to the driver is defective and recalled, current computers also become invisibly dangerous yet are not recalled. Yes, the manufacturers are responsible.

                  “Last I checked, if I got a virus by something I DID”

                  Sometimes one need do nothing at all, but most often one need only do something common and apparently innocuous. Just going to some sites, even respected sites, may be enough. That is not “doing something [wrong],” that is doing anything other than getting off the Web completely.

                  “if, as you said, it’s “… impossible even for an expert to make the “right” decision every time…” then how can I expect the computer company, or bank, to offer a 100% safe solution for me?”

                  This is not about the bank making decisions for you, it is about the bank keeping your money safe from theft. If they are happy with 10 percent of their customers being robbed from their own vaults, they could at least tell us beforehand.

                  “Nothing is a 100% fix… that’s why layered security is so important.”

                  “Layered security” is misunderstood. For this to work, each layer must attempt to be a complete security wall on its own, for, indeed, it may end up the last one standing. “Guidelines” are generally nothing like a complete wall, and do not constitute a “security layer.”

                  “the bank cannot be responsible for the business’ poor security business practices. It needs to be a joint effort.”

                  Oddly, the security practices small businesses would most need for a secure solution are not insisted upon by the bank. First among those would be to not use Microsoft Windows when banking online. When banks allow that, they are admitting that their customers simply have no way to prevent malware from being acquired or to certify their system as clean for online banking. The bank, having accepted that situation, should then be held responsible for the consequences.

                  Find me a bank which issues a Linux LiveDVD to customers, and then demands they use it, then we can talk about customer responsibility. I would not expect that bank to last long, however.

                  “All I am saying is that there should at least be some of the responsibility to the businesses themselves as well…”

                  All *I* am saying is that THE TOOLS DO NOT EXIST which would allow the businesses to be responsible when using a hard-drive-boot operating system for online banking. IF and WHEN such tools become available and effective, THEN we can talk about business “responsibility” in using them.

                  1. T.Anne

                    I think this is a matter that we’ll have to agree to disagree on…

                    To me, just as the banks know there are risks with banking online – so should the businesses… they are wanting the convenience of banking online and should be aware of the risk.

                    I do think, in many situations, some banks cut corners to save money… and am in no way saying it’s appropriate to knowingly offer an option without explaining the risks… and IF they know there’s a big issue with the way they’re set up they should fix it (just like if a car is on the market and the brakes are found to be faulty they should be recalled). However, other businesses cut corners too. Some skimp on security and believe it should be someone else’s responsibility.

                    The sad truth is, some companies focus solely on their bottom dollar – and even if there is a problem, as long as it doesn’t impact a huge amount of their business – they may not see it as worth fixing. Just like the car company that didn’t recall a car with a known issue until after enough people died that people were coming after the company directly – ultimately hurting their bottom dollar and becoming a legal issue. However, originally they thought fixing the issue would cost more than it was worth – and they were talking human lives… sad but true. Until that mentality changes – I don’t think issues like the one Patco faces will change. Companies need to do more, to do what they know is right instead of trying to push responsibility off elsewhere. The banks try to blame the businesses and the businesses try to blame the banks… it’s not going to solve anything until both sides accept their role/part in the issue.

                    The responsibility of protecting one’s online bank account, in my opinion, does not lie 100% with the person whose account it is nor 100% with the bank that holds the account. I do think the bank has more responsibility than the account holder – but both sides are responsible and should be held accountable.

                    Do I think the bank should’ve done more… yes – it doesn’t sound like they really had much security in place. However, that’s really more of a moral issue with their decision to not do more since at the time – they were meeting the legal requirements.

          2. Matt

            “Tools simply do not exist which can guarantee to find a hiding bot. That means YOU CANNOT KNOW whether or not you have been compromised. Virtually any system which boots from a hard drive can be infected. ”

            Ah yes, the zealotry of the typical security guy…either 100% secure or 0%. Newsflash…booting off a known clean ISO isn’t 100% either, the runtime can still get infected. And it’s a moot point, since very few people are willing to do it.

            ““Pretty darn secure?” Just how would you know?”

            Yes, it’s my opinion, but I do this for a living. Don’t get caught up in the OS, I prefer Windows actually. OS X is still less targeted, so safer from that perspective. In my experience, many malware infections are caused by user ignorance. They click links in phishing e-mails, they do “breaking news” image search and just blindly click on stuff. They have antivirus but the sigs expired 2 years ago. The point is, you can’t put all the blame and responsibility on the .

            “Tools do not exist which can certify a system as safe for online banking. No customer can “do their part” to control something they cannot detect or correct.”

            Again, this is bull. This is like the old security adage, “the only secure computer is a disconnected one”. While true, it’s not helpful. It’s not about being 100% Trusted…even booting from ISO doesn’t do that. I’m saying let’s at least require that the customer made some effort to secure their environment.

            1. Terry Ritter

              Me: “Tools simply do not exist which can guarantee to find a hiding bot. That means YOU CANNOT KNOW whether or not you have been compromised. Virtually any system which boots from a hard drive can be infected. ”

              @Matt: “Ah yes, the zealotry of the typical security guy…either 100% secure or 0%.”

              Oh, no. This is not about security, this is about whether you can know whether your system is clean or not. That is yes or no, not maybe, not pretty sure. You cannot know.

              Infection occurs on the hard drives, then remains until the OS and apps are completely re-installed. At risk is not only your complete past on those drives, plus your online accounts, but also your complete future until the OS is re-installed. But a re-install will not happen until the bot is done with you and jumps up and punches you in the nose.

              “Newsflash…booting off a known clean ISO isn’t 100% either, the runtime can still get infected.”

              Now you can use your percentage argument: The main problem we have is bots, and in particular bot infections which restart on every session. By making infection difficult or impossible with a DVD boot, we can greatly reduce (not eliminate) bot activity. Malware acquired in operation only lasts until the end of that session. For online banking, we restart, then immediately bank.

              “Again, this is bull. This is like the old security adage, “the only secure computer is a disconnected one”. While true, it’s not helpful. It’s not about being 100% Trusted…even booting from ISO doesn’t do that. I’m saying let’s at least require that the customer made some effort to secure their environment.”

              The only “bull” here is your claim that you have never been compromised and so need not boot from a DVD. Now you admit that there is a possibility, and in fact that exists on every session. So the little probability that you are wrong just keeps adding up, session by session. That is not security. Conventional systems which boot from a writable drive almost cannot be secure.

              It is crucial for banking personnel to understand that the “responsibility” they want customers to take is necessarily limited by the tools customers have. Tools simply do not exist to support the level of “responsibility” banks want customers to take. And banks apparently are happy with this. Banks are the side of the deal that offers the service for fee, banks have the greater technical expertise, and banks knowingly allow customers to connect with a known wildly insecure interface. Banks are in control, and what they allow, they need to take responsibility for.

              It is important for small businesses to understand that they cannot be made safe by installing a security package, and that “guidelines” will not prevent a bot infection which they will be unable to detect. Small businesses MUST have insurance, or use the drive-thru, or boot a Linux LiveDVD for online banking. If there is another safe option, I do not see it.

      2. Ray Butlers

        “The bank can check transfers and delay ones that look funny”

        Which transfers look funny?

        1. Jane

          Ask the credit card companies. They’re really good at it.

          Some of the stories Brian has posted here give good examples. New people on the payroll, payroll on a new day, dozens of overseas wire transfers from a company that has never done any overseas transactions before, flurry of payments right after disabling or rejecting alerts.

          1. Ray Butlers

            perhaps the bank should call you personally every time a transaction comes through lol

    3. Nicholas Weaver

The problem is the security problem really does rest with the bank. They need to deploy two-factor TRANSACTIONAL authentication. There have been plenty of designs for both second-device (SMS based, already deployed by banks outside the US) and for dedicated hardware devices (e.g., the IBM Zurich ZTIC device).

      But the banks refuse to because they don’t have the downside: with the liability hitting the customer, banks have no interest in deploying security systems which could mitigate or block these attacks.

      Instead, they have been deploying “regulatory 2-factor authentication”, systems which regulators call 2-factor but any security expert wouldn’t.

      And insurance is not the solution either: any insurance company which would cover this is frankly, foolish. The victim doesn’t have major control over mitigation/prevention, which means insuring is hard/impossible.

Finally, the cost savings are illusory. If you save $100, but have a 1 in 1000 chance of a $100K (potentially company-killing) loss, just straight math says it’s a bad bet. When you appropriately weight the downside risk (a 1 in 10,000 company-killing risk is not worth $100/month), online banking for small business becomes just a risk nobody should take. And if there IS insurance you could take out on this, the cost/month is going to swamp your cost savings anyway!
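The distinction drawn above between a second factor that only proves possession at login and a code bound to the transaction itself is easiest to see in code. The following is an added example, not code from the post or from any bank or device vendor: the shared key, account identifiers and amount are constructed, the login code is a simplified HOTP-style MAC over a counter, and the transaction code is an HMAC over the payee, amount and a bank-issued nonce, standing in for what a ZTIC-style device with its own display would compute. The scenario simulated is malware in the browser rewriting the payee after the user has authorised the transfer.

```python
"""Login-only OTP versus a transaction-bound authentication code (added example)."""
import hashlib
import hmac
import secrets

# Constructed shared secret provisioned into the customer's token; hypothetical value.
DEVICE_KEY = bytes.fromhex("5c2a7d9e0b1f4c8a3e6d2b9f7a1c4e8d")

INTENDED_DEST = "ACCT-PAYROLL-1001"   # payee the customer meant to pay (constructed)
MULE_DEST = "ACCT-MULE-9901"          # payee substituted by malware (constructed)
AMOUNT_CENTS = 1_250_000


def login_otp(key: bytes, counter: int) -> str:
    """HOTP-style code: proves possession of the token, says nothing about any transfer."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 10**6:06d}"


def transaction_code(key: bytes, dest: str, amount_cents: int, nonce: str) -> str:
    """Code the separate device computes over the details it displayed to the user."""
    msg = f"{dest}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self, key: bytes):
        self.key = key
        self.used_nonces = set()

    def challenge(self) -> str:
        """Fresh per-transfer nonce; binding it into the code prevents replay."""
        return secrets.token_hex(8)

    def accept_with_login_otp(self, dest, amount_cents, code, counter) -> bool:
        # "Regulatory 2-factor": the OTP is checked, but dest/amount are not bound to it,
        # so whatever payee arrives in the request is credited.
        return hmac.compare_digest(code, login_otp(self.key, counter))

    def accept_with_transaction_code(self, dest, amount_cents, nonce, code) -> bool:
        if nonce in self.used_nonces:
            return False  # replay of an already-executed transfer
        expected = transaction_code(self.key, dest, amount_cents, nonce)
        ok = hmac.compare_digest(code, expected)
        if ok:
            self.used_nonces.add(nonce)
        return ok


def run(scheme: str, malware_rewrites_dest: bool):
    """Returns (payee the bank actually credited, whether the transfer was accepted)."""
    bank = Bank(DEVICE_KEY)
    nonce = bank.challenge()
    # The customer (and their device) authorise the transfer they intend.
    if scheme == "login_otp":
        code = login_otp(DEVICE_KEY, counter=7)
    else:
        code = transaction_code(DEVICE_KEY, INTENDED_DEST, AMOUNT_CENTS, nonce)
    # Malware in the browser swaps the payee in the request after authorisation.
    submitted = MULE_DEST if malware_rewrites_dest else INTENDED_DEST
    if scheme == "login_otp":
        ok = bank.accept_with_login_otp(submitted, AMOUNT_CENTS, code, counter=7)
    else:
        ok = bank.accept_with_transaction_code(submitted, AMOUNT_CENTS, nonce, code)
    return submitted, ok


def replay_rejected():
    """Submitting the same signed transfer twice: first accepted, second refused."""
    bank = Bank(DEVICE_KEY)
    nonce = bank.challenge()
    code = transaction_code(DEVICE_KEY, INTENDED_DEST, AMOUNT_CENTS, nonce)
    first = bank.accept_with_transaction_code(INTENDED_DEST, AMOUNT_CENTS, nonce, code)
    second = bank.accept_with_transaction_code(INTENDED_DEST, AMOUNT_CENTS, nonce, code)
    return first, second


if __name__ == "__main__":
    print("login OTP, payee rewritten:   ", run("login_otp", True))
    print("transaction code, rewritten:  ", run("transaction", True))
    print("transaction code, untouched:  ", run("transaction", False))
```

With the login-only OTP the mule account is credited, because nothing the customer typed into the token is tied to the payee. With the transaction code the rewritten request fails verification. The case this code cannot show is malware rewriting the payee before the device ever sees it; that is caught only if the device has its own display and the customer reads the payee off it before approving, which is the reason the dedicated-device designs insist on a display.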

  4. KFritz

    It would be interesting to know whether any of the commenters defending this dreadful court decision and the practices of the banking industry re online banking are employed by the industry. Also, any interest in or experience writing the software used by banks.

    I have no interest in any bank, any entity that’s lost money in the kinds of scams long described @ this blog, nor any law firm or PR firm representing any firm or bank mentioned in regard to these scams.

    1. KFritz

      Oops. Also re commenters’ interests, if anyone has a connection to law firms representing banks.

    2. Ray Butlers

      What’s dreadful about it? The customer failed to do their part. There is really nothing that the bank could have done. The technology and infrastructure do not exist. Personal responsibility. Learn it. Live it.

      1. Terry Ritter

        @Ray Butlers: “Personal responsibility. Learn it. Live it.”

        Exactly what is this “responsibility” in your view? Specifically, what things could this “person” have done, or done better, to have prevented the loss?

        1. Ray Butlers

Monitoring and balancing one’s accounts daily.

    3. Jane

      I almost wish folks would have taken this question seriously and answered it. Reading the comments for this post, I’m becoming a bit more suspicious than curious.

      ~I also have no interest in any bank, any entity that’s lost money in these kinds of scams, nor any law firm or PR firm of any kind.

      1. TJ

        “Reading the comments for this post, I’m becoming a bit more suspicious than curious.”

        Jane, I couldn’t agree with you more.

  5. Greg Sergienko

    I have a really technical small correction re your post. Trial court decisions *are* case law, but they aren’t binding, even on a different judge in the same court. By contrast, a decision from the court of appeals will be binding on all the trial courts from which an appeal can be taken to that court of appeals.

    As you suggest, although trial court decisions are not binding, they can serve as persuasive precedents. In practice, trial court decisions that are the first to get to a particular legal issue can be very influential, especially if they’re well reasoned.

My opinion on this isn’t worth much–I’m mostly involved in different areas of law, and haven’t done anything with bankers–but it seems to me as a matter of first principles that the banks should have a lot more responsibility than these decisions give them. As a practical matter, it’s a lot easier for one bank to learn about effective banking security than it is for its thousands of customers to learn it, so the bank is what we’d call the least-cost avoider. Shifting that responsibility with boilerplate may be legally effective, but it does nothing to reduce the overall incidence of theft, which is what the social goal is.

    1. JBV

      It seems that you are conflating “law of the case” with “case law.” The former is only binding on the parties to a specific case decision (unless appealed and overturned); the latter must be followed by the lower level courts in the district where the appellate decision was made.

  6. Paul Dittrich

    A brief search on the website for the Federal Financial Institutions Examination Council (www.ffiec.gov) gives several PDF documents intended to guide financial institutions on the requirements of Internet banking and authentication.

    To my reading, these documents are very specific about so-called “high-risk” transactions such as business/commercial banking. The guidance documents call for multi-factor authentication AND layered security ” … characterized by different controls at different points in a transaction process…”

    The judge’s decision in the Patco case seems to ignore the Federal rules, not uphold them.

    1. Helly

You may have mixed up the new and old releases of the FFIEC Guidance on authentication. Per the old guidance they are indeed compliant; per the new one we can hope they would be found not in compliance.

      1. Paul Dittrich

        My point exactly – by the newest “Supplemental Guidance”, Patco’s bank seems (at least to me) definitely NOT in compliance with Federal guidelines.

        1. helly

          You have the right of it, just from the legal perspective the new guidance doesn’t take effect until January 2012 I believe. At which point the company (I assume) would then be legally liable per the standards.

  7. emv x man

It’s more than a little shocking that banks would rather fund litigation with their own clients than put money into tech to do battle with criminals.

  8. Helly

    One of the common threads in these comments is how banks should be 100% liable for business losses related to malware. One of the chief complaints I have with this thought process stems from this argument:

    “THE TOOLS DO NOT EXIST which would allow the businesses to be responsible when using a hard-drive-boot operating system for online banking”

If the tools don’t exist for the consumer, and malware has been an issue for 20+ years, how can the tools exist for banks who have only been dealing with this on a large scale for 3+ years? The simple answer is they definitely don’t. So we implement layered security to help mitigate this effort. Many people advocate contacting the customer for “odd” transactions. The simple reality of this is it doesn’t work, it’s not scalable, and how can you trust any process to perform this 100%? If there aren’t sufficient tools to detect infection how can I be sure the bank’s PCs aren’t infected and feeding inappropriate contact information to tellers?

I know for certain that malware can coordinate between a phone and PC to steal true out of band authentication credentials so that really isn’t a trusted channel. I know malware can intercept phone calls or record conversations, so a phone call isn’t trusted. Email or other systems don’t really work because it’s the same channel as the origination. Perhaps a faxing system could be worked out, but it probably isn’t scalable for larger organizations. Sure a linux OS or an Ironkey type device might work, but again is it scalable and what would user acceptance be?

    The point being that implementing layered controls to detect this fraud isn’t exactly simple. Take a Title company for instance. They generate huge amounts of inbound/outbound transactions to extremely inconsistent locations. They also have incredibly strict demands on processing times if they are going to stay your customer. How do you implement a detection process that is going to identify “odd” transactions, and remain scalable so your customer simply doesn’t leave you for another less secure bank?

It’s easy to simply push the cost in these situations off to the bank, because they are the big company with deep pockets. And heck the vast majority of banks seem like pretty bad businesses. The reality is that these situations are generally a failure of both parties to ensure proper controls and measures are in place. I agree that a consumer doesn’t have the tools to detect malware… But a small business sure does, even if they choose not to. Banks are already being held to an evolving (although slowly) standard, but so far there isn’t a standard for these businesses.

Ideally I would like to see the cost of these losses split 50/50 when the bank had reasonable (per FFIEC) controls in place. I think it’s fine to hold banks to a standard, as long as the negligent business is as well. In cases where the bank is not FFIEC compliant, make them 100% liable.
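Two comments in this thread circle the same question: Jane’s list of what “funny” transfers look like (new people on the payroll, payroll on a new day, overseas wires from a company that has never sent any, a flurry of payments right after alerts are disabled) and Helly’s objection above that a title company with constantly changing payees would drown such rules in false positives. The following is an added example, not code from the post or from any bank: it scores each outbound transfer against a per-customer baseline built from that customer’s own history, so a “new payee” rule only fires for customers whose payee list is normally stable, while the overseas, payroll-day and post-alert-burst rules fire regardless. All customers, payees, countries, dates and amounts are constructed.

```python
"""Per-customer baseline scoring for outbound transfers (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    when: datetime
    dest: str      # payee account identifier
    country: str   # country of the receiving bank
    amount: int    # cents
    kind: str      # "payroll" or "wire"


# Constructed history. "acme" pays the same three employees every Friday in July 2011
# plus one supplier; every payee is domestic.
ACME = [Tx(datetime(2011, 7, d, 9, 0), f"ACCT-EMP-{i}", "US", 150_000, "payroll")
        for d in (8, 15, 22, 29) for i in range(1, 4)]
ACME.append(Tx(datetime(2011, 7, 12, 14, 0), "ACCT-SUPPLY-1", "US", 420_000, "wire"))

# Constructed history. "title" is an escrow company: every wire goes to a payee it has
# never paid before (closings), but all of them are domestic.
TITLE = [Tx(datetime(2011, 7, 1 + i, 11, 0), f"ACCT-CLOSING-{i}", "US", 25_000_000 + i, "wire")
         for i in range(20)]

HISTORY = {"acme": ACME, "title": TITLE}


def profile(history):
    """Baseline derived from the customer's own past transfers."""
    dests = Counter(t.dest for t in history)
    one_offs = sum(1 for n in dests.values() if n == 1)
    return {
        "dests": set(dests),
        "one_off_rate": one_offs / len(history),   # share of transfers to a never-repeated payee
        "countries": {t.country for t in history},
        "payroll_days": {t.when.weekday() for t in history if t.kind == "payroll"},
    }


def flag(customer, tx, batch, alert_changes):
    """Reasons to hold `tx` for review; an empty list means release.

    batch:         all transfers this customer submitted in the same session/hour (including tx)
    alert_changes: datetimes at which the customer disabled or rejected transaction alerts
    """
    p = profile(HISTORY[customer])
    reasons = []
    # A new payee is only unusual for a customer whose payee list is normally stable;
    # this is what keeps the title company from being flagged on every closing.
    if tx.dest not in p["dests"] and p["one_off_rate"] < 0.5:
        reasons.append("new payee for a customer with a stable payee list")
    if tx.country not in p["countries"]:
        reasons.append("first transfer to a country this customer has never paid")
    if tx.kind == "payroll" and tx.when.weekday() not in p["payroll_days"]:
        reasons.append("payroll run on a weekday this customer never uses")
    within_hour = [b for b in batch if abs(b.when - tx.when) <= timedelta(hours=1)]
    alerts_just_changed = any(timedelta(0) <= tx.when - c <= timedelta(hours=24)
                              for c in alert_changes)
    if len(within_hour) >= 5 and alerts_just_changed:
        reasons.append("burst of transfers within 24h of alerts being disabled")
    return reasons


# Constructed scenarios mirroring the thread's examples.
def case_acme_overseas():
    tx = Tx(datetime(2011, 8, 3, 10, 0), "ACCT-NEW-77", "CY", 900_000, "wire")
    return flag("acme", tx, [tx], [])


def case_title_domestic_new_payee():
    tx = Tx(datetime(2011, 8, 3, 10, 0), "ACCT-CLOSING-99", "US", 31_000_000, "wire")
    return flag("title", tx, [tx], [])


def case_title_burst_after_alerts_off():
    t0 = datetime(2011, 8, 3, 10, 0)
    batch = [Tx(t0 + timedelta(minutes=5 * i), f"ACCT-MULE-{i}", "CY", 950_000, "wire")
             for i in range(6)]
    return flag("title", batch[0], batch, [t0 - timedelta(hours=2)])


def case_acme_midweek_payroll():
    tx = Tx(datetime(2011, 8, 10, 9, 0), "ACCT-EMP-1", "US", 150_000, "payroll")  # a Wednesday
    return flag("acme", tx, [tx], [])


if __name__ == "__main__":
    for name in ("case_acme_overseas", "case_title_domestic_new_payee",
                 "case_title_burst_after_alerts_off", "case_acme_midweek_payroll"):
        print(name, "->", globals()[name]() or "release")
```

The title company’s routine new-payee domestic wire releases untouched, while six wires to a country it has never paid, minutes after alerts were switched off, are held on two independent grounds. The thresholds (0.5 one-off rate, five transfers in an hour, 24 hours after an alert change) are illustrative and would be tuned per institution; the point is that the rules are evaluated against each customer’s own baseline rather than a bank-wide one.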

    1. Terry Ritter

      @Helly: “If the tools don’t exist for the consumer, and malware has been an issue for 20+ years, how can the tools exist for banks who have only been dealing with this on a large scale for 3+ years? The simple answer is they definitely don’t.”

      Sure, but so what? The banks offer a service for hire. If they cannot protect it, they can still make the customer whole. But if the banks do not make the customer whole after a theft, the banks need to be very upfront about what kind of service they really offer and what the customer risk really is.

      “I agree that a consumer doesn’t have the tools to detect malware… But a small business sure does, even if they choose not too.”

      No. NO, NO, NO! Such tools DO NOT EXIST! For anybody, anywhere. Typical anti-vi may detect 70 percent of older malware, but almost no new malware, and modern malware may be re-done every few hours. Nothing we have can be relied upon to detect and prevent malware. Nothing.

      “Ideally I would like to see the cost of these losses split 50/50 when the bank had reasonable (per FFIEC) controls in place.”

      But why limit this to online banking? Wouldn’t it be much more fun if the customers paid “their half” of any bank robbery as well?

      The point is that the bank signed up to keep the funds safe. If they cannot do that, there really is no point to their service. The bank knows the risk, and especially the risk of allowing customers to use Microsoft Windows for online banking. Since the bank knows the risk and accepts it, that should be the end of that.

    2. Paul Dittrich

      The bank is ONE location that can be protected and audited, as opposed to applying those same controls to untold numbers of customers.

      Besides, if a robber walked into the bank and physically stole “my” money, would the bank expect me to make it good?

      1. KFritz

        Simple commonsense arguments mean nothing to software mavens in love w/ their own creations. Didn’t you know?–computers rock!

      2. c.cobb

        …in exactly the same way as simple, common sense workarounds are consistently ignored / down-voted by consumers who treasure convenience over security. Didn’t you know? — convenience rules!

        1. KFritz

          Do you see any distinction between banks and
          1)Stocks, bonds, mutual funds?
          2)Hedge funds?
          3) Casinos?

      3. helly

A bank robbery really isn’t a good analogy in this case, I think. Of course the customer wouldn’t take any loss from a bank robbery; in a bank robbery there are no customer-influenced controls. Security of the bank’s physical location is 100% the responsibility of the bank. Aside from that, reimbursing cash to customers for a robbery is a safety issue, not a monetary policy.

I’m not sure you can easily draw a real world analogy for the situation that has arisen with internet banking. Malware is incredibly effective, and social engineering more so; there is not a system in the world you can design that will be secure against these attacks. Part of a layered security approach has to be customer education, and to some degree responsibility.

        1. Terry Ritter

          @helly: “there is a not a system in the world you can design that will be secure against these attacks.”

          But… Practical, working examples of *greatly improved* security ALREADY EXIST in Linux LiveDVD designs. Clearly, good security CAN be designed.

          In most cases, if a customer could reboot into a secure system immediately before doing online banking, that would solve most of the bot problem, which result I would call “much better” security.

          “Part of a layered security approach has to be customer education, and to some degree responsibility.”

          I am unhappy with the idea that customer education should be seen as a bank “security layer.” It is always incomplete, implementation will be spotty, and it is not under bank control.

          The customer is not a junior partner with the bank, expected to join in on whatever the bank may decide. Instead the customer is buying a service to be rendered by the bank. The customer is not looking to take on increasingly onerous “responsibilities” for that service.

          Instead of trying to train people who do not want to be trained, with strategies unlikely to make much difference anyway, the easier and better road to security is to encourage customers to use more secure systems:

          * If customers use Microsoft Windows for online banking and lose money, they will not be made whole by the bank.

          * If customers use a Linux LiveDVD and reboot immediately before banking online and still lose money, they will be made whole by the bank.

          1. helly

            Pretty much agree with everything you said there. I would love the Windows/Linux Live CD approach personally. But it would pretty much have to be made an industry requirement over night for it to gain customer acceptance. Currently if we rolled that out, all but a select few customers would probably bail. They complain that the key fob authentication for transactions is too complex…

The other thing, too, is customers have a VERY strong tendency to say, “whatever that thing is you did to my computer broke it, now you need to pay to have it fixed”. We know full well a LiveCD couldn’t possibly do anything, but the customer is always right (or they leave at the drop of a hat).

            Overall I think its an awesome idea, I just don’t see the practical road to getting it widely implemented.

          2. xAdmin

            @Terry Ritter,

            With all due respect, I have a secure system without any need to boot to a Live CD. Yes, it’s a Windows system, always has been. Yet somehow I’m able to balance security and convenience all at the same time while minimizing risk to malware. Been doing it for 15 years now! So, it’s possible. And it’s done by countless of us out here in the real world. I’d say a majority that we NEVER hear from!

            Also, the incessant preaching about Live CD’s and claiming “No tools exist” does not make your opinions any more valid. It also doesn’t help to repeatedly throw Windows under the bus so to speak. It just sounds like a fan boy. But, the real problem is that it all completely fails Law #10 of the Immutable Laws of Security; “Technology is not a panacea”.

            “Technology can do some amazing things. Recent years have seen the development of ever-cheaper and more powerful hardware, software that harnesses that hardware to open new vistas for computer users, and services that change our expectations for both, as well as advancements in cryptography and other sciences. It’s tempting to believe that technology can deliver a risk-free world if we just work hard enough. However, this is simply not realistic.

            Perfect security requires a level of perfection that simply doesn’t exist, and in fact isn’t likely to ever exist. This is true for software as well as virtually all fields of human interest. Software development is an imperfect science, and all software has bugs. Some of them can be exploited to cause security breaches. That’s just a fact of life. But even if software could be made perfect, it wouldn’t solve the problem entirely. Most attacks involve, to one degree or another, some manipulation of human nature, a process usually referred to as social engineering. Raise the cost and difficulty of attacking security technology, and bad guys respond by shifting their focus away from the technology and toward the human being at the console. It’s vital that you understand your role in maintaining solid security, or you could become the chink in your own systems’ armor.

            The solution is to recognize two essential points. First, security consists of both technology and policy—that is, it’s the combination of the technology and how it’s used that ultimately determines how secure your systems are. Second, security is a journey, not a destination—it isn’t a problem that can be “solved” once and for all, but a constant series of moves and countermoves between the good guys and the bad guys. The key is to ensure that you have good security awareness and exercise sound judgment.”

            http://technet.microsoft.com/en-us/library/hh278941.aspx

            1. Terry Ritter

              @xAdmin: “With all due respect, I have a secure system without any need to boot to a Live CD. ”

              Perhaps you have not read my responses, so I will repeat: THERE ARE NO tools which guarantee finding all hiding bots. Consequently, what you claim to know, you cannot support by measurement. That does not, of course, prevent your belief. But when belief becomes a substitute for fact, then, having belief, you need nothing else at all. And that is not the way to make progress.

              “Also, the incessant preaching about Live CD’s and claiming “No tools exist” does not make your opinions any more valid.”

              Those are facts, not opinions. If false, they are easily refuted by presenting tools which DO guarantee to find any hiding bot. (I expect that such a thing is theoretically impossible without system support not in our conventional computers.) To avoid facts is to not understand reality. Does that sound like a good thing?

              “It also doesn’t help to repeatedly throw Windows under the bus so to speak. It just sounds like a fan boy.”

              As of September 2010, about 99.4 percent of all malware was designed to run under Microsoft Windows. (Previously it was more like 99.9 percent.) Here is the quote and link:

              “The vast majority of malware – more than 99 per cent – targets Windows PCs, according to a new survey by German anti-virus firm G-Data.”
              http://www.theregister.co.uk/2010/09/13/malware_threat_lanscape/

              Is there anything–ANYTHING–about this disgusting fact which sounds good to you? Pointing out this nauseating embarrassment is not being a fanboi about anything. However, as a result, it should be obvious to anyone that the single most important thing someone can do to avoid malware online is to not be using a Windows system.

              “But, the real problem is that it all completely fails Law #10 of the Immutable Laws of Security; “Technology is not a panacea”.” “It’s tempting to believe that technology can deliver a risk-free world if we just work hard enough. However, this is simply not realistic.”

              In my comments I try to distinguish between available security and perfect security, which is never possible. However, right now, today, someone CAN make a free Puppy Linux LiveDVD for their Windows system and gain vastly improved security. Perfect? Hardly. Much, much, much better security? Yes. This is a technology fix, as opposed to the philosophy that since there is no perfect security, nothing need be done.

              “It’s vital that you understand your role in maintaining solid security, or you could become the chink in your own systems’ armor.”

              “Vital” or not, ordinary users will never have a deep understanding of communications security. Security is a way of life, not a book, not a seminar. But banks nevertheless intend to service that market, so if that is to be limited only to security-conscious users, there will not be much market at all. Which is why a technology fix is by far the most practical approach.

              “Second, security is a journey, not a destination—it isn’t a problem that can be “solved” once and for all, but a constant series of moves and countermoves between the good guys and the bad guys.”

              Microsoft has been taking most of us on their security journey for a decade or more. The unarguable results have been a vast increase in malware which is now vastly more dangerous. That is hardly a successful outcome for the “security journey” metaphor. Of course, the marketing advantage of a monthly “Patch Tuesday” interaction with each customer can hardly be overestimated.

              Those of us on this journey have experienced a rare proof-in-practice demonstration that finding a bug, patching that, finding another and patching that, simply does not work. If intended to solve the malware problem, it is a failed process, a failed policy. While no doubt necessary, patching has not defeated malware, and it never will. The philosophical part of this is the widespread disturbing assumption that there is no other choice, that nothing else can or should be done. That is false.

              Our malware problem is not philosophical, it is technological. It is not about a lack of education or awareness, it is about our computing platform, the equipment and software, being inherently vulnerable to the bot infections which are our most serious problem. Because this hardware and software vulnerability is a technological problem, there should be no surprise to find that it has a range of technological fixes, as I have been describing both here and on my site for almost two years.

              It is not necessary to retreat into the philosophy of security to justify doing nothing, simply because nothing can be perfect. Better malware prevention technology is possible, but that will not come from anti-vi scanning and patching. A technological fix is needed, and not security-educated computer operators. Currently, a Puppy Linux LiveDVD can make many systems vastly more secure than they are.

              1. xAdmin

                You keep insisting that the solution is a technological one. I guess you don’t believe in the definition of “immutable”. As such, there is simply no point in trying to debate with you. I have neither the energy nor the inclination. But, I made my point and will leave it at that. Happy trails. 🙂

              2. T.Anne

                “Our malware problem is not philosophical, it is technological… it is about our computing platform, the equipment and software, being inherently vulnerable to the bot infections which are our most serious problem. Because this hardware and software vulnerability is a technological problem…”

                But the technology can only be as good as the people who are writing the code and creating it. The issue is not technology – the issue is people are not perfect and therefore technology won’t be either. We have to find ways to account for human error – in the software/hardware/etc as well as the users.

                “As of September 2010, about 99.4 percent of all malware was designed to run under Microsoft Windows. (Previously it was more like 99.9 percent.) ”

As of September 2010 about 88% of users were running Microsoft Windows – is it really that much of a surprise that malware was being designed for the most popular OS? Would it have made sense to have more malware targeting Macs – which at the time were only about 7% of users worldwide?

The % of malware written for a particular OS is irrelevant unless you’re taking the popularity of that OS into account as well. 99% of malware targeting Windows doesn’t necessarily mean it’s the easiest – simply that it’s the most popular and therefore most profitable. Notice the increase in Mac malware as Apple is becoming more popular lately.

                Stats quoted are from http://www.w3schools.com/browsers/browsers_os.asp… the share of Windows users is also around 88% at http://www.w3counter.com/globalstats.php?year=2010&month=9, though Mac users do go up to almost 9% there.

                1. Terry Ritter

                  @T.Anne: “The % of malware written for a particular OS is irrelevant unless you’re taking the popularity of that OS into account as well.”

                  Surely we can agree that users on the Web may encounter malware attacks from time to time. While anti-vi may defeat some attacks, some portion will manage to slip through. But we can be pretty sure that even if malware does slip through, it will not run if it was not designed for that system.

The higher the proportion of malware which is targeted at your particular system, the more likely you are to encounter malware which will both slip through and run. This is independent of the proportion of such systems in the population, because you operate just one of those.

                2. Jane

I think that at least Brian is careful to maintain the distinction between “you should not bank with a general-use Windows PC” and “Windows is terrible because…”. He’s even posted about an incident where a person was compromised when he “just one time” used his home Mac to log in to the business account.

                  It doesn’t really matter whether Windows is compromised so often because it’s targeted so much or because it’s full of holes (I’m one of those who think MS has come a long way). What does matter is that they ARE compromised so often that businesses should never bank with a general-use Windows computer. A general-use Mac might be slightly better, but a dedicated-use machine or Live disc would be best.

              3. Ray Butlers

                Has anyone ever told you that you’re kind of a dick?

  9. AlphaCentauri

My company just added significant cybersecurity insurance, and we’re a shoestring operation, so it can’t be too prohibitive. When I did a search for companies selling it, I found that it covers breaches regardless of cause. You fill out a questionnaire about your security policies to get a quote. Just going through the questionnaire would be a good way for a company to improve their security, as it will make them get answers to questions they previously hadn’t considered.

    1. KFritz

      Any bank offering online banking ought to be required to provide this info to prospective business clients.

      IMLTHO, yours is the most productive, informative contribution to the discussion.

  10. mybankwashacked

My recommendation to any victim of a cyber bank heist would be to tell the world about it; companies hate negative publicity regardless of who the courts ultimately decide is to blame. Simply telling the story to the world on Facebook, Twitter, various websites, creating a website, doing radio and TV interviews, etc is the best way to recover your losses. Simply telling the story about what happened without laying blame is provocative enough to create concern among the FI’s customer base and target market. Remember, it’s only defamatory if you unjustly point the finger. Keeping it simple like, “We banked at [bank name] and we had our money taken without our consent, and [bank name] did not cover the losses as they would had it been a personal checking account or consumer credit card.” Soon enough, many people will realize that banks are not created equal. Some banks, particularly the larger world banks, have the resources to implement much better security than their smaller competitors. Even many of the large domestic banks that were getting hacked are starting to implement tighter security than what the government requires; not because of the threat from actual thieves, but from the trials taking place in the court of public opinion that end up costing them more than if they would have simply refunded the banking customer and tightened up to begin with.
