Posts Tagged: Sari Green

Jun 11

Regulators Issue Updated eBanking Security Guidelines

Federal banking regulators today released a long-awaited supplement to the 2005 guidelines that describe what banks should be doing to protect e-banking customers from hackers and account takeovers. Experts called the updated guidance a step forward, but were divided over whether it would be adequate to protect small to mid-sized businesses against today’s sophisticated online attackers.

The new guidance updates “Authentication in an Internet Banking Environment,” a document released in 2005 by the Federal Financial Institutions Examination Council (FFIEC) for use by bank security examiners. The 2005 guidance has been criticized for being increasingly irrelevant in the face of current threats like the password-stealing ZeuS Trojan, which can defeat many traditional customer-facing online banking authentication and security measures. The financial industry has been expecting the update since December 2010, when a draft version of the guidelines was accidentally leaked.

The document released today (PDF) recognizes the need to protect customers from newer threats, but stops short of endorsing any specific technology or approach. Instead, it calls on banks to conduct more rigorous risk assessments,  to monitor customer transactions for suspicious activity, and to work harder to educate customers — particularly businesses — about the risks involved in banking online.

“Fraudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts,” the FFIEC wrote. “Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls.”

The 2005 guidelines drew little distinction between precautions a bank should take to protect consumer and commercial accounts, but the supplement makes clear that online business transactions generally involve much higher level of risk to financial institutions and commercial customers. It calls for “layered security programs” to deal with these riskier transactions, such as:

-methods for detecting transaction anomalies;

-dual transaction authorization through different access devices;

-the use of out-of-band verification for transactions;

-the use of “positive pay” and debit blocks to appropriately limit the transactional use of an account;

-“enhanced controls over account activities,” such as transaction value thresholds, payment recipients, the number of transactions allowed per day and allowable payment days and times; and

-“enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.”

Continue reading →

Jun 11

Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security

A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

In May 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People’s United Bank. Pacto used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.

In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco’s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco’s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.

Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Pacto’s motion for summary judgment and granting the bank’s motion.

David Navetta, a founding partner of the Information Law Group, said that Patco has about another week to dispute the magistrate’s recommendations, but that it is unlikely that the judge overseeing the case will overturn the magistrate’s findings.

Navetta said the magistrate considered the legal issues and propounded an analysis of what constitutes “commercially reasonable” security.

“Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability,” Navetta said. “The court explicitly recognizes this concept, and I think that is a good thing.”

But Avivah Litan, a fraud and bank security analyst at Gartner, took strong exception to the way the magistrate arrived at the recommended decision, calling it “an outrage.”

“In my opinion, this is frankly an egregious injustice against small U.S. businesses,” Litan said. “It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century.”

Continue reading →