A small legal case in Southern Maine could spell big trouble for banks, particularly because it suggests that even strong electronic security doesn't necessarily build a shield large enough to keep either crooks or plaintiffs away.
A federal appeals court late last week allowed a lawsuit by Patco Construction, a Maine-based firm, against Ocean Bank (since acquired by People's United Bank), to proceed, though it suggested the two parties settle out of court. The new ruling reversed a lower district court in Maine that found that the bank wasn't responsible for losses tied to a fraud attack that looted the construction firm's bank account.
The case was one of at least two court decisions that had relied on the 2005 guidance by the Federal Financial Institutions Examination Council to determine whether banks had enough protections in place when hundreds of thousands of dollars in fraudulent transfers occurred.
What should be of interest to all banks is that Ocean's technology appears to have been sound, or at least in line with federal security guidelines. That means banks have to do more than deploy multifactor authentication and other top-shelf security technology. In other words, they must also deploy more human security staff to protect themselves from crooks and the courts, at a cost that may be prohibitive for smaller banks.
"Assuming the facts are correct here, it underscores that technology isn't the answer. The bank had the tech," says Vic Wheatman, a security analyst for Javelin Research. "Tech isn't enough; it's also process and policies that a financial institution has to follow up on. If you do implement the latest and greatest security technology, that implies you are going to use it."
The trouble for Ocean Bank and Patco began in May 2009, when attackers using Zeus malware obtained the construction company's identification data, password and answers to "challenge questions."
The crooks used this information to authorize funds transfers totaling about $589,000, and they sent the funds to accounts not previously tied to the construction firm. The crooks used a computing device and IP address that were not typically used by Patco staff or customers. The bank was able to get about $243,400 of the stolen funds back, but that left $345,000 in dispute.
Patco sued, claiming the bank didn't use "commercially reasonable" security. The U.S. District Court in Maine sided with the bank, saying the suit should be tossed, and pointed out the bank was following Federal Financial Institutions Examination Council guidance for security.
In its 2005-issued guidance (and subsequent update in 2011), the council doesn't endorse a specific method but leans heavily on layered security processes such as a "second method" for authentication and authorization of transactions. That second layer increasingly makes use of a channel other than the one being used for the transaction; for instance, using SMS texts to confirm web transactions. But for many banks and credit card issuers over the years, that added layer has been a challenge question chosen by the customer, something like "your first pet's name," or "the location of your honeymoon."
In last week's ruling, the federal appeals court said challenge questions as a second factor were simpler to use but less secure. The court also said there's no way a customer of the bank would know when an attacker had obtained and used the challenge question.
In this case, the crime became apparent when the receiving banks rejected the transfers because of invalid account numbers. Ocean Bank also apparently ignored high-risk triggers from its existing fraud scoring engine.
The first bad transfer, and subsequent bad transfers, registered a high score, in some cases four times normal. But the bank didn't notify Patco, nor were there workers monitoring high-risk transactions, according to the court ruling. The bank has since begun calling customers to verify high-risk transactions, according to the court. People's United didn't comment on security protocols or the case.
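The gap the ruling describes, a scoring engine that flagged the transfers while nobody acted on the flags, as an added example that is neither the bank's system nor code from the article: a small transfer scorer on the indicators the court cites (unfamiliar device, unfamiliar IP address, a payee never tied to the customer, amount) with an explicit rule that anything several times baseline is held for out-of-band verification. The customer profile, weights, thresholds and sample transfers are all constructed.

```python
# Added example, not the bank's system or the article's own code: a transfer
# risk scorer on the indicators the ruling names, plus an escalation rule so
# that a high score is acted on, not merely recorded. All values constructed.
from collections import namedtuple

Transfer = namedtuple("Transfer", "account amount device_id ip payee")

# Constructed per-customer profile: what this customer normally looks like.
PROFILES = {
    "patco": {
        "devices": {"dev-office-1", "dev-office-2"},
        "ips": {"203.0.113.10"},          # TEST-NET address, constructed
        "payees": {"acct-payroll", "acct-supplier-7"},
        "typical_amount": 5000.0,
    }
}
BASELINE = 20  # constructed: score of a routine transfer with one oddity

def risk_score(t, profiles=PROFILES):
    """Score one transfer on the signals the court cited."""
    p = profiles[t.account]
    score = 0
    if t.device_id not in p["devices"]:
        score += 30                       # computing device never seen before
    if t.ip not in p["ips"]:
        score += 30                       # IP address not used by the customer
    if t.payee not in p["payees"]:
        score += 25                       # payee never tied to this customer
    if t.amount > 3 * p["typical_amount"]:
        score += 15                       # unusually large amount
    return score

def decide(score, baseline=BASELINE):
    """Escalation: several times baseline is held for a call-back, not queued."""
    if score >= 4 * baseline:
        return "HOLD_AND_CALL_CUSTOMER"    # out-of-band verification
    if score >= 2 * baseline:
        return "REVIEW"
    return "RELEASE"

def triage(transfers):
    """Work queue for staff: every transfer that was not released outright."""
    out = []
    for t in transfers:
        s = risk_score(t)
        d = decide(s)
        if d != "RELEASE":
            out.append((t.payee, s, d))
    return out
```

A transfer from an unknown device and IP address to a never-used payee scores 100 here and is held for a customer call, which is the step the ruling says was missing.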
Consumer accounts are typically protected from fraud, but business-account theft often can lead to disputes over who's culpable for the losses. "There's a lot of gray area. A lot of small-business owners mix their accounts or mix their payments between personal and business accounts," says Wheatman.
Wheatman suggests banks anticipate fraud risks and produce a plan for different fraud or security-risk scenarios that takes into account the bank's staffing, technology and relationships, such as whether the security tech is outsourced, and that details the cost of staff and technology for both preventative and reactive purposes.
Shirley Inscoe, a senior analyst at Aite Group, says most banks are working on fraud-protection strategies, but the cost can be prohibitive, particularly for smaller banks.
"One vendor may look at IP addresses, or at hard drives being used to log into the system, while another vendor may look for patterns of activity to flag suspicious transactions. But most small institutions can't afford to pay three or four vendors to provide all of the protection that they need," she says.
And that cost is just the technology, before the cost of staff required to monitor and respond to the tech comes in.
In the Ocean Bank case, the technology was working but was apparently not monitored.
"If you look at any bank, the most expensive line item is people," Inscoe says. "Many banks have cut back people, and that has impacted their ability to protect themselves in terms of internal controls and to monitor fraud prevention techniques. I don't know if that's what happened [with Ocean Bank], but I have talked to bankers that have had to cut staff. You have regulators on one side pushing you to protect more and have the budget on the other side saying you have to do it with less."