Federal appeals court raps bank over shoddy online security

The case marks another sign that banks are being taken to task for inadequate wire transfer systems

A U.S. construction company may stand a greater chance of recovering some of the US$345,000 it lost in fraudulent wire transfers that it blames on poor online banking practices of its bank.

Patco Construction Company, based in Sanford, Maine, sued Ocean Bank, now called People's United Bank, after fraudsters made six wire transfers using the Automated Clearing House (ACH) transfer system amounting to more than $588,000 in May 2009. About $243,000 was recovered.

In its suit, Patco alleged among other claims that Ocean Bank's online security was not commercially reasonable under Article 4A of the Uniform Commercial Code (UCC), a federal code governing contractual disputes that has been adopted into most U.S. states' laws.

The UCC does not allow claims such as negligence, fraud and breach of contract. The code makes it potentially costly for small businesses to sue financial institutions over cybercrime-related fraud. Even if a small business wins a lawsuit, under the code the financial damages are limited only to the money stolen plus interest.

In a significant twist, a three-judge federal appeals court panel found on Tuesday that Ocean Bank's online security measures were not "commercially reasonable," reversing a lower court ruling from May 2011.

It doesn't mean that Patco will be refunded. The appeals court said further hearings will be needed to determine what responsibilities Patco may have had to protect itself during online banking transactions. The court also advised that despite its ruling, Patco and Ocean Bank may want to try to settle the issue out of court.

But the latest ruling is a sign that small businesses are having greater success at shifting liability towards banks in online security meltdowns, including out-of-court settlements.

Patco maintains the fraudulent transfers were caused by the Zeus malware, which can capture authentication credentials enabling fraudsters to initiate their own illegitimate transfers.

In its decision, the appeals court cited a critical mistake made by Ocean Bank as ACH fraud had become more prevalent. In June 2008, Ocean Bank decided to initiate "challenge questions" for any transactions for its customers valued at more than $1.

Challenge questions are often used in authentication systems and require a user to enter additional information aside from a login or password, such as the name of the first street a person lived on or the model of their first car.

Since the answers to the challenge questions were displayed every time Patco made a transfer, this "increased the risk that such answers would be compromised by keyloggers or other malware that would capture that information for unauthorized uses," according to the ruling.

The court also found that Ocean Bank was not monitoring its transactions for fraud nor notifying customers before a suspicious transaction was allowed to proceed, both capabilities that it did possess with its security system.

Patco used the ACH system to process its weekly payroll in amounts never exceeding $37,000. The fraudulent transfers, however, were in much higher chunks: $56,594, $91,959, $99,068, $111,963, $113,647 and $115,620.26.

All of the transactions were "uncharacteristic in that they sent money to numerous individuals to whom Patco had never before sent funds, were for greater amounts than Patco's ordinary third-party transactions, were sent from computers that were not recognized by Ocean Bank's system, and originated from IP addresses that were not recognized as valid IP addresses of Patco," the ruling said.

Send news tips and comments to jeremy_kirk@idg.com

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts