US Court of Appeals says bank security system wasn’t up to snuff, meaning it might be liable for some losses incurred by a hacked customer

The decision by the United States Court of Appeals for the 1st Circuit to overturn a lower court ruling that let a bank off the hook for losses incurred by a hacked customer has implications for both financial institutions (they need to do more) and their business customers (who typically lack the legal protection from fraud that consumers enjoy).

While a lower court had granted Ocean Bank in Maine a summary judgment, saying it was not responsible for $345,000 that its customer Patco Construction lost in illegal bank transfers in 2009, the appeals court just reversed that judgment, saying the bank's security system was not "commercially reasonable," meaning Patco may indeed be able to go after the bank for some of the losses.


Time will tell what happens next, but the case is instructive. First, the details in a nutshell (you can read the whole decision here).

Patco made weekly electronic funds transfers from the bank for payroll, always from a static IP address from computers at the company's offices in Sanford, Maine. The highest payment was always less than $40,000.

The bank, according to court records, had a system that created a risk profile for each customer based on "the location from which a user logged in ... how often a user logged in ... and the size, type, and frequency of payment order normally issued." Transactions generating risk scores over 750, on a range of 0-1,000, were considered high risk.

Beginning in May 2009, a hacker, logging in from an unrecognized device, from a different IP address at a different location, supplied the proper credentials of a Patco employee, including ID, password and the answer to three challenge questions, and started routing Patco money to a number of new accounts. The first transaction was for $56,594 and subsequent transfers jumped up to $90,000 and more.

"The risk-scoring engine generated a risk score of 790 for the [first] transaction, a significant departure from Patco's usual risk scores, which generally ranged from 10 to 214." But the bank wasn't monitoring the risk-scoring reports, the court says, and Patco wasn't set up to receive email alerts, a lose-lose scenario.

That, combined with the fact that the bank had lowered the dollar amount at which its system required challenge questions from $100,000 to $1 in order to snare low-value fraud, rendered the bank's system not commercially reasonable: the change meant the answers had to be entered for practically every transaction, vastly increasing the chances of malware capturing them before anti-malware tools could snoop out the intrusion. Traces of the Zeus worm were found on a Patco computer.
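To make the two failure modes above concrete, here is an added example that is not from the article or the court record: a toy risk-scoring engine built from the factors the opinion lists (login location, login frequency, and the size, type and frequency of payment orders), with the 750-point high-risk line and the 0-1,000 scale taken from the decision. The weights, the customer profile, the IP addresses and the $35,000 weekly payroll figure are all constructed assumptions; the bank's real formula is not public. The script shows three things: a routine Patco-style transfer scoring in the low range, an out-of-profile transfer crossing the high-risk line, and what happens when the resulting alert has no recipient. It also counts how many times challenge answers get typed in a year under a $100,000 step-up threshold versus a $1 one.

```python
"""Toy transaction risk scoring and alert routing, constructed to illustrate the
Patco v. Ocean Bank facts. Weights and sample data are hypothetical."""
from dataclasses import dataclass
from typing import Callable, List, Set

HIGH_RISK_THRESHOLD = 750   # from the opinion: scores over 750 on 0-1,000 were "high risk"


@dataclass(frozen=True)
class Transfer:
    amount: float
    source_ip: str
    device_id: str
    location: str
    days_since_last_login: int


@dataclass
class CustomerProfile:
    known_ips: Set[str]
    known_devices: Set[str]
    known_locations: Set[str]
    usual_max_amount: float      # largest payment order normally issued
    usual_login_interval: int    # usual days between logins


# Constructed baseline matching the facts in the opinion: weekly payroll transfers
# from a static IP at the Sanford, Maine office, never above $40,000.
PATCO_PROFILE = CustomerProfile(
    known_ips={"203.0.113.10"},              # constructed, RFC 5737 documentation range
    known_devices={"office-workstation-1"},  # constructed device identifier
    known_locations={"Sanford, ME"},
    usual_max_amount=40_000,
    usual_login_interval=7,
)

LEGIT_TRANSFER = Transfer(35_000, "203.0.113.10", "office-workstation-1", "Sanford, ME", 7)
# Unknown device, different IP and location, larger than usual: the opinion's first
# fraudulent transfer was $56,594. The IP below is constructed.
FRAUD_TRANSFER = Transfer(56_594, "198.51.100.77", "unknown-device", "unknown", 2)


def risk_score(profile: CustomerProfile, tx: Transfer) -> int:
    """Score 0-1,000 from the factors the opinion names. Weights are hypothetical."""
    score = 0
    if tx.source_ip not in profile.known_ips:
        score += 250
    if tx.device_id not in profile.known_devices:
        score += 250
    if tx.location not in profile.known_locations:
        score += 150
    if tx.days_since_last_login < profile.usual_login_interval // 2:
        score += 100   # logging in far more often than this customer normally does
    # payment size relative to what the customer normally sends, capped at 300
    score += min(300, int(200 * tx.amount / profile.usual_max_amount))
    return min(score, 1000)


class AlertRouter:
    """Delivers high-risk alerts to subscribed handlers. With no subscribers the
    alert only lands in a report: the bank not monitoring and the customer not
    enrolled in email alerts, the 'lose-lose' the court describes."""

    def __init__(self) -> None:
        self.subscribers: List[Callable[[str], None]] = []
        self.unread: List[str] = []

    def subscribe(self, handler: Callable[[str], None]) -> None:
        self.subscribers.append(handler)

    def raise_alert(self, message: str) -> int:
        """Return the number of parties actually notified."""
        if not self.subscribers:
            self.unread.append(message)
        for handler in self.subscribers:
            handler(message)
        return len(self.subscribers)


def evaluate(profile: CustomerProfile, tx: Transfer, router: AlertRouter):
    """Score a transfer and raise an alert if it is high risk; returns (score, notified)."""
    score = risk_score(profile, tx)
    if score > HIGH_RISK_THRESHOLD:
        notified = router.raise_alert(f"high-risk transfer ${tx.amount:,.0f} scored {score}")
        return score, notified
    return score, 0


def challenge_prompts(amounts: List[float], step_up_threshold: float) -> int:
    """How many times the customer types challenge answers across these transfers.
    Each prompt is one more opportunity for keylogging malware to capture them."""
    return sum(1 for amount in amounts if amount >= step_up_threshold)


YEAR_OF_PAYROLL = [35_000.0] * 52   # constructed: one sub-$40,000 transfer per week


if __name__ == "__main__":
    router = AlertRouter()   # nobody subscribed: reports generated, nobody reading
    print("legit:", evaluate(PATCO_PROFILE, LEGIT_TRANSFER, router))
    print("fraud:", evaluate(PATCO_PROFILE, FRAUD_TRANSFER, router))
    print("alerts nobody saw:", router.unread)
    router.subscribe(lambda m: print("ALERT ->", m))
    print("fraud, with a subscriber:", evaluate(PATCO_PROFILE, FRAUD_TRANSFER, router))
    for threshold in (100_000, 1):
        print(f"step-up at ${threshold:,}: {challenge_prompts(YEAR_OF_PAYROLL, threshold)} prompts per year")
```

The point the code makes is procedural rather than mathematical: the scoring works as intended in both runs, but only the run with a subscribed handler turns a 790-style score into an action anyone can take, and dropping the step-up threshold to $1 turns a prompt that should be rare into a weekly exposure of the customer's challenge answers.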

The key take-aways: For banks, having sophisticated systems in place doesn't do you any good if you don't make the associated process changes to capitalize on them; and for business customers, beware that banks don't cover you for fraud, but cases like this might begin to give you some leverage.
