In February 2007, a fraudster armed solely with Indiana residents' Marsha and Michael Shames-Yeakel's username and password was able to gain online access to their Citizens Financial Bank home equity line of credit, and proceeded to steal $26k - wiring it first to Hawaii, then to Austria. Chicago-based Citizens opted not to cover the loss on the grounds that Reg. E doesn't cover credit accounts like HELOCs, and that Reg. Z wouldn't apply because the couple had linked their small business account to the HELOC for payments and made some business purchases with it.
When the Shames-Yeakel's refused to repay the stolen funds, the bank played hardball, reporting the delinquency to national credit bureaus and allegedly threatening to foreclose on the couple's home. This being America, before long the Shames-Yeakel's became "plaintiffs," first appealing to the Office of Thrift Supervision (which sided with the bank) and eventually suing in district court, saying the bank's security practices were negligent.
By now Citizens Financial, and the rest of the industry, may be wishing they'd just let the $26k slide. In late August, an Illinois district court judge denied the bank's motion to dismiss the case, noting, "In light of Citizen's apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect the Plaintiff's account against fraudulent access."
Two years later, you'd be hard pressed to find a bank just using username and password to secure online accounts. But this case has the potential to be much bigger than the just the rudimentary security and $26k at issue. The court's precedent-setting ruling opens the door to the possibility that the bank will be held liable for the loss because it hadn't kept up with security guidelines or industry best practices, despite the banking regulations that seem to protect banks from liability on business accounts. This could be a massively expensive proposition given that just about everyone agrees that even the multi-factor authentication called for in the FFIEC guidance can't protect business accounts, and fraud against businesses is exploding.
Or, as Gartner VP Avivah Litan puts it, "Nothing that goes through the browser can be relied upon. The man-in-the-browser attacks that are going on against these corporate cash management applications are all circumventing one-time password," she says. Litan's certainly not the only industry analyst who thinks so. "I would go as far as to say that multi-factor authentication as defined under FFIEC, isn't sufficient to meet the environment we're in," says Tom Wills, analyst at Javelin Strategy & Research.
That's not what banks want to hear. Those that can't afford to upgrade security are wondering what kind of software corporate customers can install on the user end. But if the Shames-Yeakel case goes in the plaintiff's favor, it could force banks to do more to secure under-protected business banking accounts. "Businesses won't put resources into security until they've been hit, or they're regulated into it," Wills says.