A small legal case in Southern Maine could spell big trouble for banks, particularly since it suggests that even strong electronic security doesn't necessarily build a shield large enough to keep either crooks or plaintiffs away.
A federal appeals court late last week allowed a lawsuit by Patco Construction, a Maine-based firm, against Ocean Bank (since acquired by People's United Bank), to proceed, though it suggested the two parties settle out of court. The new ruling reversed a lower district court in Maine that found that the bank wasn't responsible for losses tied to a fraud attack that looted the construction firm's bank account.
What should be of interest to all banks is it appears Ocean's technology was sound, or at least in line with federal security guidelines. That means banks have to do more than deploy multi-factor authentication and other top-shelf security technology - in other words, deploy more human security staff -- to protect themselves from crooks and the courts, at a cost that may be prohibitive for smaller banks.
"Assuming the facts are correct here, it underscores that technology isn't the answer. The bank had the tech," says Vic Wheatman, a security analyst for Javelin Strategy & Research. "Tech isn't enough, it's also process and policies that a financial institution has to follow up on. If you do implement the latest and greatest security technology, that implies you are going to use it."
The trouble for Ocean Bank and Patco began in May of 2009, when attackers using Zeus malware obtained the construction company's identification data, password and answers to "challenge questions." The crooks used this information to authorize money transfers totaling about $589,000. The money was sent to accounts not previously tied to the construction firm, and the crooks used a computing device and IP address that were not typically used by Patco staff or customers. The bank was able to get about $243,400 of the stolen money back, but that left $345,000 in dispute.
Patco sued, claiming the bank didn't use "commercially reasonable" security. The U.S. District Court in Maine sided with the bank, saying the suit should be tossed, and pointed out the bank was following Federal Financial Institutions Examination Council (FFIEC) guidance for security. In its 2005-issued guidance (and subsequent update in 2011), the FFIEC doesn't endorse a specific method, but leans heavily on layered security processes such as a "second method" for authentication and authorization of transactions. That second layer increasingly makes use of a channel other than the one being used for the transaction; for instance, using SMS texts to confirm web transactions. But for many banks and credit card issuers over the years, that added layer has been a challenge question chosen by the customer, something like "your first pet's name," or "the location of your honeymoon."
In last week's ruling, the federal court said challenge questions as a second factor were simpler to use but less secure. The court also said that there's no way that a customer of the bank would know when an attacker had obtained and used the challenge question. In this case, the crime became apparent when the receiving banks rejected the transfers because of invalid account numbers. Ocean Bank also apparently ignored high-risk triggers from its existing fraud scoring engine. The first bad transfer, and subsequent bad transfers, registered a high score -- in some cases four times normal. But the bank didn't notify Patco, nor were there people monitoring high risk transactions, according to the court ruling. The bank has since begun calling customers to verify high risk transactions, according to the court. People's United Bank didn't comment to BTN on security protocols or the case.
While consumer accounts are typically protected from fraud, business account theft can often lead to disputes over who's culpable for the losses. "There's a lot of gray area. A lot of small business owners mix their accounts or mix their payments between personal and business accounts," says Wheatman.
Wheatman suggests banks anticipate fraud risks and produce a plan for different fraud or security risk scenarios that take into account the bank's staffing, technology and relationships -- such as whether the security tech is outsourced -- and come up with a plan that details the cost of staff and technology for both preventative and reactive purposes.
Shirley Inscoe, a senior analyst at Aite Group, says most banks are working on fraud protection strategies, but the cost can be prohibitive, particularly for smaller banks.
"One vendor may look at IP addresses, or at hard drives being used to log into the system, while another vendor may look for patterns of activity to flag suspicious transactions. But most small institutions can't afford to pay three or four vendors to provide all of the protection that they need," she says.
And that cost is just the technology, before the cost of people required to monitor and respond to the tech comes in. In the Ocean Bank case, the technology was working but was apparently not monitored. "If you look at any bank, the most expensive line item is people," Inscoe says. "Many banks have cut back people and that has impacted their ability to protect themselves in terms of internal controls and to monitor fraud prevention techniques. I don't know if that's what happened [with Ocean Bank], but I have talked to bankers that have had to cut staff. You have regulators on one side pushing you to protect more and have the budget on the other side saying you have to do it with less."