Judge: Not Having The Best Security Not Illegal; Defrauded Company Can't Blame Bank

from the required-security? dept

An interesting ruling coming out of Maine. A judge has sided with a bank in a case in which a company tried to blame its bank for not having better security, after one of the company's computers was hit by a password-stealing trojan horse and scammers subsequently transferred about $600k out of its account. The judge agreed that the bank did not have particularly good security, but also noted that there is no legal requirement that a bank have the absolute best security. This is definitely the right decision, even if some may have a gut reaction the other way. To some extent, the company has to take some responsibility for its own actions, and on the flip side, one would hope that market pressures would drive banks to implement better security. For example, in this case, the bank itself -- Ocean Bank -- is getting a ton of bad publicity about its really poor security because of this lawsuit. So, even though it won the lawsuit, that hardly means the bank comes out of it unscathed.


Filed Under: banks, fraud, liability, security


Reader Comments




  • Scote, 8 Jun 2011 @ 10:20pm

    The **bank's** money was stolen, not the customer's money.

    This is a complex issue, but the banks will never put up proper security procedures so long as they aren't held liable for their failures. This decision gives banks an unreasonably broad exemption from responsibility and removes any serious motivation to properly protect customer's accounts.

    This Mitchell and Webb radio skit demonstrates through humor just how silly the bank's position can be:

    http://www.youtube.com/watch?v=CS9ptA3Ya9E


    • Anonymous Coward, 9 Jun 2011 @ 5:32am

      Re: The **bank's** money was stolen, not the customer's money.

      This is a complex issue, but the banks will never put up proper security procedures so long as they aren't held liable for their failures. This decision gives banks an unreasonably broad exemption from responsibility and removes any serious motivation to properly protect customer's accounts.

      The banks are actually moving in the other direction. I used my card in a restaurant the other day and I didn't have to use my PIN, sign something or anything beyond just handing them my card. They said that for under a certain amount they no longer have to do any of those things; the card number is enough.


      • Josh in CharlotteNC (profile), 9 Jun 2011 @ 6:34am

        Re: Re: The **bank's** money was stolen, not the customer's money.

        I used my card in a restaurant the other day and I didn't have to use my PIN, sign something or anything beyond just handing them my card.

        They put it through as "credit" instead of debit. No one has cared about signatures on receipts for a very long time.


        • FormerAC (profile), 9 Jun 2011 @ 7:03am

          Re: Re: Re: The **bank's** money was stolen, not the customer's money.

          No one has cared about signatures on receipts for a very long time.

          I actually did a test on this a year or two ago. For two months, I signed all my credit card slips/screens with Mickey Mouse, RU Looking, X, WTF or some other ridiculous signature. I made sure it was actually readable, and not just a scribble. Not once was I questioned.


          • Anonymous Coward, 9 Jun 2011 @ 11:37am

            Re: Re: Re: Re: The **bank's** money was stolen, not the customer's money.

            My brother has signed "X" for 25 years now and nobody has said anything.


            • crade (profile), 9 Jun 2011 @ 2:34pm

              Re: Re: Re: Re: Re: The **bank's** money was stolen, not the customer's money.

              Technically signing 'X' is still legit as long as he's the one who signs it isn't it?


        • Anonymous Coward, 9 Jun 2011 @ 10:49am

          Re: Re: Re: The **bank's** money was stolen, not the customer's money.

          No one has cared about signatures on receipts for a very long time.

          They just keep getting more secure all the time, don't they?
          /s


      • Sean T Henry (profile), 9 Jun 2011 @ 7:55am

        Re: Re: The **bank's** money was stolen, not the customer's money.

        That's the company's policy, not the bank's. When I set up the credit service at my office, the agreement stated that if a signature on a receipt is requested and we cannot provide it, a penalty of $20 will be assessed.


    • ChimpBush McHitlerBurton, 9 Jun 2011 @ 9:34am

      Re: The **bank's** money was stolen, not the customer's money.

      I don't care who was at fault for the password security. To me that's almost irrelevant. What bugs me, and should bug any business banking customer, is a bank policy that allows a $600,000 transfer from one bank to another bank with no more than a simple online set of keystrokes.

      That amount of money should be signed for, in person, with proper ID checks and personal verification by a bank representative who knows the business customer. Is that really so hard?

      If I was the chief officer of a bank, I would know the first name of every customer who had at least $600,000 in my bank. I'm sure this bank did too.

      So, they basically had a bank policy (forget security, it's a non-starter) that allowed over half a million dollars to pass through its walls with no human oversight.

      Criminal.

      CBMHB


      • JEDIDIAH, 9 Jun 2011 @ 9:41am

        Re: Re: The **bank's** money was stolen, not the customer's money.

        Good point.

        There are special forms that have to be sent to the federal government for transactions over $10k. Any large transaction triggers extra government oversight even in the absence of any extra security implemented by the bank.


      • crade (profile), 9 Jun 2011 @ 2:37pm

        Re: Re: The **bank's** money was stolen, not the customer's money.

        You aren't forgetting security; this sort of policy is just part of security.


  • Anonymous Coward, 8 Jun 2011 @ 10:42pm

    Bailout

    So, essentially, the bank was defrauded and the judge ruled that the bank can make the customer pay for it. Sounds about right.


    • Anonymous Coward, 9 Jun 2011 @ 5:20am

      Re: Bailout

      So, essentially, the bank was defrauded and the judge ruled that the bank can make the customer pay for it. Sounds about right.

      Of course, because the customer didn't do enough to protect the bank. Don't you know that it's everyone's responsibility to protect the banks from losses? That's why they get taxpayer bailouts. The judge was acknowledging that.


  • That Anonymous Coward, 8 Jun 2011 @ 11:31pm

    Looking at the story it was the company who was at fault.

    The company got hit with the trojan that stole their info.
    They felt the bank should have caught it sooner, and made it harder for this type of thing to work.

    Well they should have used multifactor authentication!
    Maybe you should have opted to find that in a bank when you made your selection if it was that important.

    Maybe teaching employees to not open random emails and execute code should be step 1.


  • Mr. Smarta**, 8 Jun 2011 @ 11:37pm

    Nice double standard there

    Sure, a bank can have crappy security that gets hit with a trojan, steals passwords and $600k, and no problem with lawsuits. But if someone connects to your wireless router and shares 80 million songs and movies because your router wasn't 'secure', you're liable. How nice...

    I wonder what would've happened if the hackers had been sharing music and movies through the bank and what the MPAA and RIAA would've said... "Oh, well it's obvious that it wasn't intended, so we'll just overlook that. Not like it was a home router or anything..."


  • fairuse (profile), 8 Jun 2011 @ 11:48pm

    Bank Robbery via ACH transfers

    I agree with the ruling;
    A) Bank had security on par with other banks.
    B) Bank performed due diligence informing customer of policy at signup.
    C) Customer allowed the account authorization credentials to be stolen by poor (maybe none) email virus protection.

    This begs the question: do the bank and customer get the same treatment by insurance as a bank robbery by a person walking into the physical location and stealing physical bank notes?

    It is a really big problem but the cops do win now and then.

    International Cooperation Disrupts Multi-Country Cyber Theft Ring (ACH transfer Theft)


    • GGuppy, 9 Jun 2011 @ 12:25am

      Re: Bank Robbery via ACH transfers

      If I go to your bank, attempt to withdraw all your money and your bank complies with this, is the bank liable?

      In essence this is the same scenario: someone orders actions on someone else's account and the intermediate party allows it. All other parts of the story are window dressing. The bank's authentication failed; it identified someone as the company while it was not the company.

      I'm not convinced there is enough incentive for the bank to upgrade security. Sure, it may take a hit in reputation, but this is only effective if a customer has options. Where I live there are four banks and all of them have the same level of security.

      Security expert Bruce Schneier wrote on the issue:

      Information security isn't a technological problem. It's an economics problem. And the way to improve information technology is to fix the economics problem. Do that, and everything else will follow.

      source: http://www.schneier.com/blog/archives/2004/11/computer_securi.html

      Conclusion is that maybe currently the bank is not liable, but it should be.


      • fairuse (profile), 9 Jun 2011 @ 1:54am

        Re: Re: Bank Robbery via ACH transfers

        The bank's authentication did not fail, but the bank's response to the unusual ACH transfer was not good enough. The system flagged the transfer as unusual and presented an additional query question. In hindsight, holding the transaction for human review would have stopped it.

        So, in order to not hassle customers with transfer holds the system asks the same old question every password system asks, including asking you the name of your cat. Much has been said about how easy it is to beat that secondary security method.

        It falls on the user of online systems to protect their passwords & other such high value targets. All email must be scanned for viruses. Hell, the easiest way not to get hit by email borne trickery is to require all email to be text only when opened. Yes, no html. Yes, no pretty pictures. Yes, obvious spam is trapped.

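The flagged-transfer review fairuse describes here and again further down the thread (flag the unusual transfer, then hold it for a human rather than fall back to a secondary question), written up as an added Python example; it is not code from the original page or any bank, and the account history, payee names and thresholds are constructed assumptions.

```python
"""Risk gate for outbound ACH transfers.

Added example, not Techdirt's or any bank's code. It models the review flow
described in the thread: a transfer that looks unusual for the account is held
for a human reviewer instead of being released on a correct answer to a
secondary security question, because anything the legitimate user types can
already have been captured by a password-stealing trojan on the user's PC.
Account history, payee names and thresholds are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Transfer:
    account: str
    payee: str
    amount: float  # dollars
    when: date


# Constructed history for one business account (assumption, not real data).
HISTORY = {
    "acme-payroll": [
        Transfer("acme-payroll", "payee-staff-01", 4200.00, date(2011, 5, 6)),
        Transfer("acme-payroll", "payee-staff-02", 3900.00, date(2011, 5, 6)),
        Transfer("acme-payroll", "payee-staff-01", 4200.00, date(2011, 5, 20)),
        Transfer("acme-payroll", "payee-staff-02", 3950.00, date(2011, 5, 20)),
        Transfer("acme-payroll", "payee-vendor-07", 12500.00, date(2011, 5, 27)),
    ]
}

# Policy knobs; the values are assumptions chosen for the example.
AMOUNT_MULTIPLE = 3.0           # hold if > 3x the account's median transfer
DAILY_LIMIT = 50000.00          # ceiling on automatically released funds per day
NEW_PAYEE_THRESHOLD = 10000.00  # a first-time payee above this amount is held


def assess(transfer, history):
    """Return (decision, reasons) for one transfer.

    decision is "release" or "hold_for_review". An empty reasons list means
    the transfer matched the account's normal pattern. There is deliberately
    no "answer a security question" branch: a correct answer is not evidence
    of who is at the keyboard once the credentials have leaked.
    """
    prior = history.get(transfer.account, [])
    reasons = []

    known_payees = {t.payee for t in prior}
    if transfer.payee not in known_payees and transfer.amount > NEW_PAYEE_THRESHOLD:
        reasons.append(f"first transfer to {transfer.payee} above {NEW_PAYEE_THRESHOLD:.2f}")

    if prior:
        typical = median(t.amount for t in prior)
        if transfer.amount > AMOUNT_MULTIPLE * typical:
            reasons.append(f"amount {transfer.amount:.2f} > {AMOUNT_MULTIPLE:g}x median {typical:.2f}")

    released_today = sum(t.amount for t in prior if t.when == transfer.when)
    if released_today + transfer.amount > DAILY_LIMIT:
        reasons.append(f"daily total {released_today + transfer.amount:.2f} > {DAILY_LIMIT:.2f}")

    return ("hold_for_review" if reasons else "release"), reasons


def demo():
    """Run three constructed transfers through the gate.

    Returns a list of (decision, number_of_reasons) tuples, one per transfer.
    """
    day = date(2011, 6, 3)
    cases = [
        Transfer("acme-payroll", "payee-staff-01", 4200.00, day),    # routine payroll run
        Transfer("acme-payroll", "payee-vendor-07", 12500.00, day),  # known vendor, usual size
        Transfer("acme-payroll", "payee-new-99", 588000.00, day),    # new payee, huge amount
    ]
    results = []
    for t in cases:
        decision, reasons = assess(t, HISTORY)
        results.append((decision, len(reasons)))
    return results


if __name__ == "__main__":
    for decision, n_reasons in demo():
        print(decision, n_reasons)
```

The routine payroll and the usual-sized vendor payment are released with no reasons recorded, while the large first-time transfer trips all three rules and goes to a reviewer.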

        • GGuppy, 9 Jun 2011 @ 2:22am

          Re: Re: Re: Bank Robbery via ACH transfers

          For the bank you have the authority to perform certain actions on your account. The purpose of authentication is to ensure you are who you say you are. In this case someone was identified as the company while they were not. That is an authentication failure.

          When someone gets an account it is that person that is authorized to use that account; a user account is a representation of the person in the system. It is assumed the real world user and the system user match. Someone else providing the correct responses to the challenges does not negate the fact that matching the real world person to the system representation failed.

          There are perhaps discussions possible as to what level it is reasonable for the system to ensure a correct match, but at its core this case is about a bank that assumed someone was somebody they were not.


          • fairuse (profile), 9 Jun 2011 @ 2:49am

            Re: Re: Re: Re: Bank Robbery via ACH transfers

            The bank assumed nothing. The criminal gave the proper answers to the queries, therefore, the bank software has no choice. Correct answers to; name, password & security query equal the real account holder.

            Since the year 2009 I would bet all banks have better security but that cannot be said about the users of online banking.


            • The eejit (profile), 9 Jun 2011 @ 3:37am

              Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

              I'd argue that up to 90% of successful malware attacks are completed through social engineering (419 scams, "account violation" e-mails and the like).


              • Kirk, 9 Jun 2011 @ 2:18pm

                Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                Most happen through vulnerabilities in web browsers.


                • crade (profile), 9 Jun 2011 @ 2:42pm

                  Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                  But only after you trick someone into going to your malware site somehow through the above methods.


                  • Kirk, 9 Jun 2011 @ 2:50pm

                    Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                    Or by compromising a legitimate site and inserting malicious code within it. This happens all the time... Patch your browsers people.


            • GGuppy, 9 Jun 2011 @ 4:34am

              Re: Re: Re: Re: Re: Bank Robbery via ACH transfers


              Correct answers to; name, password & security query equal the real account holder.

              Except that this was not the case, was it? Someone entered the correct name, password & security query and it was not the company in question.

              I'm not saying this absolves users from managing their own security, but the system fails because the bank assumes anyone entering the users name, password and answer actually is the user.


              • Chronno S. Trigger (profile), 9 Jun 2011 @ 4:49am

                Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                How would you suggest they improve the security? Have a human call and confirm everything over six digits? Limit the amount transferable per day? Both of those would do more harm than good, adding days if not weeks to the process.

                Think of your personal account. If you get a virus and someone takes your money, do you blame the bank? No, you blame the asshole who did it and file a report with the bank.


                • GGuppy, 9 Jun 2011 @ 5:23am

                  Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                  By taking your money the bank has accepted the responsibility of handling it and allowing only you to decide what happens to it.

                  In this case the bank allowed someone other than you to decide what happens to your money. It doesn't matter that he provided the correct responses; he could even look exactly like you, have your passport and everything. In the end all that matters is that he is not you.

                  In the end it is a matter of responsibility. It is your responsibility to keep your authentication tokens secret and safe. It is the bank's responsibility to make sure you are the only one with access to your money.

                  Your failure to secure your credentials does not excuse the failure of the bank to give somebody else access. In the same way it would not excuse you from securing you credentials if the bank fails.

                  Think of it as your landlord allowing a thief into your apartment because he thought he was you.


                  • fairuse (profile), 9 Jun 2011 @ 5:53am

                    Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                    There is no magic solution to ACH transfer theft. In this case a human reviewing all the transfers could have made a difference. In reality there are too many transfers for such a review; that is why flagged transfers get reviewed.

                    If you read the press release by the FBI you would realize these criminals are very smart and have the tech support to make their theft successful.

                    That is all I have. Deal with it.


                    • jjmsan (profile), 9 Jun 2011 @ 8:13am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                      It's called hiring more employees. You have enough people to do the job you are alleged to be doing. You know like reviewing signatures on title transfers.


                      • Anonymous Coward, 9 Jun 2011 @ 10:52am

                        Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                        It's called hiring more employees. You have enough people to do the job you are alleged to be doing. You know like reviewing signatures on title transfers.

                        But that would reduce profits! How would they afford those sky-high CEO salaries then?


                  • Greg G (profile), 9 Jun 2011 @ 6:41am

                    Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                    Sounds to me like you're trying to absolve yourself (and all end users) of all responsibility.

                    "It's not MY fault that I opened that strange email and had my PII jacked! The bank! That's who should have known it wasn't me at that keyboard entering my username, password and answer to my security question!"

                    Let's get real, here. You are the first line of defense when it comes to your money. And you fail if you open that attachment or click that strange link, even if the email appears to be from someone you know.


                    • GGuppy, 9 Jun 2011 @ 8:33am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                      In my view the chain of responsibility starts with the user. Ultimately it is the user's money, so their responsibility.

                      The user then delegates a part of the responsibility (holding it) to a bank. The bank in its place delegates some responsibility back toward the user in the form of credentials the user must keep secret.

                      So in the case of credentials compromise the first failure is that the secret between bank and user is compromised.

                      This failure feeds back into the bank because it delegated some responsibility to somebody (the user) and that failed, compromising the larger responsibility of keeping the money in the bank.

                      Then ultimately the owner of the money is responsible for placing it in the bank in the first place.

                      All conversations here seem to reflect that the user is liable because the user fails to guard the credentials. As a leader is responsible for the actions of his followers, so would the bank still be responsible for the task it delegated and through the bank the user again for dealing with the bank.

                      So in my view the user revealing the credentials is a lesser responsibility than the bank's promise to allow only the user to access the money, which again is a lesser responsibility than the user choosing to delegate to the bank.

                      The liability should be in proportion to the level of responsibility. So the user becomes liable for some amount for failing to guard its secret, above a certain threshold the bank has responsibility and for some higher amount the user is again responsible because he really should not have trusted that much money to that bank (Or a single bank at all probably).

                      The user credentials are part of the authentications system of the bank which in turn is part of the task of handling money.

                      The part I find interesting is that for the most part only the lowest level of responsibility is considered. And as I stated before I do not believe the user failing in his responsibility absolves the bank for failing in its responsibility.


                      • Anonymous Coward, 9 Jun 2011 @ 11:07am

                        Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                        Ultimately it is the user's money, so their responsibility.

                        I see, so it's the user's fault for putting their money in the bank in the first place. If they hadn't done that, it could never have been stolen from the bank. Yeah, I see how that works.

                        The user then delegates a part of the responsibility (holding it) to a bank. The bank in its place delegates some responsibility back toward the user in the form of credentials the user must keep secret.

                        If the bank can "put responsibility" back on the user, why not put it all back? "I'm sorry, but we made some Wall Street investments with your money that didn't quite pan out and your money is all gone. If you want your money back, go talk to Wall Street because we don't have it anymore. Not our problem".

                        The liability should be in proportion to the level of responsibility. So the user becomes liable for some amount for failing to guard its secret,

                        Exactly. Kind of like how a woman "becomes liable" to some degree for getting raped if she dresses or walks the wrong way.

                        (Or a single bank at all probably)

                        ANY bank, actually. See? It's all the customer's own fault.


                • Anonymous Coward, 9 Jun 2011 @ 6:07am

                  Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                  How would you suggest they improve the security? Have a human call and confirm everything over six digits? Limit the amount transferable per day? Both of those would do more harm than good, adding days if not weeks to the process.

                  Days or weeks to make a phone call? Really? Do you own bank stock or something?

                  Think of your personal account. If you get a virus and someone takes your money, do you blame the bank? No, you blame the asshole who did it and file a report with the bank.

                  If someone robs the bank while my money is there, I expect the bank to take the loss, not me.


              • Michial Thompson, 9 Jun 2011 @ 5:10am

                Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                OK Mr Guppy;

                You sure are quick to claim that the system failed because the person on the keyboard wasn't the person owning the account.

                EXACTLY how the hell does your simple mind think that there is any other way to authenticate the person to the account????

                Maybe lick your monitor, and jack off into the keyboard for DNA Analysis???????


                • Anonymous Coward, 9 Jun 2011 @ 5:26am

                  Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                  EXACTLY how the hell does your simple mind think that there is any other way to authenticate the person to the account????

                  Maybe lick your monitor, and jack off into the keyboard for DNA Analysis???????


                  You may find this hard to believe, but some people actually use their hands for other things, like making *signatures*.


                • GGuppy, 9 Jun 2011 @ 5:56am

                  Re: Re: Re: Re: Re: Re: Re: Bank Robbery via ACH transfers

                  Mr Thompson,

                  I'm not really certain I should respond to a message like yours. Is this subject really so emotional to you?

                  There are several other or additional ways of authenticating, but it is always a tradeoff. More security also implies more inconvenience. Also, even though they probably can do better, no form of authentication is 100% certain.

                  At some point the system will fail. The debate is about whose responsibility it is that the system failed. On one side there is you, who is simply you, and on the other side is the bank, who designed the very system, handed you your credentials and acts as the custodian for your money.

                  So the point is not how to prevent failure of the system (though less failure is obviously better), but how we will handle the inevitable failure.


        • JEDIDIAH, 9 Jun 2011 @ 9:44am

          Re: Re: Re: Bank Robbery via ACH transfers

          > So, in order to not hassle customers with transfer holds

          Avoiding a hassle.

          This is the DEATH of security regardless of what sort of security you are talking about. This same sort of stupidity applies to physical security with armed guards too.

          "Avoiding a hassle" simply isn't a good reason to be sloppy.


    • Anonymous Coward, 9 Jun 2011 @ 5:49am

      Re: Bank Robbery via ACH transfers

      A) Bank had security on par with other banks.

      Customer had security on par with other customers?

      B) Bank performed due diligence informing customer of policy at signup.

      Was it negotiable? Was it the customer's policy as well?

      C) Customer allowed the account authorization credentials to be stolen by poor (maybe none) email virus protection.

      Email virus protection company failed. Bank allowed stolen credentials to be used. How is either one the customer's fault?

      This begs the question: do the bank and customer get the same treatment by insurance as a bank robbery by a person walking into the physical location and stealing physical bank notes?

      What insurance? The customer's insurance would not likely pay in the case of the bank getting robbed and the bank's own insurance would not likely pay anything since the bank didn't suffer a loss.


      • fairuse (profile), 9 Jun 2011 @ 5:54am

        Re: Re: Bank Robbery via ACH transfers

        OK.


      • fairuse (profile), 9 Jun 2011 @ 5:58am

        Re: Re: Bank Robbery via ACH transfers

        Redo I hit the wrong button.

        Ok, I guess that is an answer. I really don't know how the banking insurance works. Not talking about the FDIC stuff but all the other insurance a business like a bank could have.


      • Any Mouse (profile), 9 Jun 2011 @ 8:27pm

        Re: Re: Bank Robbery via ACH transfers

        You know how banks 'negotiate' their policies? Don't like their policy, use a different bank. If the customer signed the policy, then yes. It was the customer's policy, too.

        As to banks 'allowing' stolen credentials to be used, how are they to know they were stolen? Pixie dust?


        • Anonymous Coward, 10 Jun 2011 @ 12:08am

          Re: Re: Re: Bank Robbery via ACH transfers

          You know how banks 'negotiate' their policies? Don't like their policy, use a different bank.

          You know the name for that? "Non-negotiable".

          If the customer signed the policy, then yes. It was the customer's policy, too.

          No, that just indicates that the customer signed off on the non-negotiable policy. It still doesn't mean that they came up with it.

          As to banks 'allowing' stolen credentials to be used, how are they to know they were stolen? Pixie dust?

          Perhaps they should use more reliable credentials. A name is a credential. Should someone be able to walk into a bank and provide a name and remove funds from the associated accounts with no further checks? No signatures, no photo ID, nothing. By your reasoning it would seem so. Excuse me while I disagree.


          • Any Mouse (profile), 11 Jun 2011 @ 8:07am

            Re: Re: Re: Re: Bank Robbery via ACH transfers

            'Perhaps they should use more reliable credentials. A name is a credential. Should someone be able to walk into a bank and provide a name and remove funds from the associated accounts with no further checks? No signatures, no photo ID, nothing. By your reasoning it would seem so. Excuse me while I disagree.'

            Do you give them a signature when you make an online purchase? Or do you just supply the numbers on your card? Don't try to put words in my mouth. Thanks.

  • identicon
    Kirk, 9 Jun 2011 @ 12:18am

    Bank Security

    Banks are required to have regular security analysis and testing. Their networks are some of the most secure you will find in a private company. It is a requirement for their insurance (FDIC).

    In this case, the customer failed to protect their accounts. Their account passwords were compromised on their own systems. The customer was claiming that the bank should be responsible for the loss, because they did not stop the fraudulent transactions.

    The bank took proper security precautions, the customer did not. The customer wanted the bank to pay instead of them for the loss of their account credentials.

    It's like expecting the bank to reimburse you, because you lost your wallet.

    • identicon
      Danny, 9 Jun 2011 @ 5:39am

      Re: Bank Security

      Banks are required to have regular security analysis and testing. Their networks are some of the most secure you will find in a private company. It is a requirement for their insurance (FDIC).

      This is true. The FDIC has the juice to shut a bank down for not being in compliance.


      It's like expecting the bank to reimburse you, because you lost your wallet.

      Or I guess in this case expecting the bank to reimburse you because someone stole your wallet and spent your money. How's the store where they spent the money gonna know it wasn't you (we're talking cash)?

    • identicon
      Anonymous Coward, 9 Jun 2011 @ 5:56am

      Re: Bank Security

      In this case, the customer failed to protect their accounts.

      Isn't that what the bank is supposed to do?

      The bank took proper security precautions...

      Really? So it's proper to let people make unauthorized withdrawals from other people's accounts?

      ...the customer did not.

      So bank security is now the customer's responsibility?

      The customer wanted the bank to pay instead of them for the loss of their account credentials.

      No, the customer still had their credentials. They didn't want to repay the bank for the bank's losses in getting robbed.

    • identicon
      Anonymous Coward, 9 Jun 2011 @ 5:59am

      Re: Bank Security

      It's like expecting the bank to reimburse you, because you lost your wallet.

      It's like the bank expecting you to reimburse them because they got robbed. No, on second thought, it's not *like* that, it *is* that. And the judge said that's the way it should be.

  • identicon
    Anonymous Coward, 9 Jun 2011 @ 12:51am

    Guys, this is a REALLY slippery slope for logic here.

    I had some co-workers go to the UK and use an ATM while they were on an extended business trip. The ATM was compromised, but they had no idea how. Less than a few hours after they used the ATM, their bank accounts were completely drained.

    Their banks all claimed to have a limit on ATM withdrawals, but they still allowed the perps to surpass the limit. In fact, my coworkers had to fight with them nonetheless to get their accounts credited for the hacked losses.

    In this case, I agree, the corporation needs to prove they had adequate protection against keylogging. Unless it was a custom program, most antivirus suites would have picked this up.

    However, the bank shouldn't be allowed to get off the hook just because they didn't review what was already flagged by suspicious behavior. That's negligence. Worse yet, the bank was robbed and the customer is being asked to pay for it.

    By this ruling, if someone who looks like me steals my identity and walks into my bank, I'm liable if they trick the teller into emptying my account?

    Yikes, America.

    • identicon
      Danny, 9 Jun 2011 @ 5:47am

      Re:

      By this ruling, if someone who looks like me steals my identity and walks into my bank, I'm liable if they trick the teller into emptying my account?

      The problem comes into play because in your example the question is who is responsible? Is it you because you didn't stop your double from going into the bank to clean you out or is it the bank for not somehow recognizing that your double was a fake despite passing any security checks they have?

      Banking is a very iffy industry because banks like to draw in customers by telling them that everything will be alright and if something bad happens and it's the bank's fault they will have you covered. Problem is, by their logic, nothing (or nearly nothing) is ever their fault.

      I work at a bank myself and have seen a few times where tellers goofed on someone's deposit, meaning it did not get deposited, causing them to go NSF (iNSufficient Funds, the account didn't have the funds to pay an item) and get charged. Do you think the bank waived that fee? Nope, that customer still had to give up that NSF charge ($32.50).

      • icon
        nasch (profile), 11 Jun 2011 @ 9:55pm

        Re: Re:

        My bank erroneously charged me NSF fees once and I wrote them a letter about it, and they wrote me back that they had reversed the charges, no argument. So not all banks are always dicks about everything. Talk about damning with faint praise, huh?

  • icon
    G Thompson (profile), 9 Jun 2011 @ 2:07am

    I read this and immediately thought WTF, then read about how the company itself was hacked not the bank, and the funds were removed via using the password and userID of the actual company.

    I absolutely agree with the courts decision here too, since at the time (pre 2009) what the bank was doing was reasonable and standard across the board in relation to security compliance.

    Though the bank might have some fault if the same thing happened today, since fraud detection algorithms are a lot more robust, there is SMS authorisation ability for major transactions, and other pro-active measures. Even so the bank would most likely only be at most 30-50% at fault even today.

    It really means you as a customer and holder of the authorisation need to be pro-active in regards to your own security and processes. I am still amazed how most Small & Medium enterprises do not have any security protocols in place in dealing with Electronic Transactions or Internet/Intranet usage, though on the bright side I guess having to be reactive to their inability to be pro-active keeps me in steady employment.

    On a better note in regards to Banks, found this gem over at the Volokh Conspiracy the other day in relation to the Bank of America (BoA).
    Homeowner forecloses on bank
    “They’ve ignored our calls, ignored our letters, legally this is the next step to get my clients compensated, ” attorney Todd Allen told CBS.

    Sheriff’s deputies, movers, and the Nyergers’ attorney went to the bank and foreclosed on it. The attorney gave instructions to remove desks, computers, copiers, filing cabinets and any cash in the teller’s drawers.

    After about an hour of being locked out of the bank, the bank manager handed the attorney a check for the legal fees.

    If you aren't laughing and pumping the air in glee you are not normal! ;)

    • identicon
      Bengie, 9 Jun 2011 @ 5:16am

      Thanks for the clarification

      "a company tried to blame its bank for not having better security, after it was hit by a trojan horse "

      "it" is referring to the last subject which was the bank.

      This is how I read this sentence: "a company tried to blame its bank for not having better security, after the bank was hit by a trojan horse"

      "it" should be changed to "the company"

  • identicon
    FuzzyDuck, 9 Jun 2011 @ 2:32am

    Correct judgement

    These kind of lawsuits are typical of trying to blame someone else for your mistakes. The judge made the right call.

    That said, there should be some increased security standards that banks have to meet.

    Paypal has similar low level security, how many spam mails don't people get trying to pry their Paypal creds from them? I distrust Paypal as a result.

  • icon
    MrBeck (profile), 9 Jun 2011 @ 4:28am

    Has the Bank changed its on-line security?

    If I were the plaintiff, I'd watch the Bank's on-line security carefully, the instant they "improve" the security I'd re-instigate the suit with new evidence, that the Bank has seen it necessary to implement different security.

    • icon
      sheenyglass (profile), 9 Jun 2011 @ 7:57am

      Re: Has the Bank changed its on-line security?

      Not sure if this applies in Maine as well, but generally changes to safety precautions are not admissible evidence for demonstrating the original methods were flawed, the rationale being that to allow that type of evidence would discourage companies from improving safety for fear of increasing their liability.

  • identicon
    NullOp, 9 Jun 2011 @ 5:50am

    No surprise

    Of course there is no law requiring banks to have any certain level of security. Banks and other businesses are held to the lowest possible level of responsibility by the law. Otherwise the government would be "interfering" in business. BTW, it's OK for business to muck with government.

    Another interesting point is you can't find out your bank's level of security. If you were to ask you might find yourself talking to cops.

    • identicon
      Kirk, 9 Jun 2011 @ 2:13pm

      Re: No surprise

      Of course there is no law requiring banks to have any certain level of security. Banks and other businesses are held to the lowest possible level of responsibility by the law.

      Banks are required to be "High Security" environments, and to meet the industry standards as such. If a bank fails to provide adequate security, their regulatory agency (FDIC) can, and will, shut them down. In the wake of the subprime mortgage collapse it is happening most frequently because of financial issues, but it can happen as a result of inadequate security. They must be regularly audited, and tested by security professionals. They must address all recommendations made as a result of the audit.

      This particular theft was carried out using credentials stolen from the customer's computer. The bank allowed access because the transaction occurred using the agreed upon verification parameters.

      With the current online banking authentication model in place for most institutions this problem will happen again. The current model is single factor authentication. Single factor authentication is only based on something you know, i.e. a username and password. Multi factor authentication is based on something you know, and something you are or have, i.e. username/pass and the current number on a digital key fob, or a fingerprint/retinal scan. Multi factor authentication is not currently required, but should be if you need secure identification.


  • icon
    Matthew (profile), 9 Jun 2011 @ 6:40am

    WoW

    My World of Warcraft account has better security than my bank account.

    W...T...F

  • identicon
    Aon, 9 Jun 2011 @ 6:46am

    This should be a warning call to anyone who has an account at that bank that your money is not safe. I know I would immediately take my money out of that bank and find a more secure bank where my money would be protected.

    This is going to cost that bank a lot of money.

  • identicon
    taoareyou, 9 Jun 2011 @ 7:13am

    My car was stolen

    I left my key in the car and my car got stolen. I am holding Ford Motor Co. responsible because they should have known it was not ME turning the key.

    • identicon
      Anonymous Coward, 9 Jun 2011 @ 11:14am

      Re: My car was stolen

      I left my key in the car...

      In most states that's illegal. Way to go.

      I am holding Ford Motor Co. responsible because they should have known it was not ME turning the key.

      Was your car in the possession of Ford at the time when someone stole it using an illegitimate key copy? Did they leave it out in the open overnight where just anyone could get to it?

  • identicon
    Kibomaster, 9 Jun 2011 @ 7:30am

    Established Case Law

    I wrote a research paper about a year ago on this very subject.

    There was a landmark case that established a test to determine the standard of care for the tort of negligence. Briefly, a tugboat company was moving a barge and encountered severe weather and sank. The owner of the barge sued the tugboat company for negligence on the basis that the tugboats lacked radios and did not receive weather reports the day they sank. The tugboat company argued that very few companies had radios on their tugs at the time and it was not considered an industry best practice.

    The court stated that “reasonable prudence is not necessarily common prudence.” It doesn’t matter what everyone else is doing. The court agreed that the tugboat company was negligent in its failure to adopt new radios in their tugboats.

    Judge Learned Hand found the tugboat companies liable because they did not use readily available technology, the radio receivers, to listen for broadcast weather reports, even though the use of radios was not yet standard industry practice.

    http://itlaw.wikia.com/wiki/T.J._Hooper

    United States v. Carroll Towing Co., 159 F.2d 169 (Circuit Court of Appeals, Second Circuit. 1947).

    The T. J. Hooper, 287 U.S. 662; 53 S. Ct. 220; 77 L. Ed. 571; U.S. LEXIS 387 (U. S. Court of Appeals, 2nd Circuit 1932).

    • icon
      sheenyglass (profile), 9 Jun 2011 @ 8:21am

      Re: Established Case Law

      The problem is that the magistrate's decision (the judge has to approve the order before it has legal force) dismisses the negligence cause of action as being preempted by the UCC (Uniform Commercial Code), which requires only "commercially reasonable" efforts. (Statutes take priority over the common law).

      • identicon
        Anonymous Coward, 9 Jun 2011 @ 11:21am

        Re: Re: Established Case Law

        The problem is that the magistrate's decision (the judge has to approve the order before it has legal force) dismisses the negligence cause of action as being preempted by the UCC (Uniform Commercial Code), which requires only "commercially reasonable" efforts. (Statutes take priority over the common law).

        And since the purpose of commerce is profit, anything which would increase costs and thus decrease profits can be considered not "commercially reasonable" under the UCC. The UCC has all sorts of stuff in it that is pro-business, anti-consumer. No wonder, since it was written by business lobbyists as a way to protect themselves from consumers under common law.

  • icon
    Gene Cavanaugh (profile), 9 Jun 2011 @ 9:12am

    Judge absolves bank with poor security

    Before people "pile on" with negative comments, as an attorney (though I no longer practice litigation), Mike is RIGHT!
    There needs to be a balance between personal responsibility and public responsibility. Here, if you don't "vet" a bank (or a broker, or a realtor, or ...) you likely deserve what you get.
    Even with violent video games (yes, Mike, unbiased research now shows it promotes violence, and my personal experience reinforces that), banning them really puts a responsibility on the public that should belong to the individual.

    • icon
      jjmsan (profile), 9 Jun 2011 @ 9:34am

      Re: Judge absolves bank with poor security

      Except individuals are reimbursed, businesses are not so it is not simply a matter of personal responsibility.

    • identicon
      Scote, 9 Jun 2011 @ 9:44am

      Bank should have watched for anomalous account activity

      "There needs to be a balance between personal responsibility and public responsibility. Here, if you don't "vet" a bank (or a broker, or a realtor, or ...) you likely deserve what you get."

      Bullshit. Ordinary customers are not in a position to vet a bank's security measures. And password stealing viruses/Trojans/keyloggers are a common and **known** security issue, so while passwords (and "secret questions") may be sufficient for low level transactions they are not a sufficient security practice where larger sums are at stake.

      As stated earlier in this thread, the fact is that banks have little economic incentive to make their transactions truly secure. The transaction in question should have been flagged as questionable through automatic behavioral analysis. Even your credit card company will call you if something out of the ordinary happens, such as unusual charges from out of the country. Draining the entire bank account of $600,000 clearly qualifies as unusual. You think the bank shouldn't do the same due diligence over $600,000 as your credit card company does over a $200 charge in Europe?

      Security has to be much more than passwords. It is too easy to steal/intercept/forge credentials. Behavioral metrics must also be used.

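Scote's comment above argues that automatic behavioural analysis should have held a transfer that drained the account. The block below is an added example by the editor, not the bank's code and not code posted by any commenter: it scores a requested ACH transfer against the customer's own history on the signals a card issuer uses (amount outlier, unknown payee, share of balance, time of day, daily velocity). All transfers are constructed, and the thresholds (three standard deviations, half the balance, Mon-Fri 08:00-18:00, the baseline's busiest day) are assumptions.

```python
"""Added example (not the bank's code, not from the thread): a behavioural
review of an outgoing transfer against the customer's own baseline. All
data below is constructed; amounts are dollars, payee ids are made up."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    when: datetime
    amount: float
    payee: str             # destination account identifier (constructed)
    balance_before: float  # account balance when the transfer was requested


# Constructed baseline: the customer's normal ACH activity over a few weeks.
HISTORY = [
    Transfer(datetime(2011, 5, 10, 10, 15), 4200.0, "supplier-a", 612000.0),
    Transfer(datetime(2011, 5, 13, 14, 40), 3800.0, "supplier-b", 607800.0),
    Transfer(datetime(2011, 5, 17, 9, 5), 5100.0, "payroll-svc", 604000.0),
    Transfer(datetime(2011, 5, 20, 11, 30), 4600.0, "supplier-a", 598900.0),
    Transfer(datetime(2011, 5, 24, 15, 20), 3900.0, "supplier-b", 594300.0),
    Transfer(datetime(2011, 5, 31, 9, 50), 4400.0, "payroll-svc", 590400.0),
]


def review_transfer(t: Transfer, history: list, z_threshold: float = 3.0,
                    drain_fraction: float = 0.5) -> list:
    """Return the reasons this transfer should be held for manual review.
    An empty list means it looks like the customer's usual activity.
    Thresholds are assumptions for the example, not industry values."""
    reasons = []
    amounts = [h.amount for h in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    # 1. Amount far outside the customer's own distribution.
    if (sigma > 0 and (t.amount - mu) / sigma > z_threshold) or (sigma == 0 and t.amount > mu):
        reasons.append("amount-outlier")
    # 2. Money going somewhere this customer has never paid before.
    if t.payee not in {h.payee for h in history}:
        reasons.append("new-payee")
    # 3. A single transfer that empties a large share of the account.
    if t.amount >= drain_fraction * t.balance_before:
        reasons.append("drains-balance")
    # 4. Submitted outside business hours (assumed Mon-Fri, 08:00-18:00 local).
    if t.when.weekday() >= 5 or not 8 <= t.when.hour < 18:
        reasons.append("off-hours")
    # 5. More transfers today than on the busiest day in the baseline.
    per_day = Counter(h.when.date() for h in history)
    if per_day[t.when.date()] + 1 > max(per_day.values(), default=0):
        reasons.append("velocity")
    return reasons


# A routine supplier payment, a constructed drain of the account, and a
# second mule transfer submitted twenty minutes after the first.
ROUTINE = Transfer(datetime(2011, 6, 7, 10, 30), 4700.0, "supplier-a", 610000.0)
FRAUD = Transfer(datetime(2011, 6, 5, 3, 0), 600000.0, "acct-7731-unknown", 610000.0)
FOLLOW_UP = Transfer(datetime(2011, 6, 5, 3, 20), 8000.0, "acct-7732-unknown", 10000.0)

if __name__ == "__main__":
    print(review_transfer(ROUTINE, HISTORY))  # []
    print(review_transfer(FRAUD, HISTORY))    # ['amount-outlier', 'new-payee', 'drains-balance', 'off-hours']
    print(review_transfer(FOLLOW_UP, HISTORY + [FRAUD]))
```

The third call shows the caveat a practitioner will want: once the $600,000 transfer is folded into the baseline, a follow-up of $8,000 no longer looks like an amount outlier, although the velocity, new-payee and drain checks still catch it. The baseline must be built only from transfers the customer has confirmed, never from ones that are merely pending or already flagged.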

    • icon
      crade (profile), 9 Jun 2011 @ 2:50pm

      Re: Judge absolves bank with poor security

      lol, there is unbiased research out there somewhere amongst all the opposing research that shows violent video games promote violent behavior? I suppose I shouldn't be surprised, they have studies that are for and against everything these days.

      This isn't about personal or public responsibility though, it's about a bank not doing its job. Wtf is the point of putting your money in a bank if they give it away?

      • icon
        crade (profile), 9 Jun 2011 @ 3:09pm

        Re: Re: Judge absolves bank with poor security

        I lend someone money, they give it to someone else and the law says we're even steven because that guy was pretending to be me and knew my cat's name?

    • icon
      nasch (profile), 11 Jun 2011 @ 10:04pm

      Re: Judge absolves bank with poor security

      Gene, got any links to that video game research?

  • identicon
    Jes Lookin, 9 Jun 2011 @ 10:05am

    Seems Simple

    It's like most business 'security' items - there needs to be a choice, disclosure, and responsibility. That applies to stuff like transaction security to DRM.
    The bank chose more lax security, has no responsibility for disclosure, and so is responsible for its losses. The customer did not lose the money, the bank did. So it owes the amount, interest, and (hopefully) penalties.

  • identicon
    chuck, 9 Jun 2011 @ 12:31pm

    If I wanted to withdraw MY money from MY account and was able to supply the information that the bank required from me in the agreement we had made during my opening of that account, I would expect the bank to honor that. This is all they did.
    If I wanted to withdraw MY money from MY account and a bank wanted to put me through an endless series of hoops to get it, I would do as they request and then find another bank.

    Banks know this.
    They want to keep customers, and the best way to do that is to make banking with them effortless.
    It seems obvious that if you hand over the keys or they are taken it does not make a difference, they will still open the lock.

    • icon
      nasch (profile), 11 Jun 2011 @ 10:05pm

      Re:

      So you're one of the people demanding lax security from your bank. Just curious, why do you prefer convenience over security when money is involved?

  • identicon
    Scote, 9 Jun 2011 @ 12:39pm

    "Banks know this.
    They want to keep customers, and the best way to do that is to make banking with them effortless."

    And banks know that the bank will hand out money to the wrong people. And so long as the banks aren't held liable they will **never** fix the problem--which is why this ruling is bad for bank security and consumers.

  • identicon
    Kirk, 9 Jun 2011 @ 2:45pm

    Single vs. Multi-factor authentication

    As a bank security expert, after reading a few articles about this decision, I defended the bank because the security breach did not occur on the systems in their control. The customer did not secure his credentials, and someone else was able to use them.

    However, since reading the comments I think that more responsibility rests with the bank than it initially appears.

    The bank established the parameters for authentication. They told the customer his money would be safe using the security measures they established. The bank relied upon a single-factor authentication process. This is known to be inherently insecure because it is based only on something you know (username/pass). In order to be truly secure, identity must be verified using multi-factor authentication. Multi-factor authentication is based on something you know (username/pass) and on something you have (digital key fob, access card, etc.) or something you are (finger print, retinal scan, DNA, etc.).

    If the bank had established a multi-factor authentication process the customer's money would not have been stolen. The customer trusted the bank, and relied upon the authentication process they put in place. As a result, he lost his money.

    My company worked with a bank that wanted to setup a multi-factor authentication system. In addition to knowing the username/pass combination, you had to type it in using the same pattern each time. Everyone types in patterns that are unique to them, in the same way a signature is. These patterns were analyzed and stored. If someone attempted to use the username/pass to authenticate, but typed it in differently than the original user, it would not allow access.

    This multi-factor model was based on something they are, it is not something that is easy to replicate.

    The system worked well, but was never implemented. The bank cut the project at the end of development, because no one else was doing it yet. They still use single-factor authentication.

    Unless people demand tighter security protocols, this kind of theft will continue to proliferate.

    • icon
      Bnesaladur (profile), 9 Jun 2011 @ 7:48pm

      Re: Single vs. Multi-factor authentication

      Kirk I would be extremely interested in seeing data on this pattern typing security system and the company that is developing it. I argue regularly with my bank over authentication security which I view as not really as good as they seem to think. They seem to believe you mistyping a password three times causing it to shut down the online access is enough security to protect your account. Next they feel that since it is sooooo secure, they only allow 42-bit passwords.

      I think this concept is very cool, though I would be interested in seeing the results of this concept being put up against some serious penetration testing by industry experts while undergoing some intense real world testing to ensure it works consistently for its users. Hopefully the outcome being that it remains secure and has the client being able to access their accounts without encountering the system refusing them access. The main problem I see is that with a password, if you type in the wrong one all you have to do to get access is type in the right one. With this, by design, even if you type in the right characters it may still refuse you based on you not typing them in the right pattern. The problem being that you simply may not know what your pattern is.

      I would also like to see how it compares with other forms of multi-factor authentication systems. Two ideas I am interested in are RSID keychains (that come with shielding sleeves and a built in USB reader maybe) and USB fobs with an encrypted keyfile with specific software that inhibits copying to protect it, (or perhaps an encrypted keyfile with a rotating password algorithm.)

      Thoughts?

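Kirk's comment above describes a typing-pattern factor his company prototyped, and Bnesaladur's reply asks how such a system behaves when the genuine user types a little differently. The block below is an added example by the editor, not Kirk's system (whose details are not public) and not code from the thread: a toy keystroke-dynamics check built on the intervals between successive key presses while the password is typed, with an enrolment profile, a scaled distance, and a threshold that sets the false-reject/false-accept trade-off Bnesaladur is asking about. All timing samples are constructed; the minimum of three enrolment samples, the 5 ms floor on the per-position spread and the thresholds are assumptions of this example.

```python
"""Added example (not Kirk's system, not code from the thread): a toy
keystroke-dynamics check on inter-key intervals, in milliseconds.
Every timing vector below is constructed for the example."""
from statistics import mean, pstdev

MIN_ENROLLMENT_SAMPLES = 3  # assumption: fewer gives a meaningless spread
SIGMA_FLOOR_MS = 5.0        # assumption: keeps a near-constant position from rejecting everyone


def enroll(samples: list) -> list:
    """Build a profile, one (mean, spread) pair per inter-key interval, from
    several typings of the same password. All samples must be the same length."""
    if len(samples) < MIN_ENROLLMENT_SAMPLES:
        raise ValueError("need at least %d enrollment samples" % MIN_ENROLLMENT_SAMPLES)
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all enrollment samples must have the same length")
    columns = list(zip(*samples))
    return [(mean(c), max(pstdev(c), SIGMA_FLOOR_MS)) for c in columns]


def distance(profile: list, probe: list) -> float:
    """Scaled Manhattan distance: mean over positions of |x - mu| / sigma.
    0 means the probe matches the enrolled rhythm exactly."""
    if len(probe) != len(profile):
        return float("inf")
    return mean(abs(x - mu) / sigma for x, (mu, sigma) in zip(probe, profile))


def verify(profile: list, probe: list, threshold: float = 1.0) -> bool:
    """Accept the typing if it is within `threshold` scaled deviations of the
    profile. The password text itself is checked separately; this is the
    additional factor layered on top of it."""
    return distance(profile, probe) <= threshold


# Constructed enrollment: five typings of an 8-character password (7 intervals each).
ENROLLMENT = [
    [120, 95, 210, 80, 140, 300, 110],
    [130, 90, 200, 85, 150, 290, 115],
    [115, 100, 220, 78, 135, 310, 105],
    [125, 92, 205, 82, 145, 295, 112],
    [118, 97, 215, 80, 138, 305, 108],
]
GENUINE = [122, 96, 208, 81, 142, 298, 111]      # the owner on a normal day
TIRED_OWNER = [135, 88, 230, 90, 160, 280, 120]  # the owner, slower and less even
IMPOSTOR = [70, 70, 70, 70, 70, 70, 70]          # stolen password entered at a flat pace

if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for name, probe in [("genuine", GENUINE), ("tired owner", TIRED_OWNER), ("impostor", IMPOSTOR)]:
        print("%-12s distance=%.2f accepted=%s" % (name, distance(profile, probe), verify(profile, probe)))
```

With the default threshold the genuine sample passes and the impostor fails, but so does the owner on an off day; loosening the threshold to 3.0 admits that owner while still rejecting the flat-paced impostor. That threshold is the whole trade-off Bnesaladur describes, and it has to be tuned on real enrolment data rather than guessed. One caveat specific to this thread: the factor is only "something you are" if the attacker cannot record it, and a keylogger that already captured the password can record the key timings alongside it, so on a compromised PC this check adds far less than a code from a separate device.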