Thefts from a construction company in Sanford, Maine might be the catalyst for much-needed improvements to banking security. The US First Circuit Court of Appeals reversed a decision that said that a bank was not at fault in a theft. Even better, the appeals court encouraged both parties to settle the matter amongst themselves.
Here’s a summary. In May, 2009, the Sanford, Maine construction company PATCO Construction had its on-line banking credentials stolen, most likely through the ZeuS malware. The thieves stole US$588,000 from PATCO’s accounts at Ocean Bank, now People’s United Bank. The thefts were batched in automated clearing house withdrawals over seven days.
Ocean Bank recovered US$243,406 of the losses, leaving PATCO with losses of $345,445. To add insult to injury, the withdrawals exceeded the cash on hand that PATCO had in their account and Ocean Bank gave them an automatic line of credit to cover the theft, charging them interest on the losses as well.
In 2010, PATCO sued Ocean Bank for the losses, claiming that among other things Ocean Bank did not follow the existing US banking requirements for multifactor authentication, relying on a simple password to authenticate and verify transactions.
Should you want more information, Brian Krebs has an excellent article covering many details on his blog. Tracy Kitten of Bank Info Security has another excellent article. The gory details are in the forty-three page decision itself. There are many good details in Matthew J. Schwartz’s article in InformationWeek and in William T. Repasky’s article in FISMA News as well.
The ruling is important because it states that Ocean Bank was “commercially unreasonable” in what it offered to PATCO. Under the Uniform Commercial Code, not only must we customers be responsible, but the banks must meet the new (where new means 2005) guidelines of the FFIEC. Ocean Bank was using the Cyota system through a service, but did not offer out-of-band authentication, tokens, or monitoring.
While this is a US ruling, the basics apply to the UK as well. Ross Anderson has been noting for years that UK banking requires proper authentication and without it, the bank must eat the losses. He has even documented how he sued his bank to recover a loss on his own account in his article, “How to get money back from a bank ”.
If you’re with a financial institution, make sure you offer good authentication. Read the articles I’ve linked to. Call us at Entrust, we’ve been helping financial institutions with these systems throughout the English-speaking world. If you don’t want to call us, call someone else. It’s not hard to do, you just have to do it.
If you are a commercial customer of a financial institution, find out if your bank is offering you the proper things. In some cases, this should be easy - if they haven’t given you multifactor authentication, out-of-band verification, and so on, they should. The Bank Info Security article had a great rundown of what the US FFIEC (Federal Financial Institutions Examination Council) requires. None of us want to be the victim of theft. None of us want to have to sue our bank as PATCO or Dr. Anderson did. If your bank isn’t securing you properly, find one that will.
The good news for us all is that the courts are upholding the banks’ obligation to protect our money. But it also behoves us to be an active partner, and that means asking questions and moving our money to the people who are responsible custodians of it.