Now Mark Patterson, president of PATCO Construction Inc., the commercial customer in the case, says he's weighing his legal options. "Things are not always fair, and we have to decide how long we want to fight the fight," Patterson says. "We do feel very strongly about this issue, but how far do we want to go?"
At issue for PATCO is whether banks should be held responsible when commercial accounts, like PATCO's, are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage?
"Obviously, the major issue is the banks are saying this is the depositors' problem," Patterson says, "but the folks that are losing money through ACH fraud don't have enough sophistication to stop this."
PATCO Primer
In May 2009, PATCO, a construction company based in Maine, had its account taken over by cyberthieves after malware hijacked the online banking log-in and password credentials for the commercial account PATCO held with Ocean Bank. More than $500,000 in fraudulent ACH transactions from PATCO's account was approved by the bank.
The business was able to recover only $230,000 of the stolen funds, and it sued Ocean Bank for failing to detect and prevent the bogus transfers.
PATCO sued Ocean Bank in 2010, and the bank quickly responded with motions to seal court documents and request a summary judgment. [Ocean Bank is owned by bank corporation People's United Bank.] The magistrate who recently reviewed the case now recommends that the cross motions filed by PATCO and Ocean Bank be considered moot.
David Navetta, an attorney who specializes in IT security and privacy, says the magistrate's recommendation, if accepted by the judge, could set an interesting legal precedent about the security banks are expected to provide. And unless PATCO disputes the order, Navetta says it's unlikely the judge will overrule the magistrate's findings. PATCO has between 14 and 21 days to respond.
"Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability," Navetta says. "The court explicitly recognizes this concept, and I think that is a good thing: For once, the law and the security world agree on a key concept."
Bank's Security 'Not Optimal'
In the disposition, the court notes that Ocean Bank's security could have been better. "It is apparent, in the light of hindsight, that the Bank's security procedures in May 2009 were not optimal," the order states. "The Bank would have more effectively harnessed the power of its risk-profiling system if it had conducted manual reviews in response to red flag information instead of merely causing the system to trigger challenge questions."
But because PATCO agreed to the bank's security methods when it signed the contract, the court suggests that PATCO itself considered those methods reasonable, Navetta says. The law also does not require banks to implement the "best" security measures when it comes to protecting commercial accounts, he adds.
"Patco in effect demands that Ocean Bank have adopted the best security procedures then available," the order states. "As the Bank observes, that is not the law."
Patterson argues that Ocean Bank was not complying with the Federal Financial Institutions Examination Council's requirement for multifactor authentication when it relied solely on log-in and password credentials to verify transactions. Navetta agrees, but the court in this order does not.
"The court took a fairly literal approach to its analysis and bought the bank's argument that the scheme being used was multifactor, as described in the [FFIEC] guidance," Navetta says. "The analysis on what constitutes multifactor and whether some multifactor schemes [out of band; physical token] are better than others was discussed, and, to some degree, the court acknowledged that the bank's security could have been better. Even so, it was technically multifactor, as described in the FFIEC guidance, in the court's opinion, and 'the best' was not necessary."
Navetta says the court's view of multifactor does not jibe with common industry understanding. Most industry experts, he says, would not consider Ocean Bank's authentication practices in 2009 to be true multifactor. "Obviously, the 'something you have' factor did not fully work if hackers were able to remotely log into the bank using their own computer," he says. "I think that PATCO's argument was the additional factors were meaningless since the challenge question was always asked anyway, and apparently answering it correctly worked even if one of the factors failed. In other words, it appears that PATCO was arguing that the net result of the other two factors failing was going back to a single factor."
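To make the factor-collapse argument concrete, here is an added Python model (not from the article, and not a description of Ocean Bank's actual system) of an authentication policy in which a failed device check merely falls back to a challenge question, beside a policy that requires every check to pass and to span two factor categories; the check names and the scenario inputs are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Check:
    name: str
    factor: Factor
    passed: bool


def distinct_factors(checks: list[Check]) -> set[Factor]:
    """Factor categories actually proven by the checks that passed."""
    return {c.factor for c in checks if c.passed}


def fallback_policy(checks: list[Check]) -> bool:
    """Assumed weak policy: a failed device check only triggers a challenge
    question, so login succeeds on password + correct answer alone."""
    by_name = {c.name: c for c in checks}
    return by_name["password"].passed and by_name["challenge_answer"].passed


def strict_policy(checks: list[Check], required: int = 2) -> bool:
    """Hardened policy: every presented check must pass, and the passing
    checks must cover at least `required` distinct factor categories."""
    return all(c.passed for c in checks) and len(distinct_factors(checks)) >= required


def keylogger_scenario() -> list[Check]:
    """Constructed scenario: password and challenge answer were captured by
    malware; the login comes from a machine without the registered device token."""
    return [
        Check("password", Factor.KNOWLEDGE, True),
        Check("challenge_answer", Factor.KNOWLEDGE, True),
        Check("device_token", Factor.POSSESSION, False),
    ]


def legitimate_scenario() -> list[Check]:
    """Constructed scenario: the real customer on the registered device."""
    return [
        Check("password", Factor.KNOWLEDGE, True),
        Check("challenge_answer", Factor.KNOWLEDGE, True),
        Check("device_token", Factor.POSSESSION, True),
    ]
```

Under the fallback policy the keylogger scenario still authenticates with only the knowledge category proven, which is the single-factor outcome PATCO's argument describes; the strict policy rejects it because the possession check failed.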
Other corporate account takeover cases, which also involved fraudsters' ability to get around transactional authentication, include:
- Experi-Metal Inc., which in December 2009 sued its former bank, Comerica, after losing more than $550,000 in fraudulent wire transfers;
- Village View Escrow of Redondo Beach, Calif., which in March lost $465,000 to an online hack;
- Choice Escrow, which in November 2010 sued its bank, BankcorpSouth, alleging inadequate security measures;
- Hillary Machinery, which in January 2010 was sued by its bank, PlainsCapital Bank, after a legal battle over ACH fraud liability. The suit was later settled for undisclosed terms;
- The Catholic Diocese of Des Moines, Iowa, which in August lost $600,000 in fraudulent ACH transactions.
For Patterson, the court's lack of knowledge about the prevalence of keylogging malware, such as Zeus, crippled the magistrate's ability to sufficiently evaluate the merits of the case. "The magistrate says the bank had dual authentication because they had a password and a challenge question; but anyone who understands the system knows that is not really dual authentication," he says.
Regardless of how the court ultimately falls on the multifactor debate, Navetta says the court closely aligned its decision with the online authentication guidance recommended by the FFIEC. "The FFIEC guidelines were hugely important in this case, and the bank was able to point to the fact that its multifactor authentication scheme was designed with those guidelines in mind," he says.