Bank Not Responsible for Letting Hackers Steal $300K From Customer (wired.com)
93 points by locopati on June 8, 2011 | hide | past | favorite | 87 comments


If my credit card company can manage to shut down my credit card and not reinstate it until they talk to me because I make $300 worth of charges on vacation, it should be reasonable to expect a bank to provide that kind of anti-fraud protection on commercial accounts. The difference is who is liable - if the banks were liable like they are with credit cards they'd certainly be much more diligent.

Banks, after all, pushed online banking with minimal client protections because it was cheaper than paying staff.

The risks may have been minimal when online banking rolled out, but the world has changed significantly in the last five years. The client is not secure, and it is borderline unreasonable to expect them all to be in this day and age. Pretty much any client machine will fall to a persistent targeted attack. Two factor authentication should be mandatory for electronic transfers outside of the institution.


It's kind of crazy. I know that my battle.net account is more secure than a lot of people's online banking credentials: not only do I need a user name and password to access my bnet account, but my account is linked with a mobile app that gives me a time-sensitive, one-time-use 8-10 digit security code.

Recently I had to wipe my phone without being able to get the serial number information from the bnet app. It was kind of a pain, but I had to actually scan and send in an image of my drivers license for them to release the old authenticator from my account so I could attach a new one.

Think about that. An online gaming company is more secure about account authorization than a lot of banks are.
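For readers who haven't looked at how those time-sensitive one-time codes are produced: the authenticator apps described in this thread are instances of HOTP (RFC 4226) and TOTP (RFC 6238). The following is an added illustration, not Blizzard's, Chase's or any bank's code. It uses the RFC test secret, and the `Authenticator` class with its replay rule is this example's own design, added to show the "one-time-use" part, which the code-generation RFCs alone do not enforce.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), the scheme behind phone authenticator apps.

Added illustration, not Blizzard's or any bank's code. The secret and times used
below are the RFC test vectors; the Authenticator class and its replay rule are
this example's own design.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 64-bit counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock (30-second steps, T0 = 0)."""
    return hotp(secret, unix_time // step, digits)


class Authenticator:
    """Server-side verifier. Tolerates one step of clock skew either way, and
    refuses any counter at or below the last accepted one, so a code captured
    by a keylogger cannot be replayed inside its validity window."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_counter = -1          # highest counter ever accepted

    def check(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for skew in range(-self.window, self.window + 1):
            counter = base + skew
            if counter <= self.last_counter:
                continue                # already consumed: one-time use
            expected = hotp(self.secret, counter, self.digits)
            # constant-time compare so response timing does not leak matching digits
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    print(hotp(secret, 0), totp(secret, 59, digits=8))   # 755224 94287082
```

The shared secret is the whole game: whoever holds it (the phone, the fob, or the server database) can mint codes, which is why losing the authenticator means re-proving identity out of band, as the comment above describes.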


The law doesn't care about their game's fictional currency. They have more incentive to protect it than a bank has to keep real money as secure as possible.


Exactly.

Blizzard pays support costs when players' accounts get hacked and is motivated to keep the players as happy paying customers.

Many banks seem to regard deposit holders as merely some kind of annoying obligation necessary to participate in FDIC programs (and occasionally as a source of absurd fees).


See my comment. This is all in the above-and-beyond category. HOWEVER note that the profits Blizzard is seeing from battle.net may be more than the profits of that entire bank. They have more clients, need a reputation, and are in fierce competition. That bank may not be.

It is overall saddening that Blizzard, a game company, protects user data better than a bank. HOWEVER note that this happened in 2009. I doubt Blizzard was this secure back then. Also iPhone and Android were not as big then as they are today, and they were more up-and-coming than anything.


This is a tad off topic, but the iPhone authenticator was added early in 2009 (see: http://wow.joystiq.com/2009/04/03/battle-net-mobile-authenti...) and the hardware fob was already in use well before that, with the same stringent identity verification methods in place in case the authenticator was lost.

Blizzard offers the best of both worlds in my opinion: the authenticator is cheap/free and optional so you can choose how secure you want your account to be. Though, as noted, it's expensive for Blizzard to restore all the hacked accounts so they have incentives (free Corehound pet, for example) if you opt-in to have an authenticator on your account.


Chase is similar. Username and password, and to login from a new device (web, iPhone app, etc) requires putting in a time-sensitive code sent to your phone by SMS or email. An actual dedicated mobile app is somewhat of a bad design since many people do not have smart phones and it makes it client dependent vs. account dependent.


With Credit Cards, the end merchant is liable, not the bank, which is why they have no issue with stop payments and such.

In this case, the plaintiff is asking the bank to assume liability because he got hacked. That's a bit of a stretch.


Why is it a stretch? The bank is liable for funds stolen through a bank robbery, a much more aggressive criminal action. Why is the bank supposed to protect your funds in one instance but not another?


From reading over the court filings, it looks like Ocean Bank's defense was built around the ACH/eBanking agreements that Patco signed before they commenced the service.

In these agreements, Patco "agreed to, among other things, assume all liability and responsibility to monitor its commercial checking account (“Account”) on a daily basis. See Modified eBanking Agreement § XIII.B; ACH Agreement §§ 11 and 12(a). Patco further agreed that it would indemnify Ocean Bank from any suits arising from its failure to abide by the terms of the Modified eBanking Agreement and the ACH Agreement"

(Source - Defendant's Answer to Plaintiff's First Amended Complaint and Counterclaims - pg 10 - retrieved from http://www.buckleysandler.com/Patco_v_Peoples(1).pdf)

This is one of those situations where the many pages of fine print came back to bite an innocent victim. The bank did not have adequate security, but they came armed with abundant proof that Patco violated its terms of service. I am Canadian, so I don't know a huge amount about US civil law, but I'm pretty sure that the US has a mitigation requirement on any torts. Patco would have violated this.

I've got to tell you, reading that .pdf makes me want to keep my money under my mattress.


Contract clauses that waive a bank's standard of due care for online security should not be enforceable. All sorts of other clauses are declared unenforceable all the time. This clearly should be one of them. It is practically the whole charter of a bank to protect funds from unauthorized access. If your contract waives that responsibility, you shouldn't be allowed to have the word "Bank" in your name.


I agree with you completely - I would give you +1000 if I could.

The part I find the funniest is that the judge actually agreed that the bank's security was lax, yet still dismissed because Patco was in violation of the agreements.

I wonder how many new business customers Ocean Bank has signed up since this suit went public? The good old free market is (hopefully) doing its thing.


But is there anything to suggest that other banks in similar business space are any different?


After having gone through the entire thread I wish I have your patience.


Let's assume for a second that this wasn't a hacker, but a malicious employee. In your world is the bank still liable for this?


No, because even using countermeasures that meet or exceed industry best practices, a malicious employee could be expected to gain access to the account. Unlike this case, the internal fraud would be entirely outside the bank's control.


Yeah, I guess if its in the fine print then what is the judge supposed to do? I agree, I need to find a more secure mattress.


Not allow an unconscionable clause to be enforced in court. Happens all the time.


Because one happens because the bank didn't secure their vault enough and one happens because the client didn't secure their computers enough.


There is a difference in the fact that the bank is fully aware that the robbery is not a normal transaction.

The bank cannot be expected to be aware of normal transactions conducted with a fraudulent intent. Assuming they take some precautions (like they do if they suddenly see 15 quick purchases from Russia when you live in Oregon), there's only so much liability they can be expected to shoulder.


All major banks have systems whose job is to have a notion of normal and abnormal transactions. Any bank operating at the level of the majors should be able to pick out the $100k electronic funds transfer, which is probably the only customer-not-present paperless ACH transaction of that size in the history of the relationship for a regional construction firm, and require callback authorization for it. That's all they had to do.

The point isn't that the bank should be universally responsible for fraud. It's that the responsibility for fraud does not end exactly at the login prompt.
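To make the "notion of normal and abnormal transactions" concrete: below is an added example, not Ocean Bank's system or any vendor's product, of the kind of per-account screening the comment above has in mind. The history, account strings, amounts and thresholds are constructed sample values, not figures from the case. It scores each outbound order against what that account has actually done before (first-time payee, size relative to the largest prior order on the same channel, daily outflow) and against the rest of the day (several first-time payees in one day, the money-mule fan-out pattern), and routes it to automatic release, an out-of-band callback, or a manual hold.

```python
"""Risk screening of outbound payment orders against the account's own history.

Added example, not Ocean Bank's system or any vendor's. The history, accounts
and thresholds below are constructed sample values, not figures from the case.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PaymentOrder:
    order_id: str
    day: date
    amount: float          # USD
    payee_account: str     # hypothetical "routing-account" strings
    channel: str           # "online", "branch", "phone"


@dataclass(frozen=True)
class Decision:
    order_id: str
    action: str            # "auto": release; "callback": confirm out of band; "hold": manual review
    reasons: Tuple[str, ...]


# Constructed sample: a small construction firm's released online orders.
HISTORY = [
    PaymentOrder("h1", date(2009, 4, 3),  21_400.00, "011000015-7788", "online"),  # payroll service
    PaymentOrder("h2", date(2009, 4, 17), 22_150.00, "011000015-7788", "online"),
    PaymentOrder("h3", date(2009, 4, 20),  8_900.00, "021000021-4412", "online"),  # lumber supplier
    PaymentOrder("h4", date(2009, 5, 1),  21_800.00, "011000015-7788", "online"),
    PaymentOrder("h5", date(2009, 5, 4),   3_250.00, "021000021-9901", "online"),  # equipment rental
]


def screen_order(order: PaymentOrder, released: List[PaymentOrder],
                 received_today: List[PaymentOrder], *,
                 new_payee_limit: float = 5_000.00, ratio_limit: float = 3.0,
                 daily_cap: float = 50_000.00, fanout_limit: int = 3) -> Tuple[str, Tuple[str, ...]]:
    """Score one order. `released` is everything the bank actually executed;
    `received_today` is every order seen so far today, executed or not, so
    held orders still count toward the day's picture."""
    reasons = []
    # A payee is "known" only if it was paid before today: a first-time payee
    # must not launder itself into the allow-list within the same day.
    known = {h.payee_account for h in released if h.day < order.day}
    largest = max((h.amount for h in released if h.channel == order.channel), default=0.0)

    if order.payee_account not in known and order.amount > new_payee_limit:
        reasons.append("new-payee")
    if largest and order.amount > ratio_limit * largest:
        reasons.append("amount-spike")
    outflow = sum(h.amount for h in received_today if h.channel == order.channel) + order.amount
    if outflow > daily_cap:
        reasons.append("daily-cap")
    new_today = {h.payee_account for h in received_today if h.payee_account not in known}
    if order.payee_account not in known:
        new_today.add(order.payee_account)
    if len(new_today) >= fanout_limit:
        reasons.append("fan-out")      # many first-time payees in one day: mule pattern

    if len(reasons) >= 2:
        return "hold", tuple(reasons)
    if reasons:
        return "callback", tuple(reasons)
    return "auto", ()


def screen_batch(orders: List[PaymentOrder], history: List[PaymentOrder]) -> List[Decision]:
    """Process orders in arrival sequence; only released orders join the history."""
    released = list(history)
    by_day: Dict[date, List[PaymentOrder]] = {}
    decisions = []
    for o in sorted(orders, key=lambda o: (o.day, o.order_id)):
        today = by_day.setdefault(o.day, [])
        action, reasons = screen_order(o, released, today)
        decisions.append(Decision(o.order_id, action, reasons))
        today.append(o)
        if action == "auto":
            released.append(o)
    return decisions


# Constructed sample day: three sub-threshold transfers to first-time payees,
# then one large one, then the next day's ordinary payroll run.
SAMPLE_ORDERS = [
    PaymentOrder("o1", date(2009, 5, 7),   4_800.00, "071000013-2208", "online"),
    PaymentOrder("o2", date(2009, 5, 7),   4_900.00, "081000032-6615", "online"),
    PaymentOrder("o3", date(2009, 5, 7),   4_700.00, "091000019-3307", "online"),
    PaymentOrder("o4", date(2009, 5, 7), 100_000.00, "091000019-5531", "online"),
    PaymentOrder("o5", date(2009, 5, 8),  22_000.00, "011000015-7788", "online"),
]

if __name__ == "__main__":
    for d in screen_batch(SAMPLE_ORDERS, HISTORY):
        print(d.order_id, d.action, d.reasons)
```

Two design points worth noting. The first two sub-threshold orders sail through on their own, which is the weakness of any per-transaction limit; it is the fan-out rule, which looks at the day rather than the order, that catches the third. And a held order still counts toward the day's outflow and payee set, but never becomes a "known" payee, otherwise an attacker could warm up a mule account with a small payment and send the large one tomorrow.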


Agreed, and this is something that you can't say you are aware of because banks do not communicate their internal security measure checks. As an example: I paid 1c on my own website via PayPal while doing payment integration tests, and the transaction was blocked. I received a text message that told me to call the bank to authorize the payment. I asked if it would block again for another test, but they have instructions not to answer those kinds of questions and I'm glad they did ;)


There are things that are baseline law and things that are above-and-beyond. Statistical analysis on usage patterns of your account appear to be above-and-beyond.

Your bank (a decent bank presumably) obviously gives a shit about this because they want customer loyalty which comes with not getting identity stolen and they don't want to pay up. However that is not the law.

There is no industry-wide law that requires statistical analysis on financial transactions as an anti-fraud methodology. Frankly this bank may get hit with people pulling business from them because they don't protect their clients, but that is another story.


If you actually RTFA, it was the client that was hacked, not the bank. The client's passwords were compromised, and then the bank's services were accessed normally with the compromised passwords.

The client's logic is that the bank should take the loss for this. I know we all hate the banks but seriously? You get hacked and suddenly the service I provide to you being compromised is my fault?

Sorry, the judge is right here.


A bank is in a better position to protect electronic access to the account than the consumer is. This bank provides simple username/password authentication to an Internet service that allows transfers of hundreds of thousands of dollars at a time to entities that a business has never worked with in the past. Offering that service with that level of protection without assuming any liability for the result is borderline negligent.


So? Linode is in a better position to prevent misuse of my VPS than I am. They can cut it off from the network and they have staff which would notice if it suddenly sent 40,000 emails. Does that make them liable if my server gets rooted because of software I install (say Apache 1.3.1 or something) and whoever rooted it installed a mail server on it to send spam from?


I don't see the analogy here at all. The whole point of Linode is to allow you to take responsibility for your own random software. The point of bank security --- in fact, a good part of the point of banks, period --- is to limit access to your funds.

Imagine if instead of passwords, the typical bank required a four-digit PIN. Imagine the bank did everything reasonable to meet best practices standards for validating PINs (for instance, requiring reset of PIN after N incorrect entries). Would anyone think it was reasonable for a bank to stake an entire business cash flow on a four digit PIN?

In 2011, the password is only marginally more secure than the PIN. That this is for reasons outside the bank's control is no more relevant than it would be with four-digit PINs.

The bank should in all cases be responsible for deploying electronic security measures generally recognized by those skilled in the art as reasonably effective. The bank is in all cases responsible for taking "due care" with the security of its accounts. Leaving them exposed to wild high-value money transfers should, and probably does, contravene the due care standard.


There is nothing that the bank was doing that was so far from the normal practice of securing a website that constitutes negligence. They were even following a published standard.

It's unreasonable to expect the bank to be so overly concerned with their customer's security and excuse the business for not being so with their own.


Whoah. Hold on. Just because the bank runs a Java app on an Apache server running Linux does not make the bank just a Java app.

Hold the bank only as accountable as delicious or Digg for its website. But the security of the bank accounts needs to be held to a higher standard. Having worked with multiple banks on online security, I actually believe they are held to a higher standard (that of "due care"), but that there's a combination of "commercial account" and "insufficiently informed judge" acting against that standard in this case.


The facts of the case however are this:

1. There was an agreement between the two parties to use this service to access the accounts; it specifically covered the liability of the bank regarding this very situation.

2. At no time were the bank's existing systems compromised technically.

3. The transactions were completed in a manner that the owner of the account themselves did not notice for a period of time. That alone suggests that they were sufficiently "normal" that the bank could not detect them.

4. When the bank did become aware of the unauthorized access, it immediately acted and froze transactions in place and prevented all further transactions from occurring.

Because of all of this, there is simply no way you can find the bank acted negligently unless you just have a hate on for the banks. The only negligent party here was the plaintiff, and that's who should eat the loss.


I object to all four of these points!†

But first, let me help you out with some research. Here is the FIRST SENTENCE of the SUMMARY OF KEY POINTS section on the FIRST PAGE of the FFIEC's _Guidance on Authentication in Online Banking_. Wait for it. Wait... for... it...

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

Now then:

(1) A fine-print clause waiving the bank's responsibility for any protection of funds in an account beyond providing a working login prompt should be found unconscionable.

(2) That the compromise in question here didn't occur in a fashion that you recognize as a "technical compromise" doesn't actually make it not a security failure on the part of the bank. By creating a security system that revolved around a security mechanism that literally every bank of Keybank's size and above recognizes and loudly proclaims is inadequate, the bank fielded an inadequate technical countermeasure to attacks and cannot lean on semantic games to hide that fact.

(3) It seems obvious to me that customers should not be expected to be better at tracking anomalies than banks, who spend tens of millions of dollars every year on systems to profile and analyze transactions. Regardless, it does not follow from a customer delay in noticing fraud that the bank couldn't or shouldn't have been expected to see the fraud earlier!

(4) How does it change anything that, once fraud was detected, further fraud was halted? There'd be no dispute at all if the bank continued to allow online criminals to siphon out of a known compromised account. The entire debate is what the standard should be before all parties acknowledge fraud.

You say there's "simply no way I can find the bank acted negligently unless I have a hate on for the banks". Well, I don't have a hate on for the banks. We do work for banks. There are many banks I like. My comments are not motivated out of irrational bank hatred.

They aren't, by the way, "facts of the case"; each is your interpretation of the facts we're aware of in the case. They are as "factual" as your bald assertion that disagreement with you must imply irrational hatred of banking.


> 2. At no time were the bank's existing systems compromised technically.

This isn't really true. Banks don't view their systems as servers -- rather a "system" is the technical bits, plus the controls and overall policies. If a bank allows someone else to use your credentials and transfer funds, it's a compromise. They have a responsibility to authenticate the user, not the credentials.

As tptacek points out, the bank was in violation of the FFIEC mandate for strong online authentication. They didn't have sufficient controls to correctly authenticate the client for this level of a transaction.


To be precise, I don't think the FFIEC has a "mandate" for two-factor auth, and I'm not sure how toothy any such mandate would be. But the bank is required by the UCC to exercise commercially reasonable controls, and I don't think you can consider "commercially reasonable" controls that are:

(a) Specifically called out by the FFIEC as inadequate to the task of protecting ACH transfers

(b) Roundly decried as inadequate by practically every large regional bank in the country

(c) The technical focus of massive deployments of reputational and two-factor systems at banks around the country.


Bruce Schneier said this many many times: it is the transactions that need to be authenticated, not the client. This is what credit card companies do (sometimes overzealously). The transactions mentioned in the article sound very unusual, a trivial authentication mechanism would have caught them.

The judge is right, since he rules by looking at current laws, but the current laws themselves seem out of date.


Maybe banks should be responsible for stronger protection than a simple password?


Along those same lines, if a hacker took advantage of a vulnerability in the banks application, but only after gaining access to that vulnerability through credentials stolen from a client/customer, is the client responsible for weak credentials protection in that instance as well?

This is a slippery slope.


That would probably be awarded 50/50.


If the theft was abetted by a product fault in the bank's own code, my guess is that the client would get 100 + legal fees.


Maybe, but if you're okay with that when you do business with them, you can't exactly complain about it when things go wrong.


Expecting people who know nothing about security to make an informed decision is unreasonable. It's much like expecting people to choose a building that won't fall over in an earthquake when they aren't architects - the responsibility lies with the architect for claiming that the security is good enough, not with the customer for trusting the expert.


?

You're suggesting that if I place a lock on your door, and you and I both agree that it is adequate, that it is my fault that you lose your keys and have your TV stolen because I should have known that a lock is not good enough and you should have had an alarm system as well....

Seriously, have some bit of personal responsibility.


The degree of "personal responsibility" you're alluding to here is unreasonable to apply to a regional commercial construction firm. It is simply not feasible for most businesses to keep a password-only protected online bank login secure using general-purpose operating systems, and particularly not with Windows.

You're commenting because you know that:

* The firm could have dedicated a machine to do nothing but provide access to the bank account, perhaps from a single-use VM

* The firm could have structured its bank accounts so that only a minimal amount of its cash flow would be exposed to any single compromise

* The firm could have aggressively monitored transfers in and out on a better than daily basis

I'm telling you that (a) getting these things set up is a 5-figure consulting project that no bank tells its client base it needs to do, (b) that it is vanishingly unlikely that the bank made sure the client was informed that it needed to take these steps, (c) that failing to do that and leaving accounts exposed only to simple passwords is probably an example of a failure of due care, and (d) that the simplest and most reasonable way to solve all of these issues would be for the bank to simply strengthen its authentication mechanisms for commercial accounts.


You are placing a ridiculous expectation on the service provider while excusing the client using any form of security at all!

Sorry, but in 2011 it is not beyond reasonable expectation that a password be kept secret. Getting hacked sucks, certainly. Your company being hacked however is not the liability of your service providers, even if they are banks.


Speak to the people deploying multifactor and reputational authentication at major banks, and to a one, they will tell you that it is not considered a reasonable expectation that Windows systems be kept intact in order to secure bank accounts.

Banks can't come out and simply say that because of market realities (there are lots of market realities involving software security that terribly impact your day to day life) and concomitant liability.


The banks we talk to are certainly aware that a significant percentage of the customer-provided client machines are pwned by malware (and not just dumb keyloggers either). The Zeus trojan in particular is currently one of the most-discussed topics in online banking security.


It would only be fair to mention your commercial interest in that fact, Marsh. :)


tptacek is referring to the fact that I work for PhoneFactor and we sell a multi-factor auth product to secure against these types of things. You're probably right, and thanks for the input.

It's hard to know when to worry about not disclosing affiliations and when to worry about sounding like a product name-pusher. I felt like I was on such basic facts in this comment that it wasn't so relevant, but I did mention it in a later comment in this thread.


Don't get me wrong; I'm glad you're here.


If I shot you, would it be your fault because you weren't wearing a bullet-proof vest?


Um, no. If you shot Mr. Smith over there, who was wearing one of my bullet-proof vests, but didn't do up the zipper/velcro, it's not my fault.


At least in the US, if you didn't put a stern warning about doing up the zipper/velcro in the vest's instruction manual, I'd be willing to bet there'd be plenty of lawyers who would gladly sue you on behalf of Mr. Smith's estate. Sadly, there would probably be some juries who would find in the estate's favor, too.


This is very common. By law, a bank is not responsible for theft from commercial bank accounts. Personal accounts however, are protected.

From what I've seen based on other cases:

#1. Never use a small/local bank. These guys are the worst and have generally pathetic or rarely enforced security policies in place.

#2. Do your banking off a boot disk if you're not certain about your system's integrity. (Why you are using a questionable machine in the first place is a whole other story.)

#3. Try to avoid letting your business checking account get unnecessarily fat.

The fact is banks lose money. Going back to #1, most of the at risk banks in the United States are the small local ones (The FDIC is still regularly seizing banks.) Forget hackers, you could very well have $300k "stolen" out of your bank account if the FDIC shuts your bank down one Friday afternoon.

If you want to read more about this, I'd recommend krebsonsecurity.com. Brian Krebs has done a great job of covering this issue for quite some time -- in fact he has his own opinion of this court case written up now.


It is not that simple. Commercial accounts do not have the same protections as personal accounts, but under UCC § 4A-202:

[... presuming a relationship between customer and bank, then..] a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders [... so long as the bank is acting in good faith.]

And then, in the very next clause:

(c) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.

The stuff this bank didn't do that it was supposed to do appears to be spelled out directly in the UCC, but the bank got off because the court chose to find a fine-print clause that waived these rules enforceable.


Clark Howard (the consumer radio personality) recommends that businesses use a separate computer for all bank related transactions. And that computer isn't used for email or other web access.

You should also contact your bank and request double or dual authentication on any wires. If your bank doesn't offer this, then get a different bank.

http://www.clarkhoward.com/news/clarkhoward/business-entrepr...


And the convenience of online banking just lost all of its convenience. I'd rather just drive to the bank to conduct all transfers... seems safer.


My bank has fairly lax login requirements (account ID, some random digits of an N-digit PIN, some random letters of a longish password).

But to make payments to new accounts, you have to add that account to your approved list, which involves inserting your debit card into a little calculator-style reader, entering your (different) PIN, and then doing CHAP style auth with a random number supplied on the webpage, which is (hopefully decently crypto) mangled by the device, giving you a confirmation code.

It's a bit of a hassle when you need to send some money to someone quickly and can't find the little machine, but otherwise, I think it's a pretty decent level of security.


You could probably just use a bank that utilizes tokens or some other two factor authentication.


What if the malware on the PC lets you log in and then takes over the session? Yeah, it happens.

I develop on a system (PhoneFactor) where the bank now confirms the details of a transaction (amount, dest account number, etc) over an out-of-band channel.

I really think this is where the world is moving. The current concept of login sessions is going away, e.g., mobile phones keep browser sessions open practically forever. Login credentials will eventually only protect the viewing of data, things that could cost money will be subject to additional authentication.

But the party whose interests are most protected will be the party that's purchasing and deploying the authentication system. This is usually not the party with the most to lose, and almost never the end user.
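The two comments above (the card-reader challenge/response, and confirming the amount and destination over a separate channel) are both about authenticating the transaction rather than the session, the point the Schneier reference further up makes. The following is an added example of that idea, not PhoneFactor's product, the card reader described above, or any bank's implementation. The per-device key, account strings, amounts, the canonical string layout and the 8-hex-digit code length are all this example's own choices. It shows why the binding matters: a man-in-the-browser that rewrites the submitted order after the customer hits "send" produces a code mismatch, because the customer's device signs what the customer typed into it, while the bank verifies against the order it actually received.

```python
"""Transaction-bound challenge-response: the code authorises one specific
transfer (nonce, amount, destination), not a login session.

Added example, not PhoneFactor's product or any bank's implementation. The
device key, accounts and amounts are constructed; the canonical string format
and the 8-hex-digit code length are this example's own choices.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def canonical(nonce: str, amount_cents: int, dest_account: str) -> bytes:
    # Fixed field order and a separator that cannot appear in the fields, so two
    # different transfers can never canonicalise to the same bytes.
    return f"{nonce}|{amount_cents}|{dest_account}".encode()


class SigningDevice:
    """The customer's side: an offline card reader or phone app holding a
    per-device key. It signs what the customer types or sees on its own
    screen, which a compromised browser cannot alter."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, nonce: str, amount_cents: int, dest_account: str) -> str:
        mac = hmac.new(self._key, canonical(nonce, amount_cents, dest_account), hashlib.sha256)
        return mac.hexdigest()[:8]      # short enough to type back into the web form


class Bank:
    """The bank's side: records the order it actually received, then verifies
    the code against those recorded details, never against anything the
    browser claims the customer intended."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, Tuple[str, int, str]] = {}

    def enrol(self, customer: str, key: bytes) -> None:
        self._keys[customer] = key

    def start_transfer(self, customer: str, amount_cents: int, dest_account: str) -> str:
        nonce = secrets.token_hex(8)    # fresh per order, so a code cannot be replayed
        self._pending[nonce] = (customer, amount_cents, dest_account)
        return nonce

    def complete_transfer(self, nonce: str, code: str) -> bool:
        order: Optional[Tuple[str, int, str]] = self._pending.pop(nonce, None)  # one attempt per nonce
        if order is None:
            return False
        customer, amount_cents, dest_account = order
        expected = SigningDevice(self._keys[customer]).sign(nonce, amount_cents, dest_account)
        return hmac.compare_digest(expected, code)


def run_scenario(tampered: bool) -> bool:
    """Customer intends $8,900.00 to a known supplier. If `tampered`, malware in
    the browser rewrites the submitted order to $100,000.00 to a mule account;
    the customer, typing into the offline reader, still signs what they intended."""
    key = b"per-device key provisioned at enrolment (constructed)"
    bank, device = Bank(), SigningDevice(key)
    bank.enrol("customer", key)
    intended = (890_000, "021000021-4412")
    submitted = (10_000_000, "091000019-5531") if tampered else intended
    nonce = bank.start_transfer("customer", *submitted)   # bank records what it received
    code = device.sign(nonce, *intended)                   # device signs what the customer meant
    return bank.complete_transfer(nonce, code)


if __name__ == "__main__":
    print("honest:", run_scenario(tampered=False), "tampered:", run_scenario(tampered=True))
```

The caveat a practitioner will want: the protection comes entirely from the amount and destination being entered on, or displayed by, the separate device. A reader that only transforms a random number from the web page proves the card and PIN are present, which stops credential theft, but it does not stop a hijacked session from changing where the money goes. Binding the transaction details is what closes that hole, and it is exactly what a login-time OTP or SMS code cannot do.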


...Unless they're RSA SecurIDs.

Although it seems that whoever got that info used it for poking into defence contractors, rather than banks. Still, I imagine it's perfectly possible they could have used it to defeat some multi-factor logins for large bank accounts.

I wonder how long the recall and replacement will take; there's got to be a lot of those tokens out there.


> you could very well have $300k "stolen" out of your bank account if the FDIC shuts your bank down one Friday

I thought that was the whole point of the FDIC? That we don't lose our bank account contents if our bank dies.


The FDIC only protects your bank account up to a certain limit.


It covers up to 250k if I recall. Is the implication here that you can have "up to" 550k in a bank account?


#4 Don't trust Florida based companies. Words to live by!

http://www.oceanbank.com/contact-us.html


ACH is still stuck in the 1970's (along with banking mentality).

You should definitely be able to whitelist and blacklist ACH transactions on your bank account but nope, anyone can just take the magic digits off the bottom of any one of your checks and help themselves.

But why the heck doesn't a bank have software that sets off alerts when more than $100k is drawn from an account, even $10k transactions have to be reported to the government, so why not also notify the customer and bank management?

Also, why in 2011 does it take 5 days officially to clear ACH?


It takes 5 days to clear ACH because "hey we took this money, you have 5 days to let us know if that's okay" is the authentication.


Except when you transfer money into paypal, they make you wait 5 days but I see the bank clear the money in 24-48 hours


Most banks do have something in place for whitelisting transfers, but adding new recipients is often protected by the same regime that the Zeus bot controllers have already broken.


According to the OP, the transfers did set off alarms in the bank, but the bank chose to ignore them.


I don't think they CHOSE to ignore them, it was more that their response was not the best. (It triggered challenge/response questions versus the better option of a manual review.)


IANAL, but in dealing with some banking software, the situation was explained to me as "Devil take the hindmost." In other words, no bank wants to be the one that implements the worst security, or security that is dramatically worse than "average," whatever that might be.

So for example if all the banks offer four digit PINs, there's not much need to offer six, eight, or ten digit PINs. But if a sufficiently large number of banks start offering ten digit PINs, no bank wants to be left behind, because at some point a customer will sue them and claim that they knowingly have lower standards.

This is purely anecdotal, but this is how it was explained to me when the product managers for a new product were trying to balance ease of use and accessibility against strength of security.


I'm ambivalent about this one.

On one hand, I hate banks. They treated me like shit when I was penniless, now that I have a couple to rub together they won't let me cash a check without trying to suck-up their way into some new type of account. Ocean Bank failed to protect their customer's money; I don't see the difference between the FDIC protection afforded depositors in case of physical robbery and the protection that depositors should have from digital robbery.

On the other hand, there's no law, case or otherwise, that makes the bank specifically liable. So the judge has no basis on which to hold the bank accountable.

They "should" be liable, but it's an ethics issue, not a legality issue. I'm not about to expect a bank to be ethical.

This kind of thing makes me thankful for Wells Fargo. Their fraud/theft detection system is tops and has saved us from fraudulent charges in at least two instances.


> They treated me like shit when I was penniless, now that I have a couple to rub together they won't let me cash a check without trying to suck-up their way into some new type of account.

Haha, I thought it was just me. "Why are you people being so nice to me all of a sudden???"

With regards to the article, I think that they ignored the alarms is important. I once took out $5K cash for a transaction where I had to show some money and an internal this-is-not-normal alarm went off. While it was an inconvenience, I'm glad that the bank did not let me walk out with the money without checking up on me. So I think that the bank from the article was very irresponsible.

I hope that the soon-to-be-ex-customer of the bank publicizes this issue with the media even more. This is the only check on their carelessness.


> I once took out $5K cash for a transaction where I had to show some money and an internal this-is-not-normal alarm went off. While it was an inconvenience, I'm glad that the bank did not let me walk out with the money without checking up on me. So I think that the bank from the article was very irresponsible.

I agree 100%; I know it can be done because I've had similar experiences with WF. We have been traveling and I've gotten phone calls from them within 5 minutes of a transaction saying, "hey, we just want to make sure this is legit."

The fact that they ignored the alarms is important and I agree, negligent. But it doesn't look like it was enough for the judge to find them liable and more importantly, make it stick and not get flipped on appeal.


The article states that the bank's automated systems were triggered for suspicious activity and the bank ignored them. One would think that at the very least that would make the bank negligent. Of course there is probably more to it than that.


In this case the "physical robbery" parallel would be losing your key to a safety deposit box, and then suing the bank when your stuff is stolen. Don't get me wrong, I don't love banks either, but here the bank's security didn't get compromised.


I think it may be more like: you lost your key and the person who found it went to the bank. While there they presented ID, per the bank's normal process, and even though the presented ID was suspicious the bank allowed the transaction to continue.


It's the bank's fault simply because this system has been broken for at least a decade, they know damn well it is broken, but they don't make as much profit if they invest in fixing it.

This won't change until it becomes more expensive for them to leave it unfixed - either by market forces, or by regulation.


Mitchell and Webb have a great bit on this: http://www.youtube.com/watch?v=CS9ptA3Ya9E


Clearly the bank's customer has some responsibility here.

But it's not clear that the bank gave its customers the backup they needed in the event that an account is compromised. And accounts will be compromised.

Only the bank can improve the security of large electronic transactions. And if the bank is not held responsible, they have no incentive to do so.


Bank customers that hear about this have an incentive to change banks though.


IANAL, but I would suspect that the construction company has a mediocre/inexperienced lawyer. Maybe this could be covered by check forgery statutes or something that works by analogy. Back in the last century a friend of mine won a case in CA where he was actually negligent himself. He was remodeling his house and set up an account that the contractor could draw on. The contractor took the money and ran. My friend sued the bank for negligence. He won because the contractor had pulled the same scam before at the same bank.

Maybe this guy sued in the wrong court: US District Court vs. Maine state court.


US banks need 2 factor authentication. Do any banks on the east coast offer this?


Some background: unlike PCI, which has very large specs for how to protect cardholder data, banks have very few mandated requirements for protecting online banking.

Really the only guidance they've received is the document "Authentication in an Internet Banking Environment", released by the FFIEC in 2005. [1]

The mandate boils down to: "Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services."

So, if a FI provides basic personal online banking -- with no money transfer abilities -- perhaps a username/password pair combined with pretend-MFA ("What's your favorite secret color?") is appropriate.

If you allow your customers to originate ACH or wire transfers, it's simply negligent to not provide true MFA, and their auditors should have caught this earlier.

[1] http://www.ffiec.gov/pdf/authentication_guidance.pdf
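As an added example (not from the thread, the FFIEC document or any bank's system), the tiered policy the post above describes, in code: a view-only account needs one factor, an account that can originate ACH or wire transfers needs a true second factor (RFC 6238 TOTP here, a constructed choice), and a transfer that trips a suspicious-activity alarm is held for review rather than waved through. The account fields, the 3x threshold and the monitoring rules are all constructed for illustration.

```python
import hmac, hashlib, struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Account:
    """Constructed business-account record (not any real bank's data model)."""
    name: str
    can_originate_transfers: bool                  # ACH/wire origination enabled on the account
    totp_secret: Optional[bytes] = None            # None: no true second factor enrolled
    past_transfers: list = field(default_factory=list)  # (amount, destination) history

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the one-time-password family the German scheme relies on."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def required_factors(acct: Account) -> int:
    """FFIEC: authentication 'appropriate to the risks'. View-only: one factor; origination: two."""
    return 2 if acct.can_originate_transfers else 1

def suspicious_activity_alarms(acct: Account, amount: float, destination: str) -> List[str]:
    """Constructed monitoring rules standing in for the bank's automated alarms."""
    alarms = []
    if destination not in {d for _, d in acct.past_transfers}:
        alarms.append(f"never-seen destination {destination}")
    largest = max((a for a, _ in acct.past_transfers), default=0.0)
    if acct.past_transfers and amount > 3 * largest:
        alarms.append(f"amount {amount:.2f} exceeds 3x historical maximum {largest:.2f}")
    return alarms

def authorize_transfer(acct: Account, amount: float, destination: str,
                       otp: Optional[str], now: int) -> Tuple[str, str]:
    """Return (decision, reason): 'denied', 'held' (alarm -> human review) or 'approved'."""
    if required_factors(acct) == 2:
        if acct.totp_secret is None:
            return "denied", "transfer origination enabled without an enrolled second factor"
        if otp is None or not hmac.compare_digest(otp, totp(acct.totp_secret, now)):
            return "denied", "one-time password missing or wrong"
    alarms = suspicious_activity_alarms(acct, amount, destination)
    if alarms:
        # An alarm the system raised is acted on, never silently passed over
        return "held", "pending manual review: " + "; ".join(alarms)
    acct.past_transfers.append((amount, destination))
    return "approved", f"{amount:.2f} to {destination} released"
```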


Banks in Germany are required to use two-step authentication and one-time passwords for money transfers. Measures like this would have prevented that 'hack'.

I actually lived in the US for a while and the so-called security of American banks was completely incredible to me. It is true: Steam, Battle.net and Google accounts are significantly better protected than the US bank accounts I had access to.


I actually find this ruling fair.

FTA: "But [the judge] nonetheless concluded that the law does not require the bank to implement the “best” security measures available and that the bank is clear to customers when they sign up about the level of security it provides and the amount of liability it will assume if money is stolen from a customer account."


This was a bank robbery, and the customer is just out the loss for money taken from the bank? That's a novel legal argument.


Of course (most) banks don't look very hard for suspicious money transfers - they don't share much of the risk if a business account is hacked.
