The question does not get any blunter. When cyber-criminals empty a bank or share draft account, who is left holding the losses?
The answer to the question has financial industry security experts buzzing about a recent ruling handed down by a federal appeals court in Maine that, in many ways, is “a game changer,” said George Tubin, senior security adviser for Trusteer.
“Financial institutions had believed that as long as they provided generally accepted security they would be covered. The Maine court disagreed,” said Tubin.
In the early July ruling of Patco Construction vs. People’s United Bank (formerly Ocean Bank), the appellate court said the community bank had generally followed accepted best practices but that these were simply not good enough.
The bank could have done more, ruled the appellate court, and it is therefore on the hook for the nearly $590,000 that was looted from Patco over seven days in 2009.
“The perpetrators correctly supplied Patco’s customized answers to security questions. Although the bank’s security system flagged each of these transactions as unusually ‘high-risk’ because they were inconsistent with the timing, value and geographic location of Patco’s regular payment orders, the bank’s security system did not notify its commercial customers of this information and allowed the payments to go through,” the court wrote in its decision.
Ocean Bank was able to block or recover about $243,000, leaving a residual loss to Patco of about $345,000.
The court’s decision has sent shock waves through the security community.
“The Patco ruling absolutely should change how financial institutions behave,” said Tubin.
But maybe not so much at credit unions, said some experts. In one respect, credit unions can breathe easily because the decision appears to apply only to commercial and business accounts, not to the consumer accounts that are the lifeblood of the credit union industry.
However, matters are not that clear cut: all accounts may well face a raised security bar if the Patco decision stands, said many experts.
Ocean Bank had bought a suite of security products (mainly from Jack Henry) but chose to implement only some of them. The court raised questions about how good the bank’s implementation process had been, blaming the institution’s IT staff and not its vendors.
Longtime financial industry security expert Bill Murray, who now blogs on the topic, recently explained, “There was a problem with those [products that Ocean Bank] chose not to implement. First, they did not implement the user-selected image, a shared secret, intended to help the customer distinguish between the bank’s system and a spoof of it before exposing his credentials. However, they also failed to implement the measures most effective against the favored attack, credential re-play, i.e. out-of-band or one-time-password authentication and transaction risk scoring and monitoring.”
The bank also misused a common security feature, according to the court, by lowering the threshold for requiring a challenge question from transactions above $1,000 to those above $1, thereby increasing the probability that the system would be compromised, said Murray in an interview.
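To make the court's and Murray's points concrete, here is an added example (constructed for this article, not the bank's or its vendor's code) that scores a payment against the three signals the court cited, contrasts a release policy that trusts correct challenge answers alone with one that holds flagged payments for out-of-band confirmation, and shows how a $1 challenge threshold prompts for the customised answers on almost every payment. The profile fields, the two-signal cut-off and the sample amounts are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Profile:            # constructed baseline from the customer's regular payment orders
    max_usual_amount: float
    usual_hours: range    # hours of day in which orders normally arrive
    usual_countries: set

@dataclass
class Payment:
    amount: float
    submitted: datetime
    origin_country: str
    challenge_answers_correct: bool   # True even when the answers were replayed by a fraudster

def risk_score(p: Payment, prof: Profile) -> int:
    """Number of the three profile signals (value, timing, location) the payment violates."""
    return sum([p.amount > prof.max_usual_amount,
                p.submitted.hour not in prof.usual_hours,
                p.origin_country not in prof.usual_countries])

HIGH_RISK = 2   # hypothetical cut-off: two or more anomalous signals

def decide_challenge_only(p: Payment, prof: Profile) -> str:
    """The pattern the court faulted: correct answers release the payment no
    matter what the risk engine flagged, and the customer is never notified."""
    return "allow" if p.challenge_answers_correct else "deny"

def decide_with_oob(p: Payment, prof: Profile, oob_confirmed: bool = False) -> str:
    """Hold flagged payments and notify the customer; release only after
    out-of-band confirmation (the control Murray says was never deployed)."""
    if not p.challenge_answers_correct:
        return "deny"
    if risk_score(p, prof) >= HIGH_RISK and not oob_confirmed:
        return "hold"
    return "allow"

def challenge_prompt_rate(amounts, threshold: float) -> float:
    """Share of payments that trigger a challenge question; dropping the
    threshold from $1,000 to $1 means the customised answers are typed on
    almost every payment, the added exposure Murray describes."""
    return sum(1 for a in amounts if a > threshold) / len(amounts)

# Constructed sample: regular orders are small, domestic and in business hours;
# the suspect order is large, overnight and from an unfamiliar country.
PROFILE = Profile(max_usual_amount=2000.0, usual_hours=range(8, 18), usual_countries={"US"})
SUSPECT = Payment(amount=90000.0, submitted=datetime(2009, 5, 7, 3, 15),
                  origin_country="XX", challenge_answers_correct=True)
USUAL_AMOUNTS = [150.0, 420.0, 980.0, 1500.0, 45.0]
```

With these inputs the suspect payment scores 3, the challenge-only policy allows it, and the out-of-band policy holds it until confirmed; the prompt rate rises from 20% at a $1,000 threshold to 100% at $1.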
Experts expect the decision will be appealed, so it is not yet engraved in stone. But they also suggest that it will serve as a precedent for rulings in similar cases. That means security demands will be raised for all financial institutions and puts them on notice that they may be held responsible for customer and member losses, despite their efforts to safeguard accounts.
“It’s not good enough just to meet compliance guidelines. The court is asking, how good are your defenses at actually preventing fraud,” said Tubin.
“What this means is that financial institutions have an obligation to properly authenticate transactions. You cannot just check off the boxes and say you did enough,” warned Jon Callas, chief technology officer at Entrust. “Security too often is done as a ‘check the box thing,’ as a way to pass the buck. The court said that is not good enough.”
Ken Citarella, managing director of the investigations and cyber forensics practice at Guidepost Solutions, said, “The decision creates a dilemma for financial institutions. The court said a generic, one-size-fits-all solution is not sufficient, but who said what is sufficient?”
Citarella suggested that one consequence of the ruling may be raised security demands for clients at financial institutions. “If this decision stands, every transaction may have to involve more inconvenience,” he said.
But that is its own slippery slope, said Rob Ayoub, technical marketing manager at Fortinet, who explained that the more required security alerts and measures, “the more likely we are to ignore them.”