Last updated: 19 March 2014
Several weeks of harsh headlines have covered the tough battle between customers and banks over lawsuits arising from cybercrime.
In early June, a court in Maine ruled in favor of Ocean Bank in an ACH fraud lawsuit, stating that, “having verified IDs, passwords and requested challenge response questions, it acted in good faith by processing the ACH payments and Patco (the customer) was to blame for letting its details become compromised.” Recently, however, it appears that the opposite has occurred, when a ruling from a Texan judge favored the business which had been the victim of fraud.
In one of the most recent cases, the customer (Experi-Metal) was a victim of an apparent real-time phishing scam that resulted in almost 100 wire transfers (worth $560k) being processed after both their Comerica user credentials AND security token password were compromised. The judge stated, “a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”
There are a few things worth noting in these scenarios. First, neither of these banks is a major financial institution – this means attackers are looking further afield for potential victims. By targeting smaller organizations, they evidently believe that they are more likely to find the weak link in the security chain, wherever it may be. This means that every institution, large or small, should invest in the proper security solutions and take the necessary precautions to avoid these situations. Second, no one wins a lawsuit like this – there is no scenario in which a bank should say “we won that one!” Whether a judge decrees it or not, it is the responsibility of the institution to provide a safe banking environment for customers, period.
Third, the rulings show that our current laws do not understand, or even agree on, what actions need to be taken in order to provide justice. One judge ruled that IDs, passwords and challenge questions with their answers were sufficient to protect the customer’s information, while another ruled that the bank should have detected a mere 100 wire transfers from an account after the IDs, passwords and OTP token password were compromised.
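As an added illustration, not part of the original post, of the kind of velocity check a bank could run to surface a burst like the Experi-Metal one: the rule below compares each account’s wire count and total inside a sliding one-hour window against that account’s own earlier daily baseline. Account names, timestamps, amounts and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample wire events: (account, "YYYY-MM-DD HH:MM", amount_usd).
# Account "A" wires a few thousand dollars once a day, then sends 30 wires in one
# hour (the kind of burst that follows a credential + OTP compromise).
# Account "B" keeps its normal pattern and should not be flagged.
SAMPLE_EVENTS = [
    ("A", "2011-05-01 10:00", 4200.0), ("A", "2011-05-02 11:30", 3800.0),
    ("A", "2011-05-03 09:15", 5100.0), ("A", "2011-05-04 14:00", 4500.0),
    ("B", "2011-05-01 10:00", 900.0),  ("B", "2011-05-04 16:00", 1200.0),
] + [("A", f"2011-05-05 08:{m:02d}", 5600.0) for m in range(0, 60, 2)]

def parse(events):
    return [(a, datetime.strptime(t, "%Y-%m-%d %H:%M"), amt) for a, t, amt in events]

def flag_wire_bursts(events, window=timedelta(hours=1), factor=3, min_count=5):
    """Return {account: reason} for accounts where, in some window, the number of
    wires or their total exceeds `factor` times the account's prior daily average.
    `min_count` suppresses alerts on accounts with too little activity to judge.
    The factor and minimum are illustrative, not a recommended production setting."""
    by_acct = defaultdict(list)
    for acct, ts, amt in sorted(parse(events), key=lambda e: e[1]):
        by_acct[acct].append((ts, amt))
    alerts = {}
    for acct, rows in by_acct.items():
        for i, (start, _) in enumerate(rows):
            history = [r for r in rows if r[0] < start]   # baseline: what came before
            if not history:
                continue  # no baseline yet; a real system would fall back to static limits
            days = max(1, (start - history[0][0]).days)
            avg_count = len(history) / days
            avg_amount = sum(a for _, a in history) / days
            in_win = [r for r in rows[i:] if r[0] < start + window]
            n, total = len(in_win), sum(a for _, a in in_win)
            if n >= min_count and (n > factor * avg_count or total > factor * avg_amount):
                alerts[acct] = (f"{n} wires totalling ${total:,.0f} within {window} "
                                f"(baseline {avg_count:.1f} wires, ${avg_amount:,.0f} per day)")
                break  # one alert per account is enough to hold the remaining wires
    return alerts

if __name__ == "__main__":
    for acct, reason in flag_wire_bursts(SAMPLE_EVENTS).items():
        print(f"HOLD {acct}: {reason}")
```

A detection like this is only a first gate: the follow-up is an out-of-band confirmation with the customer before the held wires are released, which is exactly the step the Texas ruling faulted the bank for skipping.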
While I’m no legal expert, I still feel entitled to the opinion that the judge in Texas got it right, because the ruling shows an understanding of the potentially dangerous environment that exists when proper protections are not in place. Further, it illustrates again that security is an evolutionary process, not a destination – you do not “deploy and forget” your security. It must be continually scrutinized and analyzed for vulnerabilities and inadequacies from within – because the criminals are doing the same thing from the outside.
Finally, it is important to note that solutions that can prevent these attacks are both available and affordable. Online banking is now a critical piece of the delivery chain for banks of every size and, when a lawsuit like this happens, it calls attention to a growing problem. Coupled with recent attacks aimed at huge companies like Lockheed and Citibank, there is a real danger that customers may start to EXPECT to be compromised, and simply avoid the channel entirely as a result. And that is the last thing banks would want to happen.