What’s a “commercially reasonable” amount of security for a bank?
We got one answer last week when a federal appeals court reversed a lower court’s ruling on the Automated Clearing House (ACH) fraud dispute between Patco Construction and Ocean Bank. Patco sued Ocean Bank for having “commercially unreasonable” security in place after Patco lost more than $500,000 after fraudsters made six transfers over ACH wire transfer system.
The court agreed with Patco and said the security Ocean Bank had in place at the time of the theft was “commercial unreasonable.”
A little background: Ocean Bank decided to initiate “challenge questions” for any transactions for its customers valued at more than $1. So every single time Patco employees wanted to make a transaction, they would have to answer a challenge question. This opened up Patco even more to fraud, because keylogging software (in this case, a Zeus attack) was waiting for those answers.
Then, when alerted to possible fraud, Ocean Bank did nothing. According to the ruling, “Although the bank’s security system flagged each of these transactions as unusually high-risk because they were inconsistent with the timing, value, and geographic location of Patco’s regular payment orders, the bank’s security system did not notify its commercial customers of this information and allowed the payments to go through.”
The court also said that there were many other security solutions available that Ocean Bank chose not to implement. Amongst these solutions noted are highly secure tokens. A physical device like a smart card or a one-time password generating token gives the bank assurance that the person making the transaction is authorized to do so.
These collective failures, taken as a whole, rendered Ocean Bank’s security procedures “commercially unreasonable.”
Ok, now that we have gone through all of the “legal-ese” of the case, what does it really mean for banks? In all, I think the Patco v Ocean Bank ruling is going to be a wake-up call for banks – the minimum is not enough.
Some thoughts for moving forward:
First, banks need to not just implement strong security, but use it and use it correctly. Ocean Bank failed to respond when transactions were flagged.
Second, banks need to be looking at all of the security solutions available – not just those offered by one vendor – and implement several layers of security. For example, these transactions would never have gone through if commercial banking customers were required to use a physical device like a smart card or token.
Third, banks need to always be taking an active role in security. Threats continue to evolve, and so should their security solutions. Bank security officials need to stay educated, and update to new security solutions when necessary.