A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in a money transfer case that Patco Construction Inc. filed against its bank, Ocean Bank, in 2010. In May 2009, the construction company had its account taken over by cybercriminals and lost more than half a million dollars; only $230,000 was recovered. For more information on this decision see http://www.bankinfosecurity.com/articles.php?art_id=3705&rf=2011-06-07-eb
In my opinion, this is an injustice against small U.S. businesses, whose health is critical to the economic recovery in this country. It is also a failure of the U.S. banking regulatory system to act quickly and proactively.
The regulators should not leave these matters in judges’ hands to decide and should protect U.S. businesses from cyberattacks that compromise the safety and security of their accounts, just as consumers are protected under Regulation E.
While the guidance is open to many different interpretations, I don’t believe this magistrate correctly interpreted the 2005 FFIEC authentication guidance, “Authentication in an Internet Banking Environment,” which is the last guidance issued on this matter.
On Page 1 of that guidance, the FFIEC states:
“Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services.”
Clearly, the methods used by the processor for Patco’s bank (and by many other banks that experienced similar incidents) at the time did not adequately address the risks associated with online business banking in 2009. Zeus, browser-based Trojans and other modern-day threats are known to circumvent all of the methods that were being used to protect Patco’s account.
Unfortunately, the 2005 FFIEC guidance referred to examples of relatively basic online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 long ago bypassed and surpassed those old techniques. Still, the basic premise of the guidance as quoted above remains sound, and I think it should have been interpreted differently by the judge. Again, the operative phrase in the guidance is on page 1: “….the … techniques employed by the financial institution should be appropriate to the risks associated with those products and services.”
The FFIEC was on the verge of releasing updated guidance at the end of last year that was supposed to clarify the new and stronger types of multi-layered defenses required in 2011. The update was also supposed to explain that the examples of strong online banking security measures listed in 2005 have been rendered useless and obsolete by next-generation cybercrime. It’s very disappointing that the much-needed update was never issued, no doubt because of politics and disagreements among the regulatory agencies.
But better yet, the legislature should simply make banks responsible for unauthorized access and activity in business bank accounts, just as they are responsible for such activities in consumer accounts.
I see this as a failure of government to protect the banking system by creating the right laws, guidance and incentives. Current laws protect consumers, probably because legislators realized long ago that consumers couldn’t necessarily protect themselves. Small businesses especially have the same problem: the threats have moved beyond the ability of small businesses to stop them with most commercially available anti-virus software and personal firewalls.
Banks will justifiably do what’s in their own interest, and for now they are covered by contractual agreements with their business customers. Most businesses, on the other hand, need specific tools and methods, which their banks should instruct them to use as necessary and appropriate, if they are to be held responsible for what happens inside their bank accounts.
Otherwise, banks should hang out a big shingle on their online banking web site that reads “Businesses: bank at your own risk.”
Avivah Litan
5 responses so far
1 Midwest IT Survival » On-line Banking Security on Trial Again June 8, 2011 at 3:17 pm
[...] off the hook to do any more than what is contained in the outdated FFIEC guidance guidelines. As one industry analyst wrote “Businesses: at your own [...]
2 jfbauer June 8, 2011 at 3:25 pm
Avivah,
I think there are challenges on both sides of the bank versus on-line customer equation when it comes to authentication security. I recently posted my thoughts on my blog here: http://bit.ly/kQYN8G
If you don’t mind, I referenced your concluding statement linking users back here to your post.
3 Gemalto | Our blog | Fujitsu’s biometric palm authentication will be a step too far for most users June 13, 2011 at 11:25 am
[...] Biometric authentication is undoubtedly a growing area of our industry, and advances like this are to be applauded. However, we must remember that authentication at this level is unlikely to be adopted on a mass-market scale, so innovations like this one will probably never directly affect many of us. The reason for this is simple: all authentication must be risk-appropriate. [...]
4 Banks vs. Defrauded Businesses: Who’s Defending Who? « Silver Tail Blog June 15, 2011 at 3:35 pm
[...] recent blog post by Avivah Litan, vice president and distinguished analyst at Gartner, raises the following [...]
5 Gemalto | Our blog | Citi data breach shows need for new FFIEC regulations June 16, 2011 at 1:09 pm
[...] using corporate banking products online and, as a consequence, likely not be covered under Reg E. Like many small organisations, they are particularly vulnerable to any monetary loss and lack the technical know-how to [...]