Monday, September 28, 2009

Another Lawsuit Against Weak Online Banking Authentication



Is this the beginning of the end of Usernames and Passwords?  Hope So!



Brian Krebs writes for the Washington Post and tells of another lawsuit filed claiming that poor online banking authentication and security protocols led to financial losses on the part of the consumer. Who will be held liable? Is this the beginning of a flurry of lawsuits aimed at poor online banking log-in procedures?


There IS a better way. The same way banks trust the withdrawal of cash in real time. As of March 17th, 2009, there has been one device in the entire world which is PCI 2.x certified and has the capacity to do exactly that in both an online banking AND e-commerce environment.



Oh, did I mention that employing our solution is exponentially cheaper than the attorneys' fees needed to defend against this and a "host" of other lawsuits that will crop up. And they (lawsuits) will! Just as you can bet your bottom dollar that an NFL coach throws the red flag with 2:01 left to go in a game when their team needs a reversal. They've got nothing to lose and everything to gain. Now that I think about it, our solution is exponentially less expensive than the hit a bank would take to their reputation should they lose a case like this. Oh, and now I'm thinking of the hordes of customers flocking to a competitor, one who initiated a more secure online banking authentication platform.




Genuine Authentication must take place outside the browser space. It must be done in such a way as to instantaneously encrypt the log-in details and use existing bank rails which coincide with KYC and AML requirements. HomeATM has such a solution. Here are a couple of excerpts from Mr. Krebs' article:
Maine Firm Sues Bank After $588,000 Cyber Heist

A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist.

On Friday, Sanford, Maine based Patco Construction Co. filed suit in York County Superior Court against Ocean Bank, a division of Bridgeport, Conn. based People's United Bank. The lawsuit alleges that Ocean Bank did not do enough to prevent cyber crooks from transferring approximately $588,000 to dozens of co-conspirators throughout the United States over an eight-day period in May.



People's United Bank spokeswoman Valerie Carlson declined to comment for this story, saying the company is aware of the lawsuit but does not discuss pending litigation.



According to the complaint, the fraudulent transfers began on Thursday, May 7, when thieves who had hijacked the company's online banking credentials initiated a series of transfers totaling $56,594 to several individuals that had no prior business with Patco. The company alleges that this pattern of fraud continued each day of the following business week, during which time the thieves made additional batches of fraudulent transfers totaling $532,257.



Here's the crux of the matter (as I see it) in the legal case:




Commercial banks are governed under the Uniform Commercial Code, which holds that institutions must take "commercially reasonable" steps to protect customers against fraud.




For most banks, the bar for what is considered reasonable for online banking authentication was set by a 2005 document issued by the Federal Financial Institutions Examination Council,...





Editor's Note: 2005? That's 100 years ago in terms of the progress made by hackers since then. Heck, online banking malware has INCREASED BY 4995% SINCE 2007! And I don't know if they (password stealing trojans) even existed in 2005. Look at the chart on the right to get an idea of the increase in web vulnerabilities since 2005, when the FFIEC last considered what was "reasonable."



...which concluded that banks should employ what's called "multi-factor authentication," which involves requiring the customer to log in with a user name and password (that's bad) "in combination" with some other form of authentication, such as a single-use password or code generated by a token the customer has in his or her possession, or a special code sent via text message to the customer's mobile phone.



Editor's Note: "requiring the customer to log in with a user name and password" along with another form of authentication. Well, we know that user names and passwords are not safe, so how does that even "count" as part of the "multi-factor" authentication? With those two being absolutely 100% useless, the next form of authentication becomes the one that counts the most.



Another "password" is useless, including "One-Time Passwords," because they can be keylogged in real time (for all we know, they can be Trojanned in real time as well). The fact remains, and there is a preponderance of empirical evidence proving it, that "anything" done to protect a user in a web browser is absolutely useless.





Therefore, based on the evolution of hacking since 2005, combined with the fact that the FFIEC hasn't "REVISITED" their document SINCE 2005, I don't see how that business can be held liable. 2005? C'mon, as I stated, that was 100 years ago compared to the progress hackers have made with Trojans such as Clampi, Zeus and a host (pun intended) of other ways to obtain online banking credentials. If I'm the attorney, the graphic above is Exhibit One. Do I need another? Look at the dates and project 2005...the last time the FFIEC updated their document. Now compare it to the first 6 months of 2009.



If I'm Judge Johnny and I can B. Frank, I find for the plaintiff.  $588,000 plus interest, plus attorneys fees.  $0 in damages.  The real damages are going to be the loss of customers endured by banks who continue to put their customers into a position where their card information is swiped by the bad guys instead of by the consumers themselves. 



Continuing with Mr. Krebs' story:


"Patco's lawsuit claims the bank failed to offer any form of token-based authentication, and that its multi-factor approach amounted to little more than requiring the entry (typing) of yet another password. (which could be easily "swiped" by a Trojan)



The company said that for any transfer of more than $1,000, Ocean Bank commercial customers initiating ACH transfers are required to answer two "challenge" questions.




"Because almost every transfer Patco made exceeded the $1,000 threshold, Patco employees had to answer the challenge questions practically every time they initiated a direct deposit payroll via ACH transfer," the company charged in its complaint. "Because the low thresholds meant the challenge questions were used so often, the questions provided little to no additional security and were effectively no more than extensions of the employee's passwords."  (ooh...good argument dude!)





In addition, the suit alleges that while the bank represents to clients that it monitors customer online accounts for signs of unauthorized access, all of the fraudulent transfers were initiated from Internet addresses that Patco had never before used to conduct online banking. (ooh...two more points!)



"The statute we deal with in Maine is very specific and mentions a whole host of factors that the bank needs to have in place, and in this case we don't think the bank had in place commercially reasonable security procedures," Mitchell said.
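The complaint's point that every fraudulent transfer came from an Internet address Patco had never used before is exactly the kind of signal a bank's account-monitoring system can check mechanically. The script below is an added example, not code from the original post, from Krebs' article or from any bank or HomeATM system; the log format, customer identifier, amounts and IP addresses (drawn from the RFC 5737 documentation ranges) are constructed for illustration. It flags transfers whose source address is absent from the customer's login history and totals the flagged amounts per day, so a batch like the May 7 transfers stands out as a unit rather than as a handful of individually "normal" payments.

```python
"""Flag online-banking transfers that come from a source address the
customer has never used before, and total the flagged amounts per day.

Added example, not from the original post or from Krebs' article; the
log format, customer id, amounts and IP addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: source addresses previously seen per customer,
# e.g. collected from successful logins before the review window.
# Addresses come from the RFC 5737 documentation ranges.
KNOWN_SOURCES = {
    "patco-demo": {"203.0.113.10", "203.0.113.11"},
}

# Constructed transfer log: "<iso date> <customer> <source ip> <amount usd>"
SAMPLE_LOG = """\
2009-05-06 patco-demo 203.0.113.10 4200.00
2009-05-07 patco-demo 198.51.100.7 19800.00
2009-05-07 patco-demo 198.51.100.7 36794.00
2009-05-08 patco-demo 203.0.113.11 1500.00
2009-05-08 patco-demo 192.0.2.44 61000.00
"""


def parse_log(text):
    """Parse one transfer per line into (date, customer, source_ip, amount)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date_s, customer, ip, amount_s = line.split()
        records.append((datetime.strptime(date_s, "%Y-%m-%d").date(),
                        customer, ip, float(amount_s)))
    return records


def flag_new_source_transfers(records, known_sources):
    """Return transfers whose source address is not in the customer's history.

    The history is deliberately not updated while scanning: once a session
    from an unknown address is under review, further transfers from that
    same address must not quietly turn it into a "known" one.
    """
    return [r for r in records if r[2] not in known_sources.get(r[1], set())]


def daily_totals(records):
    """Sum amounts per (customer, date) so a day's batch is reviewed as a whole."""
    totals = defaultdict(float)
    for date, customer, _ip, amount in records:
        totals[(customer, date)] += amount
    return dict(totals)


if __name__ == "__main__":
    flagged = flag_new_source_transfers(parse_log(SAMPLE_LOG), KNOWN_SOURCES)
    for (customer, day), total in sorted(daily_totals(flagged).items()):
        print(f"{day} {customer}: {total:,.2f} USD from unknown source addresses")
```

Run stand-alone, it reports the May 7 and May 8 batches from the two unknown addresses and stays silent about the transfers from the customer's usual ones. A real deployment would hold the flagged batch for out-of-band confirmation rather than just print it, which is the monitoring the complaint says the bank represented it was doing.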








It will certainly be interesting to watch. I will say this. There is only one way for banks to win. That is to provide a genuine two-factor log-in procedure trusted by consumers.



Until then, banks lose no matter what, because even if they win the lawsuit, they will scare the living bajeezes out of their existing online banking customers, who will flock to the bank that offers a log-in procedure that consumers trust. I don't think there is ANY denying they have grown accustomed to "swiping their card" and "entering their PIN," whether it's to conduct a PIN based transaction at a retail location or withdraw money from an ATM. Fact is, it's the "MOST PREFERRED" way to pay, and if it's trusted by banks to dispense cash, we've got a winner here.





It's the way it's got to be...it's the way it will be...because it is the way it already is. 



Banks Are Known as Issuers for a Very Simple Reason:





Banks Issue Cards


Banks Issue PINs  
The time has come for them to complete the process and

Issue Card Reader/PIN Entry Devices for Online Banking/Transactions
 


  • Costs less than the Useless Promotions Currently Conducted

  • Exorbitantly Cheaper than Losing 49% of Their Online Banking Customers

  • Significantly Cheaper than Hiring Attorneys  and Defending Against Lawsuits

  • Exponentially Cheaper than Losing these Lawsuits

  • Immensely Cheaper than the Costs of Ongoing fraud

  • Ridiculously Cheaper than Having Their Reputation Tarnished/Damaged

When a bank announces a requirement for their customers to access their online banking with the same security trusted by banks and consumers, the end result would be more than Image Enhancing and Customer Retention Driven;

it would also serve as a Customer Acquisition Magnet.







Customer Acquisition and Retention Top Priorities



Marketers’ top priorities for 2010 will be customer acquisition and retention, followed by thought leadership, according to a survey by virtual events provider Unisfair.

Six in 10 marketers polled said Acquiring (A) new customers would be critical in 2010, while 48% would focus on Retaining (R) current customers—a particularly important effort in the recession. (Editor's Note: Let's do the math: 60% say Acquiring new customers and 48% say Retaining current customers is critical. Total R&A: 108%! So I would think banks would want to give 110% of their marketing efforts when it comes to putting together an R&A plan.)




So, let's review: Online banking is now the channel preferred by consumers according to the ABA, but according to ACI Worldwide, 49% would blow that pop-stand if they or someone they knew were victims of fraud, yet according to eMarketer, 2010 is the year to focus on customer "R&A."




Now, for fun...let's see if we can combine all three of these variables and connect the dots to create a marketing plan for these banks. But first...there is one more important element in this equation.



Another Lawsuit...this one from the "consumer side."  It won't be the last one...



Court Allows Suit Against Bank Based on Poor Online Banking Log-In

The plaintiffs claim that by only requiring user names and passwords to authenticate customers at log in, Citizens failed to maintain state-of-the-art security standards. 



"At the beginning of this month, a US District Judge refused to grant summary judgement in favour of the financial institution, clearing the way for the court case to take place, stating in her judgement:



"In light of Citizens’ apparent delay in complying with FFIEC Security Standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access”
 