Court Allows Suit Against Bank Based on Poor Online Banking Log-In

I was working on a post I decided to entitle "Don't Say I Didn't Warn You" (upcoming) when this came across the wires.  The PIN Payments Blog will follow this case closely as the ruling will set a precedent, as all rulings do.  This could be a game-changing ruling when it comes to how banks provide authentication.  As I've stated for the past 18 months, Don't Type...Swipe!  This case could result in banks being subjected to the risk, as opposed to their customers which might provide more motivation for them to take the extra steps necessary to securely authenticate their online banking customers with a 2FA 3DES DUKPT E2EE PCI 2.x Certified approach.  





This was first reported by David Johnson's Digital Media Lawyer Blog which spoke a little about the the largest precedential impact. 

"The aspect of the case that may have the largest precedential impact was its decision on the plaintiffs' negligence cause of action. (Fn1) A major basis for their negligence claim was the theory that financial institutions have a common law duty to protect their members' or customers' confidential information against identity theft. While the Court could not find controlling State precedent on point (Indiana law applied), it noted that Indiana courts have held that a bank has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest. The Court then stated, "If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."

Editor's Note:  If Citizens loses this case..."citizens everywhere win".... as banks will be forced to increase the security of online banking.  There is no safer way to authenticate the user than to utilize the same trusted security banks use to dispense cash at ATM's.  HomeATM provides the only 2FA 3DES DUKPT E2EE PCI 2.x Certified Solution  in two hemispheres.  The average phishing attack is $352 and that hasn't yet got the banks moving.  Maybe the threat of losing $100k+ every time one of their online customers fall victim to fraud caused by weak authentication will motivate them to invest $12.00 or so, and protect themselves AND their customers.   We'll keep ya posted!





Finextra: Court allows suit against bank for poor online security

The plaintiffs claim that by only requiring user names and passwords to authenticate customers at log in, Citizens failed to maintain state-of-the-art security standards.  

A US couple who had thousands of dollars stolen from their online account have been given the go-ahead by a court to sue their bank for failing to provide adequate security.





In 2007 Marsha and Michael Shames-Yeakel fell victim to an ID thief who gained access to their Citizens Financial Bank online account and stole $26,500 from a home equity credit line.  The money was transferred, via a bank in Hawaii, to a financial institution in Austria. The Austrian bank refused to return the funds, prompting Citizens to inform the couple that they would be liable for the loss.



The Shames-Yeakel's refused to pay, leading the bank to report their account as delinquent to the national credit bureaus and threaten to foreclose on their residence. In response, the couple sued the bank on several grounds, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, in the northern district of Illinois.   They also accused the bank of negligence under state law for failing to adequately protect their online accounts.

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access." - US District Judge Rebecca Pallmeyer

The Judge also states: "If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."

Thursday, July 30, 2009

Is Logging In with Username/Password "Careless and Negligent?"

I had to bring you an excerpt from a story in today's AsiaOne Business entitled "Credit Card Stolen? Mind the Pitfalls."   I especially liked the quote from the bank that did not want to be named.  (enlarged below)

BANKS in Singapore are standing by their policy of holding customers responsible for transactions made on their lost or stolen cards if they do not report the missing card in time.  Consumers who cry foul may have no leg to stand on, as the policy is stated in the fine print on the contract they have signed.

A check with seven banks and two credit card companies has found that those who hold Singapore-issued cards are liable for any unauthorized transaction made before the loss is reported.



Some, like DBS Bank and Citibank, will at most review cases individually.



One bank that did not want to be named told The Straits Times it was unfair for banks to take the blame and shoulder the cost when cardholders themselves in most cases are careless or negligent. There may also be fraud involved.



So let me get this straight.   The consumer should take the blame because they are careless and negligent.  I wonder when banks will consider typing a "username and password" into a box on their online banking website "careless and negligent."  I wonder when banks will consider using a credit/debit card for an online purchase, by typing their card number into a box on a website "careless and negligent."  

Related articles by Zemanta

• Computerworld: Court allows suit against bank for lax security (boxofmeat.net)


•  


• Nothing Phishy About PCI 2.0 Certified "Card Present 2FA" (pindebit.blogspot.com)


• Torpig: "One of the Most Advanced Pieces of Crimeware ever Created".' (pindebit.blogspot.com)