Thursday, September 24, 2009

Does Weak Online Banking Log-In Make the Bank Liable for Losses Incurred when Fraud Occurs?



I felt compelled to share this article from Kelly Jackson Higgins. As followers of this blog are aware, I believe it is a no-brainer that banks should utilize the HomeATM device to authenticate online banking sessions. Banks give away grills, toasters, space heaters, radios, DVD players, oscillators, $100 (the list goes on and on) to get customers to enroll in their more profitable online banking programs, and none of the aforementioned does anything to protect their customers. HomeATM's device would not only protect them, but as this article hypothesizes, might wind up protecting the banks.





It doesn't matter who wins or loses this case. What matters is that there IS a loser. The way banks do it now, the only winners are the bad guys...




Couple's Lawsuit Against Bank Over Breach To Move Forward

Case raises questions about banks' liability in breach of customers' online accounts




Sep 23, 2009 | 03:27 PM By Kelly Jackson Higgins

DarkReading



A U.S. District Court ruling in a lawsuit against a bank over a hacked online account has raised thorny questions about who's ultimately responsible for the breach of a customer's account.





An Illinois district court denied Citizens Financial Bank's request to dismiss a lawsuit that charges the bank was negligent in protecting a couple's bank account after their user name and password were stolen and used to pilfer $26,000 from their account.



The ruling lets the couple, Marsha and Michael Shames-Yeakel, continue with their lawsuit, mostly based on their allegations that the bank failed to properly secure their account.



The bank has held the couple responsible for the money that was stolen after an attacker used their online banking credentials to secure a loan on the account, first depositing it in the couple's business bank account, then wiring it to a bank in Hawaii, and then to a bank in Austria. By the time the couple reported the fraud to Citizens Financial, there was no way to retrieve the money from the Austrian bank, which refused to return it.



Experts are split over whether the couple has a chance of winning the case. But either way, the lawsuit has raised the thorny question of whether a bank should be held liable if a customer's account is breached.



In the court opinion (PDF) obtained by Wired, the couple maintains that Illinois-based Citizens Financial Bank "failed to guard access to Plaintiff's account with adequate security features at the time of the theft," with only a user name and password rather than a more secure multifactor authentication method. They argued the bank should have offered them token authentication.



The court document says the bank stood by its online banking disclaimer that exempts the bank from any liability: "We will have no liability to you for any unauthorized payment or transfer including wire transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice."



But whether the lawsuit holding the bank responsible for the couple's loss will stand up in court is unclear. John Pescatore, vice president and distinguished analyst at Gartner, says he doesn't expect the couple to win the case. "I don't see that this has much chance of succeeding. The real issue is the user's responsibility to protect their passwords, just as it is the car driver's responsibility to protect the car keys. If you leave the keys in the ignition and someone steals your car, suing the car manufacturer for negligence isn't going to work," Pescatore says.





And the argument that the bank should have offered two-factor authentication is moot, he says, because regulation from the Federal Financial Institutions Examination Council (FFIEC) only calls for "risk-based authentication" and doesn't specify it as two-factor authentication. (Editor's Note: That is strictly a legal defense, not a common-sense one)
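The article contrasts a password-only log-in (L51's "only a user name and password") with token authentication and the FFIEC's "risk-based authentication" without showing what either looks like in practice. The following is an added example, not code from the article, from HomeATM, or from any bank: it implements a generic one-time-code token (HOTP per RFC 4226, driven by the clock as in RFC 6238), not any particular vendor's device, and makes the risk-based decision that a balance inquiry needs only the password while a wire transfer, new loan or new payee also needs a fresh token code. The user name, password, salt and action names are constructed demo values; the token secret is the RFC 4226 Appendix D test secret.

```python
"""Added example: password plus one-time token, applied on a risk basis."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30  # TOTP time step (RFC 6238 default)
PBKDF2_ROUNDS = 100_000

# --- constructed demo account (assumptions, not data from the article) ---
DEMO_USER = "demo_customer"
DEMO_SALT = b"demo-salt-not-for-production"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", DEMO_SALT, PBKDF2_ROUNDS)
DEMO_TOKEN_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret

# Actions that move money or change who can receive it get the second factor.
HIGH_RISK_ACTIONS = {"wire_transfer", "new_loan", "add_payee"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def check_password(password: str, stored_hash: bytes, salt: bytes) -> bool:
    """Constant-time comparison of a salted, stretched password hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_hash)


def check_token(secret: bytes, code: str, unix_time: int,
                last_step: Optional[int], window: int = 1) -> Tuple[bool, Optional[int]]:
    """Accept a code from the current step or its neighbours (clock drift),
    but never from a step already consumed, so a captured code cannot be replayed.
    Returns (ok, step_consumed_or_previous)."""
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if last_step is not None and step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
            return True, step
    return False, last_step


def authorize(action: str, password: str, token_code: Optional[str], unix_time: int,
              last_step: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Risk-based decision for DEMO_USER: every action needs the password;
    high-risk actions also need a fresh token code. Returns (outcome, last_step)."""
    if not check_password(password, DEMO_PASSWORD_HASH, DEMO_SALT):
        return "denied: bad password", last_step
    if action not in HIGH_RISK_ACTIONS:
        return "allowed: password only", last_step
    if token_code is None:
        return "step-up required: token code needed", last_step
    ok, step = check_token(DEMO_TOKEN_SECRET, token_code, unix_time, last_step)
    if not ok:
        return "denied: bad or replayed token", last_step
    return "allowed: password + token", step


if __name__ == "__main__":
    now = 59  # fixed demo clock so the output is reproducible
    pw = "correct horse battery staple"
    print(authorize("view_balance", pw, None, now))
    print(authorize("wire_transfer", pw, None, now))            # step-up
    code = totp(DEMO_TOKEN_SECRET, now)                           # from the token
    outcome, used = authorize("wire_transfer", pw, code, now)
    print(outcome)
    print(authorize("wire_transfer", pw, code, now, used))        # replay fails
    print(authorize("wire_transfer", "stolen guess", code, now))  # password fails
```

The point the example makes is the one the lawsuit turns on: with only the stolen user name and password, the `wire_transfer` and `new_loan` paths stop at "step-up required", and even a code an attacker manages to capture is worthless once its time step has been consumed. The `last_step` value would live in the bank's session store; here the caller threads it through so the replay check is visible.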



Plus, consumers for the most part have resisted tokens and stronger authentication, while banks for the most part have avoided forcing the issue and "eaten" losses from account breaches, Pescatore says. (Editor's Note: Maybe back in 2006 they may have resisted, but I'd bet my bottom dollar that today it would be welcome) In fact, in a PIN Payments News Blog survey, almost 75 out of 100 people said they would "PREFER IT."

"It's not going to be simple to prove negligence of the bank," he says. "And if they [the attackers] got their banking passwords, they probably got a lot of [their] other passwords, too."



Bruce Schneier, meanwhile, argues that the customer should not be held responsible for this type of bank account breach. "The banks don't want to be liable," Schneier says. "But it makes no sense that the customer should be responsible for [banking] fraud... The only way to improve security is for the person with the ability to mitigate it [like a bank] to take responsibility for this. Even if it's the customer's fault, the bank should be liable."



Schneier, who also blogged about the case yesterday, says banks should have to follow the same type of rules as credit-card companies when it comes to customer losses from a breach.



The ruling, meanwhile, did grant the bank's motion for a summary judgment on other charges by the couple, including one that sued the bank for reporting the couple's account as delinquent and for leaving out information in its reports.



And a similar lawsuit was filed late last week by Sanford, Maine-based Patco Construction against Ocean Bank after the company's bank account there was pillaged by cybercriminals earlier this year for $588,000, according to a report by The Washington Post. The company alleges that the bank didn't do enough to protect its account.
