Judge Sides With Bank In $500k Hacker Case

HardOCP News

This is a rather interesting case. A company had its account taken over by crooks through no fault of the bank. The crooks then drained $500k from the victim's account. Victim sues bank for not stopping the transfers.

At issue for PATCO is whether banks should be held responsible when commercial accounts, like PATCO's, are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage? "Obviously, the major issue is the banks are saying this is the depositors' problem," Patterson says, "but the folks that are losing money through ACH fraud don't have enough sophistication to stop this."
 
I think if a Bank is compromised it's entirely responsible. My bank won't let me do a wire transfer without a written confirmation and then they have a security call that calls me and asks random questions that only I would know. This is for my business account.
 
Sad. The judge said the Bank's security wasn't the "best" but that it met the standard of other similar banks, and therefore the Bank should not bear the responsibility.

I would have argued that the Bank was in the best position to bear the responsibility and loss, more so than a small family-owned construction company. I also would have argued that the bank could have prevented this by implementing technology that flags large electronic transfers coming from IP addresses not in the area. A lame example, but on point, is the coin lock feature in "Rift". If a game can do it...why can't a bank...
 
I always thought that as long as you notified the bank of the fraudulent transfer within 30 days it was all on them. I thought their security was pretty much irrelevant to this.
 
Oh, this is a bad BAD decision, and I hope it goes to the Supreme Court.

If we can't hold banks responsible for safeguarding our money, we are truly farked.

Time to get out the coffee cans and the shovels again like in the old days.
 
Sad. The judge said the Bank's security wasn't the "best" but that it met the standard of other similar banks, and therefore the Bank should not bear the responsibility.

I would have argued that the Bank was in the best position to bear the responsibility and loss, more so than a small family-owned construction company. I also would have argued that the bank could have prevented this by implementing technology that flags large electronic transfers coming from IP addresses not in the area. A lame example, but on point, is the coin lock feature in "Rift". If a game can do it...why can't a bank...

Perhaps we should have video game companies become our new banks.

In all seriousness, there have been so many security issues recently, it makes me think twice about doing any transactions online.
 
Makes me seriously consider withdrawing my millions from them since they are not liable.
 
Did anyone read the article? I have to side with the bank on this one, it isn't their fault, it's the dumb fuck customer.

This company got a virus on their computer that stole their bank user name and password. The person that had the account information then logged in and transferred $500,000 of their money. They are pissed that better security wasn't in place to let the bank know that wasn't really them logging in and wasn't really them transferring the money.

How is the bank at fault there? Their system wasn't hacked, they just processed a valid transfer being done by somebody that shouldn't have been logged into the account.
 
Did anyone read the article? I have to side with the bank on this one, it isn't their fault, it's the dumb fuck customer.

This company got a virus on their computer that stole their bank user name and password. The person that had the account information then logged in and transferred $500,000 of their money. They are pissed that better security wasn't in place to let the bank know that wasn't really them logging in and wasn't really them transferring the money.

How is the bank at fault there? Their system wasn't hacked, they just processed a valid transfer being done by somebody that shouldn't have been logged into the account.

That's a common technology to prevent this called 'coinlocking'. My bank's website (Royal Bank of Canada) uses this. When I log in from my home, after providing my username and password, it goes 'ohh that IP', go ahead Sir and voila, I'm in.

When I log in from overseas, while on business trips or elsewhere, it stops and looks at the IP address, goes '...Manila? Why would Mr. ____ of ____, Canada be logging in from Manila?' and then proceeds to ask me additional identification questions (i.e. secret questions, etc.).

If this bank used the same technology, $500k of this customer's money would not have been lost as the hacker's IP address would have likely been outside the customer's usual IP range.

Secondly, as already pointed out in the thread, a lot of banks require written confirmation when doing large wire transfers + an employee from bank security will call you and verify it's you over the phone via some questions before doing the wire transfer.

That's the 'standard' that most banks do. This bank's security "wasn't really the best", i.e. no verification or coinlocking on large transfers, but they did have a username/password. So the bank did well enough to protect the customer's money? Most of the people in the thread are disagreeing that the bank's security is below standard and not 'up to the standards of similar banks' as the judge put it.

It's almost akin to the websites that send you your password as 'plain text' in emails versus an encrypted password/hash code. The industry standard agreed on by security experts is that passwords should be hashed. Tons of websites though send plain text passwords in emails all the time, which is very unsafe. Should they be held responsible should something go wrong? If this judge was deciding, negligence is ok as long as there's other people being negligent too (up to the standard of similar websites)...
 
^ This

I'm the first critic of people doing stupid things like downloading a trojan from an e-mail. However, while I feel the employee may have been an idiot, it could have been prevented very easily if the bank had implemented "better" security.
 
Did your banks have that technology a few years ago? My bank does that also, where it asks me when I log in from another computer to verify who I am, but back in 2009 when this happened to that company that wasn't normal practice then. You have to look at cases based on what was the standard then, not now.
 
Did anyone read the article? I have to side with the bank on this one, it isn't their fault, it's the dumb fuck customer.

This company got a virus on their computer that stole their bank user name and password. The person that had the account information then logged in and transferred $500,000 of their money. They are pissed that better security wasn't in place to let the bank know that wasn't really them logging in and wasn't really them transferring the money.

How is the bank at fault there? Their system wasn't hacked, they just processed a valid transfer being done by somebody that shouldn't have been logged into the account.

I'm going to have to agree with you.

But since PATCO agreed to the bank's security methods when it signed the contract, the court suggests then that PATCO considered the bank's methods to be reasonable, Navetta says. The law also does not require banks to implement the "best" security measures when it comes to protecting commercial accounts, he adds.

It's not the bank's fault that "the customer" logged in and processed some transactions.
 
Do not create predictable credentials.
Do not store credentials digitally unencrypted.
Do not reuse credentials.

Magically, most of your online fraud problems will be resolved.
 
While the bank could have prevented it, I don't think they are liable. Not their fault someone else used a customer's password/username. I guess we are in the age of placing blame on everybody else but ourselves.
 
While the bank could have prevented it, I don't think they are liable. Not their fault someone else used a customer's password/username. I guess we are in the age of placing blame on everybody else but ourselves.

There should be additional verifications for amounts that large. A simple phone call to verify the transfer is all that's needed. I can't even move 30K without going through additional verification, and that goes for my personal and business accounts.
 
His computer was taken over with some type of data gathering trojan/malware. People need to take responsibility for their own problems.

If you choose to use online business banking with a bank that offers limited fraud protection beyond that of a simple user authentication, then if your login credentials are compromised, there will be problems. The same applies if you choose to do business with Sony and you're reusing passwords, then there will also be more problems.

Some of the better banks offer their business customers two-factor authentication with something such as the RSA SecurID tokens. Some banks will even offer a 100% fraud insurance for their online banking.
 
We lack 2-factor auth for banks here in America ... this just isn't possible in other parts of the world.
 
When I log in from overseas, while on business trips or elsewhere, it stops and looks at the IP address, goes '...Manila? Why would Mr. ____ of ____, Canada be logging in from Manila?' and then proceeds to ask me additional identification questions (i.e. secret questions, etc.).

My RBC account asks me the same damn questions each time I've been given a new IP, go to a new place, or just every so often, randomly.

It's safe to assume a keylogger could be active for *weeks* and get the answers to just about any security question.
 
My bank says this directly under the login boxes:

You will receive 100% reimbursement in the unlikely event account losses occur resulting from unauthorized activity.
 
I think if a Bank is compromised it's entirely responsible. My bank won't let me do a wire transfer without a written confirmation and then they have a security call that calls me and asks random questions that only I would know. This is for my business account.

It's not clear in reading the article that the bank was compromised. If you read the article it seems to be that some dumbass at PATCO got keylogged through malware and got his company's account drained as a result.

If the bank was hacked, they would have drained more than one account. This was very likely a situation where the law made the right decision and the reporting was inadequate or trying to incite opposition.
 
My RBC account asks me the same damn questions each time I've been given a new IP, go to a new place, or just every so often, randomly.

It's safe to assume a keylogger could be active for *weeks* and get the answers to just about any security question.

True, there is that potential. How often do you have your IP address change? Mine changes only about once every six months to a year. It would take them ages to find the information to all my secret questions. Even then, I'd still have the phone call I get from a 'security' or whatever branch employee at my bank calling my registered phone number on file to verify the transaction. AKA an offline backup system/failsafe.

Now if you're going to say the hackers are going to keylog my computer for a few years and then install a local switch in my phone line so they can pick up incoming calls from my bank and impersonate me... Yes, I'd agree the bank is not at fault. By not having the backup/failsafe system though, it seems like this bank went through the absolute minimum and doesn't even bother to verify 'relatively large' amounts of money transfers with the account owner.
 
It's not clear in reading the article that the bank was compromised. If you read the article it seems to be that some dumbass at PATCO got keylogged through malware and got his company's account drained as a result.

If the bank was hacked, they would have drained more than one account. This was very likely a situation where the law made the right decision and the reporting was inadequate or trying to incite opposition.

It's not about the bank being hacked or not. It's that most banks have a backup system, which is what the original poster you quoted was trying to get to. If the OP's computer was hacked and his passwords/usernames stolen, it would be rather useless to you. You could go onto his bank's website and do the same $500k wire transfer and his bank BEFORE doing the transfer would make a 2 minute phone call to the OP's phone number saying:

'Hey, can I verify your ___ ____ and __ personal info and your secret question? Great. Now did you mean to authorize this $500k transaction to the Cayman Islands? No? I didn't think so. Let me help you go through the process of changing your password. Your account info has been compromised.'

Boom, customer with a 2 minute phone call has been saved $500k. However, that same bank could save $6,000.00 a year by not paying some high school graduate to make a phone call a few times a day and cutting 5 hours a week of his work time. Bank saves $6,000.00 a year. Customers lose $500k+ in fraudulent wire transfers. Sounded like a good deal to the bank in the article. Not so much to the OP's bank you replied to.

Banks should be doing both coinlocking and direct phone verification. At least for amounts of $100k or greater. Honestly, it only takes 3 minutes of time and I'm sure there are some employees who spend a small bit of their time 'idle' who could make these calls, such as bank tellers during the off-hours/slow periods.
 
This whole thing sort of reminds me of shitty BofA.

I go to the SuperFresh I go to well ALL THE TIME for the last almost 5 years and spend around $150 on food which is what I normally spend. Then go to the same Royal Farms I go to damn near EVERY MORNING before work 5 min later and spend around $70 (gas and smokes). Bank locks card. Thank god I had another.

Few weeks later I write a check for $54k (new car using a PERSONAL check FRI) and $10k (loan to friend on a PERSONAL check SUN). Both clear on the same day (MON) with no issue.

Banks and their security make zero sense.
 
Keep in mind bank liability is very different for commercial customers. A commercial enterprise is supposed to have more sophistication than the average consumer.

And all that regulators require of a bank is "commercially reasonable" security precautions. As long as they can make the case that their setup is indeed "commercially reasonable" then they should be safe from liability in the event the breach came from the customer's end, which it appears Ocean Bank has done.

That being said, the regulators are expected to release much more stringent "regulations" around online security, customer authentication, etc, fairly soon. After a reasonable implementation period, if banks don't meet the more stringent requirements the liability will fall on them.
 
My bank says this directly under the login boxes:

Some do that, some won't. All depends on that bank, also depends on the time. As I pointed out a few posts above, this didn't happen 2 weeks ago or 2 days ago, it was 2 years ago that this person lost this money.

It's not clear in reading the article that the bank was compromised. If you read the article it seems to be that some dumbass at PATCO got keylogged through malware and got his company's account drained as a result.

If the bank was hacked, they would have drained more than one account. This was very likely a situation where the law made the right decision and the reporting was inadequate or trying to incite opposition.

No, the article was very clear about it. The bank wasn't hacked, everything happened on the customer end; as you said, they got malware on their computer which logged all their bank information.

True, there is that potential. How often do you have your IP address change? Mine changes only about once every six months to a year. It would take them ages to find the information to all my secret questions. Even then, I'd still have the phone call I get from a 'security' or whatever branch employee at my bank calling my registered phone number on file to verify the transaction. AKA an offline backup system/failsafe.

Now if you're going to say the hackers are going to keylog my computer for a few years and then install a local switch in my phone line so they can pick up incoming calls from my bank and impersonate me... Yes, I'd agree the bank is not at fault. By not having the backup/failsafe system though, it seems like this bank went through the absolute minimum and doesn't even bother to verify 'relatively large' amounts of money transfers with the account owner.

My IP changes every time my DSL modem resyncs. That said, what does it matter if the bank only did the minimum? Yes, they could have had some more stuff in place to make things safer. They could hire a staff of people to call and verify every single debit card swipe, every single check processed, every electronic transfer... They could make you come in, give a blood sample, hair sample, finger print every time you try to put money in or take it out of your account. If somebody has a keylogger on your computer, they could see what your IP is, and then spoof that to make them think it is your current IP.

Like the judge said, this company knew what security was in place or not in place and they were happy with that when they signed the contracts. If you don't like how insecure your bank is, then change banks. As long as they are meeting minimum requirements though, you can't punish them for it.

It really sucks that this happened to them, and it sucks that nothing was in place to fully protect them. But you get to choose your banks, so you can find and select one that will offer you the best coverage and protection for stuff like this.

It's not about the bank being hacked or not. It's that most banks have a backup system, which is what the original poster you quoted was trying to get to. If the OP's computer was hacked and his passwords/usernames stolen, it would be rather useless to you. You could go onto his bank's website and do the same $500k wire transfer and his bank BEFORE doing the transfer would make a 2 minute phone call to the OP's phone number saying:

'Hey, can I verify your ___ ____ and __ personal info and your secret question? Great. Now did you mean to authorize this $500k transaction to the Cayman Islands? No? I didn't think so. Let me help you go through the process of changing your password. Your account info has been compromised.'

Boom, customer with a 2 minute phone call has been saved $500k. However, that same bank could save $6,000.00 a year by not paying some high school graduate to make a phone call a few times a day and cutting 5 hours a week of his work time. Bank saves $6,000.00 a year. Customers lose $500k+ in fraudulent wire transfers. Sounded like a good deal to the bank in the article. Not so much to the OP's bank you replied to.

Banks should be doing both coinlocking and direct phone verification. At least for amounts of $100k or greater. Honestly, it only takes 3 minutes of time and I'm sure there are some employees who spend a small bit of their time 'idle' who could make these calls, such as bank tellers during the off-hours/slow periods.

Have bank tellers call people when they are not on the clock? Yeah, they will like that. Point isn't what they can or can't do, or should or shouldn't do. It is what their requirement by law is to do, what they are forced to be responsible for. If banks aren't required by law to do that and they can choose to do that or not, then guess what, you find the bank that has the best security and let the ones that won't do that go away.

One thing to keep in mind is that the bank did give this company back about half the money they lost, so it isn't like they said fuck you, have a nice day. They did do something to make up for it some, they just didn't give them back all the money, which is what this company is now pissed about. But if the bank never agreed to protect them 100% for fraud, and the law doesn't state that they have to, then there is nothing wrong on their end. Yes, they could have done more, yes, they should do more, but if they don't then people can go to another bank.
 
We lack 2-factor auth for banks here in America ... this just isn't possible in other parts of the world.
2-factor auth. is not the panacea. Look at the flak EMC has taken b/c of their compromised SecurID tokens (which they've since addressed).
 
It's not about the bank being hacked or not. It's that most banks have a backup system, which is what the original poster you quoted was trying to get to. If the OP's computer was hacked and his passwords/usernames stolen, it would be rather useless to you. You could go onto his bank's website and do the same $500k wire transfer and his bank BEFORE doing the transfer would make a 2 minute phone call to the OP's phone number saying:

'Hey, can I verify your ___ ____ and __ personal info and your secret question? Great. Now did you mean to authorize this $500k transaction to the Cayman Islands? No? I didn't think so. Let me help you go through the process of changing your password. Your account info has been compromised.'

Boom, customer with a 2 minute phone call has been saved $500k. However, that same bank could save $6,000.00 a year by not paying some high school graduate to make a phone call a few times a day and cutting 5 hours a week of his work time. Bank saves $6,000.00 a year. Customers lose $500k+ in fraudulent wire transfers. Sounded like a good deal to the bank in the article. Not so much to the OP's bank you replied to.

Banks should be doing both coinlocking and direct phone verification. At least for amounts of $100k or greater. Honestly, it only takes 3 minutes of time and I'm sure there are some employees who spend a small bit of their time 'idle' who could make these calls, such as bank tellers during the off-hours/slow periods.

Except that it wasn't a $500K transfer, it was several transfers amounting to $500K ...

More than $500,000 in fraudulent ACH transactions from PATCO's account was approved for transactions by the bank.

I know our shop makes hundreds of transactions in a week, and all three of our businesses can spend over a million in a month. Rolling in a bunch of bogus transfers in random amounts probably wouldn't even be noticed if the company did lots of business with a bunch of different vendors, until they realized the money was missing. It would be a real pain in the ass for the bank to call us every time they did a payment.
 
This whole thing sort of reminds me of shitty BofA.

I go to the SuperFresh I go to well ALL THE TIME for the last almost 5 years and spend around $150 on food which is what I normally spend. Then go to the same Royal Farms I go to damn near EVERY MORNING before work 5 min later and spend around $70 (gas and smokes). Bank locks card. Thank god I had another.

Few weeks later I write a check for $54k (new car using a PERSONAL check FRI) and $10k (loan to friend on a PERSONAL check SUN). Both clear on the same day (MON) with no issue.

Banks and their security make zero sense.

You can call BofA and have them stop triggering alerts for gas purchases. Sad but true, the #1 place people go when they have a stolen card is the gas pump.
 
1. This is not a *consumer* vs bank issue. This is a business vs bank issue. The coverage and guarantees are completely different. Yes, as an individual you can have fraudulent charges guaranteed back to you. Business does not enjoy this same benefit.

2. The bank wasn't hacked or attacked. It just did its business as asked by the user.

3. The business had a system infected with malware that was used to normally log into the banking site. A pretty classic case of a keylogger in action.

4. The real issue is centered around whether the bank has "good enough" security. In particular, whether the bank truly has 2-factor authentication (i.e. some combination of 2 of the following: password, biometric, key/token). If it does not have 2-factor, it's typically not considered "good enough."

Just layin' it out for some people. :)
 
2-factor auth. is not the panacea. Look at the flak EMC has taken b/c of their compromised SecurID tokens (which they've since addressed).

Unfortunately, they haven't addressed it. But the threat to most businesses using SecurID tokens is still not *that* high. For high value targets (i.e. defense contractors), the risk is significant, for various reasons.

Remote, 2-factor auth isn't all that bad, especially considering what other alternatives there may be, in relation to the improvement, cost, false positive/negative rates, etc.
 
'Hey, can I verify your ___ ____ and __ personal info and your secret question? Great. Now did you mean to authorize this $500k transaction to the Cayman Islands? No? I didn't think so. Let me help you go through the process of changing your password. Your account info has been compromised.'

It didn't say there was one $500k transaction. It easily could have been 50 $10k transactions. Businesses make $10k ACH transfers all the time.
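The controls this thread keeps coming back to, as an added example that is not code from the original thread or from any bank named in it: an unfamiliar-IP check (the 'coinlocking' described above), a callback threshold for a single large transfer, and a rolling 24-hour aggregate so that fifty $10k ACH debits are treated like one $500k transfer. Thresholds, account names, IP ranges and the sample transfers are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy values, not taken from any real bank.
SINGLE_TRANSFER_CALLBACK_THRESHOLD = 100_000   # phone callback at/above this
DAILY_AGGREGATE_THRESHOLD = 100_000            # attempted volume in the window
AGGREGATE_WINDOW = timedelta(hours=24)


@dataclass
class Transfer:
    account: str
    amount: int          # whole dollars
    src_ip: str
    when: datetime


@dataclass
class Decision:
    action: str          # "allow", "challenge" (secret questions) or "callback"
    reasons: list = field(default_factory=list)


class TransferRiskEngine:
    """Step-up decisions for outbound transfers on a commercial account."""

    def __init__(self, known_networks):
        # account -> networks the customer has previously logged in from
        self.known = {acct: [ip_network(n) for n in nets]
                      for acct, nets in known_networks.items()}
        self.history = defaultdict(list)   # account -> [(when, amount)]

    def _ip_is_familiar(self, account, src_ip):
        addr = ip_address(src_ip)
        return any(addr in net for net in self.known.get(account, []))

    def _rolling_total(self, account, now):
        cutoff = now - AGGREGATE_WINDOW
        return sum(amt for t, amt in self.history[account] if t > cutoff)

    def evaluate(self, tr: Transfer) -> Decision:
        unfamiliar = not self._ip_is_familiar(tr.account, tr.src_ip)
        large = tr.amount >= SINGLE_TRANSFER_CALLBACK_THRESHOLD
        total = self._rolling_total(tr.account, tr.when) + tr.amount
        aggregate = total >= DAILY_AGGREGATE_THRESHOLD
        # Record every attempt so structuring into many small transfers
        # still accumulates against the aggregate rule.
        self.history[tr.account].append((tr.when, tr.amount))

        reasons = []
        if unfamiliar:
            reasons.append("source IP not seen before for this account")
        if large:
            reasons.append("single transfer at/over callback threshold")
        if aggregate:
            reasons.append(f"24h attempted total {total} at/over threshold")

        if large or aggregate:
            return Decision("callback", reasons)   # verify by phone first
        if unfamiliar:
            return Decision("challenge", reasons)  # extra identity questions
        return Decision("allow", reasons)


def demo():
    """One routine payment, then twelve $10k debits from an unknown address."""
    engine = TransferRiskEngine({"example-customer": ["203.0.113.0/24"]})
    base = datetime(2009, 5, 7, 9, 0)
    actions = [engine.evaluate(
        Transfer("example-customer", 8_500, "203.0.113.25", base)).action]
    for i in range(12):
        tr = Transfer("example-customer", 10_000, "198.51.100.7",
                      base + timedelta(minutes=5 * i))
        actions.append(engine.evaluate(tr).action)
    return actions


if __name__ == "__main__":
    for i, a in enumerate(demo()):
        print(i, a)
```

The first payment is allowed, the unfamiliar-IP debits get the secret-question challenge, and once the attempted 24-hour total crosses $100k the engine escalates to a phone callback even though each individual transfer is small.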
 
Unfortunately, they haven't addressed it. But the threat to most businesses using SecurID tokens is still not *that* high. For high value targets (i.e. defense contractors), the risk is significant, for various reasons.

Remote, 2-factor auth isn't all that bad, especially considering what other alternatives there may be, in relation to the improvement, cost, false positive/negative rates, etc.
What do you mean EMC didn't address it? My company, which uses SecurID, got a new batch of replacement SecurID tokens. I don't see why they would've done that if the vulnerability still exists.
 
If this bank used the same technology, $500k of this customer's money would not have been lost as the hacker's IP address would have likely been outside the customer's usual IP range.

Secondly, as already pointed out in the thread, a lot of banks require written confirmation when doing large wire transfers + an employee from bank security will call you and verify it's you over the phone via some questions before doing the wire transfer.

Yeah, no shit this^^^. Using BofA's system it has the same mechanics. For my own company, where I used to send 500k+ every other week, it went through multiple security layers to be able to send the wire. I used to have to generate a file for each computer I wanted to use my corporate account's wire transfer feature on, and then if the IPs didn't fall within a certain range as expected, it automatically asked for another layer of security questions. I think this was another case of a judge who doesn't know enough making a ruling on a technology (not a banking issue imo) case.
 
Should teach the fucker to stop being a lazy arse and get in his car or the bus or jump on a bicycle and go stand in a bank queue or use an ATM. Security products are always behind the exploits. If you're working with your hard earned cash, keep your personal shit off the Internet.
 
True, there is that potential. How often do you have your IP address change? Mine changes only about once every six months to a year. It would take them ages to find the information to all my secret questions. Even then, I'd still have the phone call I get from a 'security' or whatever branch employee at my bank calling my registered phone number on file to verify the transaction. AKA an offline backup system/failsafe.

Now if you're going to say the hackers are going to keylog my computer for a few years and then install a local switch in my phone line so they can pick up incoming calls from my bank and impersonate me... Yes, I'd agree the bank is not at fault. By not having the backup/failsafe system though, it seems like this bank went through the absolute minimum and doesn't even bother to verify 'relatively large' amounts of money transfers with the account owner.

Actually they hit the bank's webpage with XSS exploits with a hidden link. Everyone that clicks on it, an XXX amount of money is transferred to the hacker's account. So it's you and your IP transferring money to another guy's account without you knowing it. To the bank it looks like you're doing a normal transfer until the vulnerability gets discovered.
 