The decision by the United States Court of Appeals for the 1st Circuit to overturn a lower court ruling that let a bank off the hook for losses incurred by a hacked customer has implications for both financial institutions (they need to do more) and their business customers (who typically lack legal protection from fraud that consumers enjoy).
While a lower court had granted Ocean Bank in Maine a summary judgment, saying it was not responsible for $345,000 that its customer Patco Construction lost in illegal bank transfers in 2009, the appeals court just reversed that judgment, saying the bank's security system was not "commercially reasonable," meaning Patco may indeed be able to go after the bank for some of the losses.
Time will tell what happens next, but the case is instructive. First, the details in a nutshell (you can read the whole decision here).
Patco made weekly electronic funds transfers from the bank for payroll, always from a static IP address from computers at the company's offices in Sanford, Maine. The highest payment was always less than $40,000.
The bank, according to court records, had a system that created a risk profile for each customer based on "the location from which a user logged in ... how often a user logged in ... and the size, type, and frequency of payment order normally issued." Transactions generating risk scores over 750, on a range of 0-1,000, were considered high risk.
Beginning in May 2009, a hacker, logging in from an unrecognized device, from a different IP address at a different location, supplied the proper credentials of a Patco employee, including ID, password and the answer to three challenge questions, and started routing Patco money to a number of new accounts. The first transaction was for $56,594 and subsequent transfers jumped up to $90,000 and more.
"The risk-scoring engine generated a risk score of 790 for the [first] transaction, a significant departure from Patco's usual risk scores, which generally ranged from 10 to 214." But the bank wasn't monitoring the risk-scoring reports, the court says, and Patco wasn't set up to receive email alerts, a lose-lose scenario.
That, combined with the fact that the bank had lowered the dollar threshold at which its system required challenge questions from $100,000 to $1 in order to catch low-value fraud, rendered the bank's system not commercially reasonable: the change meant the challenge answers were entered on virtually every transaction, vastly increasing the chances of malware capturing them before anti-malware tools could detect the intrusion. Traces of the Zeus worm were found on a Patco computer.
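To make the two findings concrete, here is a toy version of the profile-based scoring and the challenge-question policy the court describes. It is an added illustration, not the bank's engine or anything from the court record: the departure weights, the sample IP addresses and device names, the Friday payroll schedule and the `evaluate`/`challenge_prompts` helpers are all assumed. Only the 0-1,000 scale, the 750 high-risk cutoff, the $40,000 payroll ceiling, the $56,594 first transfer and the $100,000-to-$1 threshold change come from the opinion.

```python
"""Toy transaction risk scorer modelled on the engine described in Patco v. Ocean Bank.
Added example; weights, sample values and helper names are assumptions, not the bank's system."""
from dataclasses import dataclass

HIGH_RISK = 750   # opinion: scores over 750 on a 0-1,000 range were treated as high risk
SCALE = 1000


@dataclass(frozen=True)
class Profile:
    """Baseline built from a customer's normal behaviour (the bank's 'risk profile')."""
    known_ips: frozenset
    known_devices: frozenset
    max_amount: float      # largest payment the customer normally issues
    usual_weekday: int     # 0 = Monday ... 6 = Sunday


@dataclass(frozen=True)
class Transaction:
    ip: str
    device_id: str
    amount: float
    weekday: int
    new_beneficiary: bool


# Assumed weights for each departure from the profile; the real engine's are not public.
WEIGHTS = {
    "unknown_ip": 300,
    "unknown_device": 250,
    "amount_over_ceiling": 150,
    "off_schedule": 50,
    "new_beneficiary": 50,
}


def risk_factors(tx, profile):
    """Return the names of the profile departures a transaction exhibits."""
    factors = []
    if tx.ip not in profile.known_ips:
        factors.append("unknown_ip")
    if tx.device_id not in profile.known_devices:
        factors.append("unknown_device")
    if tx.amount > profile.max_amount:
        factors.append("amount_over_ceiling")
    if tx.weekday != profile.usual_weekday:
        factors.append("off_schedule")
    if tx.new_beneficiary:
        factors.append("new_beneficiary")
    return factors


def risk_score(tx, profile):
    """Sum the weights of every departure, capped at the top of the scale."""
    return min(SCALE, sum(WEIGHTS[f] for f in risk_factors(tx, profile)))


def evaluate(tx, profile, alert_sink=None):
    """Score a transaction and route a high-risk result to whoever is on duty.

    alert_sink is a queue the bank's monitoring staff drain (or an email hook
    to the customer). If nobody wired one up, the score is computed and then
    goes nowhere, which is the situation the court described.
    """
    s = risk_score(tx, profile)
    flagged = s > HIGH_RISK
    alerted = False
    if flagged and alert_sink is not None:
        alert_sink.append({"score": s, "amount": tx.amount, "factors": risk_factors(tx, profile)})
        alerted = True
    return {"score": s, "flagged": flagged, "alerted": alerted}


def challenge_prompts(amounts, threshold):
    """Count how many of these transactions make the user type the challenge answers.

    At a $1 threshold every transaction prompts for them, so a keylogger on the
    customer's PC gets to see the answers on the very first session it watches.
    """
    return sum(1 for a in amounts if a >= threshold)


# Constructed sample data, loosely following the figures in the opinion.
PATCO = Profile(known_ips=frozenset({"203.0.113.10"}),        # assumed office address
                known_devices=frozenset({"office-pc-1"}),     # assumed device id
                max_amount=40_000, usual_weekday=4)            # Friday payroll, under $40,000
PAYROLL = Transaction(ip="203.0.113.10", device_id="office-pc-1",
                      amount=38_500, weekday=4, new_beneficiary=False)
FRAUD = Transaction(ip="198.51.100.77", device_id="unknown-laptop",
                    amount=56_594, weekday=2, new_beneficiary=True)

if __name__ == "__main__":
    print("payroll:", evaluate(PAYROLL, PATCO))
    print("fraud, nobody watching:", evaluate(FRAUD, PATCO))
    queue = []
    print("fraud, monitored:", evaluate(FRAUD, PATCO, alert_sink=queue), queue)
    weekly = [38_500] * 52
    print("challenge prompts per year at $100,000:", challenge_prompts(weekly, 100_000))
    print("challenge prompts per year at $1:", challenge_prompts(weekly, 1))
```

The scorer itself separates the fraudulent transfer from normal payroll cleanly (the toy weights put it at 800, above the 750 line), but `evaluate` returns `flagged=True, alerted=False` unless someone supplied an alert sink, which is the process gap the court faulted. The `challenge_prompts` counts show the other half: with the threshold at $100,000 a customer paying under $40,000 a week never types the answers, and with it at $1 they type them 52 times a year.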
The key takeaways: For banks, having sophisticated systems in place doesn't do you any good if you don't make the associated process changes to capitalize on them; and for business customers, be aware that banks don't cover you for fraud, but cases like this might begin to give you some leverage.