A federal appellate court recently held that a bank is potentially liable to a customer for failing to catch fraudulent money transfers totaling over $500,000. (Patco Construction Company v. People's United Bank, 1st Cir., July 3, 2012, http://www.ca1.uscourts.gov/pdf.opinions/11-2031P-01A.pdf). The court held the bank's security measures were not "commercially reasonable," thereby exposing the bank to possible liability for the fraudulent transfers to be decided by the trial court.
The decision is significant as it demonstrates the importance of people to security, and that effective data security is not just about the technology. The security system used by the bank was impressive, offering the following options:
- UserID and Password*
- One-time-password (OTP) Tokens
- Out-of-band Authentication
- User selected image for recognizing the bank
- Customer Device Recognition by IP address and cookie*
- Transaction Risk Profiling*
- Challenge-Response based upon shared secrets*
- Dollar Amount threshold for invoking Challenge-Response*
- Access to intelligence from the eFraud Network including IP addresses of known hostile systems*
- Risk Scoring Reports

* Implemented by the bank
The court's decision reveals that the crux of the problem was not with the technology, but with the decisions made by the bank personnel:
1. The bank decided to trigger challenge questions for any transaction over $1. This decision increased the frequency with which a user was required to enter the answers to his or her challenge questions, and accordingly increased the likelihood that the authentication information could be stolen by hackers, for example through a keylogger or other malware.
2. When the system triggered warnings that fraud was likely occurring, the bank personnel neither monitored the transactions nor provided notice to customers before allowing the transaction to be completed.
3. Bank personnel did not monitor the risk-scoring reports.
4. The bank did not conduct any regular reviews of transactions that generated high risk scores.
5. Bank employees should have been aware of the increased risk of compromised security because, at the times in question, keylogging malware was a persistent problem throughout the financial industry.
6. Bank personnel should have understood that triggering the use of the same challenge questions for high-risk transactions as were used for ordinary...
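To make the court's points concrete, here is an added illustration (not the bank's system and not taken from the opinion) of a risk-based transfer policy: a $1 challenge threshold makes the customer type the shared-secret answers on nearly every routine payment, while a transfer that scores high on device recognition and hostile-IP intelligence should be held and the customer notified rather than allowed to complete. The scoring weights, the alternative $2,500 threshold, the IP addresses and the sample transactions are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the "known hostile systems" intelligence feed.
HOSTILE_IPS = {"203.0.113.7"}


@dataclass(frozen=True)
class Txn:
    amount: float
    ip: str
    ip_known: bool      # device recognition by IP address
    cookie_known: bool  # device recognition by cookie


def risk_score(t: Txn, hostile_ips=HOSTILE_IPS) -> int:
    """Illustrative 0-100 score; the weights are assumptions, not the bank's model."""
    score = 0
    if t.ip in hostile_ips:
        score += 60
    if not t.ip_known:
        score += 20
    if not t.cookie_known:
        score += 20
    if t.amount >= 10_000:
        score += 20
    return min(score, 100)


def decide(t: Txn, challenge_threshold: float, review_score: int = 70) -> str:
    """Return 'hold_and_notify', 'challenge' or 'allow' for one transaction."""
    if risk_score(t) >= review_score:
        # High-risk: hold for human review and notify the customer
        # instead of letting the transfer complete.
        return "hold_and_notify"
    if t.amount > challenge_threshold:
        return "challenge"  # customer must type the shared-secret answers
    return "allow"


def challenge_exposures(txns, challenge_threshold: float) -> int:
    """How often the shared-secret answers get typed (and so are visible to a keylogger)."""
    return sum(1 for t in txns if decide(t, challenge_threshold) == "challenge")


# Constructed sample: five routine payments from the customer's usual device...
NORMAL_TXNS = [Txn(a, "198.51.100.10", True, True) for a in (250, 1200, 5, 40, 3000)]
# ...and one transfer from an unrecognized device at a known-hostile address.
SUSPECT_TXN = Txn(4500, "203.0.113.7", False, False)

if __name__ == "__main__":
    print("exposures at $1 threshold:", challenge_exposures(NORMAL_TXNS, 1))        # 5
    print("exposures at $2500 threshold:", challenge_exposures(NORMAL_TXNS, 2500))  # 1
    print("suspect transfer:", decide(SUSPECT_TXN, 1))  # hold_and_notify
```

The first two calls show the exposure difference the court describes in point 1; the last shows the hold-and-notify step the bank skipped in point 2.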