SAN FRANCISCO -- When attackers break into a business' bank account and drain it of millions of dollars, can the business sue its bank and win reimbursement? Two U.S. courts decided such cases differently, ruling in favor of the business in one case and in favor of the bank in the other. According to a panel of two attorneys, a judge and a bank representative at RSA Conference 2012 this week, the two differing decisions reflect the current state of court rulings when businesses sue their banks for money lost from a hacked bank account.
Court finds multifactor authentication sufficient
In the case of Patco Construction Co. Inc. versus People's United Bank, hackers used the Zeus Trojan to capture the answers to Patco's bank account security challenge questions, then used that information to log in to Patco's account and transfer more than half a million dollars to the hackers' accounts in Eastern Europe. Patco sued People's United Bank, but the U.S. District Court in Maine ruled in favor of the bank. The court found the bank had exercised "commercially reasonable" security practices, noting the bank's use of two-factor authentication.
People's United Bank relied on a software-based device ID cookie -- a cookie the hackers had captured and used to carry out their attack. Patco argued the bank should have used a physical device rather than a software cookie, but this argument did not sway the court. "The court requires banks to present reasonable security, not the correct security," said Hoyt Kesterson, senior security architect for Scottsdale, Ariz.-based Terra Verde Services.
Court looks for good faith by the bank
In the case of Experi-Metal Inc. versus Comerica Bank, the U.S. District Court for the Eastern District of Michigan also looked for commercially reasonable security by the bank in determining whether the bank was responsible for the stolen funds. But the court went a step further and considered whether the bank had acted in good faith when processing transactions that transferred millions of dollars from Experi-Metal's account to a number of newly opened accounts in a single weekend. The court ruled the bank had not acted in good faith, and Experi-Metal was able to recover some of the lost funds from Comerica.
According to panelist John Facciola, U.S. Magistrate for the U.S. District Court for the District of Columbia, the definition of good faith in cases of this kind remains unclear and is a subjective judgment made by the court.
Advice for SMB security pros
With these two differing court decisions, how can security pros plan to protect their business' financial assets? The panelists in the RSA Conference session, entitled "Whose fault is it? I didn't realize it wasn't you," offered some advice for small- and medium-size businesses that may not have enough security resources to oversee every aspect of their bank's security processes.
Business owners are required to sign a contract with the bank when they open a commercial account, and according to Kesterson, this is the first opportunity for security pros to get involved in protecting their business. He advised security pros to add alerting requirements to the bank's standard contract.
"Set up a plan where the bank alerts you whenever it receives a request to process a transaction of a certain level or type," Kesterson said. "And don't depend upon text alerts, which may themselves be intercepted. Have the bank pick up the telephone and make contact with you, even though it delays the transaction."
David Navetta, founding partner of New York-based Info Law Group, concurred. He explained that banks are generally willing to accept such modifications to their standard contract because of the competitive nature of the banking industry.
Navetta also emphasized the importance of security education for employees, noting that the attack on Experi-Metal's account began with a phishing email. "Be aware of your own security, because that's where almost all of these cases start," Navetta said.
Ken Baylor, vice president of antifraud for Wells Fargo Bank, reminded fellow panelists that banks are doing their best to maintain account security, but they depend on the security products they deploy. "Small banks depend upon vendor claims as the basis for their contracts," Baylor said.
The two cases discussed by the panel were decided by their respective courts in 2011, and security pros and attorneys are now examining the cases as likely indicators of future court decisions.
Judge Facciola concluded the RSA panel session on a promising note for security teams. "The courts are coalescing around a distinctive viewpoint," Facciola said. "The trend may actually point in favor of liability of the banks."