Wednesday, July 11, 2012

Decision on Appeal of Patco v. Ocean Bank

On July 3, 2012 the United States Court of Appeals for the First Circuit issued its decision in the appeal of PATCO CONSTRUCTION COMPANY, INC., Plaintiff, Appellant (the customer) v. PEOPLE'S UNITED BANK, d/b/a Ocean Bank, Defendant, Appellee (the bank).  The decision reversed material findings of the lower court and remanded the case to that court for further proceedings.

Specifically, the appeals court reversed the summary judgment granted to Ocean Bank.  It found that the judgment rested on a finding that the security offered by Ocean Bank was "commercially reasonable," a finding which the appeals court rejected.

This is an important decision.  It brings this case into agreement with the decision in Experi-Metal v. Comerica, a case based upon similar facts and law, in which the court held for the plaintiff.  It reduces the probability that the Supreme Court would grant certiorari for a further appeal.  It upholds the provisions of Article 4A of the Uniform Commercial Code (UCC), which govern the rights, duties, and liabilities of banks in commercial wire transfers.  The default under Article 4A is that if a transaction is "not authorized," the bank bears the loss.  This is also consistent with the bank's common-law responsibility to ensure that transactions are authorized.

When I read that this verdict had been reversed, I went back to my blog to review what I had written on the case.  Most of what I wrote stands up pretty well after a year and in light of the verdict on appeal.  The exception was my expressed hope that the case would NOT be appealed.  I was concerned that the appeals court might accept as fact the finding of the lower court that the security procedures were "commercially reasonable" and thereby establish a bad precedent.  Mark Patterson, co-owner of PATCO, thought better of it, did appeal, and was vindicated.  Fortunately for all, the appeals court revisited that question as a matter of law.

Patterson struck a powerful blow for small and mid-size businesses in their asymmetric relationship with their banks.  He says, "It is great news for victims out there who are going after banks that have not been keeping their customers' money secure, (It's) a wake up call."  Kudos to Patterson.

I continue to be impressed with the ability of the courts to sort out these very complicated issues.  This decision is informative, instructive, and easy to read.  Even if one were to dispute it, the decision sets forth a clear record of both facts and law for our consideration, discussion, and enlightenment.  I commend it to all bankers, small to medium businesses and municipalities, information assurance professionals, and those engaged in computer forensics.  One need not be a lawyer or a security professional to appreciate it.  

The facts, documented in and relied upon by the decision, describe the security options available to Ocean Bank in NetTeller, the e-banking application software from Jack Henry & Associates.   These include:
  • UserID and Password
  • One-time-password (OTP) Tokens*
  • Out-of-band Authentication*
  • User selected image for recognizing the bank*
  • Customer Device Recognition by IP address and cookie*
  • Transaction Risk Profiling
  • Challenge-Response based upon shared secrets
  • Dollar Amount threshold for invoking Challenge-Response**
  • Access to intelligence from the eFraud Network including IP addresses of known hostile systems
  • Risk Scoring Reports
Some of these features and implementations are licensed from the security firm RSA/Cyota.

Ocean Bank implemented more than half of these features, but the problem lay with those it chose not to implement.  First, it did not implement the user-selected image, a shared secret intended to help the customer distinguish the bank's genuine site from a spoof of it before exposing his credentials.  This feature is now widely enough deployed that spoofed bank sites are no longer the attackers' preferred approach.

More seriously, the bank also failed to implement the measures most effective against the attack that criminals do favor, credential replay: out-of-band or one-time-password authentication, and transaction risk scoring and monitoring.

One feature the bank actively misused.  The court accepted the testimony of an expert witness that, by lowering the dollar threshold for invoking challenge-response from transactions above $1,000 to all transactions above $1, the bank caused the challenge answers to be typed, and therefore exposed to any key-logger on the customer's machine, on nearly every transaction.  This increased the probability that the answers would be captured and thereby weakened, rather than strengthened, the system.
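To make that point concrete, here is an added illustration (written for this post, not code from the decision, from NetTeller or from RSA) of why a lower challenge threshold weakens a shared-secret scheme once a key-logger is present.  It assumes, for the sake of the example, that the customer enrolled three challenge questions, that one of them is chosen uniformly at random for each challenged transaction, and that the key-logger records every challenge the customer answers; the month of payment amounts is constructed.  The number of questions, the selection rule and the amounts are assumptions, not facts from the record.

```python
from math import comb

# Constructed sample: one month of a small business's outgoing payments, in dollars.
SAMPLE_MONTH = [
    45.00, 120.50, 9.99, 2500.00, 310.00, 75.25, 1800.00, 60.00, 430.00, 15.00,
    12000.00, 88.00, 205.00, 3.50, 950.00, 640.00, 1200.00, 27.00, 380.00, 66.00,
]

# Assumption for the example: the customer enrolled three challenge questions.
QUESTIONS = 3


def challenged(amounts, threshold):
    """Number of transactions that trigger a challenge question under a dollar threshold."""
    return sum(1 for a in amounts if a > threshold)


def p_all_captured(k, n):
    """Probability that n challenges, each drawing one of k questions uniformly at
    random, expose all k question/answer pairs to a key-logger on the customer's
    machine.  Inclusion-exclusion over the questions never asked (the coupon-collector
    form): sum_j (-1)^j C(k,j) ((k-j)/k)^n."""
    if n < k:
        return 0.0
    return sum((-1) ** j * comb(k, j) * ((k - j) / k) ** n for j in range(k + 1))


def exposure(amounts, threshold, k=QUESTIONS):
    """How many challenges a key-logger sees in the month under this threshold, and
    the probability it has captured every answer by month end."""
    n = challenged(amounts, threshold)
    return n, p_all_captured(k, n)


if __name__ == "__main__":
    for threshold in (1000, 1):
        n, p = exposure(SAMPLE_MONTH, threshold)
        print(f"threshold ${threshold:>5}: {n:2d} challenges seen, "
              f"P(all {QUESTIONS} answers captured) = {p:.3f}")
```

On this constructed month the $1,000 threshold lets the key-logger see four challenges, with roughly a 44% chance of holding all three answers; the $1 threshold lets it see all twenty, with better than 99%.  The bank's change turned a rarely exercised secret into one typed almost daily, which is exactly the expert's point.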

After Patco became a customer, Ocean Bank offered out-of-band (e-mail) alerts of all account activity on an opt-in basis (under Preferences, Alerts).  Patco claims that it was unaware of the offer and did not opt in.  I would argue that out-of-band alerts and confirmations are so efficient that they should be on by default.

Other facts not in dispute include that Patco hired an "IT consultant" who ran a "malware scan" against the machine in question.  The scanner, which was intended for remediation rather than forensics, altered the machine and destroyed some evidence.  I hope that none of my audience would have made such gross errors as hiring someone unqualified to do forensic work or failing to preserve evidence.

The court accepted expert testimony that "at the time in question keylogger malware was a persistent problem throughout the financial industry."  Therefore, the risk that the userID, password, and challenge responses would all be simultaneously captured was foreseeable.  

As a result of this decision, we now know some things with confidence approaching certainty that were in question after the original decision.  These include:

In electronic wire transfers, the risk of unauthorized transactions lies primarily with the bank, not the customer.  The burden of proof is on the bank, not the customer.

The UCC requirement that security be "commercially reasonable" trumps the Federal Financial Institutions Examination Council (FFIEC) Authentication Guidance.  Literal compliance with the Guidance may not be "commercially reasonable."

"Commercially reasonable" is a higher threshold than previously thought; higher than the banks have pretended.  

The court heard testimony on the pervasiveness of key-loggers and concluded that the risk of credential replay is "foreseeable."  Therefore, by default, "strong authentication" that resists such replay is indicated.

However, such authentication is not enough.  In determining whether or not a transaction is "authorized," and again by default, banks must look beyond the credentials accompanying it to whether the transaction is reasonable for the customer in question. 

Some things are still in doubt, and some questions still open.  For example, 

We think we know that there was a key-logger on the Patco machine.  However, because Patco's agent corrupted the machine, we will never know to a certainty. 

The record is not clear as to whether "alerts" were offered or accepted.

Finally and most importantly, we still do not know what obligations, if any, Patco had if the security offered by the bank was "commercially unreasonable."  Under Article 4A there is an alternative to "commercially reasonable" security as a means for the bank to shift some or all of the liability to the customer: authorization by means of an agreed-upon security procedure.  Only the first was actually litigated in Patco v. Ocean Bank.  The second was not reached or considered by the lower court.  On remand, this question may arise.  Patco and the bank differ as to whether there was such an agreement, what it called for, and whether or not Patco met its responsibilities under it.

The advice that we as information assurance and forensic professionals give our principals must reflect this decision.  

This is not "rocket science."  NetTeller and other commercial-off-the-shelf (COTS) software offer both strong authentication options and software for scoring the risk of a transaction.  
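As an added example of what the previous point and the "look beyond the credentials" point above call for, the following is illustrative code written for this post, not NetTeller's, RSA's or any bank's actual scoring logic.  It scores a requested wire against the customer's own history rather than trusting the credentials that accompany it.  The history, payee names, IP addresses (taken from the documentation ranges), rule weights and decision thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Wire:
    """One outgoing wire transfer request (constructed example data)."""
    day: int        # day number within the month
    amount: float   # dollars
    payee: str      # beneficiary name
    src_ip: str     # client IP address of the banking session


def baseline(history):
    """Summarise what is 'normal' for this customer from its past wires."""
    amounts = [w.amount for w in history]
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "max": max(amounts),
        "payees": {w.payee for w in history},
        "ips": {w.src_ip for w in history},
    }


def risk_score(wire, history):
    """Return (score, reasons) for a new wire measured against the customer's
    baseline.  Every rule and weight here is an assumption chosen for illustration."""
    b = baseline(history)
    score, reasons = 0, []
    if wire.amount > b["max"]:
        score += 3
        reasons.append("amount exceeds this customer's historical maximum")
    elif b["stdev"] and wire.amount > b["mean"] + 2 * b["stdev"]:
        score += 2
        reasons.append("amount is more than two standard deviations above the mean")
    if wire.payee not in b["payees"]:
        score += 2
        reasons.append("first payment to this payee")
    if wire.src_ip not in b["ips"]:
        score += 2
        reasons.append("session from an IP address never seen for this customer")
    if sum(1 for w in history if w.day == wire.day) >= 2:
        score += 1
        reasons.append("third or later wire on the same day")
    return score, reasons


def decide(score):
    """Map a score to an action; the thresholds are assumptions for the example."""
    if score >= 5:
        return "hold for out-of-band confirmation"
    if score >= 3:
        return "step-up authentication"
    return "allow"


# Constructed history: a small business paying two regular suppliers from one office.
HISTORY = [
    Wire(1, 1500.00, "Acme Lumber", "203.0.113.10"),
    Wire(4, 2200.00, "Payroll Service", "203.0.113.10"),
    Wire(8, 3100.00, "Acme Lumber", "203.0.113.10"),
    Wire(11, 1800.00, "Payroll Service", "203.0.113.10"),
    Wire(15, 4000.00, "Acme Lumber", "203.0.113.10"),
    Wire(18, 2500.00, "Payroll Service", "203.0.113.10"),
]

# A routine wire and one that looks like an account takeover.  In both cases the
# credentials presented are valid; only the transaction's shape differs.
ROUTINE = Wire(22, 2200.00, "Acme Lumber", "203.0.113.10")
SUSPECT = Wire(22, 9500.00, "J. Doe", "198.51.100.7")

if __name__ == "__main__":
    for w in (ROUTINE, SUSPECT):
        score, reasons = risk_score(w, HISTORY)
        print(f"${w.amount:,.2f} to {w.payee}: score {score} -> {decide(score)}")
        for r in reasons:
            print("   -", r)
```

The routine wire scores zero and is allowed; the suspect wire trips the amount, new-payee and new-IP rules at once and is held for out-of-band confirmation.  Nothing about the credentials distinguishes the two, which is the whole reason the court expects the bank to look at the transaction and not just the login.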

We should make it clear to our business clients that, while the bank must bear the risk of an unauthorized transaction, the bank is not responsible for consequential damages.  Moreover, the bank will try to transfer this fundamental responsibility to them by contract.  They should choose their banks carefully, ensure that the bank offers "commercially reasonable" security, and understand and comply with their agreement with the bank.  Specifically, they should reconcile their accounts in a timely manner and resolve variances promptly.  By default, "timely" equates to daily.  Finally, they must resist compromise of their systems and credentials.  I use my iPad for e-banking and recommend to my clients that they use a dedicated and locked-down system for e-banking.

It should be clear from the facts and findings in this case that both the bank and the customer, each acting in good faith, did counter-productive, not to say "stupid," things.  Neither our bank clients nor our small-business clients are experts in security.  Left only to their own resources, they are vulnerable to costly, not to say fatal, errors.  They are dependent upon us.  We owe them diligence and competence if we are to be called professionals and be paid the big bucks.


  1. With the help of this site, we can easily understand what justice is and how to react to people if they have made any mistake, so thank you for this blog. expert witnesses

  2. The new updated FFIEC is pushing banks for better security, but puts way too much burden on the bank now. Any fault on the client's side, i.e., visiting malware-infected websites, unknowingly downloading a Trojan file, etc., is no longer the client's fault...
    But we need banks to step up their game. Hoorah.

  3. Hi there! Have you ever been in such a position, when someone has stolen any of your articles? Can't wait to see your reply.