Specifically, the appeals court reversed the summary judgment granted to Ocean Bank. It found that this order relied upon a finding that the security offered by Ocean Bank was "commercially reasonable," a finding which the appeals court rejected.
This is an important decision. It brings this case into agreement with the decision in Experi-Metals v. Comerica, a case based upon similar facts and law, in which the court held for the plaintiff. It reduces the probability that the Supreme Court would grant certiorari for a further appeal. It upholds the provisions of Article 4A of the Uniform Commercial Code (UCC) which govern the rights, duties, and liabilities of banks in commercial wire transfers. The default under this provision is that if the transaction is "not authorized," the bank stands the loss. This is also consistent with the bank's common law responsibility to ensure that transactions are authorized.
Most of what I wrote stands up pretty well after a year and in light of the verdict on appeal. The exception was my expressed hope that the case would NOT be appealed. I was concerned that it might accept as fact the finding of the lower court that the security procedures were "commercially reasonable" and thereby establish a bad precedent. Mark Patterson, co-owner of PATCO, thought better of it, did appeal, and was vindicated. Fortunately for all, the appeals court revisited that question as a matter of law.
This decision is informative, instructive, and easy to read. Even if one were to dispute it, the decision sets forth a clear record of both facts and law for our consideration, discussion, and enlightenment. I commend it to all bankers, small to medium businesses and municipalities, information assurance professionals, and those engaged in computer forensics. One need not be a lawyer or a security professional to appreciate it.
The facts, documented in and relied upon by the decision, describe the security options available to Ocean Bank in NetTeller, the e-banking application software from Jack Henry & Associates. These include:
- UserID and Password
- One-time-password (OTP) Tokens*
- Out-of-band Authentication*
- User selected image for recognizing the bank*
- Customer Device Recognition by IP address and cookie*
- Transaction Risk Profiling
- Challenge-Response based upon shared secrets
- Dollar Amount threshold for invoking Challenge-Response**
- Access to intelligence from the eFraud Network including IP addresses of known hostile systems
- Risk Scoring Reports
Ocean Bank implemented more than half of these features but there was a problem with those they chose not to implement. First, they did not implement the user selected image, a shared secret, intended to help the customer distinguish between the bank's system and a spoof of it before exposing his credentials. This feature is sufficiently widely used that false bank sites are not a preferred attack.
However, they also failed to implement the measures most effective against the favored attack, credential re-play, i.e., out-of-band or one-time-password authentication, and transaction risk scoring and monitoring.
One of these features they misused. The court agreed with testimony of an expert witness that, by lowering the transaction threshold for invoking challenge-response from only those transactions above $1,000 to all transactions above $1, the bank increased the probability that the responses would be compromised and thereby weakened the system.
The court accepted expert testimony that "at the time in question keylogger malware was a persistent problem throughout the financial industry." Therefore, the risk that the userID, password, and challenge responses would all be simultaneously captured was foreseeable.
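To make the court's point about the lowered threshold concrete, here is an added simulation (not from the original post, and not NetTeller code) of how often a customer is asked to type a shared-secret answer under each threshold, and how quickly a keylogger on the customer's machine would see every answer on file. It assumes the bank holds three shared-secret questions and asks one at random per challenged transaction; the transaction amounts are constructed sample data, not figures from the case record.

```python
"""Exposure of challenge-response secrets as a function of the dollar threshold."""
import random
from statistics import mean

NUM_QUESTIONS = 3  # assumed number of shared-secret questions the bank keeps on file


def challenged_fraction(amounts, threshold):
    """Share of transactions that prompt the customer to type a shared-secret answer."""
    return sum(1 for a in amounts if a > threshold) / len(amounts)


def transactions_until_all_captured(amounts, threshold, num_questions, rng):
    """Number of legitimate transactions (1-based) after which a keylogger
    recording every prompt has seen the answer to all num_questions secrets.
    Returns None if the stream ends before that happens."""
    captured = set()
    for i, amount in enumerate(amounts, start=1):
        if amount > threshold:                 # bank invokes challenge-response
            captured.add(rng.randrange(num_questions))  # one question chosen at random
            if len(captured) == num_questions:
                return i
    return None


def simulate(threshold, trials=2000, num_questions=NUM_QUESTIONS, seed=1):
    """Average number of transactions before every shared secret has been
    observed, over random streams of constructed transaction amounts."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        # constructed stream: mostly small vendor/payroll payments, a few large ones
        amounts = [rng.choice([50, 120, 480, 900, 2500, 7000]) for _ in range(200)]
        n = transactions_until_all_captured(amounts, threshold, num_questions, rng)
        results.append(n if n is not None else len(amounts))
    return mean(results)


if __name__ == "__main__":
    sample = [50, 120, 480, 900, 2500, 7000]
    for threshold in (1000, 1):
        print(f"threshold ${threshold}: {challenged_fraction(sample, threshold):.0%} of "
              f"transactions challenged; all secrets exposed after ~{simulate(threshold):.1f} "
              f"transactions on average")
```

With the $1 threshold every transaction is a challenge, so the keylogger needs only a handful of ordinary payments to collect the full answer set; the $1,000 threshold exposes the secrets on the small fraction of transactions that were already the risky ones.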
As a result of this decision, we now know some things with confidence approaching certainty that were in question after the original decision. These include:
- In electronic wire transfer, risk for unauthorized transactions lies primarily with the bank, not the customer.
- The burden of proof is on the bank, not the customer.
- The requirement of the UCC that security be "commercially reasonable" trumps the Federal Financial Institution Examination Council (FFIEC) Authentication Guidance. Literal compliance with the Guidance may not be "commercially reasonable."
- The court heard testimony on the pervasiveness of key-loggers and concluded that the risk of credential replay is "foreseeable." Therefore, by default, "strong authentication" to resist such re-play is indicated.
Some things are still in doubt, and some questions still open. For example, the record is not clear as to whether "alerts" were offered or accepted.
The advice that we as information assurance and forensic professionals give our principals must reflect this decision.
This is not "rocket science." NetTeller and other commercial-off-the-shelf (COTS) software offer both strong authentication options and software for scoring the risk of a transaction.
We should make it clear to our business clients that, while the bank must take the risk for an unauthorized transaction, the bank is not responsible for consequential damages. Moreover, the bank will try to transfer this fundamental responsibility to them by contract. They should choose their banks carefully, ensure that the bank offers "commercially reasonable" security, and understand and comply with their agreement with the bank. Specifically, they should reconcile their accounts in a timely manner, and reconcile variances promptly. By default, "timely" equates to daily. Finally, they must resist compromise of their systems and credentials. I use my iPad for e-banking and recommend to my clients that they use a dedicated and locked down system for e-banking.
It should be clear from the facts and findings in this case that both the bank and the customer, both acting in good faith, did counter-productive, not to say "stupid," things. Neither our bank nor our small business clients are experts in security. Left only to their own resources, they are vulnerable to costly, not to say fatal, errors. They are dependent upon us. We owe them diligence and competence if we are to be called professionals and be paid the big bucks.