According to a report in BankInfoSecurity earlier this week, Maine judge John Rich ruled that Ocean Bank (owned by Peoples United) was not responsible for allowing hackers to steal more than $300,000 from Patco Construction Company's online account, saying the customer should have done more to protect the account credentials.The case raises questions about how much security financial institutions may be reasonably required to provide commercial customers. It could set a precedent for liability in circumstances where customer systems are hacked and banking credentials are stolen. Small and medium-sized businesses around the United States have lost hundreds of millions of dollars in recent years to such activity, known as fraudulent ACH (Automated Clearing House) transfers.
Patco, a family-owned business in Sanford sued Ocean Bank after discovering that hackers were siphoning about $100K per day from its online account. The hackers sent a malicious e-mail to employees allowing them to install a password-stealing trojan on an employee computer. The hackers then used the credentials to initiate a series of electronic money transfers. Nearly $600K was transferred before Patco noticed.
After being notified of the fraud Ocean Bank was blocked about $240,000 in transfers. Patco was unable to retrieve the rest, so sued the bank for failing to notice the fraudulent activity and stop it. It argued that the out-of-character transactions should have drawn attention in the bank, who didn’t notice and let them go through. Ocean did not use multi-factor authentication. Ocean maintained that it had done its due diligence in verifying that the ID and password used were authentic.
The judge agreed the bank could have had better security, but said the law doesn't require “best” security measures available, and that the bank informs customers at sign up about the level of security it provides and the amount of liability it will assume if money is stolen.
Posts
0 comments:
Post a Comment