From the AEGIS e-Journal, Volume 14 Number 7, July 2011
and the liability for losses suffered by their client from hacking and phishing.
Economics uses the hypothetical “rational man” as a foundation for explaining human action, with the understanding that the rational man will always attempt to solve problems by expending as little effort and as few resources as possible to achieve their objective.
In three recent court cases, we are watching how the courts interpret “rational” behavior when electronic banking safeguards are breached. These three cases delve into areas of “good faith” as well as the contractual meaning of the claims “safe” and “secure.” As online banking continues to struggle with providing “multifactor‐authentication” to their clients, the courts must also determine what strategies for authentication are in compliance with regulations mandating this type of system.
Case #1. PATCO Construction Inc. vs. Ocean Bank
In May 2009, PATCO sued Ocean Bank for more than $345,000 they lost after their account with Ocean Bank was hacked. PATCO argues that Ocean Bank was not complying with existing multifactor‐authentication requirements. A U.S. District Court disagreed. In May of this year, a District Court found that Ocean Bank did meet the legal requirements for multifactor‐authentication, while noting that their online security at the time of the incident should have been better.
Could have been better indeed! Ocean Bank apparently allowed customers to access their accounts using only a username and password for authentication. In this case, the court agreed with Ocean Bank that their procedures complied with FFIEC guidelines for multifactor‐authentication. The court’s conclusion was not based upon current practices within the industry; it was based only upon the ambiguity of a regulation that was outdated on the day it became law.
Case #2. Experi-Metal Inc. v. Comerica Bank
EMI filed suit against Comerica in November 2009, after Comerica approved almost $2 million in fraudulent wire transfers from EMI’s account in January 2009. In this case, EMI, who had made no wire transfers in over a year‐and‐a‐half, suddenly made 90 in one day ‐‐ and the person who allegedly authorized the wires had no authority to do so.
Comerica recovered most of the transfers that made it through their system, but held EMI liable for the balance of unrecovered funds. EMI filed their action against Comerica seeking recovery of about $560,000.
In June of this year a United States District Court in Michigan ruled that Comerica must cover the losses by EMI. Judge Patrick J. Duggan stated, “There are a number of considerations relevant to whether Comerica acted in good faith with respect to this incident,” adding that “A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”
In this case there was evidence presented that Comerica had knowledge of ongoing phishing attacks aimed at their clients (but what bank doesn’t?). The court found that Comerica should have identified and disallowed the fraudulent transactions based on EMI’s wire‐transfer history, and should not have passively approved transfers to overseas accounts.
The court concluded that Comerica had not acted in good faith when making promises to their clients about safety and security.
Case #3. Village View Escrow Inc. vs. Professional Business Bank
In this case of online hacking, Village View Escrow of California filed suit against Professional Business Bank in June of this year regarding a March 2010 incident where they claim to have lost $465,000 after hackers accessed their online account. Village View is seeking reimbursement of all direct losses from the incident.
This suit, like the EMI suit, raises the issues of good faith, industry standards, and compliance with existing guidelines. Village View’s complaint alleges that the Bank failed to put procedures in place for the recovery of stolen funds, and that it ignored numerous warnings from regulators about online vulnerabilities and the incidence of account takeovers.
Conclusion ‐‐ being rational is not enough. Whether you are providing online banking services or are simply an online client, you’re courting disaster if you are expending as little effort as possible.
It is interesting to note that in the above disputes the banks do not believe that they are being robbed ‐‐ it is their customers’ accounts that are being robbed. The banks assert that the client’s account was accessed at the bank, not the bank’s general funds. It is the customer’s problem, not a bank liability.
Stunning ‐‐ truly stunning.
7. Subscription/Unsubscription/Copyright Information
ÆGIS is supported and maintained by voluntary efforts. This publication is owned, published, and copyright © 2011 by The Aegis Journal, LLC. It is edited jointly by L. Burke Files (LBFiles@feeinc.com), Gregg Lowney (Greg@feeinc.com) and Shaun Hassett (SHassett@lubrinco.com).
LUBRINCO provides services in three high‐threat areas, too specialized to be dealt with in‐house, that can adversely affect domestic and international bottom lines.
• International asset location and due diligence.
  • Anti-money laundering, financial fraud, and anti-corruption program development and training.
  • Risk Assessment and statutorily mandated AML independent examinations and program reviews for financial institutions and gatekeepers.
  • Investigation and location of missing or concealed assets, related to fraud, theft, and divorce.
  • Due Diligence to prevent fraud and loss, as well as validate potential business partners, counterparties or potential business acquisition or merger targets. LUBRINCO has significant expertise in performing Due Diligence in China, Central and Eastern Europe, Central and Southern Asia, the offshore financial centers, Latin America, and the Caribbean.
• Identification, valuation, and protection of intellectual assets and critical information.
  • American businesses lose more than $300 billion in revenues annually to competitive intelligence, economic espionage, inappropriate disclosure, and information theft.
  • LUBRINCO provides private sector consulting access to OPSEC, the government-standard process for identification, valuation, and protection of intellectual property and critical information.
  • Implementing an OPSEC program is likely to increase revenues for an at-risk operating group by $75 million.
• Protection of executive management, staff, and families.
  • In the high-threat environments of Latin America, Africa, the Mid-East, and Southeast Asia.
  • When traveling or living overseas.
  • When transporting items of substantial value.
LUBRINCO identifies and quantifies threats and vulnerabilities, and their associated risk, then manages the vulnerabilities so you can transfer or live with the residual risk. We prevent disastrous financial loss to your company, and physical harm to you, your family, and your staff.
For information on LUBRINCO and its services, or for the archive of all past issues of ÆGIS in PDF format, please go to http://www.aegisjournal.com/.
Subscription to ÆGIS is available for $15 per year in North America and $25 per year outside of North America.
To sign up to receive a complimentary subscription to ÆGIS or the ÆGIS PDF notification list, send an email to subscribe@aegisjournal.com.
To be removed from the subscription list, send an e‐mail to unsubscribe@aegisjournal.com.
If you know of anyone else who should be receiving ÆGIS, please send their e‐mail address to subscribe@aegisjournal.com.
If there is a topic that you would like to know more about, please send your request to editor@aegisjournal.com and the editors will consider it as the topic for an article in an upcoming issue.
We welcome readers who wish to submit a short article for publication in ÆGIS: If you would like to submit an article for publication in ÆGIS, please send it as an attachment to an e‐mail to editor@aegisjournal.com. Submission of an article for publishing consideration certifies that: (a) all information in the article is in the public record, or (b) that you are authorized to release any personal or corporate proprietary information contained in the article, and (c) that none of the article has previously been copyrighted. The submission of materials for publication in ÆGIS constitutes a license to LUBRINCO, and/or Financial Examinations and Evaluations, Inc., their assigns, associates, or affiliates, to abridge and/or edit said submission, and to copyright and publish/republish any submitted materials in whatever written and/or electronic form they may choose. If you would like to go beyond normal fair‐use in reproducing articles from this issue of ÆGIS, you may do so freely as long as appropriate source, copyright, accreditation, and link to the ÆGIS Web site is included.
ÆGIS is a forum for the exchange of information, ideas, operating styles, theories, and related topics for corporate managers who make decisions about threats typically outside the expertise available in‐house, yet which have the potential to affect their company’s domestic and international bottom lines. Nothing appearing in ÆGIS should be construed as legal advice. The information provided is “general information,” not “specific advice.”
The solution to any problem is highly dependent upon the precise facts involved. Thus, before making any reliance upon anything said here, you should consult with an appropriately skilled professional. Opinions expressed by contributors are not necessarily endorsed by the publisher, and may be presented to encourage a dialogue among subscribers. The publisher and any re‐publisher cannot be held responsible for any loss incurred as a result of the application of any information published in ÆGIS.
Please be safe, and be smart.