Printed from http://www.electronista.com

Appeals court finds bank liable for $588,000 ACH theft

updated 07:30 pm EDT, Fri July 6, 2012

Security used 'commercially unreasonable,' didn't meet federal standards

The US Federal Court of Appeals for the First Circuit has reversed a lower court's decision, and found Ocean Bank (now People's United) at fault for a $588,000 "virtual robbery" in 2008 against Sanford, ME-based Patco Construction Company. Calling the bank's security systems "commercially unreasonable," the Boston-based appeals court returned some specific aspects to the original court and judge for review, but is encouraging both parties to settle the matter out of court.

In September 2008, the construction company filed suit against the bank. Patco used online banking to make weekly payroll payments. The banking login credentials were stolen from Patco in May 2009 by the ZeuS trojan. Using the lifted data, thieves removed $588,000 in several batches from the account in automated clearing house (ACH) transfers over a week.

Ocean Bank was able to block or retrieve $243,406 of the stolen funds, leaving the construction company with a loss of $345,445. To make up for the difference between the retrieved funds and the lost funds, Ocean Bank drew $223,237 on Patco's credit to cover the transfers. Patco sued shortly thereafter, arguing that the bank didn't provide multi-factor authentication, as laid out by the Federal Financial Institutions Examination Council (FFIEC).

In the court's 43-page decision, the appeals court found Ocean Bank's fraud monitoring lacking overall. The statement clarified that "when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable."

Charisse Castagnoli, a bank fraud expert and security consultant, said the decision could open the door to lawsuits from small businesses similarly robbed because of inadequate or outdated security procedures. Furthermore, she said that the appeals court didn't address what the victim's obligations are for maintaining security in the event that bank security fails, such as a requirement for timely balance checks and responses to bank notifications. "At the same time, you can't be a sloppy or naive customer," added Castagnoli, "as the court is clearly looking for the customer to behave with some understanding of what the bank is doing with their money."



By Electronista Staff