Inside the PATCO Fraud RulingCourt Decision Details Flaws in Bank's Security Plan
One cannot overstate the significance of a federal appeals court's recent decision favoring PATCO Construction Inc. over the former Ocean Bank in a dispute resulting from ACH/wire fraud. (See PATCO ACH Fraud Ruling Reversed.)
See Also: 2020 Cyberthreat Defense Report
"This is a big deal, because it's a ruling handed down by a federal court," says Avivah Litan, a distinguished analyst at Gartner Inc. and a recognized industry expert on incidents of ACH and wire fraud.
But the ruling is more than just the latest chapter in the ongoing debate about the responsibilities financial institutions and commercial customers bear when it comes to ensuring online security.
In fact, the 43-page ruling by the First Circuit Court of Appeals offers a fascinating look at exactly which online security procedures Ocean Bank, now People's United Bank, did - and did not - offer to commercial customers such as PATCO.
Facts of the Case
PATCO, a Maine-based construction firm, made news in 2009 when it revealed that fraudsters had drained more than $580,000 in a series of bogus transactions from the firm's commercial account with the former Ocean Bank.
In 2010, PATCO sued Ocean Bank for the funds it lost in the account takeover incident. PATCO argued that Ocean Bank did not comply with existing FFIEC requirements for multifactor authentication when it relied solely on log-in and password credentials to verify transactions.
In May 2011, a U.S. District Court ruled in favor of the bank, denying PATCO's motion for a jury trial. In its ruling, the court noted that Ocean Bank's security could have been better. But because PATCO agreed to the bank's security when it signed its contract with Ocean Bank, the court assumed PATCO considered the methods to be reasonable.
The federal appeals court disagreed. In its July 3 ruling, the court called Ocean Bank's security procedures "commercially unreasonable," reversing the lower court's ruling and further recommending that the two parties pursue an out-of-court settlement.
In support of its ruling, the court reviews in detail the available security measures the bank did and did not implement.
What Ocean Bank Offered
In 2007, to address then-new authentication demands outlined by the FFIEC in its 2005 Authentication in an Internet Banking Environment guidance, Ocean Bank integrated a multifactor authentication system provided by Cyota Inc., an RSA Security Company, into its NetTeller online banking platform provided by Jack Henry & Associates.
According to the court record, the package Ocean Bank implemented included six security and authentication features from Jack Henry's "premium" NetTeller package:
- User ID and Password. PATCO employees were required to enter a company ID/password, as well as a user-specific ID and password to access online banking.
- Device Identification. The system used "cookies" to create a log of known devices customers used to access accounts. If the cookie changed or was new, it could impact the risk score, potentially triggering challenge questions.
- Risk Profiling. Jack Henry's adaptive monitoring provided a risk score for every log-in attempt and transaction based on a multitude of data, including IP address, device cookie identification, geo location and transaction history. If a user's transaction varied from the usual profile, then the transaction might be scored as high risk. Scores were issued on a scale of 0 to 1000, and scores above 750 triggered challenge questions.
- Challenge Questions. Upon initial log-in, users were required to establish three challenge questions and responses, which could come into play for various reasons, as detailed above. If the user failed to answer the questions in three attempts, then that user would be blocked from online banking.
- Dollar Amount Rule. The Jack Henry system allowed the bank to set transaction thresholds, above which challenge questions would be triggered - even if user ID, password and device cookies all were valid. In 2008, Ocean Bank set the transaction threshold at $1, ultimately requiring every transaction to be approved through responses to challenge questions. "This was a bad practice," Gartner's Litan says. "Requiring challenges on every transaction doesn't distinguish risk, and it's easily broken."
- eFraud Network. Jack Henry's "premium" package also included a subscription to the eFraud Network, which provided Ocean Bank an avenue for information-sharing about fraud. Through the network, financial institutions report IP addresses or other characteristics that have previously been connected to fraud. Thus, if access to a NetTeller account were attempted by an entity linked to fraudulent characteristics, such as a bad IP address, that attempt would automatically be blocked.
What Ocean Bank Didn't Offer
The court ruling notes several other security measures that were available, but which the bank chose not to implement. These measures include:
- Out-of-Band Authentication. Ocean Bank did not avail itself of Jack Henry's out-of-band options. The court does not specify which options were available, but out-of-band generally refers to transactions authenticated via telephone, e-mail or SMS/text message to a customer.
- User-Selected Picture Functions. The use of user-selected pictures for authentication was available, but Ocean Bank declined the option.
- Tokens. Physical devices such as USB, smartcard or password-generating tokens were not available from Jack Henry, but were offered by other vendors. Ocean Bank did not offer tokens until after the PATCO fraud incidents.
- Monitoring. At the time of the fraudulent transactions, bank personnel did not monitor the risk-scoring reports they received, the court says, nor did the bank conduct any ongoing review of transactions that generated high-risk scores. The bank had the ability to manually monitor high-risk transactions through its transaction-profiling and risk-scoring system, but chose not to do so until late 2009, after PATCO had already been hit. The bank also had the ability to call customers if it detected fraudulent activity, but never did.
With the security measures Ocean Bank had in place, the fraudulent transfers that hit PATCO's account in 2009 should have raised red flags, the court says.
PATCO had primarily used its Ocean Bank account for payroll, with its highest transaction being approximately $36,000. The six fraudulent wires out of PATCO's account - although using the valid user ID, password and challenge-question answers of a PATCO employee - went to numerous individuals PATCO had never paid before. The perpetrators also logged in from devices and IP addresses never used by PATCO.
On the first transaction, which hit May 7 and totaled $56,594, Ocean Bank's scoring system gave the payment a risk score of 790; PATCO's usual risk scores ranged between 10 and 214. Despite that high score, the bank did not notify PATCO.
Six days and six transactions later, on May 14, PATCO notified the bank to say the transactions had not been authorized. Ocean Bank then blocked a portion of the transactions and recovered approximately $243,000 of the nearly $600,000 that had been fraudulently wired.
In its reversal of the district court decision, the appellate court says Ocean Bank's security was "commercially unreasonable" for a few reasons. For one, requiring every $1 transaction to be approved via challenge questions substantially increased PATCO's fraud risk.
"When Ocean Bank lowered the dollar amount rule from $100,000 to $1, it essentially deprived the complex Jack Henry risk-scoring system of its core functionality," the court states. "The $1 dollar amount rule guaranteed that challenge questions would be triggered on every transaction, unless caught by a separate eFraud Network, which depended on the use of known fraudulent IP addresses."
The court also notes that Ocean Bank's transaction-monitoring practices and lack of standardization for notifying customers when high-risk transactions were detected were unreasonable.
The "one-size-fits-all" approach to monitoring and authenticating high-dollar transactions exposed PATCO to more risk, the court says.
"These collective failures, taken as a whole, rendered Ocean Bank's security procedures commercially unreasonable," the ruling says.
But Gartner's Litan says Ocean Bank's practices were not atypical. "Many small banks just launch a standardized approach to fraud detection," she says. "Really, their vendors should be working with them more. Small banks just don't have any resources to monitor 15 to 20 percent of the log-ins every day; they need better tools."
Aside from the bank's security measures, did PATCO fulfill its own security obligations? The appellate court leaves that question open for further legal review.
Under Article 4A of the Uniform Commercial Code, a bank typically bears the risk of loss when unauthorized funds transfers are approved. The bank may shift that risk of loss onto the customer by one of two ways: by proving the commercial reasonableness of the security procedures it offers, or by proving that the payment it approved was approved on good faith and in compliance with security procedures noted in its contract.
In its ruling, the appeals court says, "There remain several genuine and disputed issues of fact which may be material to the question of whether PATCO has satisfied its obligations and responsibilities under Article 4A, or at least to the question of damages."
The appellate court goes on to say the reversed ruling does not address what, if any, obligations and responsibilities Article 4A of the UCC imposes on commercial customers, even when the security provided by the bank is deemed commercially unreasonable.
"Article 4A does not appear to be a one-way street," the court says. "Commercial customers have obligations and responsibilities as well."
Other Open Questions
In reversing the lower court's ruling, the appeals court notes some open questions of dispute, including:
- Were E-Mail Alerts Offered? In 2007, when it launched its enhanced authentication for NetTeller, Ocean Bank claims it began offering e-mail alerts for transactions. PATCO says it was never made aware of the e-mail alert option, and that previous requests for e-mail notification were ignored by the bank.
"Neither party has submitted into the record an example of such an e-mail alert or specified when such an e-mail alert would have been sent," the court states. "It is unclear what PATCO would have learned from such an e-mail alert and whether and when such an e-mail would have placed PATCO on notice of the fraudulent transfer."
- What Triggered the Fraud? The parties disagree over whether key-logging malware enabled the fraudulent transactions.
Ocean Bank says, once fraud was detected, it told PATCO to disconnect computers used for e-banking from its corporate network. The bank also claims it told PATCO to stop using those computers for work purposes and that the infected computers needed to be reviewed by a forensics investigator or law enforcement official.
The bank says PATCO did not heed the advice. Affected computers were not isolated, nor were hard-drives preserved forensically, so it remains unclear whether the system was actually infected by a key-logger.
PATCO denies those claims and says the bank only instructed it to bring in a forensics professional to check the system for a security breach.
PATCO also says an outside IT consultant did discover a remnant of Zeus/Zbot malware, but nothing else.
"We leave these questions open on remand so that the district court may, after briefing, assess whether such obligations exist, either for liability purposes or for mitigation of damages."
To resolve these and other questions, the appeals court remanded the case for further legal proceedings. But at the same time, the court strongly suggested that an out-of-court settlement might be the better option.
"On remand, the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement."