Modernizing Authentication — What It Takes to Transform Secure Access
Following the 2009 theft of $588,000 from Patco Construction's account at Ocean Bank (now People's United), a federal appeals court recently ruled that a bank's security systems were "commercially unreasonable," and urged both parties to settle the matter out of court, according to Krebs on Security's Brian Krebs. The decision reverses a 2011 lower court ruling that found Ocean Bank not at fault for the loss.
"The exact cause of the breach isn't known," write Threatpost's Brian Donohue and Paul Roberts. "However, an antivirus scan found a computer used by a Patco employee that was infected with the Zeus Trojan. It is believed that the piece of malware had key logging capabilities and managed to steal the employee’s user name and password, as well as the answer to a security question."
"Up until 2008, Ocean Bank had an anti-fraud system in place that would question every transaction larger than $100,000," writes Softpedia's Eduard Kovacs. "Starting July 2008, the threshold was lowered to just $1 because of the large number of fraudulent transfers that targeted small amounts of money. Since Patco performed numerous online fund transfers, a ZeuS Trojan was able to swipe the company banking credentials and easily steal the large amount of money over a period of seven days. 'In our view, Ocean Bank did substantially increase the risk of fraud by asking for security answers for every $1 transaction, particularly for customers like Patco which had frequent, regular and high dollar transfers,' the court stated."
"Since the answers to the challenge questions were displayed every time Patco made a transfer, this 'increased the risk that such answers would be compromised by keyloggers or other malware that would capture that information for unauthorized uses,' according to the ruling," writes Computerworld's Jeremy Kirk. "The court also found that Ocean Bank was not monitoring its transactions for fraud nor notifying customers before a suspicious transaction was allowed to proceed, both capabilities that it did possess with its security system."
"Mark Patterson, co-owner of Patco, says he hopes the court's ruling sends a message to banking institutions and other corporate victims of account takeover events that have been reluctant to pursue legal action," writes BankInfoSecurity's Tracy Kitten. "'It is great news for victims out there who are going after banks that have not been keeping their customers' money secure,' Patterson says. '(It's) a wake up call.'"