28 September 2016

US judge backs bank against customer who sued over hack

08 June 2011  |  7820 views  |  3 comments

A US magistrate judge has ruled that a bank is not responsible for the loss of around $345,000 from a business customer account following a cyber-attack.

Magistrate judge John Rich has recommended that a US District Court in Maine grant Ocean Bank's motion for a summary dismissal of the complaint filed by Patco Construction Company.

Rich's order - first reported by BankInfoSecurity - comes after Patco Construction Company sued Ocean Bank in the wake of a 2009 cyber-attack.

Malware was used to steal the firm's online banking credentials, which the crooks then tapped to make ACH transactions worth nearly $600,000. Around $243,000 worth of payments were blocked by the bank once the fraud was discovered.

However, Patco sued Ocean for the remaining $345,000, arguing that the bank should have spotted the fraud and stopped it. The construction firm also argues that by not requiring customers to use multi-factor authentication, Ocean does not use best practice.

Ocean argued that having verified IDs, passwords and requested challenge response questions, it acted in good faith by processing the ACH payments and Patco was to blame for letting its details become compromised.

Rich concludes that, although Ocean could have done more to authenticate users, the law does not require banks to use the "best" possible security measures and customers are aware of what is on offer when they sign up.

Comments: (3)

Bruce Shirey - The Rinaldi Group - San Diego | 08 June, 2011, 15:21

Seriously? Does Magistrate judge John Rich have part ownership or family in Ocean's bank management? Under this farce of a ruling, Heartland, TJX and others should be off the hook for their breaches AND be entitled to get the millions of dollars paid in fines back. Bank customers, like Patco Construction, expect safety and security for their money, not some legal fine print or worse, a lame interpretation from this judge that the Ocean's bank policy is to "try really hard" to protect its customer assets.

Michael Kyritsis - ACI - London | 09 June, 2011, 08:57

This is different to the situation of Heartland, TJX, etc - in which card details were compromised belonging to people who had not signed up for any card services with those companies.

Patco Construction Company signed up for Ocean's banking services and accepted the online banking credentials.

If this gets enough press coverage Ocean might lose a lot of customers, presumably to banks that have implemented multi-factor authentication.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 09 June, 2011, 16:53

The popularity of Mint, OfferMatic, BillGuard and other services that directly access the customer's bank account on the basis of a simple username and password suggests that two factor authentication solutions haven't been implemented by many US banks so many years after it was mandated by FFIEC. Against this backdrop, it's interesting to note that, while the court ruling holds a bank liable for compliance with FFIEC's mandate, it considers Password + Security Question as adequate implementation of 2FA although most security industry professionals won't think so. 
