A lot of expatriates in Mexico make use of online banking; some for the convenience, some because it is the only way to transact business with a bank in another country, and some because their bank is pushing them to do so. There was a story in the news last summer that probably did not attract the attention of many of these users of online banking but should have.
Online banking has not been around for very many years, and as a result a lot of the rules and regulations governing it are still not well defined. Each bank has its own policies regarding online transactions, but there is little in the way of legal precedent governing this practice. That changed on August 4, 2011, when the case of Patco Construction Company, Inc., v. People’s United Bank d/b/a Ocean Bank (case no. 2:09-cv-503-DBH) was decided in the United States District Court in Maine. It was one of the first cases to decide who bears the loss when a business’s online bank account is looted by hackers, and it has been followed closely by the banking industry and by computer security professionals.
The background of the case is that in May 2009 Patco suddenly realized its bank account was short by more than half a million dollars. Over a period of about a week, unknown criminals had issued a series of transfers from Patco’s commercial account to dozens of different recipients. Ocean Bank was able to recover part of the 588,000 dollars in fraudulent transfers, but some 345,000 dollars was gone and untraceable. When the bank claimed it was not their responsibility and this was the customer’s loss, that is when the lawyers got involved.
When an outside IT consultant ran antivirus scans on computers at the Patco office, they were found to be infected with the Zeus/Zbot trojan, a piece of malware built specifically to steal online banking credentials. Crooks often rely on tricking people into clicking a link in an email or on a website; that click installs malware the antivirus software frequently fails to catch, and the malware then logs keystrokes, captures passwords, and reports everything it sees back to the criminals.
Next it came to light that Patco had not had a half million dollars sitting in its account. Ocean Bank had drawn on the company’s line of credit to cover the transfers, putting more and more borrowed money into the account so the thieves could keep stealing. Patco naturally contended that the bank should have had procedures in place to prevent this, and that a customer should not be liable for paying back such a loan.
It turns out the bank did have security procedures and software in place, and the court found them to be commercially reasonable. In order to make a funds transfer, the customer had to supply a password and, for large transactions, the answer to a secret “challenge question” chosen from a small set the customer had answered when signing up. The bank called this multifactor authentication, but a challenge question is really just a second password: it is still “something you know,” and anything you know has to be typed, so a keylogger captures the answer just as easily as it captures the password. Believing that more challenges meant more security, the bank lowered the threshold for asking a challenge question from $100,000 to $1, so that practically every transaction required one. The result was that the Zeus infection, watching every login, quickly recorded all of the questions and their answers. The attempt to increase security actually had the unintended consequence of helping the crooks.
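The mechanism described above, as an added illustration that is not part of the original article and uses no figures from the court record: a toy model of a bank that rotates through a pool of challenge questions, a keylogger that records every answer the customer types, and, for contrast, a one-time code from a token the attacker does not hold. The question pool, the transaction amounts and the rotation order are all assumptions.

```python
"""Toy model of why per-transaction challenge questions did not help Patco.

A keylogger on the customer's PC sees every keystroke, so each challenge
question the bank asks hands the attacker one more reusable answer.  The
question pool, thresholds and transaction amounts below are constructed for
the example; they are not the bank's real configuration or the case's figures.
"""
import hashlib
import hmac
import struct

# Assumed pool of challenge questions the customer answered at enrollment.
CHALLENGE_POOL = {
    "city of birth": "portland",
    "first pet": "rex",
    "mother's maiden name": "smith",
}
QUESTIONS = sorted(CHALLENGE_POOL)

# Constructed week of ordinary small-business transfers, in dollars.
SAMPLE_WEEK = [1500, 2200, 780, 4100, 950, 3300, 1250, 2900, 640, 1800]


def bank_challenge(amount, threshold, challenges_so_far):
    """Return the question the bank asks for this transfer, or None if the
    amount is below the challenge threshold.  Assumed: the bank rotates
    through its pool in a fixed order."""
    if amount < threshold:
        return None
    return QUESTIONS[challenges_so_far % len(QUESTIONS)]


def simulate_capture(amounts, threshold):
    """Run legitimate transfers through an infected PC and return the
    question/answer pairs the keylogger has harvested."""
    harvested = {}
    asked = 0
    for amt in amounts:
        question = bank_challenge(amt, threshold, asked)
        if question is not None:
            asked += 1
            harvested[question] = CHALLENGE_POOL[question]  # typed, so captured
    return harvested


def attacker_can_replay(harvested, question):
    """A captured answer is a static secret: replaying it always works."""
    return harvested.get(question) == CHALLENGE_POOL[question]


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1, dynamic truncation).
    Shown for contrast: the code depends on the current time window, so a
    keylogged code is useless once that window has passed."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def replay_totp_later(secret, captured_at, replayed_at):
    """True only if the captured code is still valid when the attacker
    tries to reuse it."""
    return totp(secret, captured_at) == totp(secret, replayed_at)


if __name__ == "__main__":
    for threshold in (100_000, 1):
        got = simulate_capture(SAMPLE_WEEK, threshold)
        print(f"threshold ${threshold:,}: attacker holds {len(got)} of "
              f"{len(CHALLENGE_POOL)} answers")
    token_secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    print("TOTP replay 60 s later:",
          replay_totp_later(token_secret, 59, 119))
```

With the $100,000 threshold the attacker learns nothing from a week of ordinary transfers; with the $1 threshold the rotating pool is exhausted after three transfers, and every captured answer replays indefinitely. The one-time code at the end is the property the challenge questions lacked: the attacker can capture it, but it stops working within thirty seconds.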
In the final analysis, the lawsuit boils down to Patco contending that its bank could have done more to protect against this kind of online fraud, and Ocean Bank contending that its customer could have done more to protect itself. An outsider can fairly say that both parties could have been more vigilant, but the court has now ruled that the bank is not liable for the customer’s losses. This ruling is bound to reverberate for years to come, and what it means for everyone who uses online banking is that they can no longer afford to be cavalier about security on their own computers.
Occasional Reporter contributor Charles Miller is a freelance computer consultant with more than 20 years IT experience and a Texan with a lifetime love for Mexico. He may be contacted through his web site at SMAguru.com.