Bank to Reimburse Hacking Damages
Added: Friday, December 14th, 2012
A bank in Maine has finally agreed to reimburse its client $345,000. The money was stolen by hackers, and a court ruled that the financial institution's security practices were "commercially unreasonable".
People's United Bank, which owns Ocean Bank, will now pay Patco Construction Company the full amount the hackers stole from its account three years ago, plus around $45,000 in interest. Back in 2009, the attackers installed malware on the company's PCs, captured its online banking credentials and used them to siphon money out of the account.
Patco argued that the bank's authentication system was inadequate and that the bank failed to contact Patco after its own system flagged the transactions as suspicious. The bank countered that it had exercised due diligence because it had verified that the user ID and password presented were authentic. That check is no defence against an attacker who has already stolen those credentials, which is exactly what had happened here.
In July 2012 the judges of the First Circuit Court of Appeals ruled that the bank's security system, as configured, was commercially unreasonable and advised the two parties to settle. They did so last week. Under the settlement, however, the construction company will not be reimbursed for its attorneys' fees.
Patco, a family-owned business, sued Ocean Bank after it discovered that intruders were draining around $100,000 per day from its online bank account. The attackers had sent a malicious e-mail to Patco's employees that surreptitiously installed the Zeus password-stealing trojan on an employee's PC. With the banking credentials it captured, they initiated a series of online transfers over the course of a week. Almost $600,000 had been transferred out of the account before the company realized it had been hacked. Once notified of the fraud, the bank managed to block or recover only about $240,000; the rest could not be retrieved.
The company claimed that Ocean Bank's security system was inadequate and that the bank had not followed its own security procedures. Indeed, although the bank's risk engine flagged the transactions as unusually "high-risk" because of their timing, value and geographic origin, nobody at the bank acted on the alerts, and the money was released without notifying Patco. The company normally made transfers only on Fridays (payroll payments), from its offices in Maine, always from the same IP address, and the largest payment it had ever sent was about $36,000. The fraudulent transfers, by contrast, exceeded $90,000, came from several different IP addresses, and went to recipients the company had never paid before. The fraud was in fact noticed only after some of the transfers were sent to nonexistent bank accounts.
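The signals described above (an amount far above the customer's historical maximum, a session from an IP address the customer has never used, a payee never paid before, a transfer outside the customer's usual day of the week) are easy to compute; the failure in this case was that a "high-risk" flag did not stop the debit. The following is an added example, not code from the article, from either bank or from any vendor named on this page. It builds a per-customer profile from constructed history records, scores a new transfer, and turns a high score into a hold that is released only after out-of-band confirmation. The weights, the hold threshold, the field names, the payees and the documentation-range IP addresses are all assumptions made for illustration.

```python
"""Added example: transaction risk scoring that holds, rather than merely
logs, high-risk transfers. All sample data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable


@dataclass(frozen=True)
class Transfer:
    when: date
    amount: float
    src_ip: str
    payee: str


@dataclass
class Profile:
    """What 'normal' looks like for one customer, learned from its history."""
    known_ips: set[str]
    known_payees: set[str]
    max_amount: float
    usual_weekdays: set[int]  # Monday=0 ... Friday=4


def build_profile(history: Iterable[Transfer]) -> Profile:
    hist = list(history)
    return Profile(
        known_ips={t.src_ip for t in hist},
        known_payees={t.payee for t in hist},
        max_amount=max(t.amount for t in hist),
        usual_weekdays={t.when.weekday() for t in hist},
    )


# Illustrative weights (assumption): a production engine tunes these on data.
WEIGHTS = {"amount": 40, "ip": 25, "payee": 25, "weekday": 10}
HOLD_THRESHOLD = 50  # at or above this, the debit must not be auto-released


def score(tx: Transfer, p: Profile) -> tuple[int, list[str]]:
    """Return a risk score and the list of signals that fired."""
    reasons = []
    if tx.amount > p.max_amount:
        reasons.append("amount")      # larger than anything seen before
    if tx.src_ip not in p.known_ips:
        reasons.append("ip")          # session from an unfamiliar address
    if tx.payee not in p.known_payees:
        reasons.append("payee")       # never paid this account before
    if tx.when.weekday() not in p.usual_weekdays:
        reasons.append("weekday")     # outside the customer's routine
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(tx: Transfer, p: Profile, confirm: Callable[[Transfer], bool]) -> str:
    """A high score blocks the transfer until the customer confirms it over a
    channel the compromised PC cannot answer (phone callback, separate token).
    Logging the flag but releasing the money is the failure mode described
    in the article."""
    s, _ = score(tx, p)
    if s < HOLD_THRESHOLD:
        return "RELEASED"
    return "RELEASED_AFTER_CONFIRMATION" if confirm(tx) else "REJECTED"


# Constructed sample history: three Friday payroll runs from one office IP.
HISTORY = [
    Transfer(date(2009, 4, 17), 34_500.0, "198.51.100.10", "payroll-processor"),
    Transfer(date(2009, 4, 24), 35_200.0, "198.51.100.10", "payroll-processor"),
    Transfer(date(2009, 5, 1), 36_000.0, "198.51.100.10", "payroll-processor"),
]
PROFILE = build_profile(HISTORY)

# Constructed test cases: a routine payroll and a Thursday transfer to a
# never-seen payee from a never-seen address.
LEGIT = Transfer(date(2009, 5, 8), 35_800.0, "198.51.100.10", "payroll-processor")
SUSPECT = Transfer(date(2009, 5, 7), 92_000.0, "203.0.113.77", "unknown-payee-0417")


def customer_confirms(tx: Transfer) -> bool:
    """Simulated out-of-band callback: the customer only recognises LEGIT."""
    return tx == LEGIT


def run_demo() -> dict[str, str]:
    return {
        "legit": decide(LEGIT, PROFILE, customer_confirms),
        "suspect": decide(SUSPECT, PROFILE, customer_confirms),
    }


if __name__ == "__main__":
    for name, tx in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(name, score(tx, PROFILE))
    print(run_demo())
```

The point of `decide` is that the risk score changes what the system does, not only what it writes to a log: a score at or above the threshold cannot be released by the same session that initiated it. The confirmation callback must use a channel the attacker's malware does not control; a challenge question answered on the infected PC, as in the Patco incident, adds nothing.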
Nonexistent bank accounts, is the money in purgatory now? And then it goes to heaven after they get the rest.
This bank should have its doors nailed shut, and those running it should be run out of town on a donkey's ass.
Basically what happened is the transfers were flagged high risk; yet the bank was just too lazy to call the company and ask them if they initiated these transfers.
PATCO Reimbursed for Online Fraud Losses: Liability Shifts to the Bank
George Tubin | December 10, 2012
In May 2009, an unknown hacker gained access to Patco Construction's online banking account at People's United Bank (d/b/a Ocean Bank). Patco claimed that the hacker had installed malware on a company PC to harvest its online banking credentials. The fraudster then used the stolen credentials, including user ID, password, and the answers to three challenge questions, to log in to a Patco employee's online banking account.
Over a five-day period, the hacker initiated fraudulent ACH and wire transfers totaling over $588,000. Although the bank’s risk engine flagged the transactions as being “very high-risk”, the debit requests were successfully processed. Once the fraud was discovered, the bank was able to recover less than half the funds, leaving Patco with a loss of approximately $345,000.
Reversing a lower court ruling, a federal court of appeals held that the bank's security system was in fact "commercially unreasonable" under the standard set by Article 4A of the Uniform Commercial Code (UCC 4A). While the technology components of the bank's security system looked reasonable on paper, the manner in which the bank operated those technologies was called into question. The appellate court's parting advice: "On remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement."
Earlier this month, the parties did just that. Patco’s CEO Mark Patterson reported that a settlement was reached which included People's United Bank refunding all losses suffered by his company. This settlement, coupled with the outcome of the previous Experi-Metal lawsuit, which also favored the commercial customer over its bank, has set a precedent that will have far reaching ramifications for the industry. These include:
Sentiment has shifted to the commercial customer
The 2011 supplement to the FFIEC's 2005 guidance, "Authentication in an Internet Banking Environment", was clearly focused on pushing banks to implement better fraud prevention for commercial accounts, especially those of small and medium-sized businesses (SMBs). Now, with two landmark cases decided in favor of the commercial customer, legal precedent has also shifted away from financial institutions in online fraud disputes. With regulators and courts stepping in to protect SMBs, the days of banks using UCC 4A to deflect fraud liability onto the customer are over.
“Commercially reasonable” is not what it used to be
Many financial institutions believe that providing "commercially reasonable" security means acquiring a set of fraud prevention technologies similar to those of their peer institutions. Recent court rulings, however, indicate that the manner in which those technologies are implemented and operated is a critical factor in determining commercial reasonableness. If a supposedly "commercially reasonable" fraud prevention platform fails to detect a commonly used fraud scheme, it will be very difficult to argue that it was implemented properly.
Most banks will now refund commercial account fraud losses
Based on the two recent cases, we expect the vast majority of banks to refund SMB fraud losses as a matter of course. Rather than deal with the reputational damage associated with an exposed, and especially a litigated, fraud event, banks will simply avoid the gamble and refund losses (except for cases of egregious client negligence).
Compliance and legal departments take a back seat
Fraud prevention will no longer be driven by administrative functions whose goal is a program that best positions the bank for regulatory examinations and legal proceedings. Instead, customer service and fraud prevention specialists will devise, implement and maintain programs that are actually designed to prevent losses rather than to tick a compliance box. When fraud is prevented, litigation is avoided, regulatory requirements are met and costs go down. When fraud prevention is the primary rather than a secondary focus, legal and regulatory compliance follows.
Banks are forced to deal with malware-based fraud
The terms malware, keylogging, and MitB/MitM (man-in-the-browser and man-in-the-middle) are mentioned more than 20 times in the FFIEC's recent 12-page Authentication Guidance Supplement. Both the Patco and the Experi-Metal fraud incidents involved malware. It is well documented that malware is used extensively to compromise bank customers' devices and commit fraud. Traditional antivirus products do a poor job of detecting and blocking financial malware. Meanwhile, traditional authentication techniques and risk engines are only partially effective at identifying and preventing many forms of malware-based fraud, and they come at a high cost. A new approach to preventing malware-based fraud is sorely needed.
The Patco ruling has triggered a seismic shift in fraud liability. Given this new landscape, preventing fraud, and specifically malware-based fraud, should be the top priority of every bank’s fraud prevention program. While it sounds obvious, many banks are more concerned with peer bank comparisons and legal positioning than actually preventing fraud. We know malware-based fraud can be prevented in a cost effective, customer friendly, manageable and regulatory compliant fashion. Just ask any Trusteer customer.
Really a mess, what's the online security these bankers provide? It was detected only after the transactions were sent to nonexistent bank accounts. For an ordinary customer it is very difficult to establish that his account has been hacked so as to recover the lost money.
The convenience of online banking is great but so are the risks. I never liked using credit cards or check cards to make online purchases or bill payments. The one time I had a problem I purchased a cruise online only to find out the ship wasn't as advertised; in other words the ship was a dump, etc. It took about a year to get my 2000 dollars back. To use online banking with close to 3/4 of a million is crazy. I thought these banks were insured by the Feds. Furthermore, didn't this company have someone in place to monitor its accounts? I know the money was transferred out pretty quickly and the bank should have done something, but I have a "few bucks" in a couple of different accounts and have this habit of checking my banking interests every couple of days. What a mess that was easily avoidable.
What the heck??
posted by (2012-12-15 17:02:24)
Cancel purchasing after the account statement tells you all the mistakes you didn't spend and get your money back. If you call the police they give you where to report, like web complaint links, and maybe the reports can help in court. And why doesn't the bank return your money when anyone takes money from your credit card if you are not purchasing anything?
Websites without Flash don't show clickable button icons and don't do purchasing by the Enter key, if this can help!
posted by (2012-12-19 14:40:28)
Not to encourage pushing in-line but check all number Aussie Hangerbays in China too!! I have a feeling I am a million out of pocket.
posted by (2012-12-20 02:38:45)
FDIC only insures up to 100k per account, if memory serves me correctly.
posted by (2012-12-26 23:20:12)
It is called laundering. Wash-a-wash-a-wash.
Do all the hard work for them and soon they will have a licence to kill as well. Laughing and lying.
Lying and laughing.