Is your e-banking internet access security commercially reasonable?
by Stites & Harbison, PLLC
Banks seek to make their services more consumer-friendly and convenient. A popular service being offered by banks today is e-banking, where customers are able to access their accounts, and conduct transactions involving those accounts, over the internet. Of course those services also provide opportunities for unscrupulous third-parties to gain unauthorized access to accounts, and more importantly, the funds in those accounts. To protect their customers and those accounts, banks are utilizing a variety of security measures. One bank installed several layers of security within its e-banking system, yet a substantial unauthorized loss was suffered by one of its customers. Had the bank done too little? Had it done too much? The ultimate decision maker was a panel of judges who answered that question against the bank.
Over a seven-day period in May of 2009, the Bank authorized six apparently fraudulent withdrawals, totaling $588,851.26, from Patco Construction Company’s account, after the perpetrators correctly supplied Patco’s customized answers to security questions. After being alerted by Patco, the Bank was able to block or recover $243,406.83 of that sum, leaving a loss to Patco of $345,444.43. Patco brought suit against the Bank to recover its loss, alleging that the Bank’s security system was not commercially reasonable, and that Patco had not consented to the procedure.
Back in 2003, Patco added internet banking to its account at Bank. It used e-banking primarily to make regular weekly payroll payments, which had certain repeated characteristics:
- they were always made on Friday;
- they were always initiated from one of the computers housed at Patco’s offices in Sanford, Maine;
- they originated from a single static internet protocol (IP) address; and
- they were accompanied by weekly withdrawals for federal and state tax withholdings and 401(k) contributions.
The highest payroll payment ever made using e-banking was $36,634.74.
When Patco enrolled in e-banking, it signed an e-banking agreement with Bank wherein it is stated that “Bank did not assume any responsibilities,” use of the service was at Patco’s risk, and that Bank was only liable for its gross negligence, “limited to six months of fees.” The agreement also required Patco to contact Bank immediately upon discovery of an unauthorized transaction.
In 2005, the FFIEC, in response to increased on-line banking fraud, issued guidance titled Authentication in an Internet Banking Environment, in part to help banks evaluate and implement authentication systems and practices. Following publication of that guidance, Bank hired a third party to conduct a risk assessment of its system, and determined that its e-banking product was a high-risk system that required enhanced security and multifactor authentication.
In 2007, Bank rolled out its new internet security package. The system had six features:
- User IDs and passwords, which required each authorized Patco employee to use both a company ID and password, and a user-specific ID and password, in order to access on-line banking;
- The system placed a “device cookie” onto customers’ computers to identify particular computers used to access on-line banking;
- A feature which entailed the building of a risk profile for each customer based on a number of different factors including the location from which a user logged in, when/how often the user logged in, what a user did while on the system, the size, type and frequency of payment orders normally issued by the customer to the Bank, and the IP address that the customer typically used to log into on-line banking;
- Challenge questions: The system required users, during initial log in, to select three challenge questions and responses. The challenge questions would be prompted depending on the risk score associated with a particular transaction, and if the customer could not answer the question in three tries, the customer was blocked from on-line banking and would be required to contact the Bank;
- A dollar amount rule: The system permitted the Bank to set a dollar threshold amount above which a transaction would automatically trigger the challenge questions, even if the user ID, password and device cookie were all valid. Initially Bank set the threshold at $100,000.00, but on June 6, 2008, the Bank lowered the threshold level to $1.00, so, in Patco’s case, it would be prompted to answer the challenge questions every time it initiated a transaction; and
- Subscription to the service provider’s “eFraud Network,” which compared characteristics of the transaction (such as the IP address of the user) with those of known instances of fraud. An attempt to access the system by someone with that characteristic would be automatically blocked, and not even prompted for the challenge questions.
The Bank, however, chose not to implement several other measures of the program:
- Out-of-band Authentication: examples include notification to the customer, callback (voice) verification, e-mail approval from the customer, and cell phone based challenge/response processes;
- User-selected picture;
- Tokens – physical devices that the user has, such as a USB token device, a smart card, or a password-generating token; and
- Monitoring of risk-scoring reports – the Bank did not monitor the risk-profiling reports received as part of the risk-profiling feature although it had the capability to do so.
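As an added illustration (not code from the article, the Bank, or its service provider), the following toy risk-profiling and step-up policy is built from the features listed above; the profile values, IP addresses, device names, payee names and thresholds are constructed assumptions. It shows why a $1.00 dollar rule prompts challenge questions on every routine transfer while a risk-based trigger reserves them for anomalous ones, and what a monitored risk-scoring report would have surfaced for customer notification.

```python
from dataclasses import dataclass

# Constructed sample data modelled on the customer pattern described in the article.
# None of these values come from the case record; they are assumptions for illustration.

@dataclass
class Profile:
    usual_ips: set          # static IP the customer normally logs in from
    known_devices: set      # device-cookie values previously placed on its computers
    usual_weekday: int      # 4 == Friday
    max_amount: float       # largest prior payroll payment
    usual_payees: set

@dataclass
class Transfer:
    amount: float
    ip: str
    device: str             # device-cookie value presented at login
    weekday: int
    payee: str
    with_tax_withdrawals: bool   # accompanied by the usual tax/401(k) withdrawals?

FRIDAY = 4

def risk_flags(t: Transfer, p: Profile) -> list:
    """Return the anomaly flags a risk profile would raise for this transfer."""
    checks = [
        (t.ip not in p.usual_ips, "new IP address"),
        (t.device not in p.known_devices, "unrecognised device cookie"),
        (t.weekday != p.usual_weekday, "unusual day of week"),
        (t.amount > p.max_amount, "amount exceeds historical maximum"),
        (t.payee not in p.usual_payees, "new recipient"),
        (not t.with_tax_withdrawals, "no accompanying tax withdrawals"),
    ]
    return [reason for hit, reason in checks if hit]

def challenge_required(t: Transfer, p: Profile, dollar_threshold: float, risk_threshold: int = 2) -> bool:
    """Challenge questions fire on the dollar rule OR on a sufficiently risky profile score."""
    return t.amount > dollar_threshold or len(risk_flags(t, p)) >= risk_threshold

def needs_customer_alert(t: Transfer, p: Profile, review_threshold: int = 3) -> bool:
    """What monitoring of the risk-scoring report would surface for out-of-band contact."""
    return len(risk_flags(t, p)) >= review_threshold

# Constructed profile and transfers (documentation-range IPs, invented names).
PATCO_LIKE = Profile({"203.0.113.10"}, {"office-pc-1"}, FRIDAY, 36634.74, {"payroll-processor"})
ROUTINE = Transfer(36000.00, "203.0.113.10", "office-pc-1", FRIDAY, "payroll-processor", True)
ANOMALOUS = Transfer(90000.00, "198.51.100.7", "unknown-device", 1, "new-account", False)

if __name__ == "__main__":
    for label, t in (("routine", ROUTINE), ("anomalous", ANOMALOUS)):
        print(label, "challenge@$1:", challenge_required(t, PATCO_LIKE, 1.0),
              "challenge@$100k:", challenge_required(t, PATCO_LIKE, 100000.0),
              "alert:", needs_customer_alert(t, PATCO_LIKE), risk_flags(t, PATCO_LIKE))
```

With the $1.00 rule the routine Friday payroll is challenged every week, so the answers are typed on the customer's machine each time; with the $100,000.00 rule plus the risk score, only the anomalous transfer is challenged, and it also trips the review threshold that an unmonitored report would have left unread.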
Suffice it to say that the series of six (6) e-banking withdrawals at issue were inconsistent with the prior history of e-banking transactions conducted by Patco: in their amounts, in the recipients of the funds, in the device from which the perpetrators logged in, and in their origin from an IP address that had not been used previously; and there were no corresponding tax payment withdrawals.
The six (6) transactions were made over an eight-day period of time. Luckily, some of the transactions had bad routing information for the recipients so were returned to Bank, which generated “return” notices to Patco from the Bank. The owner of Patco received the first “return” notice and contacted the Bank. Thereafter, the Bank took steps to block completion of that transaction and recovered a portion of the previously withdrawn funds.
A few months later, Patco sued Bank to recover its loss. It asserted six separate theories of relief. Bank filed a motion for summary judgment and the federal Magistrate Judge determined that Bank’s security measures were commercially reasonable and that Patco had agreed to them. Thus, the Magistrate concluded, Patco and not the Bank bore responsibility for Patco’s loss. Thereafter, the District Court Judge adopted the Magistrate’s findings and entered an order in favor of Bank. Bank appealed to the 1st Circuit Court of Appeals.
Patco’s first theory was that Bank was liable under Article 4A of the UCC, whose provisions are meant to govern the rights, duties and liabilities of banks and their commercial customers with respect to electronic funds transfers. Under 4A, a bank receiving a payment order ordinarily bears the risk of loss of any unauthorized transfer. [In Tennessee, the statute is TCA 47-4A-204]. The bank can shift that risk of loss in one of two ways: 1) by actually verifying that the payment order is authorized; or 2) if the bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders. [TCA 47-4A-202].
In the Patco case, Bank did not verify the authenticity, so the question becomes whether Bank’s security system was commercially reasonable.
The Court of Appeals found that Bank substantially increased the risk of fraud when it changed the challenge question threshold from $100,000.00 to $1.00, because all transactions would then require challenge questions to be answered, which substantially increased the likelihood that keyloggers or malware would capture that information for unauthorized uses. An expert testified that keylogging software was a persistent problem throughout the financial industry; thus the Court concluded that it is foreseeable by a bank that a customer’s computer would become infected with a keylogger.
Also, the failure to implement the additional program security features was “especially unreasonable in light of Bank’s knowledge of ongoing fraud.” In fact, prior to these transactions, Bank itself had twice experienced its own losses due to keylogger infection.
Bank also had warnings that the subject transactions were fraudulent based upon the numerous risk factors, but the bank failed to monitor the risk factor reports and notify the customer.
The Court of Appeals concluded: “The collective failures, taken as a whole, rendered Bank’s security procedures commercially unreasonable.” Accordingly, the summary judgment in favor of Bank was reversed.
(Cite: Patco Construction Company, Inc. v. Peoples United Bank d/b/a Ocean Bank (July 3, 2012), United States First Circuit Court of Appeals, 684 F.3d 197.)