Appellate Court Decision Demonstrates Security Is Not Just About Technology - It’s About People




by:
Chanley T. Howell
Foley & Lardner LLP - Jacksonville Office

 
August 24, 2012

Previously published on August 16, 2012

A federal appellate court recently held that a bank is potentially liable to a customer for failing to catch fraudulent money transfers totaling over $500,000. (Patco Construction Company v. People’s United Bank, 1st Cir., July 3, 2012, http://www.ca1.uscourts.gov/pdf.opinions/11-2031P-01A.pdf). The court held that the bank’s security procedures were not “commercially reasonable,” and left the bank’s resulting liability for the fraudulent transfers to be decided by the trial court.

The decision is significant as it demonstrates the importance of people to security, and that effective data security is not just about the technology. The security system used by the bank was impressive, offering the following options:

  • UserID and Password*
  • One-time-password (OTP) Tokens
  • Out-of-band Authentication
  • User selected image for recognizing the bank
  • Customer Device Recognition by IP address and cookie*
  • Transaction Risk Profiling*
  • Challenge-Response based upon shared secrets*
  • Dollar Amount threshold for invoking Challenge-Response*
  • Access to intelligence from the eFraud Network including IP addresses of known hostile systems*
  • Risk Scoring Reports

* Implemented by the bank

The court’s decision reveals that the crux of the problem was not with the technology, but with the decisions made by the bank personnel:

  • The bank decided to trigger challenge questions for any transaction over $1.
  • This decision increased the frequency with which a user had to type the answers to his or her challenge questions, and accordingly increased the likelihood that those answers could be captured by hackers, for example through a keylogger or other malware on the customer’s computer. A shared secret that is entered on nearly every login is exposed as often as the password it is supposed to back up.
  • When the system generated warnings that fraud was likely occurring, bank personnel neither monitored the flagged transactions nor notified the customer before allowing them to be completed.
  • Bank personnel did not monitor the risk-scoring reports.
  • The bank did not conduct any regular reviews of transactions that generated high risk scores.
  • Bank employees should have been aware of the increased risk of compromise because, at the times in question, keylogging malware was a persistent problem throughout the financial industry.
  • Bank personnel should have understood that triggering the same challenge questions for high-risk transactions as for ordinary transactions was ineffective as a stand-alone backstop to user ID and password entry.
  • The bank’s decision to set the dollar amount rule at $1 for all of its customers ignored the legal requirement that security procedures take into account “the circumstances of the customer” known to the bank.
  • The bank did nothing with the information generated by comparing the fraudulent transactions against the customer’s profile.
  • The bank’s generic “one-size-fits all” approach to customers was contrary to the bank’s legal obligation to take the customer’s circumstances into account.
  • Other banks using the same vendor’s security product employed manual reviews or other additional security measures to protect against the type of fraud that occurred in this case.
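As an added illustration (not code from the decision, the bank, or the security vendor), the following Python sketch contrasts the flat $1 trigger the court faulted with a policy that uses the same signals the bank already had (device recognition, transaction profiling, risk scoring) but derives the dollar threshold from each customer’s own history and escalates only unusual transfers, either out of band or to a human reviewer. It generalizes beyond the facts of the case: the customer, amounts, device fingerprints, point values and thresholds are all constructed assumptions.

```python
"""Risk-based step-up authentication: flat $1 trigger vs. per-customer policy.

Added illustration only. Names, point values, thresholds and all transaction
data below are constructed for the example; none come from the Patco opinion
or from the bank's or vendor's actual product.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Customer:
    customer_id: str
    history: tuple            # amounts of past legitimate transfers (constructed)
    known_devices: frozenset  # device fingerprints (IP + cookie) seen before


@dataclass(frozen=True)
class Transfer:
    customer_id: str
    amount: float
    device: str
    new_payee: bool           # destination account never paid before


def flat_policy(t: Transfer, c: Customer, threshold: float = 1.0) -> str:
    """The faulted configuration: the same challenge questions for every
    transfer over $1, so the 'backstop' secret is typed almost every session."""
    return "challenge" if t.amount > threshold else "allow"


def customer_threshold(c: Customer, k: float = 3.0) -> float:
    """Amount above which a transfer is unusual *for this customer*.

    Baseline is mean + k standard deviations of the customer's own history.
    With fewer than three data points there is no baseline yet, so return 0.0
    and let every transfer count as unusual until one exists (fail closed)."""
    if len(c.history) < 3:
        return 0.0
    return mean(c.history) + k * pstdev(c.history)


def risk_score(t: Transfer, c: Customer) -> int:
    """Additive score from signals the article lists as available but unused.
    Point values (40/40/20) are assumptions chosen for the example."""
    score = 0
    if t.device not in c.known_devices:      # device recognition (IP + cookie)
        score += 40
    if t.amount > customer_threshold(c):     # dollar threshold, per customer
        score += 40
    if t.new_payee:                          # deviation from transaction profile
        score += 20
    return score


def adaptive_policy(t: Transfer, c: Customer,
                    step_up_at: int = 40, review_at: int = 60) -> str:
    """Decide from the score rather than a flat dollar amount:
    below step_up_at allow silently; from step_up_at require out-of-band
    confirmation on a second channel (not the keylogger-exposed challenge
    answers); from review_at hold the transfer for a human before release."""
    score = risk_score(t, c)
    if score >= review_at:
        return "hold_for_review"
    if score >= step_up_at:
        return "step_up_out_of_band"
    return "allow"


def count_decisions(transfers, customer, policy) -> dict:
    """Tally what a policy does to a batch of transfers, for comparison."""
    return dict(Counter(policy(t, customer) for t in transfers))


# Constructed sample data: a small business that runs payroll from one office.
ACME = Customer(
    customer_id="acme",
    history=(25_000.0, 27_000.0, 30_000.0, 26_000.0, 28_000.0),
    known_devices=frozenset({"203.0.113.7|cookie-a1"}),
)

# Five ordinary payroll runs from the known device to the usual payee.
ORDINARY = [Transfer("acme", amt, "203.0.113.7|cookie-a1", new_payee=False)
            for amt in (26_500.0, 27_200.0, 28_900.0, 25_800.0, 29_100.0)]

# One fraudulent transfer: unrecognized device, far above baseline, new payee.
FRAUD = Transfer("acme", 100_000.0, "198.51.100.44|cookie-zz", new_payee=True)

# A legitimate but unusual transfer: known device, known payee, large amount.
UNUSUAL = Transfer("acme", 60_000.0, "203.0.113.7|cookie-a1", new_payee=False)


if __name__ == "__main__":
    print("flat     :", count_decisions(ORDINARY, ACME, flat_policy))
    print("adaptive :", count_decisions(ORDINARY, ACME, adaptive_policy))
    print("fraud    :", flat_policy(FRAUD, ACME), "/", adaptive_policy(FRAUD, ACME))
    print("unusual  :", flat_policy(UNUSUAL, ACME), "/", adaptive_policy(UNUSUAL, ACME))
```

Under the flat policy every routine payroll transfer prompts for the challenge answers, so malware on the customer’s machine captures them in the first session and the fraudulent transfer receives exactly the same prompt as a normal one. Under the per-customer policy the routine transfers pass silently, the large-but-familiar transfer gets an out-of-band confirmation, and the anomalous one is held for a person to look at, which is the manual review the opinion noted other banks performed. One caveat a practitioner would add: a baseline learned from history is itself an attack surface (an intruder who slowly inflates the history raises the threshold), so production systems pair it with an absolute ceiling and with review of the risk reports rather than relying on the statistic alone.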

Lessons Learned. Useful take-aways from the Patco decision for all companies, not just banks, include the following:

  • Examine the factors above with respect to your own organization; they are what led the court to conclude that the bank’s security procedures were not commercially reasonable.
  • The technology solution you purchase for information security must be robust and at least commensurate with industry standards.
  • Do not ignore the human element necessary to properly implement and use the system.
  • Do not set system alerts or alarms to be overly sensitive. Constant prompting and constant warnings lead to the “boy who cried wolf” syndrome, and in Patco the over-sensitive trigger also exposed the very secret it was meant to protect.
  • Continually review your system and personnel procedures to be sure they keep up with industry-standard security measures and remain appropriate for continually advancing threats and risks.
  • Security is not “one-size-fits-all.” Not only must the system be configured to your organization, but the procedures and actions taken in response to its outputs must take into account each customer’s unique circumstances.
  • Properly train your personnel to use your information security systems effectively and to monitor their outputs through manual reviews and similar procedures.

Visit our Practice Area Resource Centers to view practice area specific content compiled from a variety of legal sources. Find related articles, podcasts, industry leader insights and much more. We currently offer the following Practice Areas:Litigation;Intellectual Property;Real Estate;Corporate Law;Criminal Law;Bankruptcy;Immigration;Business Law;Insurance;Taxation;Labor & Employment;Commercial Law;Medical Malpractice;Trusts & Estates;Securities;International Law ;Health Care;Environmental Law;Construction Law;Workers' Compensation