A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

In May 2009, Sanford, Maine-based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn.-based People’s United Bank. Patco used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.

In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco’s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco’s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.

Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco’s motion for summary judgment and granting the bank’s motion.

David Navetta, a founding partner of the Information Law Group, said that Patco has about another week to dispute the magistrate’s recommendations, but that it is unlikely that the judge overseeing the case will overturn the magistrate’s findings.

Navetta said the magistrate considered the legal issues and propounded an analysis of what constitutes “commercially reasonable” security.

“Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability,” Navetta said. “The court explicitly recognizes this concept, and I think that is a good thing.”

But Avivah Litan, a fraud and bank security analyst at Gartner, took strong exception to the way the magistrate arrived at the recommended decision, calling it “an outrage.”

“In my opinion, this is frankly an egregious injustice against small U.S. businesses,” Litan said. “It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century.”

The Technology

Ocean Bank relied on service provider Jack Henry to process bank-to-bank transfers, and it selected an authentication process that required customers to log in with a company ID, user ID and password. Customers also were asked to provide answers to three “challenge questions” that would be asked if the system scored a transaction as “high risk.”

The Jack Henry product came with a risk scoring system developed by RSA’s Cyota, which rates the riskiness of transactions by using several factors, such as the location of a user’s Internet address, when and how often the user logs in, and how the customer navigates the site. Challenge questions were prompted when the risk score for a transaction exceeded 750 on a scale of zero to 1,000 (RSA considers transactions generating risk scores in excess of 750 to be high-risk). Ocean Bank also kept track of customer “device IDs,” an amalgamation of attributes from the customer’s PC that could be used to create a unique fingerprint for that machine.

Until 2008, Ocean Bank set its dollar amount threshold — transfer amounts that would automatically require the answer to a challenge question regardless of the Cyota fraud score — at $100,000. But in July 2008, the bank lowered that threshold to $1. The bank told the court that it did so to enhance security following ACH fraud at the bank that targeted low-dollar amount transactions. After the change, customers were forced to answer a challenge question whenever they used the bank’s system.

The Analysis

Patco’s security expert, Sari Green of Portland, Me.-based Sage Data Security, told the court that by setting challenge questions to be asked on every transaction, the bank greatly increased the risk that a fraudster equipped with a banking Trojan would be able to compromise the answers to a customer’s challenge questions. Patco also argued that because the questions were triggered on every transaction regardless of the scoring of the transaction, the system did not provide any additional security.
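To make the point about the $1 threshold concrete, here is a small constructed model of the step-up policy described above: a challenge question fires when the risk score passes 750 or when the transfer amount reaches the bank’s dollar threshold. This is added example code, not the bank’s or Jack Henry’s logic; the transfer sample, the function names and the dataclass are assumptions.

```python
from dataclasses import dataclass

RISK_THRESHOLD = 750  # RSA treats scores above 750 (of 1,000) as high-risk


@dataclass
class Transfer:
    amount: float
    risk_score: int


def challenge_reasons(t: Transfer, dollar_threshold: float) -> set:
    """Return why a challenge question is asked for this transfer (empty set = no prompt).

    'score' means the Cyota-style score flagged the transfer; 'amount' means the
    dollar threshold alone forced the prompt regardless of score.
    """
    reasons = set()
    if t.risk_score > RISK_THRESHOLD:
        reasons.add("score")
    if t.amount >= dollar_threshold:
        reasons.add("amount")
    return reasons


def challenge_exposure(transfers, dollar_threshold: float) -> dict:
    """Summarise how often challenge answers are requested under a policy.

    Every prompt is a session in which a browser-resident Trojan could capture the
    answers, so prompting on every login hands over the 'second layer' immediately.
    'signal' counts prompts that would NOT have happened on amount alone, i.e. the
    prompts that still carry risk information.
    """
    prompted = [challenge_reasons(t, dollar_threshold) for t in transfers]
    return {
        "prompted": sum(1 for r in prompted if r),
        "total": len(transfers),
        "signal": sum(1 for r in prompted if r and r != {"amount"}),
    }


# Constructed weekly payroll history: routine low-risk transfers plus one
# anomalous transfer that the risk engine scores as high-risk.
SAMPLE = [Transfer(4200.0, 120), Transfer(4350.0, 95), Transfer(4100.0, 140),
          Transfer(4400.0, 110), Transfer(9800.0, 790)]


def compare_policies(transfers=SAMPLE) -> dict:
    """Exposure under the pre-2008 ($100,000) and post-2008 ($1) thresholds."""
    return {"pre_2008": challenge_exposure(transfers, 100_000.0),
            "post_2008": challenge_exposure(transfers, 1.0)}
```

Under the $100,000 threshold only the high-scoring transfer prompts, so a prompt is itself an anomaly signal; under the $1 threshold every session prompts and the prompt no longer distinguishes the anomalous transfer from routine payroll.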

Navetta said the magistrate considered the question of whether Ocean Bank’s security was sufficient. The magistrate analyzed whether the bank’s security satisfied “multi-factor authentication” guidelines by incorporating at least two of three checks: something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token), and something the user is (such as a biometric identifier). Those guidelines were established in 2005 by banking regulators at the Federal Financial Institutions Examination Council (FFIEC).

Navetta said the magistrate accepted the bank’s argument that the password-based scheme used by the bank was multi-factor as described in the FFIEC guidance. “To some degree the court acknowledged that the bank’s security could have been better,” Navetta said. “Even so, it was technically multi-factor as described in the FFIEC guidance in the court’s opinion, and ‘the best’ was not necessary.”

The magistrate wrote that while the guidelines say two out of three of those factors should be incorporated, they say nothing about how banks must respond when one of those factors detects an anomaly. More importantly, the magistrate accepted the bank’s assertion that a device ID satisfied the “something the user has” requirement.

The magistrate was unswayed by evidence presented by Patco’s lawyers that modern malware threats like ZeuS can modify content in the victim’s browser (and thus prompt users for the answers to all of their secret questions). ZeuS also allows attackers to tunnel their communications through a victim’s own PC and browser, an attack method that can negate the value of a device ID as a second factor. Navetta said Patco’s main theory concerning the weakness of the bank’s security was that the lower dollar threshold set by the bank made customers easier prey for predators like the ZeuS Trojan, but that the magistrate was unconvinced by that argument because Patco did not have actual forensic evidence that a keystroke logger was the culprit. The magistrate said Patco erred by “having irreparably altered the evidence on its hard drives by running scans on its computers and continuing to use them prior to making proper forensic copies.”

Avivah Litan said the methods used by Jack Henry to support Ocean Bank were not appropriate to the risks associated with online business banking in 2009.

“Zeus, browser-based Trojans and other modern-day threats are known by anyone following online banking security to circumvent all the methods that were being used at the time by the bank and its processor,” Litan said. “Unfortunately, the 2005 FFIEC guidance referred to examples of relatively crude online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 has long ago bypassed and surpassed those old techniques.”

The FFIEC was on the verge of releasing updated guidance at the end of last year to clarify the new and stronger types of multi-layered defenses required in 2011. Litan said those updates were expected to explain that the examples of strong online banking security measures which they listed in 2005 have been rendered useless and obsolete by next-generation cybercrime techniques.

“It’s truly disappointing that the much-needed update was never issued, no doubt because of internal politics and disagreements among the regulatory agencies,” she said. “The regulators should not leave these matters in judges’ hands to decide and should protect U.S. businesses from bank shortcomings that compromise the safety and security of their accounts, just as consumers are protected under Regulation E. In my opinion, this judge did not correctly interpret the 2005 FFIEC authentication guidance.”

Patco co-owner Mark Patterson said the company hasn’t yet decided whether to appeal.

“The one thing the judge mentioned in his decision is that there is basically zero case law on [question of what constitutes reasonable security] for the banks,” Patterson said. “Not anymore. That’s why we’re concerned this could have national implications. Tons of small businesses continue to be at a huge risk for this type of thing happening to them.”

The magistrate’s recommendations are by no means a done deal, even if the district court adopts them. The decision could be appealed, possibly all the way to the US Supreme Court. Interested parties could present further legal argument by filing amicus curiae (friend of the court) briefs at any time during the appeal process.

A copy of the recommended decision is available here (PDF).

KrebsOnSecurity will continue to follow this case and to bring you updates on new developments as they happen. Stay tuned.
