08 June, 2011 – 10:35
A US judge magistrate has ruled that a bank is not responsible for the loss of around $345,000 from a business customer account following a cyber-attack.
Magistrate judge John Rich has recommended that a US District Court in Maine grant Ocean Bank’s motion for a summary dismissal of the complaint filed by Patco Construction Company.
Rich’s order – first reported by BankInfoSecurity – comes after Patco Construction Company sued Ocean bank in the wake of a 2009 cyber-attack.
Malware was used to steal the firm’s online banking credentials which the crooks then tapped to make ACH transactions worth nearly $600,000. Around $243,000 worth of payments were blocked by the bank once the fraud was discovered.
However, Patco sued Ocean for the remaining $345,000, arguing that the bank should have spotted the fraud and stopped it. The construction firm also argues that by not requiring customers to use multi-factor authentication, Ocean does not use best practice.
Ocean argued that having verified IDs, passwords and requested challenge response questions, it acted in good faith by processing the ACH payments and Patco was to blame for letting its details become compromised.
Rich concludes that, although Ocean could have done more to authenticate users, the law does not require banks to use the “best” possible security measures and customers are aware of what is on offer when they sign up.