I just read a couple of articles / blogs on the cyber fraud case in which Patco Construction is suing its bank, Ocean Bank, for failing to provide appropriate security controls to protect its online account. It appears that Ocean Bank customers were the target of advanced malware attacks that hijacked their online credentials and, at the end of the day, more than $500,000 was stolen from Patco’s account. As well described in the attached links, it would appear that the bank had less than adequate security measures to protect against today’s online threats and that it even fell short of the 2005 FFIEC guidelines; but what does the court say?
According to David Navetta, an attorney who specializes in IT security and privacy: “since PATCO agreed to the bank’s security methods when it signed the contract, the court suggests then that PATCO considered the bank’s methods to be reasonable.” WOW – I don’t get it. The customer is responsible for making sure the bank has proper security controls in place? Sure, we all have a certain level of responsibility to make sure we understand the vendor’s offering and capabilities when we purchase goods and services… but come on! How can the general public ever be educated and equipped to test whether their bank is truly providing the level of controls needed at this level? Is that not the job of the bank examiner? Is it not the role of the regulatory bodies to make sure that SECURITY EXPERTS assess the current fraud threats and that corresponding regulatory guidelines are then put in place? There is no way the average customer, whether a retail client, a small business, a not-for-profit, etc., could ever be effective at making that kind of judgment call on their own, nor should they have to.
This just underscores how critical it is for the FFIEC to push out new guidance to address today’s cyber threat reality. Many banks today still fall short of addressing threats that have been around for years. Gartner analyst Avivah Litan agrees: “Unfortunately, the 2005 FFIEC guidance referred to examples of relatively crude online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 has long ago bypassed and surpassed those old techniques.”