It’s an uphill battle – but we’re making progress in the fight against online fraud

July 10, 2012 by Mike Byrnes     No Comments

Teamwork12While one would be foolish to say we can now rest on our laurels, I think it time to pause and celebrate some very tangible progress in the fight against online fraud. July 3, 2012 marked the end of a very interesting yearlong journey for Patco, a Maine-based construction company who became the victim of an online fraud attack that pilfered more than $500,000 from their commercial bank account.

After suing Ocean Bank for poor security controls, and ultimately responsibility for the fraud losses, the US District court of Maine ruled in favor of the bank in June of last year. Basically claiming caveat emptor; the court felt Patco Construction agreed to the bank’s security methods when they signed their commercial contract and were, therefore, aware of the risks at hand. While in my mind, the ruling underscored the sad state of affairs in the world of online fraud (for insight check out my previous blog post ) we have really come a long way in the past 12 months.

Here is a snapshot of several key developments since then:

  1. June 28, 2011
    The FFIEC released new (stronger) guidance reinforcing the risk-management framework originally put in place several years earlier. This new guidance directly addresses the security control deficiencies at Ocean Bank.
  2. July 11, 2011
    In a similar online fraud court case, a Dallas-based court ruled in favor of the plaintiff, Experi-Metal, claiming that their bank, Comerica, should have had better fraud detection controls in place.
  3. August 24, 2011
    Ocean Bank found themselves entangled in a different fraud case involving AML; this time, they were found guilty and fined more than $11 million.
  4. January 1, 2012
    The FFIEC begins to audit banks against the new guidance for online security controls.
  5. March 16, 2012
    Heavyweight software vendor Microsoft leads a collaborative effort to take down key servers involved in a major Zeus and SpyeEye banking Trojan botnet. Teaming up with FS-ISAC and NACHA, they filed suit against 39 parties.
  6. July 3, 2012
    Order is restored. A U.S. Federal appeals court reverses the previous ruling in the Patco/Oceanbank case and slams the bank for failing to have adequate controls.

So, we have made very solid progress and learned some key lessons along the way.

  1. With today’s well-equipped organized crime groups, banks must implement layered security solutions that:
    1. Provide controls beyond simple authentication and transaction-risk scoring
    2. Take context into account and adapt security controls to the situational risk
    3. Are built on a framework that equips banks with the agility to deploy new controls as threats and business needs evolve.
  2. Fighting fraud is a team effort — online customers, banks, industry regulators and security software companies all have role to play.
Mike Byrnes


Entrust product manager Mike Byrnes has more than 20 years’ experience in product management and technology marketing with a focus on internet security and business communication systems. Mike drives product marketing for the Entrust IdentityGuard authentication platform with a significant focus on mobile solutions. In addition to mobile, his background covers identity and access management, fraud detection, malware protection, and email encryption solutions. Mike serves as vertical market prime for Entrust financial services segment, working with large banks across the globe to roll out solutions to their consumer- and corporate-banking client base.

Add to the Conversation