While one would be foolish to say we can now rest on our laurels, I think it is time to pause and celebrate some very tangible progress in the fight against online fraud. July 3, 2012 marked the end of a very interesting yearlong journey for Patco, a Maine-based construction company that became the victim of an online fraud attack that pilfered more than $500,000 from its commercial bank account.
After Patco sued Ocean Bank over poor security controls, and ultimately over responsibility for the fraud losses, the US District Court of Maine ruled in favor of the bank in June of last year. Basically claiming caveat emptor, the court felt Patco Construction had agreed to the bank’s security methods when it signed its commercial contract and was, therefore, aware of the risks at hand. While in my mind the ruling underscored the sad state of affairs in the world of online fraud (for insight, check out my previous blog post), we have really come a long way in the past 12 months.
Here is a snapshot of several key developments since then:
- June 28, 2011
The FFIEC released new (stronger) guidance reinforcing the risk-management framework originally put in place several years earlier. This new guidance directly addresses the security control deficiencies at Ocean Bank.
- July 11, 2011
In a similar online fraud court case, a Dallas-based court ruled in favor of the plaintiff, Experi-Metal, claiming that their bank, Comerica, should have had better fraud detection controls in place.
- August 24, 2011
Ocean Bank found themselves entangled in a different fraud case involving AML; this time, they were found guilty and fined more than $11 million.
- January 1, 2012
The FFIEC begins to audit banks against the new guidance for online security controls.
- March 16, 2012
Heavyweight software vendor Microsoft leads a collaborative effort to take down key servers involved in a major Zeus and SpyEye banking Trojan botnet. Teaming up with FS-ISAC and NACHA, they file suit against 39 parties.
- July 3, 2012
Order is restored. A U.S. Federal appeals court reverses the previous ruling in the Patco/Ocean Bank case and slams the bank for failing to have adequate controls.
So, we have made very solid progress and learned some key lessons along the way.
- With today’s well-equipped organized crime groups, banks must implement layered security solutions that:
  - Provide controls beyond simple authentication and transaction-risk scoring
  - Take context into account and adapt security controls to the situational risk
  - Are built on a framework that equips banks with the agility to deploy new controls as threats and business needs evolve
- Fighting fraud is a team effort — online customers, banks, industry regulators and security software companies all have a role to play.