The banking sector could face a major shake-up after a court in the US ruled that a bank failed to protect a user's account against fraudulent access.
In a recent case, a US judge allowed Marsha and Michael Shames-Yeakel to proceed with a case against Citizens Financial Bank. The couple alleged that the bank had failed to implement state-of-the-art security technology after they lost $26,500 to fraud perpetrated through their online bank account.
The US District Judge refused to grant summary judgement in favour of the financial institution, clearing the way for the case to go to trial. In her judgement, Rebecca Pallmeyer stated: “In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.”
Rik Ferguson, senior security advisor at Trend Micro, claimed that the case could have important ramifications across the US. He highlighted a 2005 FFIEC report entitled ‘Authentication in an internet banking environment’, which stated: “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”
Ferguson said: “The sheer volume of personal banking data and the ease with which it can be accessed is staggering. Don't for a moment think that cost or lack of skill is a barrier to entry into the shady world of ‘carding' and online financial fraud.
“Logon details for online banking are usually sold priced as a percentage of the available balance on the account. Today, bank accounts are available online for as little as three per cent, including personal, business and offshore accounts.”
He claimed that online banking in the US still tends to rely on simple username and password combinations, and that in the rare cases where a confirmation number is required, it is often sent to the customer's email account, which a criminal can easily compromise.
US online banking has typically used single-factor authentication, based purely on something you know (in this case, your password). In Europe, two-factor authentication has been common for years: a username and password, the something you know, combined with an additional credential, often based on something you have.
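To make the difference concrete, here is an added example (not code from the article, the bank, or Trend Micro) of a single-factor login check beside a two-factor one. The second factor is a time-based one-time password (TOTP, RFC 6238) generated by a device the customer holds, which is the usual "something you have". The user record, its password, and its TOTP secret (the RFC 6238 test-vector key) are constructed for the example; a real deployment would hold the secret in an HSM or a protected store, not in a module-level dict.

```python
import hashlib
import hmac
import struct

# Constructed user store for the example. The TOTP secret is the RFC 6238 /
# RFC 4226 test-vector key so the one-time codes can be checked against the
# published vectors; the password and salt are made up.
_SALT = b"constructed-salt-value"
_ITERATIONS = 100_000
USERS = {
    "customer1": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest time-step counter already accepted (replay guard)
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now) // step, digits)


def verify_password(username: str, password: str) -> bool:
    """Single factor: something you know. Constant-time compare of a PBKDF2 hash."""
    user = USERS.get(username)
    if user is None:
        # Do the same work for unknown users so response time does not reveal valid usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy-salt", _ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], _ITERATIONS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(username: str, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Second factor: something you have. Accepts codes within +/- `window` time steps,
    but never a time step that has already been used (one-time really means once)."""
    user = USERS.get(username)
    if user is None:
        return False
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if c <= user["last_counter"]:
            continue  # replayed or older than an already-accepted code
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            user["last_counter"] = c
            return True
    return False


def login_single_factor(username: str, password: str) -> bool:
    """The weak scheme the article describes: a password alone unlocks the account."""
    return verify_password(username, password)


def login_two_factor(username: str, password: str, code: str, now: float) -> bool:
    """Both factors must pass. The one-time code is only consumed when the password is
    correct, so an attacker holding stolen logon details cannot burn the customer's codes."""
    if not verify_password(username, password):
        return False
    return verify_totp(username, code, now)


if __name__ == "__main__":
    # Constructed demonstration: phished credentials alone succeed against the
    # single-factor check and fail against the two-factor one.
    print("single-factor:", login_single_factor("customer1", "correct horse"))
    print("two-factor, no device:", login_two_factor("customer1", "correct horse", "000000", 59))
    print("two-factor, device code:", login_two_factor("customer1", "correct horse", totp(USERS["customer1"]["totp_secret"], 59), 59))
```

The replay guard matters in practice: a phishing page that relays a freshly entered code to the bank within the 30-second window still gets one session, but the same code cannot be reused afterwards, and the `last_counter` bookkeeping is what enforces that.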
Ferguson said: “The deployment of these kinds of technologies in Europe, along with the language issues, means that the US is considered ‘low-hanging fruit’ for online banking fraud, and until financial institutions invest in the necessary deterrent technology, it will remain so.
“That being said though, two-factor authentication technology may not be familiar to even some European banking customers, because (as was the case with chip and PIN cards) certain European countries have also been guilty of tardiness in deploying security technologies for online banking. So, if your bank doesn't require this additional security, you can bet that cybercriminals know this and that your bank and your account will be targets.”
He further claimed that it is worth remembering that you should not always rely on the goodwill of your financial institution to reimburse you for losses to cybercrime.
“An argument I have heard time and again from friends and acquaintances is ‘Why should I worry when the bank always reimburses any losses?’ If the losses to cybercrime ever become too much for UK banks, for example, they can fall back on the provisions of their Banking Code, which states ‘If you act without reasonable care, and this causes losses, you may be responsible for them’,” said Ferguson.