In May 2009, an unknown hacker gained access to PATCO Construction’s online banking account at People’s United Bank (doing business as Ocean Bank). PATCO claimed the hacker somehow installed malware on a company PC to obtain banking credentials and commit online fraud. The fraudster was then able to use the stolen credentials — a user ID, password and the answers to three security questions — to access a PATCO employee’s online bank account.

Over a five-day period, the hacker initiated fraudulent Automated Clearing House (ACH) and wire transfers totaling over $588,000. Although the bank’s risk engine flagged the transactions as being “very high risk,” the debit requests were successfully processed. Once the fraud was discovered, the bank was able to recover less than half of the funds, leaving PATCO with a loss of approximately $345,000.

Reversing a lower-court ruling, a federal court of appeals stated that the bank’s security system was “commercially unreasonable,” based on requirements set under Article 4A of the Uniform Commercial Code. While the technology components of the bank’s security system appeared reasonable on paper, the manner in which the bank operated the technologies was called into question.

The appellate court’s final advice? “On remand, the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement.”

Earlier this month, the parties did just that. PATCO’s Chief Executive Officer Mark Patterson reported that a settlement had been reached, with People’s United Bank refunding all losses suffered by his company. This settlement, coupled with the outcome of the Experi-Metal lawsuit, which also favored the commercial customer over its bank, has set a precedent that will have far-reaching ramifications for the industry.

Sentiment Has Shifted Toward the Commercial Customer

The recent update to the Federal Financial Institutions Examination Council’s (FFIEC) 2005 “Authentication in an Internet Banking Environment” guidance was clearly focused on driving banks to implement better fraud prevention capabilities to protect commercial customer accounts, especially for small- and medium-sized businesses (SMBs). Now, with two landmark cases ruling in favor of the commercial customer, legal precedent has also shifted away from financial institutions regarding online fraud incidents. With regulators and courts stepping in to protect SMBs, the days of banks using UCC 4A to deflect fraud liability to the customer are over.

‘Commercially Reasonable’ Isn’t What It Used to Be

Many financial institutions believe that providing “commercially reasonable” security consists of acquiring a set of fraud prevention technologies similar to those of their peer institutions. However, recent court rulings indicate that the manner in which the technologies are implemented and operated are critical factors in determining commercial reasonableness. If an alleged “commercially reasonable” fraud prevention platform does not detect a commonly used fraud scheme, it will be very difficult to argue that it was implemented properly.

Most Banks Will Now Refund Commercial Account Losses From Online Fraud

Based on the two recent cases, we expect the vast majority of banks to refund SMB fraud losses as a matter of course. Rather than deal with the reputational damage associated with an exposed — and especially litigated — fraud event, banks will simply avoid the gamble and refund losses (except for cases of egregious client negligence).

Compliance and Legal Departments Take a Back Seat

Fraud prevention will no longer be driven by administrative functions that seek to invest in fraud prevention programs that best position the bank for regulatory examinations and legal proceedings. Instead, customer service and fraud prevention specialists will devise, implement and maintain fraud prevention programs that are actually designed to prevent losses and not simply meet a compliance check box. When fraud is being prevented, litigation is avoided, regulatory compliance is met, costs are reduced, etc. When fraud prevention is given a primary focus rather than a secondary focus, legal and regulatory compliance requirements will fall in line.

Banks Are Forced to Deal With Malware-Based Fraud

The terms “malware,” “key-logging” and “man-in-the-browser/man-in-the-middle” are mentioned over 20 times in the recent 12-page FFIEC authentication guidance supplement. Both the PATCO and Experi-Metal fraud incidents involved malware. It is a well-known and documented fact that malware is being used extensively to compromise bank customers’ devices and commit fraud. Traditional antivirus applications do a poor job of detecting and preventing dangerous financial malware. Meanwhile, traditional authentication techniques and risk engines are only partially effective when it comes to identifying and preventing many forms of malware-based fraud. They also come at a high cost. A new approach for preventing malware-based fraud is sorely needed.

The PATCO ruling has triggered a seismic shift in fraud liability. Given this new landscape, preventing fraud — and specifically malware-based fraud — should be the top priority of every bank’s fraud prevention program. While it sounds obvious, many banks are more concerned with peer bank comparisons and legal positioning than actually preventing fraud. We know malware-based fraud can be prevented in a cost-effective, customer-friendly, manageable and regularly compliant fashion.

More from Banking & Finance

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today