US Appeals Court Says Bank Liable For Losses From Poor Online Security

An anonymous reader writes with this extract: "Threatpost reports that a judge on the United States Court of Appeals this week ruled that People's United Bank's processes and systems for protecting customer accounts from fraud were not "commercially reasonable." The ruling in People's United Bank (formerly Ocean Bank of Maine) versus Patco Construction Company reverses a lower court's ruling in a case that stems from six allegedly fraudulent transactions that occurred over the period of a week in May, 2009 and drained close to $589,000 dollars from Patco's accounts. Patco alleged that People's United Bank did an inadequate job of protecting them against fraud, ignoring repeated 'high risk' warnings from the bank's fraud detection system. Now the Appeals Court appears to agree. The ruling could have broad implications in the U.S., where businesses that are the victim of account takeovers and fraudulent transactions are suing banks to recover lost funds."

Right ruling

[DoofusOfDeath]

I don't see why it's any more complicated than, "I gave the bank X dollars. I have not withdrawn any money. They owe me X dollars."

The fact that this hasn't been the case so far strikes me as a case of the banks owning their regulators and the legislature. But I don't want to make too hasty of an assumption. Does anyone know the history of this issue?

Re:Right ruling

[evilviper]

In cases where the bank's security measures aren't to blame (the typical case will be when the user picked a weak password, or allowed his password to be stolen somehow, or lost it to keylogging software they installed along with a desktop weather widget) why place the loss on the bank? All they did was implement the security measures that they and their customer agreed upon.

The reason the bank should ALWAYS be liable is because "the customer" never gets a chance to "agree upon" the bank's security measures. I want two-factor authentication, I want one-time-use credit card numbers, I want cryptographically secure transactions... My bank doesn't care what I want.

Oh, and an important aside... Banks are REQUIRED BY LAW to provide two-factor authentication for their online banking services. Has your bank ever sent you an RSA key? No? That's because they got their lawyers to work out a loophole where those 'forgotten passwork"-type questions count as one factor, and your password the second. So EVERY BANK OUT THERE is actively circumventing the law, to provide insecure access to your account. Did they ever ask you? They sure didn't ask me.