A U.S. District Court ruling in a lawsuit against a bank over a hacked online account has raised thorny questions about who's ultimately responsible for the breach of a customer's account.

An Illinois district court denied Citizens Financial Bank's request to dismiss a lawsuit that charges the bank was negligent in protecting a couple's bank account after their user name and password were stolen and used to pilfer $26,000 from their account. The ruling lets the couple, Marsha and Michael Shames-Yeakel, continue with their lawsuit, mostly based on their allegations that the bank failed to properly secure their account.

The bank has held the couple responsible for the money that was stolen after an attacker used their online banking credentials to secure a loan on the account, first depositing it in the couple's business bank account, then wiring it to a bank in Hawaii, and then to a bank in Austria. By the time the couple reported the fraud to Citizens Financial, there was no way to retrieve the money from the Austrian bank, which refused to return it.

Experts are split over whether the couple has a chance of winning the case. But either way, the lawsuit has raised the thorny question of whether a bank should be held liable if a customer's account is breached.

In the court opinion (PDF) obtained by Wired, the couple maintains that Illinois-based Citizens Financial Bank "failed to guard access to Plaintiff's account with adequate security features at the time of the theft," with only a user name and password rather than a more secure multifactor authentication method. They argued the bank should have offered them token authentication.

The court document says the bank stood by its online banking disclaimer that exempts the bank from any liability: "We will have no liability to you for any unauthorized payment or transfer including wire transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice."

But whether the lawsuit holding the bank responsible for the couple's loss will stand up in court is unclear. John Pescatore, vice president and distinguished analyst at Gartner, says he doesn't expect the couple to win the case. "I don't see that this has much chance of succeeding. The real issue is the user's responsibility to protect their passwords, just as it is the car driver's responsibility to protect the car keys. If you leave the keys in the ignition and someone steals your car, suing the car manufacturer for negligence isn't going to work," Pescatore says.

And the argument that the bank should have offered two-factor authentication is moot, he says, because regulation from the Federal Financial Institutions Examination Council (FFIEC) only calls for "risk-based authentication" and doesn't specify it as two-factor authentication. Plus, consumers for the most part have resisted tokens and stronger authentication, while banks for the most part have avoided forcing the issue and "eaten" losses from account breaches, Pescatore says. "It's not going to be simple to prove negligence of the bank," he says. "And if they [the attackers] got their banking passwords, they probably got a lot of [their] other passwords, too."

Bruce Schneier, meanwhile, argues that the customer should not be held responsible for this type of bank account breach. "The banks don't want to be liable," Schneier says. "But it makes no sense that the customer should be responsible for [banking] fraud...The only way to improve security is for the person with the ability to mitigate it [like a bank] to take responsibility for this. Even if it's the customer's fault, the bank should be liable."

Schneier, who also blogged about the case yesterday, says banks should have to follow the same type of rules as credit-card companies when it comes to customer losses from a breach.

The ruling, meanwhile, did grant the bank's motion for a summary judgment on other charges by the couple, including one that sued the bank for reporting the couple's account as delinquent and for leaving out information in its reports.

And a similar lawsuit was filed late last week by Sanford, Maine-based Patco Construction against Ocean Bank after the company's bank account there was pillaged by cybercriminals earlier this year for $588,000, according to a report by The Washington Post. The company alleges that the bank didn't do enough to protect its account.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.