Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:27 PM
Connect Directly

Couple's Lawsuit Against Bank Over Breach To Move Forward

Case raises questions about banks' liability in breach of customers' online accounts

A U.S. District Court ruling in a lawsuit against a bank over a hacked online account has raised thorny questions about who's ultimately responsible for the breach of a customer's account.

An Illinois district court denied Citizens Financial Bank's request to dismiss a lawsuit that charges the bank was negligent in protecting a couple's bank account after their user name and password were stolen and used to pilfer $26,000 from their account. The ruling lets the couple, Marsha and Michael Shames-Yeakel, continue with their lawsuit, mostly based on their allegations that the bank failed to properly secure their account.

The bank has held the couple responsible for the money that was stolen after an attacker used their online banking credentials to secure a loan on the account, first depositing it in the couple's business bank account, then wiring it to a bank in Hawaii, and then to a bank in Austria. By the time the couple reported the fraud to Citizens Financial, there was no way to retrieve the money from the Austrian bank, which refused to return it.

Experts are split over whether the couple has a chance of winning the case. But either way, the lawsuit has raised the thorny question of whether a bank should be held liable if a customer's account is breached.

In the court opinion (PDF) obtained by Wired, the couple maintains that Illinois-based Citizens Financial Bank "failed to guard access to Plaintiff's account with adequate security features at the time of the theft," with only a user name and password rather than a more secure multifactor authentication method. They argued the bank should have offered them token authentication.

The court document says the bank stood by its online banking disclaimer that exempts the bank from any liability: "We will have no liability to you for any unauthorized payment or transfer including wire transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice."

But whether the lawsuit holding the bank responsible for the couple's loss will stand up in court is unclear. John Pescatore, vice president and distinguished analyst at Gartner, says he doesn't expect the couple to win the case. "I don't see that this has much chance of succeeding. The real issue is the user's responsibility to protect their passwords, just as it is the car driver's responsibility to protect the car keys. If you leave the keys in the ignition and someone steals your car, suing the car manufacturer for negligence isn't going to work," Pescatore says.

And the argument that the bank should have offered two-factor authentication is moot, he says, because regulation from the Federal Financial Institutions Examination Council (FFIEC) only calls for "risk-based authentication" and doesn't specify it as two-factor authentication. Plus, consumers for the most part have resisted tokens and stronger authentication, while banks for the most part have avoided forcing the issue and "eaten" losses from account breaches, Pescatore says. "It's not going to be simple to prove negligence of the bank," he says. "And if they [the attackers] got their banking passwords, they probably got a lot of [their] other passwords, too."

Bruce Schneier, meanwhile, argues that the customer should not be held responsible for this type of bank account breach. "The banks don't want to be liable," Schneier says. "But it makes no sense that the customer should be responsible for [banking] fraud...The only way to improve security is for the person with the ability to mitigate it [like a bank] to take responsibility for this. Even if it's the customer's fault, the bank should be liable."

Schneier, who also blogged about the case yesterday, says banks should have to follow the same type of rules as credit-card companies when it comes to customer losses from a breach.

The ruling, meanwhile, did grant the bank's motion for a summary judgment on other charges by the couple, including one that sued the bank for reporting the couple's account as delinquent and for leaving out information in its reports.

And a similar lawsuit was filed late last week by Sanford, Maine-based Patco Construction against Ocean Bank after the company's bank account there was pillaged by cybercriminals earlier this year for $588,000, according to a report by The Washington Post. The company alleges that the bank didn't do enough to protect its account.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.