Spears Legal Technology

Disclaimer

This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Ruling Raises Stakes for Cyberheist Victims

scales
Small businesses take heed: Depending on the terms of your bank account you may be responsible for fraudulent ACH transfers. Background information is available here and here.

Regulatory agencies and courts need to start recognizing true two-factor authentication as more than mere guidance for high-risk transactions. Holding the plaintiffs responsible for the banks’ legal fees on top of losing their funds will have a chilling effect on future lawsuits.

BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use choose dual control — required one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

A trial court
was unconvinced, and last week The 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.

Link.

blog comments powered by Disqus