Patco said that the way Ocean Bank configured its authentication system gave only the appearance of being multi-factor when it actually wasn't.
In a 70-page ruling last week, Magistrate Judge John Rich sided with Ocean Bank and recommended that the U.S. District Court in Maine grant the bank's motions for a summary dismissal of Patco's complaints.
Rich dismissed Patco's complaints about the bank's handling of the ACH transfers and agreed that the theft resulted largely from Patco's failure to protect its banking credentials. The judge said Ocean Bank had provided clear notice to Patco about its online authentication measures and security controls as well as the extent to which it could be held liable for any mishaps.
The judge did concede that Ocean Bank could have done more to authenticate the identity of those initiating money transfer requests. But he held that what the bank did was reasonable and comparable to the controls many other banks had in place.
The ruling is important because numerous small and medium-sized businesses (SMBs) have been plundered in the same way as Patco in recent years. Most cases involved cyber crooks finding a way to steal online banking credentials, particularly from smaller companies, and then using those credentials to initiate large ACH transfers.
Such thefts have resulted in hundreds of millions of dollars being stolen from SMB accounts over the last three years and then transferred outside the U.S.
Just last month, the FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) warned about a growing number of incidents in which accounts belonging to SMBs were being looted and the money sent to apparently legitimate businesses in China.
The U.S. Federal Deposit Insurance Corporation protects consumers from this type of fraud, but banks consider small businesses liable, a position now backed up by the Maine court ruling. Patco has asked the judge to review the ruling, but if he allows it to stand, the company's only option is to appeal. Patterson isn't sure what the company will do.
"We're thinking about it," he said.
Patco has stopped doing almost all ACH transactions online now and has moved back to paper checks, Patterson said. "It's painful. It takes more time for our employees. They have to go down and make a deposit and we have to write all the checks," he said. He'd still like to use online banking, but won't because of the problems with ACH. "The problem is it's not secure and the banks are not responsible if an ACH fraud happens," he said.