More than a few enterprise security managers must have shuddered when they heard about the lawsuit filed against Bank of America by an online banking customer. Such litigation could set precedent for who is responsible for securing a consumer's data -- even on the consumer's own computer.
A Miami man blames Bank of America for more than $90,000 stolen in an unauthorized wire transfer to Latvia. Joe Lopez filed a lawsuit on Feb. 7 claiming that Bank of America had not alerted him to malicious code that could infect -- and indeed had infected -- his computer. A forensic investigation by the U.S. Secret Service revealed that a Trojan called Coreflood, which acts as a keystroke logger, had compromised one of his PCs.
"A win for Lopez could really rock the already shaky foundations of e-commerce, from Internet banking and trading to online shopping," said Stephen Cobb, a security expert and the author of Privacy for Business. "An unresolved tension has always existed between the responsibility of financial institutions to fully disclose the risks inherent in Internet usage and their desire to get more people to use the Internet."
This is the first known case of a U.S. banking customer suing for a loss that was the result of a hacking incident. Though the cause of the infection hasn't been determined, many experts say the likely culprit was phishing, either through an e-mail or Web site that pretends to come from a legitimate company and solicits the recipient's confidential information.
"Bank of America wants to set precedent that you [the customer] need to have reasonable computer security -- and that's a very reasonable thing to ask for," said Dave Jevans, chairman of the Anti-Phishing Working Group [APWG].
A report released this month by APWG said that 140 brand names have been hijacked to use in online scams since it began examining phishing trends and reporting its findings in November 2003. Included in the number reported for January were eight financial institutions. The group also reported that the number of active phishing sites in January had increased to 2,560 -- an average monthly increase of 28% since July.
Some see user awareness and education as the only way to halt this trend.
"There is growing recognition that things will only get worse unless there is effective and large-scale public education as to Internet risks, security practices and responsible behavior," Cobb said. "I think this is long overdue and needs to be vigorously pursued, particularly in the school system, from kindergarten to college."
Jevans agrees. "People aren't educated about spyware -- a lot has to be done for awareness," he said. "And many still don't use antivirus. I also think you're going to see a much stronger push for two-factor authentication -- it will help prevent these situations from happening."
And two-factor authentication may be just what the doctor ordered. Last week Bank of America announced it will now use VeriSign's Unified Authentication encryption software to make it harder for cybercriminals to steal accounts. "VeriSign Unified Authentication is a complete range of two-factor authentication methods that will integrate with Bank of America's existing technology environment, without costly additions of disparate hardware and software infrastructure," according to a news release. The company said the flexibility in choosing a second form of ID, such as a password, token or smart card, based on open standards was a big selling point.
"Banking regulators are pushing two-factor authentication as a best practice," said Mike Overly, a partner at law firm Foley & Lardner. "We're seeing greater and expanded risks in online banking, but also increased efforts by financial institutions to reduce the incidents of phishing and other similar activities."
However, if banks and other financial institutions aren't willing to take such steps on their own, the government may intercede. "This case will get a lot of scrutiny," Jevans said. "Things may ultimately come down in the form of government regulation."