Federal court rules SMB — not bank — liable for loss from online theft

Even though the Uniform Commercial Code places the loss risk with banks for unauthorized transfers, a Federal court ruled against an SMB in Missouri last month and in favor of the larger bank, primarily because the SMB did not implement fraud prevention controls offered by the bank. This resulted in a $440,000 loss for the SMB. Here's the nutshell version:

  1. SMB has business account with bank
  2. Bank offers security (fraud prevention) controls for SMB
  3. SMB declines to implement controls (twice)
  4. SMB computer hacked & SMB’s credentials used to transfer money from its bank to Cyprus bank
  5. SMB sues bank for loss stemming from stolen funds
  6. Federal court rules against SMB and with bank
  7. SMB out $440,000 plus legal expenses

If this ruling does set a precedent, it further increases business risk for SMBs.

Some lessons learned:

  • If your bank offers recommended security services or tools, use them (unless you can show that doing so directly and materially harms your business)
  • Use Positive Pay, where a list of authorized checks is provided to the bank via a separate channel (i.e., the bank has to cross-check against that list before paying checks/requests presented to it)
  • Use a dedicated computer for banking transactions
  • Use two-factor authentication where possible
  • If you are not using Positive Pay or a similar service, establish criteria with your bank for when it should alert you that a check or transfer request seems unusual

 More here in this Dark Reading story.