US Court rules a bank can be sued for their failure to adopt multi-factor authentication

Late last month an Illinois District Court ruled that a bank can be sued for its failure to adopt multi-factor authentication. The court concluded the bank breached its duty to protect the plaintiffs' account against fraudulent access and that, if the bank's failure to adopt multi-factor authentication caused fraudulent access to the plaintiffs' account, it could be held liable for negligence.

In 2007, a hacker gained access to the plaintiffs' online accounts by using the plaintiffs’ username and password. The hacker ordered a $26,500 advance on the plaintiffs’ home equity line of credit, which was transferred to a bank in Austria. When the theft was discovered and the funds traced, the Austrian bank refused to return the money.

Citizens Bank notified the plaintiffs that it intended to hold them liable for the harm. The online banking agreement between Citizens and the plaintiffs stated "We will have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice." Citizens billed the plaintiffs for the $26,500, and when they failed to pay the balance on time, Citizens reported the account as delinquent to credit bureaus and threatened to foreclose on their home if the plaintiffs continued to refuse to make payments.

The plaintiffs sued Citizens, claiming that the bank's actions violated the Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.), the Truth in Lending Act (15 U.S.C. § 1601, et seq.), the Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.) and constituted common law negligence.

The Court ruled, "In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access[,]" and if the bank's failure to adopt multi-factor authentication caused fraudulent access to plaintiffs' account, it could be held liable for negligence.


NAB tests voiceprint recognition

CUSTOMERS enrolled in National Australia Bank's new voice biometrics system for phone banking may be able to use the same system to authenticate their internet banking activities.

NAB is the first local institution to give customers an opportunity to enrol in a voiceprint recognition system, dispensing with the need to remember PINs and passwords or provide personal information when calling the bank.

NAB direct channels speech program manager Sam Jackel said voiceprints could be used as a second-factor authentication method for internet banking transactions, which are independently verified at present via an SMS message sent to the customer's mobile phone.

Users had to open the message to retrieve a single-use passcode and enter it into the onscreen session, he said.

But, Mr Jackel said, using voiceprints would enable a simple phone call to authenticate the user against the unique voiceprint record.