Hackers were able to steal more than $300,000 from a client’s Ocean Bank account, but according to a Maine judge’s ruling, the bank is not responsible. Though the judge acknowledged the bank didn’t follow “best” security practices, he ultimately ruled the customer should have done more to protect the account, Wired and BankInfoSecurity report. Hackers gained access to Patco Construction Company’s banking credentials by sending a malicious email to employees and subsequently installing a password-stealing Trojan.
When the thieves started siphoning about $100,000 a day from the account, Patco says alarms were raised at the bank—but the bank didn’t notice or heed them; instead of manually reviewing the red flags, the bank's system just asked challenge questions. The family-owned business didn’t realize the problem until nearly $600,000 in fraudulent transfers were allowed to go through. The bank was able to block $240,000 of the transfers; the company lost the rest of the money. Patco claimed the bank should have used multi-factor authentication, but the bank said it did enough by verifying an authentic ID and password. The judge agreed, noting that the bank is clear when customers sign up about how much security it provides and how much liability it assumes.