Pub. 3 2013 Issue 3

9 SUMMER 2013 Dual Control Online Authentication: Court Tells Borrower “Enough is Enough” BY CHRISTIAN C.M. BEAMS AND FREDRIC D. BELLAMY, RYLEY CARLOCK & APPLEWHITE backdrop for the next bout of insom- nia. This one has a happy ending, where a judge got one right. The issue involved an online bak- ing security feature that went beyond the already required security feature known as dual-level (or multi-factor) authentication. The bank in this case recommended and repeatedly tried to convince its customer to agree to a protocol called “dual control,” which requires that a customer have two separate individuals enter their user names and passwords to authorize a wire transfer to another bank. The idea is that the more passwords involved in – and in fairness, the more burden- some – the login process, the less likely a security breach is to occur. But despite multiple levels of security, is it the bank’s fault when a hacker successfully re- moves $440,000 from a customer’s trust ac- count? The customer sure thought so. The court disagreed. The focus of the analysis, as you might imagine, was on the bank’s actions. What precautions did it take? In this particular case out of Missouri – Choice Escrow and Land Title LLC v. Ban- corpSouth Bank – the bank had specifically warned the cus- tomer, an escrow and title company, to use dual control to mitigate the risk that a hacker could arrange a transfer of money from the customer’s trust ac- count. Yet the customer declined, even after having been warned specifically that if a hacker compromised an au- thorized user’s computer and obtained his or her user id and password, money could end up being transferred without authorization. Moreover, when the customer refused to allow the bank to use its recommended dual control protocol for the customer’s account, I N THE LAST FEW YEARS, WE HAVE SEEN A CONSISTENT THEME AMONG TROUBLED BANKING CUSTOMERS, AND IT CAN BE DESCRIBED IN THOSE three little words every banker knows all too well. No, it’s not “Let’s Play Ball.” And no, not “I Love You,” either. Those three words, of course, are “Blame the Bank.” Business takes a turn for the worse? Blame the Bank. Construction defects? Blame the Bank. Marital problems? Well, perhaps not, but you get the idea – it’s somehow always the lender’s fault. And what made this practice all the more maddening is the rate at which courts allowed these theories to survive summary judgment and be presented to juries, which have on many occa- sions found against lenders in these contexts. But this article isn’t intended to shake the cobwebs loose on long- forgotten nightmares or provide the COUNSELOR’S CORNER Q “Enough is Enough” | continued on page 10