Hacker News

If my credit card company can manage to shut down my credit card and not reinstate it until they talk to me because I made $300 worth of charges on vacation, it should be reasonable to expect a bank to provide that kind of anti-fraud protection on commercial accounts. The difference is who is liable - if the banks were liable like they are with credit cards they'd certainly be much more diligent.

Banks, after all, pushed online banking with minimal client protections because it was cheaper than paying staff.

The risks may have been minimal when online banking rolled out, but the world has changed significantly in the last five years. The client is not secure, and it is borderline unreasonable to expect them all to be in this day and age. Pretty much any client machine will fall to a persistent targeted attack. Two factor authentication should be mandatory for electronic transfers outside of the institution.



It's kind of crazy. I know that my battle.net account is more secure than a lot of people's online banking credentials: not only do I need a user name and password to access my bnet account, but my account is linked with a mobile app that gives me time-sensitive one-time-use 8-10 security code.

Recently I had to wipe my phone without being able to get the serial number information from the bnet app. It was kind of a pain, but I had to actually scan and send in an image of my driver's license for them to release the old authenticator from my account so I could attach a new one.

Think about that. An online gaming company is more secure about account authorization than a lot of banks are.


The law doesn't care about their game's fictional currency. They have more incentive to protect it than a bank has to keep real money as secure as possible.


Exactly.

Blizzard pays support costs when players' accounts get hacked and is motivated to keep the players as happy paying customers.

Many banks seem to regard deposit holders as merely some kind of annoying obligation necessary to participate in FDIC programs (and occasionally as a source of absurd fees).


See my comment. This is all in the above-and-beyond category. HOWEVER note that the profits Blizzard is seeing from battle.net may be more than the profits of that entire bank. They have more clients, need a reputation, and are in fierce competition. That bank may not be.

It is overall saddening that Blizzard, a game company, protects user data better than a bank. HOWEVER note that this happened in 2009. I doubt Blizzard was this secure back then. Also iPhone and Android were not as big then as they are today, and they were more up-and-coming than anything.


This is a tad off topic, but the iPhone authenticator was added early in 2009 (see: http://wow.joystiq.com/2009/04/03/battle-net-mobile-authenti...) and the hardware fob was already in use well before that, with the same stringent identity verification methods in place in case the authenticator was lost.

Blizzard offers the best of both worlds in my opinion: the authenticator is cheap/free and optional so you can choose how secure you want your account to be. Though, as noted, it's expensive for Blizzard to restore all the hacked accounts so they have incentives (free Corehound pet, for example) if you opt-in to have an authenticator on your account.


Chase is similar. Username and password, and to log in from a new device (web, iPhone app, etc.) requires putting in a time-sensitive code sent to your phone by SMS or email. An actual dedicated mobile app is somewhat of a bad design since many people do not have smart phones and it makes it client dependent vs. account dependent.


With credit cards, the end merchant is liable, not the bank, which is why they have no issue with stop payments and such.

In this case, the plaintiff is asking the bank to assume liability because he got hacked. That's a bit of a stretch.


Why is it a stretch? The bank is liable for funds stolen through a bank robbery, a much more aggressive criminal action. Why is the bank supposed to protect your funds in one instance but not another?


From reading over the court filings, it looks like Ocean Bank's defense was built around the ACH/eBanking agreements that Patco signed before they commenced the service.

In these agreements, Patco "agreed to, among other things, assume all liability and responsibility to monitor its commercial checking account (“Account”) on a daily basis. See Modified eBanking Agreement § XIII.B; ACH Agreement §§ 11 and 12(a). Patco further agreed that it would indemnify Ocean Bank from any suits arising from its failure to abide by the terms of the Modified eBanking Agreement and the ACH Agreement"

(Source - Defendant's Answer to Plaintiff's First Amended Complaint and Counterclaims - pg 10 - retrieved from http://www.buckleysandler.com/Patco_v_Peoples(1).pdf)

This is one of those situations where the many pages of fine print came back to bite an innocent victim. The bank did not have adequate security, but they came armed with abundant proof that Patco violated its terms of service. I am Canadian, so I don't know a huge amount about US civil law, but I'm pretty sure that the US has a mitigation requirement on any torts. Patco would have violated this.

I've got to tell you, reading that .pdf makes me want to keep my money under my mattress.


Contract clauses that waive a bank's standard of due care for online security should not be enforceable. All sorts of other clauses are declared unenforceable all the time. This clearly should be one of them. It is practically the whole charter of a bank to protect funds from unauthorized access. If your contract waives that responsibility, you shouldn't be allowed to have the word "Bank" in your name.


I agree with you completely - I would give you +1000 if I could.

The part I find the funniest is that the judge actually agreed that the bank's security was lax, yet still dismissed because Patco was in violation of the agreements.

I wonder how many new business customers Ocean Bank has signed up since this suit went public? The good old free market is (hopefully) doing its thing.


But is there anything to suggest that other banks in similar business space are any different?


After having gone through the entire thread I wish I have your patience.


Let's assume for a second that this wasn't a hacker, but a malicious employee. In your world is the bank still liable for this?


No, because even using countermeasures that meet or exceed industry best practices, a malicious employee could be expected to gain access to the account. Unlike this case, the internal fraud would be entirely outside the bank's control.


Yeah, I guess if it's in the fine print then what is the judge supposed to do? I agree, I need to find a more secure mattress.


Not allow an unconscionable clause to be enforced in court. Happens all the time.


Because one happens because the bank didn't secure their vault enough and one happens because the client didn't secure their computers enough.


There is a difference in the fact that the bank is fully aware that the robbery is not a normal transaction.

The bank cannot be expected to be aware of normal transactions conducted with a fraudulent intent. Assuming they take some precautions (like they do if they suddenly see 15 quick purchases from Russia when you live in Oregon), there's only so much liability they can be expected to shoulder.


All major banks have systems whose job is to have a notion of normal and abnormal transactions. Any bank operating at the level of the majors should be able to pick out the $100k electronic funds transfer, which is probably the only customer-not-present paperless ACH transaction of that size in the history of the relationship for a regional construction firm, and require callback authorization for it. That's all they had to do.

The point isn't that the bank should be universally responsible for fraud. It's that the responsibility for fraud does not end exactly at the login prompt.
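The out-of-profile check the comment above describes, written out as an added example (not code from the thread or from any bank's system): the account's own history defines "normal", and a transfer that breaks that profile is held for callback authorization. The payroll history, the channel names and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    amount: float           # USD
    channel: str            # assumed labels, e.g. "ach_online", "wire_branch"
    customer_present: bool  # signed at a branch vs. submitted remotely


def out_of_profile(history, candidate, size_factor=3.0, z_limit=4.0):
    """Return the reasons the candidate deviates from this account's own
    history; an empty list means the transfer looks routine for this client."""
    reasons = []
    # A channel this relationship has never used before is itself a signal.
    if not any(t.channel == candidate.channel for t in history):
        reasons.append(f"first transfer over channel {candidate.channel!r}")
    # Customer-not-present transfers are compared with prior remote ones only.
    remote = [t.amount for t in history if not t.customer_present]
    if not candidate.customer_present and candidate.amount > size_factor * max(remote, default=0.0):
        reasons.append(f"remote amount {candidate.amount:,.0f} exceeds "
                       f"{size_factor:g}x the largest prior remote transfer")
    # Plain size outlier against the account's historical amounts.
    amounts = [t.amount for t in history]
    if len(amounts) >= 5:
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma > 0 and (candidate.amount - mu) / sigma > z_limit:
            reasons.append(f"amount is {(candidate.amount - mu) / sigma:.1f} "
                           f"std devs above the account mean")
    return reasons


def requires_callback(history, candidate):
    """Policy: any out-of-profile transfer is held until a callback clears it."""
    return bool(out_of_profile(history, candidate))


# Constructed sample: a firm's weekly payroll ACH of roughly $9k-$12k,
# always submitted online with the customer not present.
PAYROLL_HISTORY = [
    Transfer(a, "ach_online", False)
    for a in (9200.0, 10100.0, 11350.0, 9800.0, 10600.0, 11900.0, 10250.0, 9950.0)
]

if __name__ == "__main__":
    routine = Transfer(10400.0, "ach_online", False)
    suspicious = Transfer(100000.0, "ach_online", False)
    print("routine payroll ->", out_of_profile(PAYROLL_HISTORY, routine))
    print("$100k transfer  ->", out_of_profile(PAYROLL_HISTORY, suspicious))
```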


Agreed, and this is something that you can't say you are aware of because banks do not communicate about internal security measure checks. As an example: I paid 1c on my own website via PayPal while doing payment integration tests, and the transaction was blocked. I received a text message that told me to call the bank to authorize the payment. I asked if it would block again for another test, but they have instructions not to answer those kinds of questions and I'm glad they did ;)


There are things that are baseline law and things that are above-and-beyond. Statistical analysis on usage patterns of your account appears to be above-and-beyond.

Your bank (a decent bank presumably) obviously gives a shit about this because they want customer loyalty which comes with not getting identity stolen and they don't want to pay up. However that is not the law.

There is no industry-wide law that requires statistical analysis on financial transactions as an anti-fraud methodology. Frankly this bank may get hit with people pulling business from them because they don't protect their clients, but that is another story.



