Iowa Banking Law Blog

A Swedish bank located just north of Stockholm recently reported that a group of Swedish criminals with prior fraud and theft convictions nearly stole millions of dollars from the bank last August.  However, the criminals did not attempt to gain online access to the internet banking system.  Instead, they installed an advanced technical equipment underneath an employee’s desk, allowing them to control his computer remotely.  When they began to transfer the funds from the bank into another account, the employee noticed the operation and pulled the cable to the device.  Investigators, however, did not indicate how the criminals gained access to the employee’s workstation in the first place.

            The Seventh Circuit dismissed a class action lawsuit against Old National Bancorp, ruling consumers had no right to recover for a 2005 data breach.  The plaintiffs accused Old National Bancorp of failing to properly secure personal data collected through its web site after a hacker obtained access to a 2005 online customer application.  The breach exposed financial data and personal information, including social security numbers, of thousands of customers.

            The plaintiffs believed they should be compensated for the credit monitoring services they needed after the breach.  The Court ruled that Indiana law did not provide recovery for plaintiffs’ mere “allegations of increased risk of future identity theft.”  The Court stated the consumers “have not suffered a harm that the law is prepared to remedy.” 

            In sum, victims of data breaches cannot recover until they can show the breach actually led to identity theft.  At least according to this Court's determination, no remedy exists for an increased likelihood of identity theft, or for the expenses of credit monitoring.

For other articles on this see Wired, and Computerworld. 

According to an article on cnet.com by Robert Vamosi multifactor authentication is not a silver bullet solution.  (link).  In 2005, the Federal Financial Institutions Examination Council (FFIEC) released a guidance encouraging financial institutions that engage in high risk transactions – those that allow customers to access personal information or move funds to other accounts – to utilize multi-factor authentication because it was considered to be more difficult to breach.  A multi-factor authentication would typically require the customer to enter, in various combinations, something he or she knows (e.g. a password), something he or she has (e.g. an ATM card), and something he or she is (e.g. fingerprinting).

However, according to the article cited above, multi-factor authentication is not necessarily so secure after all.  For example, if the authentication is based on something you know, such as “What is your favorite city?” and a customer’s user ID is “CubsFan123,” then chances are that the customer’s favorite city is Chicago.  For those banks that use security images to confirm to users that they are on the bank’s real site, phishers may be able to set up fake bank sites using the same security images because many of the major banks are using the same images in the same pattern consistently.  For banks that use device fingerprinting authentication by looking for unique information about a customer’s machine, researchers say that most machines have the same fingerprint, so a phisher could cut the fingerprint from a machine that has lawfully used the bank website and then paste that fingerprint, which the bank has already recognized, onto another machine to unlawfully access a customer’s account.

The article recommends that customers remain vigilant in scrutinizing a website’s certification, for example by ensuring that a bank’s internet address starts with “https” (which indicates an added security) rather than simply “http.”  As for banks, however, it appears that the FFIEC’s solution of using multi-factor authentication may need further assessment – but at least the FFIEC is making the phishers work harder.

            For more information contact Mary A. Zambreno of Dickinson, Mackaman, Tyler & Hagen, P.C.

In the quest to meet the needs of merchant-customers, your bank may be tempted to rush into contracts with vendors of remote deposit capture technology.  It is well worth your time to take a hard look at the contract before signing.  Usually, and not surprisingly, the contract provided by the vendor is drafted heavily in its favor.  Take a second look at your merchant-customers, too.  Are they, and their employees, ready to take on the responsibility of storing checks?  What measures are in place to safeguard checks and prevent double-presentment?  Please read the full article on our website for more information about entering into remote deposit capture vendor and service contracts. 

For more information contact Emily S. Pontius of Dickinson, Mackaman, Tyler & Hagen, P.C.  

The OCC's new website, www.helpwithmybank.gov offer consumers answers, advice, and the means with which to make complaints against banks.  It is a very user-freindly site, listing topics such as "account errors," "overdrafts," "interest rates," and "denial of credit."  Clicking on a given topic will bring a consumer to a page with answers to common consumer inquiries and OCC contact information.  The site is relevant to both national banks and and other non-national financial institutions, as it is intended to help consumers of all financial institutions, and will direct consumers to the appropriate agency for resolving their problems.  States and other federal regulatory bodies may follow suit and offer their own user-friendly consumer protection website.  With the advent of the internet and the help of sites like www.helpwithmybank.gov, consumers today are more knowledgeable of their rights than ever.  This site serve as a reminder that banks that are not vigilant in their dealings with consumers face a serious risk of private suits and regulatory sanctions. 

It wasn’t too long ago when the thought of checking statements and paying bills online was a revolutionary concept.  But with the arrival of “mobile banking” (or the “mobile wallet,” as it has been referred to), online banking may soon become outdated.  According to a report published by Celent, it is estimated that by 2010, 35% of households that do online banking will be using mobile banking.  Mobile banking will not only enable customers to check statements and pay bills online through the use of their cellular phones, the FDIC reports that customers may soon also have the ability to make purchases and payments from their cellular phones, send money through a secure connection, and download money to their phone.  Celent also estimates that these transactions will comprise 10% of the contactless market by 2010.  Apparently, mobile banking is of great interest to members of Generation Y (i.e. 18-25 year olds), with 40% of this population indicating that mobile financial services would be a factor to consider when selecting a bank.  However, given the frequency of lost or misplaced cellular phones, one obvious concern would be how to protect against unauthorized access to a customer’s bank account.

For further information contact Mary A. Zambreno at Dickinson, Mackaman, Tyler & Hagen, P.C.

On May 3, 2007 five virtual bank licenses were sold for a total of $404,000.  These licenses give the respective buyers the exclusive right to engage in banking activities on Entropia Universe.  Entropia Universe, similar in many ways to Second Life, is a “massive online virtual universe . . . set in a distant Sci-Fi future.”  http://www.entropiauniverse.com/en/rich/5035.html.  “Players” on Entropia create an online identity, called an “avatar” and explore, hunt, and interact with other, among other things—all while in front of their computer.  By hunting, collecting, mining, opening a virtual business, etc. players can earn Entropia currency, called PED.  There is a fixed 10 to 1 exchange rate between PED and U.S. dollars and players can easily exchange dollars for PED’s or vice versa.  With their PED’s, players can by tools, weapons, or virtual real estate in the Entropia Universe. 

So where does a bank come in, and why would anyone pay nearly $100,000 dollars for a mere license to bank in this virtual arena?  The answer is simple—because real money can be made.  There are over 500,000 registered users on Entropia Universe and in 2006 $350 million dollars was exchanged for PED, the virtual Entropia currency.  These virtual banking licenses allow owners to lend money and collect interest from Entropia players, using virtual Entropia property as collateral. 

Like real world banking, virtual banking is not cheap.  After purchasing the 2 year exclusive license, bank owners must plunk down $100,000 (1 million PED) of working capital to open the bank.  Virtual bankers must also pay a monthly rent for the virtual building, and 5% of all interest charged.

This fascinating development raises many questions.  Who regulates these virtual banks?  What laws apply?  Will these bold investments payoff?  And finally, if a virtual market collapses in a virtual universe does anyone hear it?  Only time will tell. 

For more details see the following link:  http://www.entropiauniverse.com/en/rich/6357.html 

For more information contact Jeffrey J. Andersen.