Hacking Into Bank Accounts – What Is the Bank’s Responsibility?

A U.S. court has decided that a bank whose client lost money because someone hacked into its account and transferred funds out of it was not liable to the client, because the bank had used ‘commercially reasonable’ security. The case is described on the Goodwin Proctor website. The lengthy decision of the Judge Magistrate in Patco Construction v People’s Bank, later upheld, is available online.

Is this the right standard of care for negligence? Does it matter that the bank is regulated strictly under the Bank Act? Does it matter that the U.S. bank could rely on Article 4A of the Uniform Commercial Code (on electronic funds transfers), which has no equivalent in Canada?

‘Commercially reasonable’ security clearly does not mean unbreakable security. How else should one draw the line to set a fair allocation of risk between bank and client?


  1. David Collier-Brown

    We probably need a standard for commercially reasonable, which in the computer world arguably means very little. The current chip-cards were hacked in Britain in 2010, soon after they were introduced as a solution to all the then problems of bank security…


  2. How much of this client vs. bank issue, when hacking occurs, is governed by the “contracts” clients are adhered to when they open accounts etc.? I’ve understood the introduction of “pin and chip” on Visa cards (and perhaps others) as a device to place liability on the client if the relevant account is hacked.

  3. David Collier-Brown

    Pin and chip was indeed sold as a means of reducing liability to the issuing banks. In practice, it did the opposite.

    Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond of Cambridge write, in “Chip and PIN is Broken” (2010 IEEE Symposium on Security and Privacy, http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf), that:

    One goal of EMV was to externalise the costs of dispute
    from the issuing bank, in that if a disputed transaction
    has been authorised by a manuscript signature, it would be
    charged to the merchant, while if it had been authorised by a
    PIN then it would be charged to the customer. The net effect
    is that the banking industry, which was responsible for the
    design of the system, carries less liability for the fraud. The
    industry describes this as a ‘liability shift’.

    Regrettably, instead of sending the PIN to the bank to be verified, the chip card checks the pin itself and sends a message containing just the code “0x9000” to the bank if it thinks the pin is valid.

    This makes it less secure than the older cards, sufficiently so that a grad student at Cambridge last year was able to build a pocket-size device to reproduce the attack. See http://www.cl.cam.ac.uk/~osc22/scd/

    A criminal can reprogram the chip, the merchant terminal or a pocket-sized device to steal pins or send “the pin was valid” to the bank, whichever they prefer.

    This happened to me last year: the Bank of Nova Scotia reported my card and pin were used at one of their branches to steal money from my account. They caught it and contacted me before I even noticed it, and issued a new card within the hour.

    In this case we were able to identify a particular merchant terminal which had been reprogrammed to capture card numbers and pins. Reputedly there are a number of kits of attack programs for Windows-based ATMs which a criminal can choose from.
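A toy simulation of the point made in the comment above (an added illustration, not code from the Cambridge paper or from any bank; the key, message format and field names are constructed): an issuer that trusts the relayed 0x9000 status word approves a transaction in which the card never checked a PIN, whereas an issuer that trusts only the data the card bound into its cryptogram, and cross-checks the terminal's claim against the card's own record, declines it.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample key for the simulation; a real card key is provisioned
# into the chip and the issuer's HSM and never crosses the terminal.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SW_PIN_OK = 0x9000  # status word a card returns after a successful PIN check


@dataclass(frozen=True)
class AuthRequest:
    amount_cents: int
    status_word: int             # relayed by the terminal: not authenticated
    card_cvm_pin_verified: bool  # the card's own record of whether it checked a PIN
    cryptogram: str              # MAC the card computed over the amount and that record


def card_cryptogram(key: bytes, amount_cents: int, pin_verified: bool) -> str:
    """Hypothetical card: MAC over the amount together with its own PIN result."""
    msg = f"{amount_cents}|{int(pin_verified)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def weak_issuer(req: AuthRequest) -> str:
    """Bank that believes the relayed status word: the weakness described above."""
    return "APPROVE" if req.status_word == SW_PIN_OK else "DECLINE"


def strong_issuer(key: bytes, req: AuthRequest) -> str:
    """Bank that trusts only MAC-covered data and cross-checks the terminal's claim."""
    expected = card_cryptogram(key, req.amount_cents, req.card_cvm_pin_verified)
    if not hmac.compare_digest(expected, req.cryptogram):
        return "DECLINE: cryptogram invalid"
    if (req.status_word == SW_PIN_OK) != req.card_cvm_pin_verified:
        return "DECLINE: terminal claims PIN verified but card did not"
    return "APPROVE" if req.card_cvm_pin_verified else "DECLINE: no PIN verified"


def honest_pin_transaction(amount_cents: int) -> AuthRequest:
    """Cardholder enters the correct PIN; the card verifies it and records that."""
    return AuthRequest(amount_cents, SW_PIN_OK, True,
                       card_cryptogram(CARD_KEY, amount_cents, True))


def spoofed_status_transaction(amount_cents: int) -> AuthRequest:
    """Card never verified a PIN, but the relayed status word says it did."""
    return AuthRequest(amount_cents, SW_PIN_OK, False,
                       card_cryptogram(CARD_KEY, amount_cents, False))
```

The simplification is deliberate: a real EMV authorisation carries more fields, but the detection principle is the same, namely that the issuer should only act on a PIN-verification claim that the card itself authenticated.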


  4. After reading the article, I jumped to a dated argument about the safety and use of electronic banking tools. I would say the public, in general, would be shocked to learn of such a decision as this one.

    This decision could undermine the confidence of electronic banking, which would cripple e-commerce efforts.

    Good article.