Sustainable Whiskey

The Helius Group has announced a joint venture with The Combination of Rothes Distillers (CoRD) called Helius CoRDe. Their goal is to create a renewable (biomass-powered) combined heat and power (CHP) plant for whisky production on Speyside (northeastern Scotland).

The proposed £50 million project will use whisky distillery by-products to fuel a 7.2 MWe GreenSwitch biomass combined heat and power plant and a GreenFields plant which will turn the liquid co-product of whisky production, known as Pot Ale, into a concentrated organic fertiliser and an animal feed for use by local farmers.

This is the first biomass plant to use dark grains (draff) instead of wood as its fuel. The 7.2 MWe is equivalent to power for about 9,000 homes, yet the new CHP is expected to produce only 5,000 tons of CO2 emissions a year. A coal-fired plant of the same size would generate more than three times that amount. Perhaps the best thing about this news is that it makes whiskey, usually treated as a conservative and venerable industry, innovative and reconnects it to the conservation and sustainability of nature.

Here is a list of single malts in Speyside that could benefit from the new plant.

* Aberlour Single Malt
* Ardmore Single Malt
* Aultmore Single Malt
* Balmenach Single Malt
* Balvenie
* Benriach Single Malt
* Benromach Single Malt
* Cardhu Single Malt
* Cragganmore
* Dailuaine
* Dufftown Single Malt
* Glendronach Single Malt
* Glendullan Single Malt
* Glenfarclas Single Malt
* Glenfiddich Single Malt Scotch Whisky
* Glen Grant
* Glen Keith Single Malt
* The Glenlivet
* The Glenrothes
* Glentauchers Single Malt
* Glen Elgin
* Glen Moray
* Imperial Single Malt
* Inchgower Single Malt
* Knockando
* Linkwood Single Malt
* Lismore Single Malt
* Longmorn Single Malt
* The Macallan
* McClelland’s Speyside
* Miltonduff Single Malt
* Mortlach Single Malt
* Speyburn Single Malt
* The Speyside
* Strathisla Single Malt
* Tamnavulin Glenlivet Single Malt
* Tamdhu
* Tomintoul Single Malt
* Tormore Single Malt

Security Negligence and the Citizens Financial Bank Case

David Johnson’s review of Shames-Yeakel v. Citizens Financial Bank centers around concepts of “expeditious implementation” and “state-of-the-art” security measures.

At issue is whether Citizens can be held liable for negligence in a data breach case.

The plaintiffs claimed that while Citizens had begun to make some of these [multi-factor authentication] changes in 2007, it should have adopted them years earlier. They pointed to a 2005 document authored by the Federal Financial Institutions Examination Council (FFIEC) which found that single factor authentication was inadequate and discussed tokens as an alternative. See http://www.ffiec.goc/pdf/authentication_guidance.pdf.

Noting these facts, the Court concluded: “In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.” Accordingly, the Court let the plaintiffs’ negligence claim go forward.

The Court’s conclusion in this case is not surprising. It is very difficult for a defendant to meet the summary judgment motion standards on the element of standard of care. However, the Court’s decision that a failure to expeditiously implement state-of-the-art security procedures can constitute a breach of the standard of care is also an indication of how a jury might decide this case, as well. Cyber-security may be a rat race. Unfortunately, you may not be able to stop running.

Definitely an interesting case to watch. Multi-factor authentication as specified by the FFIEC has been implemented in various ways by banks to “comply” with the letter. The case will therefore hopefully explore what constitutes a reasonable level of security for this one control and beyond (i.e., should everything center on this one vulnerability and the failure to address it, or is weak authentication just a symptom of wider negligence?). The bank will have a hard time explaining the reason(s) for delay, which could help give others a more formal idea of how to prioritize security within their compliance programs. The case may also help regulators step up their audits, as they can now point to negligence claims as a sort of bad-cop enforcement scenario, while auditors may play up the good-cop role of trying to help a bank avoid trouble down the road.

Western Express Indictments

Monday’s New York County District Attorney’s Office news release says an indictment from 2007 has been updated and now has 173 counts against seventeen men. They are charged with operating a multi-national criminal enterprise from November 2001 to August 2007.

The Western Express Cybercrime Group is responsible for over $4 million worth of identified credit card fraud, and trafficked in well over 95,000 stolen credit card numbers. These figures reflect the levels of fraud and stolen credit numbers which have been identified thus far.

The news release is related to the arrest of two of the men in Prague on July 30, 2008 (Viatcheslav Vasilyev and Vladimir Kramarenko), who were extradited to the US just last week and arraigned in NY Supreme Court on Monday. Only two of the seventeen have yet to be arrested: Oleg Kovelin and Dzimitry Burak.

Quick math on those numbers (4 million / 17 men / 5 years) suggests they were making about $50K a year each from their complex operation, described in the news release:

The Western Express Cybercrime Group carried out its criminal operations through a structure consisting of vendors, buyers, cybercrime services providers, and money movers. The vendors were individuals who sold large volumes of stolen credit card numbers and other personal identifying information through the Internet. The buyers used the Internet to purchase that information from the vendors, for the purpose of committing additional crimes such as larceny and identity theft. The cybercrime services providers promoted, facilitated, and aided in the purchase, sale and fraudulent use of stolen credit card numbers and other personal identifying information through various computer services that they provided to the vendors and the buyers. Finally, other defendants operated as money movers. Those defendants provided financial services and conducted financial transactions for other participants in the criminal enterprise in order to move funds and launder the proceeds of criminal activity. The money movers relied on anonymous digital currencies, such as Egold and Webmoney, to buy, sell, and launder the proceeds of criminal transactions, and conducted their business online, using Web sites, instant messaging, and email. Some of the defendants charged in the indictment played more than one role.

In other words, a business was set up to convert stolen payment card information into cash. Someone sold the card information, and someone bought it through someone else who provided an online market. Someone then laundered the money paid for the stolen card information.

This reinforces my argument that Gonzales was hardly a hacker mastermind but more like a manager or officer of an organization that brought together various people with specialized skills. The Secret Service supposedly let him continue to operate so they could monitor him and apprehend additional suspects. Some might say Gonzales exploited this relationship and expanded his damage but obviously he was caught and this indictment confirms that his operation is now defunct.

The question is now whether criminals are going to step up into the vacuum left by Western Express to take over the market, or if they will shift to other forms of crime or even legitimate operations.

The answer might be found in the history of fighting organized crime. Along with drugs, arms, gambling, loans/extortion, cornering contracting, etc., criminal gangs obviously could now operate in stolen card information. A typical explanation of the process goes something like this:

The relative ease with which large sums of money could be obtained by drug trafficking provided a solid financial underpinning for gangs, increased the solidarity of existing gangs, and offered strong incentives for the development of new ones.

With this in mind, the US Justice Department’s National Gang Intelligence Center report says that gangs are the “primary retail-level distributors of most illicit drugs…with 1 million members responsible for up to 80 percent of crimes in communities across the nation”. Drugs obviously present different market forces than cardholder information (e.g. addiction) but there are still many important security lessons that can be learned by studying the broader fight against long-term underground economies.

Blueberry Key Lime Pie

Kudos to The Pie Truck for an excellent treat

Smooth and creamy key lime custard topped with organic blueberry sauce in our sweet shortbread crust

I actually wanted to mention this because of the name dispute that was resolved amicably with another pie truck operation. That’s good news since both pie trucks now can focus on delivering amazing pies instead of throwing them at each other over a domain name.

I guess a boom in pie is a logical next step given the sudden rise of gourmet ice cream as the big new dessert of 2009.