But first, let me help you out with some research. Here is the FIRST SENTENCE of the SUMMARY OF KEY POINTS section on the FIRST PAGE of the FFIEC's _Guidance on Authentication in Online Banking_. Wait for it. Wait... for... it...
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
Now then:
(1) A fine-print clause waiving the bank's responsibility for any protection of funds in an account beyond providing a working login prompt should be found unconscionable.
(2) That the compromise in question here didn't occur in a fashion that you recognize as a "technical compromise" doesn't actually make it not a security failure on the part of the bank. By creating a security system that revolved around a security mechanism that literally every bank of Keybank's size and above recognizes and loudly proclaims is inadequate, the bank fielded an inadequate technical countermeasure to attacks and cannot lean on semantic games to hide that fact.
(3) It seems obvious to me that customers should not be expected to be better at tracking anomalies than banks, who spend tens of millions of dollars every year on systems to profile and analyze transactions. Regardless, it does not follow from a customer delay in noticing fraud that the bank couldn't or shouldn't have been expected to see the fraud earlier!
(4) How does it change anything that, once fraud was detected, further fraud was halted? There'd be no dispute at all if the bank continued to allow online criminals to siphon out of a known compromised account. The entire debate is what the standard should be before all parties acknowledge fraud.
You say there's "simply no way I can find the bank acted negligently unless I have a hate on for the banks". Well, I don't have a hate on for the banks. We do work for banks. There are many banks I like. My comments are not motivated out of irrational bank hatred.
† They aren't, by the way, "facts of the case"; each is your interpretation of the facts we're aware of in the case. They are as "factual" as your bald assertion that disagreement with you must imply irrational hatred of banking.