Banking Group | Winter 2015
Hacked Customer Accounts: Who Pays for Cybercrime Losses?
By Abbie S. Olson
866-760-3429
aolson@gislason.com
Cybercrime is the top-ranked national security threat, above
terrorism, espionage, and weapons of mass destruction,
according to the U.S. Director of National Intelligence.
Phishing, pharming, malware, and other forms of hacking are
increasing in frequency, and losses attributable to financial
fraud are growing. Most customers expect that, if they suffer a
loss from financial fraud related to a cybercrime, their financial
institution has to make them whole. And while that is sometimes
the case, it is not an absolute.
Some of the most common cybercrimes that result in financial
fraud are phishing, pharming, and malware. Phishing uses email
or social media to get someone to enter sensitive information,
like account numbers and passwords, on a website that looks
authentic, but is not. A common form of phishing occurs
when emails containing stolen graphics tell customers that due
to security concerns they need to click the included link to
verify their information. Generally, the website that opens is a
duplicate spoof of an actual login page that allows the criminal
to record the customer’s information. Pharming redirects an
authentic website’s traffic to a fake duplicate website that records
any sensitive information that is entered. It is similar to phishing,
except this cyberattack is directed at your website host.
Criminals are able to record information entered on the fake
website. Malware is a term that refers to a variety of forms
of intrusive software, such as viruses, worms, Trojan horses,
and spyware. Malware usually infects a specific computer
and records a user’s keystrokes, including account numbers,
passwords, and answers to security questions.
Consumer Accounts
Most of the time, financial institutions are liable for
financial fraud losses from consumer accounts. Consumer
accounts are regulated by the Electronic Fund Transfer
Act (“EFTA”) and Regulation E. Under these regulations,
consumers are responsible for reporting financial fraud to
the financial institution. But once the fraud is reported, the
burden of proof is on the financial institution to establish
that the transaction was authorized or that there were
reasonable methods in place to authenticate authorization
at the time of the transaction. These authentication
methods usually consist of PIN numbers and signatures,
but can be a photograph, fingerprint, or other electronic or
mechanical confirmation. Once the bank establishes that
there were authentication measures in place, the burden
shifts back to the customer to prove the fraud. Most often
proof of fraud consists of debit or credit card charges in
completely different cities when customers have proof of
being somewhere else. If the customer proves there were
fraudulent charges and reports them within 48 hours, then
the customer’s liability is limited to $50.00 and the financial
institution is liable for the rest. If the fraud isn’t reported
within 48 hours, the customer’s liability increases to a
maximum of $500.00.
Business Accounts
Generally, a financial institution also bears the risk of
payments from business accounts made as a result of
fraudulent activities. In the commercial context, however, it
is possible for the bank to shift the risk to its customers. The
analysis of liability for financial fraud losses from business
accounts is based on the Uniform Commercial Code
(“UCC”) Article 4A. UCC Article 4A allows a financial
institution to allocate the liability for financial fraud loss to
the customer in situations where the financial institution
has adopted commercially reasonable security procedures
that the customer has agreed to, and where the financial
institution used those procedures in good faith. The
standard is not whether the security procedure is the best
available; it is whether the procedure is reasonable for the
particular customer and the particular bank.
Experi-Metal, Inc. v. Comerica Bank
Experi-Metal, Inc. fell victim to a phishing attack that
resulted in the hijacking of its accounts. On the day of
the phishing attack, 97 fraudulent wire transfers totaling
$5.6 million were attempted between 7:00 a.m. and 2:00
p.m. Experi-Metal’s accounts contained approximately
$546,000.00 at the beginning of the day, but Comerica only
rejected 3 of the wire transfers due to a lack of funds.
At approximately 11:30 a.m., Comerica was notified by a
receiving bank of suspicious wire transfers. Experi-Metal
was contacted to verify the transfers, and Comerica flagged
Experi-Metal’s accounts to place a hold on additional wire
transfers at approximately 12:30 p.m. But Comerica failed
to end the current user’s session until approximately 2:00
p.m. The cybercriminal executed an additional 15 wire
transfers between 12:30 and 2:00 p.m.
In total, the cybercriminal completed wire transfers
totaling approximately $1.9 million. Most of the funds
were recovered, but $560,000 was not. Experi-Metal sued
Comerica for the loss, claiming that Comerica failed to
use commercially reasonable security procedures and failed
to use good faith in allowing the wire transfers. The court
found that Comerica did not present sufficient evidence that
it used commercially reasonable security procedures. The
court noted that, in making its determination, it considered
the volume and frequency of the payment orders and book
transfers, the $5-million overdraft that was created by the
transfers, Experi-Metal’s limited wire transfer history, the
destinations of the wire transfers, and Comerica’s knowledge
of prior phishing attempts directed at its customers. In
the end, the court decided that Comerica did not use
commercially reasonable security procedures and, therefore,
had to pay for the cybercrime losses.
Patco Construction Company, Inc. v. People’s United Bank
Patco Construction Company, Inc. lost approximately
$589,000 from six fraudulent transfers that occurred over
a seven-day period. The cybercriminals gained access to
Patco’s accounts by stealing an employee’s login information
and her customized security question answers through the
use of malware.
The bank’s security system required a user-specific ID,
password, and challenge questions for every transaction.
It also included invisible device authentication and risk
profiling. The bank’s security system flagged each of the
fraudulent transactions as unusually high-risk because they
were inconsistent with the timing, value, and geographic
location of the company’s regular wire transfers, but the
bank still allowed the payments to go through without
notifying Patco because the proper log-in information and
challenge question answers were supplied. Portions of the
fraudulent transfers were automatically returned because
receiving account numbers were invalid. Patco was provided
with mailed notice of the returns. Upon discovery of the
fraudulent transfers, Patco notified the bank and the bank
stopped the fraudulent activity. Of the $589,000 stolen,
approximately $243,000 was recovered.
The court determined that the bank was responsible for
the unrecovered funds because its security procedures
were not commercially reasonable. The court felt that by
requiring challenge question answers for every transaction,
the bank needlessly increased the likelihood that malware
would be able to steal all necessary login information,
thereby nullifying any increased security the challenge
questions provided in the first place. This lack of security
was compounded by the bank’s failure to monitor the
risk-scoring reports that were available to it. The court
found this lack of monitoring especially unreasonable in
light of the bank’s knowledge of other recent fraud upon its
customers, also attributable to malware.
Choice Escrow and Land Title, LLC v. BancorpSouth Bank
An employee of Choice Escrow and Land Title, LLC fell
victim to a phishing scam that gave a third party access to
the employee’s username and password and allowed the
third party to mimic the employee’s IP address. The third
party used that information to access the BancorpSouth
system and execute a fraudulent wire transfer for $440,000,
which was never recovered. Choice brought suit against
BancorpSouth to recoup the funds.
In determining whether BancorpSouth’s security measures
were commercially reasonable, the court noted that
BancorpSouth offered Choice four security measures
including registration of unique user IDs and passwords,
device authentication and challenge questions, daily activity
limitations, and dual control. Choice declined both the
daily activity limitations and the dual control, and signed a
waiver acknowledging that it understood and assumed the
risks of doing so. The court noted that at some point prior
to the fraud, Choice asked if BancorpSouth could block all
foreign transfers and BancorpSouth responded that it had
no way of blocking only foreign transfers and recommended
adding the dual control feature. Choice again, in writing,
declined the additional security measure. The court found
that in this situation BancorpSouth offered commercially
reasonable security measures to Choice, but that Choice
voluntarily declined the use of those security measures and
thereby assumed full responsibility and risk of loss for all
transactions.
Choice then attempted to prove that BancorpSouth did not
accept the payment order in good faith. The court pointed
out that the good faith analysis in this situation focused on
an inquiry of the aspects of the wire transfer that were left
to the bank’s discretion. BancorpSouth’s process did not
require its employees to check payment orders before they
cleared, nor did it require them to check payment orders
for irregularities. The court noted that in this situation
there was one fraudulent transfer of an amount that was
within the regular range of the account’s history. There was
no independent reason for BancorpSouth to suspect the
wire transfer was fraudulent, so it acted in good faith by
processing it.
Takeaway
Password expiration, limited password reuse, multi-factor
authentication, secure tokens, restriction of IP addresses,
dual control, and customer notification are just some of
the potential security procedures available for financial
institutions. And while financial institutions are not
required to implement every possible security procedure, at
the very least, financial institutions should require the use of
multiple security procedure options. The Federal Financial
Institutions Examination Council published guidance
in 2005 titled “Authentication in an Internet Banking
Environment” that still provides the baseline of applicable
standards for commercial reasonableness in Internet banking
security.
Financial institutions should also be careful to document
and preserve any particular customer elections to participate
in or opt out of the available security procedures. It is also
a good idea to periodically review customer agreements to
ensure that all available protections and liability limitations
are included.
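The three cases above turn on the same operational point: a correct login and correct challenge-question answers are necessary but not sufficient, and a risk score that is computed but never acted on (Patco), a session left open after a hold (Experi-Metal), or a customer who declines daily limits and dual control (Choice) each changes who bears the loss. The following Python is an added illustration written for this article, not any bank's system and not code from the cases; it models a payment-order decision that combines credential checks with the controls the Takeaway lists. All data structures, signal weights, the hold threshold, and the sample customer profile and orders are constructed assumptions.

```python
"""Illustrative wire-transfer authorization policy (constructed example).

A payment order is RELEASED, placed on HOLD for out-of-band customer
verification, or REJECTED. Credentials are checked first but never
decide the outcome alone; daily activity limits, dual control, and a
risk score built from timing, amount, destination and velocity do.
Weights and thresholds below are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class CustomerProfile:
    daily_limit: Optional[float]     # None: customer declined daily activity limits
    dual_control: bool               # True: a second approver must sign every order
    usual_hours: Tuple[int, int]     # (start, end) hours when the customer normally transacts
    typical_amount: float            # representative historical wire amount
    known_beneficiaries: Set[str]    # accounts paid before without incident
    domestic_only: bool              # no history of foreign wires


@dataclass
class PaymentOrder:
    amount: float
    beneficiary_account: str
    beneficiary_country: str
    submitted_at: datetime
    approvers: Set[str]              # distinct users who approved this order


@dataclass
class Session:
    """Same-day state for one online-banking session."""
    released: List[Tuple[datetime, float]] = field(default_factory=list)
    terminated: bool = False         # set once an order is held; nothing more is accepted


HOLD_THRESHOLD = 4                   # assumed: score at or above this is held for verification


def risk_score(order: PaymentOrder, profile: CustomerProfile, session: Session):
    """Additive score; each signal mirrors a factor the courts weighed."""
    score, reasons = 0, []
    start, end = profile.usual_hours
    if not start <= order.submitted_at.hour < end:
        score += 2; reasons.append("outside usual hours")
    if order.amount > 3 * profile.typical_amount:
        score += 3; reasons.append("amount far above history")
    if order.beneficiary_account not in profile.known_beneficiaries:
        score += 2; reasons.append("new beneficiary")
    if profile.domestic_only and order.beneficiary_country != "US":
        score += 3; reasons.append("foreign destination")
    window_start = order.submitted_at - timedelta(hours=1)
    if sum(1 for t, _ in session.released if t >= window_start) >= 5:
        score += 4; reasons.append("unusual velocity")   # many wires in a short window
    return score, reasons


def decide(order, profile, session, credentials_ok: bool):
    """Return (decision, reasons). Credentials gate entry; controls decide release."""
    if session.terminated:
        return "REJECT", ["session terminated pending verification"]
    if not credentials_ok:
        return "REJECT", ["authentication failed"]
    if profile.dual_control and len(order.approvers) < 2:
        return "REJECT", ["dual control: second approver required"]
    spent_today = sum(a for t, a in session.released
                      if t.date() == order.submitted_at.date())
    if profile.daily_limit is not None and spent_today + order.amount > profile.daily_limit:
        return "REJECT", ["daily activity limit exceeded"]
    score, reasons = risk_score(order, profile, session)
    if score >= HOLD_THRESHOLD:
        session.terminated = True    # end the session rather than keep honoring valid credentials
        return "HOLD", reasons
    session.released.append((order.submitted_at, order.amount))
    return "RELEASE", reasons


def run_demo():
    """Constructed scenarios; returns the decision for each."""
    profile = CustomerProfile(daily_limit=250_000.0, dual_control=False, usual_hours=(8, 17),
                              typical_amount=20_000.0, known_beneficiaries={"ACCT-111"},
                              domestic_only=True)
    day = datetime(2015, 1, 12)
    order = lambda amt, acct, cc, h, m=0, who=frozenset({"alice"}): PaymentOrder(
        amt, acct, cc, day.replace(hour=h, minute=m), set(who))
    out = {}
    s = Session()
    out["routine"] = decide(order(15_000.0, "ACCT-111", "US", 10), profile, s, True)[0]
    out["anomalous"] = decide(order(90_000.0, "ACCT-999", "XX", 6, 30), profile, s, True)[0]
    out["after_hold"] = decide(order(5_000.0, "ACCT-111", "US", 6, 45), profile, s, True)[0]
    s2 = Session()   # six small wires within 25 minutes: velocity alone triggers a hold
    out["burst"] = [decide(order(1_000.0, "ACCT-111", "US", 9, 5 * i), profile, s2, True)[0]
                    for i in range(6)]
    out["over_limit"] = decide(order(300_000.0, "ACCT-111", "US", 10), profile, Session(), True)[0]
    dual = CustomerProfile(250_000.0, True, (8, 17), 20_000.0, {"ACCT-111"}, True)
    out["single_approver"] = decide(order(15_000.0, "ACCT-111", "US", 10), dual, Session(), True)[0]
    declined = CustomerProfile(None, False, (8, 17), 20_000.0, {"ACCT-111"}, True)
    out["declined_limits"] = decide(order(300_000.0, "ACCT-111", "US", 10), declined, Session(), True)[0]
    return out


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:16s} {decision}")
```

The "declined_limits" scenario is the Choice situation: with daily limits and dual control waived, a large wire to a known domestic beneficiary during business hours scores only 3 and is released, which is why the courts treat a documented customer election to opt out of a control as shifting the risk. The "after_hold" scenario is the Experi-Metal failure in reverse: once an order is held, the session is terminated so that further orders from the same login are not honored while verification is pending.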