6 | Banking Group | Winter 2015
Cybercrime is the top-ranked national security threat, above
terrorism, espionage, and weapons of mass destruction,
according to the U.S. Director of National Intelligence.
Phishing, pharming, malware, and other forms of hacking are
increasing in frequency, and losses attributable to financial
fraud are growing. Most customers expect that, if they suffer a
loss from financial fraud related to a cybercrime, their financial
institution has to make them whole. And while that is sometimes
the case, it is not an absolute.
Some of the most common cybercrimes that result in financial
fraud are phishing, pharming, and malware. Phishing uses email
or social media to lure someone into entering sensitive information,
such as account numbers and passwords, on a website that looks
authentic but is not. A common form tells customers, in an email
dressed up with the bank's stolen logos and graphics, that for
security reasons they must click the included link to verify their
information. The site that opens is typically a pixel-for-pixel copy
of the real login page, and anything the customer types there is
recorded by the criminal. Pharming redirects traffic intended for an
authentic website to a fraudulent duplicate that records whatever
sensitive information is entered. It is similar to phishing,
By Abbie S. Olson
866-760-3429
aolson@gislason.com
Hacked Customer Accounts: Who Pays for Cybercrime Losses?
except that the attack is aimed at name resolution (poisoned DNS
records, or an altered hosts file on the victim's own machine) rather
than at the user, so a customer who types the correct address still
lands on the criminal's copy of the site, where everything entered is
recorded. Malware is a general term for intrusive software such as
viruses, worms, Trojan horses, and spyware. In banking fraud it
usually infects a specific computer and captures what the user types
or submits, including account numbers, passwords, and answers to
security questions, and it can do so even while the user is on the
genuine site.
Consumer Accounts
Most of the time, financial institutions bear the loss from
fraud on consumer accounts. Consumer accounts are governed by the
Electronic Fund Transfer Act ("EFTA") and Regulation E. Under these
rules the consumer must report the unauthorized transfer to the
financial institution, but once it is reported the burden of proof
is on the institution to show either that the transfer was
authorized or, if it was not, that the conditions for holding the
consumer liable were met, including that the card or other access
device carried a means of identifying the consumer at the time of
the transaction. That means of identification is usually a PIN or
signature, but it can be a photograph, fingerprint, or other
electronic or mechanical confirmation. Once the bank shows these
measures were in place, the burden shifts back to the customer to
prove the fraud. Most often the proof is a debit card charge in a
completely different city at a time the customer can show she was
somewhere else. (Credit card fraud is governed by separate rules
under the Truth in Lending Act, not Regulation E.) If the customer
proves the charges were unauthorized and reports the loss or theft
of the card or credentials within two business days of learning of
it, the customer's liability is limited to $50.00 and the financial
institution is liable for the rest. If the loss is not reported
within two business days, the customer's liability rises to a
maximum of $500.00, and a customer who fails to report unauthorized
transfers within 60 days after the statement showing them was sent
can be liable without limit for later unauthorized transfers that
timely notice would have prevented.
Business Accounts
Generally a financial institution also bears the risk of
payments from business accounts made as a result of fraud.
In the commercial context, however, the bank can shift that
risk to its customer. Liability for fraud losses on business
accounts is governed by Article 4A of the Uniform Commercial
Code ("UCC"), which treats a wire as the customer's own payment
order, even though the customer never sent it, when (1) the bank
and the customer agreed on a security procedure for verifying
payment orders, (2) that procedure is commercially reasonable,
and (3) the bank accepted the order in good faith and in
compliance with the procedure and any written instructions from
the customer. The standard is not whether the security procedure
is the best available; it is whether the procedure is reasonable
for the particular customer and the particular bank, taking into
account the size, type, and frequency of the customer's payment
orders and the procedures offered by similarly situated banks.
Experi-Metal, Inc. v. Comerica Bank
Experi-Metal, Inc. fell victim to a phishing attack that
resulted in the hijacking of its accounts. On the day of
the phishing attack, 97 fraudulent wire transfers totaling
$5.6 million were attempted between 7:00 a.m. and 2:00
p.m. Experi-Metal’s accounts contained approximately
$546,000.00 at the beginning of the day, but Comerica only
rejected 3 of the wire transfers due to a lack of funds.
At approximately 11:30 a.m., Comerica was notified by a
receiving bank of suspicious wire transfers. Experi-Metal
was contacted to verify the transfers, and Comerica flagged
Experi-Metal’s accounts to place a hold on additional wire
transfers at approximately 12:30 p.m. But Comerica failed
to end the current user’s session until approximately 2:00
p.m. The cybercriminal executed an additional 15 wire
transfers between 12:30 and 2:00 p.m.
In total, the cybercriminal completed wire transfers
totaling approximately $1.9 million. Most of the funds
were recovered, but about $560,000 was not. Experi-Metal sued
Comerica for the loss, claiming that Comerica had not used
commercially reasonable security procedures and had not accepted
the payment orders in good faith. The court found that
Experi-Metal had agreed to Comerica's security procedure, so that
prong was satisfied and the dispute turned on good faith, which
under Article 4A means honesty in fact and the observance of
reasonable commercial standards of fair dealing. In weighing that
question the court considered the volume and frequency of the
payment orders and book transfers, the $5-million overdraft the
transfers created, Experi-Metal's limited wire transfer history,
the destinations of the wire transfers, and Comerica's knowledge
of prior phishing attempts directed at its customers. Comerica did
not show that a bank dealing fairly with its customer would have
let the activity run as long as it did, so it failed to carry its
burden on good faith and had to bear the cybercrime losses.
Patco Construction Company, Inc. v. People’s United Bank
Patco Construction Company, Inc. lost approximately
$589,000 from six fraudulent transfers that occurred over
a seven-day period. The cybercriminals gained access to
Patco’s accounts by stealing an employee’s login information
and her customized security question answers through the
use of malware.
The bank’s security system required a user-specific ID,
password, and challenge questions for every transaction.
It also included invisible device authentication and risk
profiling. The bank’s security system flagged each of the
fraudulent transactions as unusually high-risk because they
were inconsistent with the timing, value, and geographic
location of the company’s regular wire transfers, but the
bank still allowed the payments to go through without
notifying Patco because the proper log-in information and
challenge question answers were supplied. Portions of the
fraudulent transfers were automatically returned because
receiving account numbers were invalid. Patco was provided
with mailed notice of the returns. Upon discovery of the
fraudulent transfers, Patco notified the bank and the bank
stopped the fraudulent activity. Of the $589,000 stolen,
approximately $243,000 was recovered.
The court held that the bank's security procedures were not
commercially reasonable, so the bank could not shift the
unrecovered loss to Patco. By lowering the dollar threshold that
triggered the challenge questions to $1, so that the answers were
demanded on essentially every transaction, the bank ensured that a
keylogger on one infected computer would capture the answers along
with the user ID and password, nullifying whatever protection the
questions were meant to add. That weakness was compounded by the
bank's failure to monitor the risk-scoring reports already
available to it: the system scored the fraudulent transfers as
high risk, but no one reviewed the scores and nothing in the
process required a high score to change the outcome. The court
found the lack of monitoring especially unreasonable in light of
the bank's knowledge of other recent malware-driven fraud against
its customers.
Choice Escrow and Land Title, LLC v. BancorpSouth Bank
An employee of Choice Escrow and Land Title, LLC fell
victim to a phishing scam that gave a third party access to
the employee’s username and password and allowed the
third party to mimic the employee’s IP address. The third
party used that information to access the BancorpSouth
system and execute a fraudulent wire transfer for $440,000,
which was never recovered. Choice brought suit against
BancorpSouth to recoup the funds.
In determining whether BancorpSouth’s security measures
were commercially reasonable, the court noted that
BancorpSouth offered Choice four security measures
including registration of unique user IDs and passwords,
device authentication and challenge questions, daily activity
limitations, and dual control. Choice declined both the
daily activity limitations and the dual control, and signed a
waiver acknowledging that it understood and assumed the
risks of doing so. The court noted that at some point prior
to the fraud, Choice asked if BancorpSouth could block all
foreign transfers and BancorpSouth responded that it had
no way of blocking only foreign transfers and recommended
adding the dual control feature. Choice again, in writing,
declined the additional security measure. The court found
that in this situation BancorpSouth offered commercially
reasonable security measures to Choice, but that Choice
voluntarily declined the use of those security measures and
thereby assumed full responsibility and risk of loss for all
transactions.
Choice then argued that BancorpSouth had not accepted the
payment order in good faith. The court explained that the
good-faith inquiry looks only at the parts of the transfer that
were left to the bank's discretion. BancorpSouth's process did not
require its employees to review payment orders before they
cleared or to check them for irregularities, and on these facts
there was a single wire in an amount within the account's normal
range. With no independent reason to suspect the wire was
fraudulent, the bank acted in good faith by processing it.
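The three cases turn on the same handful of controls: whether a bank acts on the risk signals it already computes (Patco), whether a hold actually stops the compromised session instead of logging it out an hour later (Experi-Metal), and whether the customer elected daily limits and dual control (Choice). The block below is an added example written for this page; it is not code from the article, from any of the banks involved, or from any real wire-processing system. Every profile field, threshold, session identifier, timestamp and sample order in it is hypothetical and constructed here. It replays a burst of wires modelled loosely on the Experi-Metal pattern and a single in-range wire modelled on Choice, and shows how the decision changes when the score is enforced and when dual control is elected.

```python
"""Added example: wire-order screening that enforces its own risk signals.

Not code from the article, the banks, or any real wire system. All thresholds,
profile fields, session identifiers, timestamps and sample orders are
hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass
class Profile:
    """What the bank knows about the customer before the order arrives."""
    customer: str
    balance: float                       # opening ledger balance for the day
    typical_max: float                   # largest prior wire; 0 = no wire history
    usual_countries: FrozenSet[str]      # destinations seen in prior history
    daily_limit: Optional[float] = None  # Choice-style option; None if declined
    dual_control: bool = False           # second approver required if elected


@dataclass
class Order:
    ts: datetime
    amount: float
    country: str
    session_id: str
    approvers: int = 1


@dataclass
class AccountState:
    """Mutable per-account state across a day's orders."""
    sent_today: float = 0.0
    accepted_at: List[datetime] = field(default_factory=list)
    on_hold: bool = False
    revoked_sessions: Set[str] = field(default_factory=set)


def risk_factors(p: Profile, o: Order, st: AccountState,
                 window: timedelta = timedelta(hours=1),
                 max_per_window: int = 5) -> List[str]:
    """The signals the Experi-Metal court said a bank dealing fairly would weigh:
    volume and frequency, overdraft, thin wire history, unusual destination."""
    factors = []
    if sum(1 for t in st.accepted_at if o.ts - t <= window) >= max_per_window:
        factors.append("velocity")
    if st.sent_today + o.amount > p.balance:
        factors.append("overdraft")
    if p.typical_max == 0 or o.amount > 3 * p.typical_max:
        factors.append("amount_vs_history")
    if o.country not in p.usual_countries:
        factors.append("new_destination")
    return factors


def screen(p: Profile, o: Order, st: AccountState) -> Tuple[str, List[str]]:
    """Decide one order: 'release', 'hold' (verify out of band) or 'reject'.
    Records accepted orders and holds in st."""
    # Experi-Metal lesson: once the account is on hold, nothing more leaves from
    # the session that tripped it, rather than "flag now, log out later".
    if st.on_hold or o.session_id in st.revoked_sessions:
        return "reject", ["account_on_hold"]
    # Choice lesson: contractual controls the customer elected are enforced first.
    if p.dual_control and o.approvers < 2:
        return "reject", ["dual_control_missing"]
    if p.daily_limit is not None and st.sent_today + o.amount > p.daily_limit:
        return "reject", ["daily_limit"]
    # Patco lesson: a risk score is only a control if it changes the outcome.
    factors = risk_factors(p, o, st)
    if len(factors) >= 2:
        st.on_hold = True
        st.revoked_sessions.add(o.session_id)
        return "hold", factors
    st.sent_today += o.amount
    st.accepted_at.append(o.ts)
    return "release", factors


def replay_burst(n: int = 10) -> List[str]:
    """Constructed burst in the Experi-Metal pattern: one session fires a wire
    every five minutes against an account with no prior wire history."""
    p = Profile("thin-history-co", balance=546_000.0, typical_max=0.0,
                usual_countries=frozenset({"US"}))
    st = AccountState()
    start = datetime(2009, 1, 22, 7, 0)  # constructed timestamp
    return [screen(p, Order(start + timedelta(minutes=5 * i), 60_000.0,
                            "US", "sess-1"), st)[0] for i in range(n)]


def single_in_range_wire(dual_control: bool) -> str:
    """Constructed Choice-style case: one wire within the account's normal
    range to a new country, with dual control declined or elected."""
    p = Profile("escrow-co", balance=1_000_000.0, typical_max=500_000.0,
                usual_countries=frozenset({"US"}), dual_control=dual_control)
    o = Order(datetime(2010, 3, 17, 10, 0), 440_000.0, "CY", "sess-9")
    return screen(p, o, AccountState())[0]


if __name__ == "__main__":
    print(replay_burst())               # 5 x release, hold, then 4 x reject
    print(single_in_range_wire(False))  # release: nothing for the bank to see
    print(single_in_range_wire(True))   # reject: second approver missing
```

Two design points are worth noting. The single in-range wire to a new country scores only one factor and is released, which is the Choice outcome: with dual control and daily limits declined, a lone plausible order gives the bank nothing to act on, and the contractual election is what decides who eats the loss. In the burst, the sixth order trips velocity on top of the thin-history factor and the account goes on hold; every later order from that session is rejected outright, which is the step Comerica skipped for roughly ninety minutes.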
Takeaway
Password expiration, limits on password reuse, multi-factor
authentication, hardware tokens, IP address restrictions, daily
and per-transaction limits, dual control, out-of-band confirmation
of payment orders, and customer notification are just some of the
security procedures available to financial institutions. Financial
institutions are not required to implement every one, but at a
minimum they should offer, and require the use of, several of them
in layers. The cases above also show that a control is only as good
as its enforcement: a risk score that nobody acts on (Patco) and a
hold that does not terminate the compromised session (Experi-Metal)
did the bank no good. The Federal Financial Institutions Examination
Council's 2005 guidance, "Authentication in an Internet Banking
Environment," still provides the baseline for commercial
reasonableness in Internet banking security; its 2011 Supplement,
which calls for layered security and transaction anomaly detection
for business accounts, should be read alongside it.
Financial institutions should also document and preserve each
customer's election to use or decline the available security
procedures, as the written waivers did for BancorpSouth in Choice.
It is also a good idea to review customer agreements periodically
to make sure that every available protection and liability
limitation is included.