
Customer Vs. Bank: Who is Liable for Fraud Losses?

Comerica/EMI Case Raises Key Questions About Responsibility, Security
February 22, 2010 - Linda McGlasson, Managing Editor

At first this court case was a curiosity: Experi-Metal Inc. (EMI), a Michigan-based metal supply company, sued Comerica Bank, claiming that the bank exposed its customers to phishing attacks.

But now this story shapes up as a significant test case for the banking industry, raising several key questions that must be answered about fraud and responsibility.

"It will establish who is liable in the U.S. - the bank or the customer - for fraud losses that result from phishing," says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research.

The Basics
The lawsuit, filed by EMI in a Michigan circuit court, alleges that Dallas-based Comerica exposed its customers to phishing attacks by sending them emails asking them to click on a link to update the bank's security software. In January 2009, an EMI employee opened and clicked on links within a phishing email that purported to be from Comerica. The email duped the employee into believing the bank required an update to its online banking software. Subsequently, more than $550,000 was stolen from the company's bank accounts and sent overseas.

EMI says that even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures. The bank says its online security methods were reasonable "because they were in general used by other similarly situated customers of other banks." Now that this case is in the courts, observers say, several important questions will be debated regarding trust, responsibility and security. Among them:
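The attack above worked because the customer had been conditioned to receive "click here to update" emails from the bank, so a lookalike link drew no suspicion. The following is an added example (not code from the article, the court filings or either company) of the check a mail gateway or a customer's help desk can run on such a message: it pulls every link out of the HTML, and flags any whose host is not under the bank's real domain, any that embeds the bank's name inside a foreign host (the classic lookalike), any that is not HTTPS, and any whose displayed URL differs from the real destination. The email text and the domains (`bank.example` and the lookalike `bank.example.secure-update.net`) are constructed for the example, not taken from the case.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the bank's real domain(s). Subdomains of these are accepted too.
TRUSTED_DOMAINS = {"bank.example"}

# Constructed sample message in the style the article describes: a request to
# click a link to "update" online banking security software. One link is a
# lookalike; the other two are genuine.
SAMPLE_EMAIL = """
<p>Dear customer, our online banking security software requires an update.</p>
<p>Please <a href="http://bank.example.secure-update.net/login">click here</a>
to install it, or visit
<a href="https://bank.example/security">https://bank.example/security</a>.</p>
<p>Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host, trusted):
    """True only if host equals a trusted domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons a link looks like phishing (empty = clean)."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reasons = []
    if not host_is_trusted(host, trusted):
        reasons.append(f"host {host!r} is not under a trusted domain")
        # The bank's name appearing *inside* an untrusted host is the lookalike trick:
        # bank.example.secure-update.net is owned by whoever owns secure-update.net.
        if any(d in host for d in trusted):
            reasons.append("trusted domain name embedded in untrusted host (lookalike)")
    if parsed.scheme != "https":
        reasons.append("link is not https")
    # If the visible text is itself a URL, its host must match the real target.
    shown = urlparse(text).hostname if "://" in text else None
    if shown and shown.lower() != host.lower():
        reasons.append(f"displayed URL host {shown!r} differs from actual {host!r}")
    return reasons


def find_suspicious_links(email_html, trusted=TRUSTED_DOMAINS):
    """Parse the message and return [(href, reasons)] for every flagged link."""
    collector = LinkCollector()
    collector.feed(email_html)
    flagged = []
    for href, text in collector.links:
        reasons = classify_link(href, text, trusted)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("  -", r)
```

The structural point is the one the commenters below make: a bank that never sends live links in email has nothing to lose here, because any message that carries one is by definition not from the bank, and the check collapses to "does this email contain a link at all".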


#1: How Much Trust is Lost?
Clearly, Comerica has lost EMI's trust, but how much further can this costly loss of confidence spread among banking customers - even at other institutions? "Cases like this, when they hit the courts and the press, work at a macro level to erode the trust of all banks by all customers, even affecting those institutions with good anti-phishing programs in place," says Javelin's Wills. "It will make it that much harder for all banks to migrate their customer base to the highly cost-effective (from an operational standpoint) online channel."

Anytime a company incurs a data breach that compromises personal information, the organization risks having its customers walk away for good. "That's why it's so important that, before an incident occurs, a company take proactive steps to implement a reasonable security program," says Alysa Hutnik, a lawyer at Kelley Drye & Warren, a Washington DC-based law firm that specializes in post-incident response. "Even after a breach, if a company handles the issue responsibly, those efforts can earn back trust bit by bit. But here, where a customer is out of pocket hundreds of thousands of dollars as a result of a breach and was compelled to file a lawsuit to redress the issue, yes, the trust is likely lost."

Because trust is so fundamental to banking institutions, they have to draw a distinct line, says Avivah Litan, an analyst at Gartner. "Either banks explicitly and visibly warn their customers that banking with them is not safe and that [customers] are held liable for hacking into their accounts through online banking," she says. "Or they assume liability."

#2: Is a Bank Liable For Phishing?
Should a bank be held liable for a customer's employee falling for a phishing email that supposedly represents the bank? The EMI/Comerica case highlights several hotly-debated issues.

On the plaintiff's side, the employee's vulnerability to the phishing attack raises the core question of "What is sufficient training?", says attorney Hutnik. Most employees have been warned about phishing attempts, but even the most robust training does not protect against occasional human error. Does this training need to occur more frequently, or is it a matter of customizing the training to the evolving and specific types of phishing attempts? If a company is going to be responsible under the law for its employees' vulnerability to phishing attempts, Hutnik says, that is a pretty good incentive to increase training.

Can a bank be held liable? Some security experts say emphatically 'No.' "The bank clearly could have made better decisions on how to update security information," says Branden Williams, Director of the Security Consulting Practice at RSA, the security division of EMC. "But judging by the timelines, they may have been ahead of their time with offering multi-factor authentication for online business banking."

Reader Question: Ultimately, who do you see as liable for fraud losses in this case: the bank or the customer? Why?

Reader comments:

"Banks have once again taken the minimal approach to this problem. Regulators allow this minimal approach, as they are provided direction by elected officials lobbied by industry groups. The bank should have been monitoring and detected the phishing scheme and then heightened security on the processes that could have been compromised. Human intervention over automated systems. Was this a normal transaction for this customer? If not, stop it and make a call. When did stupidity become an excuse? When bank tellers cash checks for people pretending to be their customers - it just goes downhill from there.
"I think the bank is responsible because they were stupid enough to send live links to customers in earlier emails, instead of sending messages that direct the user to go to the regular home page and update a profile, or find a special message, or the like. If the customer-bank relationship led the customer to accept the emails with links as normal forms of communication, then why should the customer expect anything different?
"If you, the consumer, willingly open and respond to a phish, you should be held responsible for any funds lost over a predefined amount. I would say for a business account with $500K, the consumer should be responsible for anything over 10%.

If you, the consumer, do not already have cybersecurity awareness plan/policy/training instituted within your organization, and hold your employees accountable, then you should be liable for 100% of the lost funds.

If you, the consumer, have cyber dolts that can access your business accounts, then you are at fault.

Best plan: Training, training, and more training. Set daily limits on funds access - with the ability for a principal of the company to over-ride in certain situations.

When did stupidity become an excuse?
"While it does appear that the bank put itself at risk, more information is needed to prove it is liable. The truth is most customers disregard or complain about the safeguards that are implemented for their protection. Security costs money, and most people do not want to pay for it. Finally, no amount of security is going to protect someone who gave their information away in an email.
"We don't have all the details.

I don't think that one party can be held completely liable. Each party has responsibility and had a part in the funds being taken out of the account.
"While some of the important details are not included in this article, I think that in this case the bank should be liable. While I agree that the bank could have done more post-incident, I also believe it could have prevented this in the first place. The bank made two errors that allowed this to happen. Error number one was to use legitimate emails asking the customer to update their security measures. This set a precedent in the client's mind that the bank will use emails for this purpose, making phishing attacks more successful. Error number two was not using strong multi-factor authentication such as a token or fob. This would have reduced the chances of successfully accessing the account. This should be a requirement for any account that offers the ability to move funds out of the bank, such as bill-pay or cash management. If banks would like users to continue to use online services, it is up to the banking industry to prove that this is a safe delivery system. This incident does the opposite.
"First of all, banks should have a real-time fraud detection system. Secondly, banks should offer their customers the option of limiting the amount of wire transactions for internet orders. These are post-breach control points that will minimize the impact even if a customer makes a mistake. Therefore, by not offering alternative options for mitigating risk, the bank has to be liable for leaving the customer without a choice.
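Several of the comments above ("Was this a normal transaction for this customer? If not, stop it and make a call", daily limits with a principal's override, real-time fraud detection and customer-set wire caps) describe the same post-compromise control: stop the money even after the credentials are gone. The following is an added example, not code from the article, the commenters or either company, of what that check looks like for one business customer. It builds a baseline from the customer's recent outbound wires (typical amount, known destination countries, known beneficiaries) and holds any new wire that is far above the customer's norm, goes to a country or beneficiary never seen before, or pushes the day's total past a limit the customer set. The wire history, the customer, the countries and the $50,000 daily limit are all constructed for the example; nothing here is taken from the EMI account.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Wire:
    day: date
    amount: float        # USD
    dest_country: str    # country of the beneficiary bank (ISO code)
    beneficiary: str     # label the customer gave the beneficiary account


# Constructed history for a hypothetical business customer: modest, regular
# payments to three known vendors in North America over roughly three months.
HISTORY = [
    Wire(date(2008, 10, 3), 8_200.00, "US", "vendor-a"),
    Wire(date(2008, 10, 17), 12_500.00, "US", "vendor-b"),
    Wire(date(2008, 10, 31), 9_900.00, "US", "vendor-a"),
    Wire(date(2008, 11, 7), 15_000.00, "CA", "vendor-c"),
    Wire(date(2008, 11, 21), 11_300.00, "US", "vendor-b"),
    Wire(date(2008, 12, 5), 7_750.00, "US", "vendor-a"),
    Wire(date(2008, 12, 19), 14_200.00, "CA", "vendor-c"),
    Wire(date(2009, 1, 2), 10_600.00, "US", "vendor-b"),
]

# Hypothetical customer-chosen cap on total outbound wires per day (the
# "daily limit with a principal's override" one commenter asks for).
DAILY_LIMIT = 50_000.00


def baseline(history):
    """Summarise what 'normal' looks like for this customer."""
    amounts = [w.amount for w in history]
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "countries": {w.dest_country for w in history},
        "beneficiaries": {w.beneficiary for w in history},
    }


def review_wire(new, history, daily_limit=DAILY_LIMIT):
    """Return ('release', []) or ('hold for callback', [reasons]) for a new wire.

    A hold means the wire is parked until someone at the bank reaches the
    customer by phone; it does not reject the wire outright, so a principal
    can still approve a genuine one-off payment.
    """
    b = baseline(history)
    reasons = []

    # 1. Amount far outside the customer's own distribution (mean + 3 sigma).
    ceiling = b["mean"] + 3 * b["stdev"]
    if new.amount > ceiling:
        reasons.append(f"amount {new.amount:,.2f} exceeds customer ceiling {ceiling:,.2f}")

    # 2. First-ever wire to this destination country.
    if new.dest_country not in b["countries"]:
        reasons.append(f"first wire to country {new.dest_country}")

    # 3. First-ever wire to this beneficiary account.
    if new.beneficiary not in b["beneficiaries"]:
        reasons.append(f"first wire to beneficiary {new.beneficiary!r}")

    # 4. Day's outbound total (already-sent plus this one) over the customer's cap.
    same_day_total = sum(w.amount for w in history if w.day == new.day) + new.amount
    if same_day_total > daily_limit:
        reasons.append(f"daily total {same_day_total:,.2f} exceeds limit {daily_limit:,.2f}")

    return ("hold for callback" if reasons else "release", reasons)


if __name__ == "__main__":
    # Constructed: a large wire to a never-seen overseas account, as in a takeover.
    suspicious = Wire(date(2009, 1, 20), 95_000.00, "LV", "unknown-acct-0417")
    # Constructed: a routine payment to a known vendor.
    routine = Wire(date(2009, 1, 20), 12_000.00, "US", "vendor-b")
    for w in (suspicious, routine):
        decision, why = review_wire(w, HISTORY)
        print(f"{w.amount:>10,.2f} -> {w.dest_country} {w.beneficiary}: {decision}")
        for r in why:
            print("    -", r)
```

The thresholds are per customer, derived from that customer's own history, which is what makes "was this normal for this customer?" answerable without a rule that also blocks a larger client's everyday payments. A real deployment would add at least the beneficiary's bank identifier and the originating session's device or IP to the baseline; those fields are left out here because the article gives no such detail for the case.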