BankInfoSecurity.com - Information Security News, Regulations, & Education

Customer Vs. Bank: Who is Liable for Fraud Losses?

Comerica/EMI Case Raises Key Questions About Responsibility, Security
February 22, 2010 - Linda McGlasson, Managing Editor
(Page 2 of 2)

Williams quotes an old saying: "I'll open the door for you, but only you can walk through it." Comerica did open the door with its security updates, he says, but a simple training issue would have prevented the employee from walking through that door. "Companies that become complacent with security become easy targets."

#3: What is 'Reasonable Security'?
In this case, was the bank's two-factor security token technology an unreasonable safeguard based on the information available at the time it was implemented by the company? Discovery and expert testimony on this point will be critical, says Hutnik. So too, will the surrounding facts on what information the bank provided to its customers about giving personal information online, or in response to an email alert, leading up to and after it transitioned away from the digital certificate security process.

Hutnik sees a third key issue, which is often a gap in many companies: What measures were in place to detect unauthorized, unusual activity involving this customer account, and did the bank act quickly enough in response to such detection? "All companies could benefit from evaluating and assessing how they compare the issues raised in this case against their own information security programs," she says.
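Hutnik's question above, and the readers' suggestions further down the page (stop an out-of-pattern transaction and make a call; set daily limits that only a principal of the company can override), both describe a per-customer transaction screen. The following is an added example of such a screen, not code from the article, the bank or any commenter; every name, threshold and transaction in it is constructed for illustration. It holds an outbound transfer for a call-back when the beneficiary is new to the customer, when the amount is outside the customer's own historical baseline, or when the day's cumulative outbound total would exceed an agreed limit, and it lets an out-of-band principal override cover only the limit check, never the anomaly checks.

```python
"""Out-of-pattern outbound transfer screening (added example, constructed data).

Not the bank's system and not code from the article or its commenters. It
shows the kind of per-customer check the discussion calls for: hold a wire or
ACH for a human call-back when it falls outside the customer's own pattern or
exceeds an agreed daily limit, with an out-of-band principal override that
covers the limit only.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from statistics import mean, pstdev

HOLD = "hold"        # stop the transfer and call the customer on a number of record
RELEASE = "release"

NEW_BENEFICIARY = "new beneficiary"
AMOUNT_ANOMALY = "amount outside customer baseline"
DAILY_LIMIT = "daily limit exceeded"
OVERRIDE_USED = "daily limit exceeded, principal override on file"


@dataclass
class Transfer:
    ref: str
    beneficiary: str                   # destination account label (constructed)
    amount: float
    when: datetime
    principal_override: bool = False   # approved out-of-band by an account principal


@dataclass
class CustomerProfile:
    daily_limit: float                           # agreed cap on outbound funds per day
    history: list = field(default_factory=list)  # previously released Transfers

    def known_beneficiaries(self) -> set:
        return {t.beneficiary for t in self.history}

    def baseline(self, sigma: float) -> float:
        """Upper bound of 'normal' amounts: mean + sigma * population std dev."""
        amounts = [t.amount for t in self.history]
        return mean(amounts) + sigma * pstdev(amounts)

    def released_on(self, day: date) -> float:
        return sum(t.amount for t in self.history if t.when.date() == day)


def screen_transfer(profile: CustomerProfile, tx: Transfer,
                    sigma: float = 3.0, min_history: int = 5):
    """Decide RELEASE or HOLD for one transfer; returns (decision, reasons).

    A released transfer is appended to the profile's history so that later
    transfers on the same day count against the daily limit.
    """
    reasons = []
    if tx.beneficiary not in profile.known_beneficiaries():
        reasons.append(NEW_BENEFICIARY)
    # Only judge the amount once there is enough history for a baseline.
    if len(profile.history) >= min_history and tx.amount > profile.baseline(sigma):
        reasons.append(AMOUNT_ANOMALY)
    hold = bool(reasons)   # the principal override never covers the two checks above
    if profile.released_on(tx.when.date()) + tx.amount > profile.daily_limit:
        if tx.principal_override:
            reasons.append(OVERRIDE_USED)   # recorded for audit, not a reason to hold
        else:
            reasons.append(DAILY_LIMIT)
            hold = True
    if hold:
        return HOLD, reasons
    profile.history.append(tx)
    return RELEASE, reasons


def run_demo() -> dict:
    """Screen a constructed day's batch against a constructed customer history."""
    prior = [9000, 11000, 12000, 10000, 8000, 12500, 9500, 11500]
    profile = CustomerProfile(
        daily_limit=20000,
        history=[Transfer(f"h{i}", "supplier-a" if i % 2 else "payroll-vendor", amt,
                          datetime(2010, 1, 4 + i, 10, 0))
                 for i, amt in enumerate(prior)],
    )
    today = datetime(2010, 1, 22, 9, 30)
    batch = [
        Transfer("tx1", "supplier-a", 8000, today),            # routine payment
        Transfer("tx2", "acct-never-seen", 95000, today),      # new payee, huge amount
        Transfer("tx3", "payroll-vendor", 13000, today, principal_override=True),
    ]
    return {tx.ref: screen_transfer(profile, tx) for tx in batch}


if __name__ == "__main__":
    for ref, (decision, reasons) in run_demo().items():
        print(ref, decision, "; ".join(reasons) or "-")
```

In the constructed batch the routine payment is released, the large transfer to an unknown account is held on all three grounds, and the payroll transfer that pushes the day past the limit is released only because a principal override is on file, with that fact kept in the reasons list for the audit trail. The sigma threshold and the minimum history length are tuning knobs; a real deployment would calibrate them per customer segment and would also score the session (new device, new geography), which this example omits.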

David Navetta, a lawyer at the Information Law Group, a Colorado-based law firm, says one of the issues that will be key in this case is whether the bank has a legal duty to prevent these types of phishing attacks. And if so, whether the security measures it took were "reasonable" under the law. To the extent a bank has a general duty to protect client accounts, does that duty extend to preventing (or reducing the risk of) its customers from being duped by social engineering attacks such as phishing? "That will be the threshold legal question, and I don't know what the answer will ultimately be," he says.

Another point that Navetta says will be considered is "reasonableness." Under the law for purposes of negligence, a defendant can avoid liability even if a plaintiff suffered harm, as long as the defendant did not breach its duty of care. "In this context, if the bank's security measures were 'reasonable' under the law, it would not be liable," Navetta says. "I think the fact that the bank used two-factor authentication will help its cause in this respect," he says. On the other hand, he adds, "Many security professionals I have spoken to/read have indicated that a phishing attack was a known weakness, or at least a theoretical weakness, of two-factor authentication."

Regulators Were 'Asleep at the Wheel'
While EMI and Comerica argue over liability, Gartner's Litan says the nation's legislators and banking regulators bear the bulk of the blame for such breaches. "It's their job to set the rules for soundness and safety of the U.S. banking system, and to enforce that the banks execute those rules," she says. "They are negligent here - in not passing legislation that protects business accounts (as Reg E protects consumer accounts) and in not enforcing security measures at the banks, as set forth by the FFIEC strong authentication guidance," Litan says.

Litan also has strong words for bank examiners. "Frankly, they are also asleep at the wheel," she says. "And the banks are taking advantage of the current legislative and regulatory environment by not proactively securing business accounts."

No matter the outcome, this case will set a precedent, predicts Rohyt Belani, CEO of the Intrepidus Group, a New York City-based security firm. Banks and other e-commerce providers need to take some of the responsibility to help their customers mitigate the risk associated with phishing attacks - especially those that exploit the institution's brands. "Just posting information about phishing on the login page doesn't cut it," Belani says. "I believe banks need to work on enhancing their authentication mechanisms, changing the way they communicate with their clients (not embedding active links, etc.), and educating the customers using techniques that are proven to reduce susceptibility.

"Banks should view it as a wake-up call and work on mitigating phishing attacks."

Question
Ultimately, who do you see as liable for fraud losses in this case: The bank or the customer? Why?

"Banks have once again taken the minimal approach to this problem. Regulators allow this minimal approach, as they are provided direction by elected officials lobbied by industry groups. The bank should have been monitoring and detected the phishing scheme and then heightened security on the processes that could have been compromised. Human intervention over automated systems. Was this a normal transaction for this customer? If not, stop it and make a call. When did stupidity become an excuse? When bank tellers cash checks for people pretending to be their customers - it just goes downhill from there.
"I think the bank is responsible because they were stupid enough to send live links to customers in earlier emails, instead of sending messages that direct the user to go to the regular home page and update a profile, or find a special message, or the like. If the customer-bank relationship led the customer to accept the emails with links as normal forms of communication, then why should the customer expect anything different?
"If you, the consumer, willingly open and respond to a phish, you should be held responsible for any funds lost over a predefined amount. I would say a business account with $500K, the consumer should be responsible for anything over 10%

If you, the consumer, do not already have cybersecurity awareness plan/policy/training instituted within your organization, and hold your employees accountable, then you should be liable for 100% of the lost funds.

If you, the consumer, have cyber dolts that can access your business accounts, then you are at fault.

Best plan: Training, training, and more training. Set daily limits on funds access - with the ability for a principal of the company to over-ride in certain situations.

When did stupidity become an excuse?
"While it does appear that the bank put themselves at risk, more information is needed to prove they are liable. The truth is most customers disregard or complain about the safeguards that are implemented for their protection. Security costs money, and most people do not want to pay for it. Finally, no amount of security is going to protect someone who gave their information away in an email.
"We don't have all the details.

I don't think that one party can be held completely liable. Each party has responsibility and had a part in the funds being taken out of the account.
"While some of the important details are not included in this article, I think that in this case the bank should be liable. While I agree that the bank could have done more post-incident, I also believe it could have prevented this in the first place. The bank made two errors that allowed this to happen. Error number one was to use legitimate emails asking the customer to update their security measures. This set a precedent in the client's mind that the bank will use emails for this purpose, making phishing attacks more successful. Error number two was not using strong multi-factor authentication such as a token or fob. This would have reduced the chances of successfully accessing the account. This should be a requirement for any account that offers the ability to move funds out of the bank such as bill-pay or cash management. If banks would like for users to continue to use online services, it is up to the banking industry to prove that this is a safe delivery system. This incident does the opposite.
"First of all, banks should have a real-time fraud detection system. Secondly, banks should offer their customers the option of limiting the amount of wire transactions for internet orders. These are post-breach control points that will minimize the impact even if a customer makes a mistake. Therefore, by not offering alternative options for mitigating risk, the bank has to be liable for leaving the customer without a choice.