It all comes down to trust.
Banking/security leaders continue to debate the merits of the lawsuit between Dallas-based Comerica Bank and its customer, Experi-Metal Inc. (EMI), a Michigan-based metal supply company that claims the bank exposed its clients to phishing attacks.
But already industry analysts say there are some key lessons learned that other institutions can draw from this case. At the heart of them is the importance of maintaining trust in a banking relationship.
"I believe that banks owe their business customers a high level of security and control in order to preserve the trust relationship," says Larry Ponemon, head of the Ponemon Institute, a research firm focusing on information security and privacy studies. "This litigation raises the stakes, however. While I don't agree that banks should be responsible for notifying business customers about phishing scams, the EMI lawsuit is likely to become a whole new path for litigation against financial institutions."
Among the top lessons learned from this case:
1. Customers Must Be Armed, Educated -- What financial institutions teach their customers about security, and how they go about this education, makes a huge difference, say security experts. Customers must remain diligent about protecting their own accounts -- from creating strong passwords and reducing the number of authorized users to using their best senses when banking online, says Alysa Hutnik, a lawyer at Kelley Drye & Warren, a Washington, DC-based law firm that specializes in post-incident response. "If something feels a little funny, then the customer should contact the financial institution to confirm the process," she adds. If financial institutions want to continue the migration of business customers from offline to online banking, they need to ensure that customers are educated about what the financial institution will and will not do regarding security. "And the financial institution may need to provide an additional level of customer service to quell some of these fears," Hutnik says.
This case also demonstrates that no single security method is a panacea, Hutnik observes. Security tokens are not inherently secure, and digital certificates come with their own set of security challenges. The lawsuit re-emphasizes the need to educate customers not only on the benefits of online banking, but also the importance of protecting access to these accounts.
2. Banks Must Respond to Phishing Threats -- The type of phishing spoof that occurred in the Comerica case will likely continue to happen until banks and their customers wake up to it and it no longer succeeds. "The costs of running this type of a scam are so low that if anyone falls for it, the fraudster has made a profit," Hutnik says. "And when the fraudster can hit a $550,000 jackpot while operating nearly anonymously from almost any place in the world, there's every reason to believe that the fraudster will continue to do the same thing until he or she is caught or no one falls for it."
Phishing -- especially spear phishing -- has been on the rise for the last couple of years, says Rohyt Belani, CEO of Intrepidus, a New York-based risk assessment firm. "I only see this trend going upward. This is a difficult problem to solve with technology and filters alone," he says. Organizations need to focus on educating their employees and customers using techniques with a demonstrable positive impact, such as simulating the threat and training those found to be susceptible.
Avivah Litan, a Gartner analyst, says the most practical defense for banks is to secure their customer accounts through a layered security approach that includes stronger authentication, fraud detection and transaction verification. "The best way to stop phishing emails is through signed emails, but that requires more of an infrastructure change than companies are willing to make," she says. "So for now we have to rely on spam filters that aren't up to par. There are other measures that can be taken that I can outline, but frankly, the crooks will just find another avenue for attack."
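The layered approach Litan describes, stronger authentication plus fraud detection plus transaction verification, rests on the idea that a valid login alone should not release a wire: the request is also compared with the account's own history, and anything out of pattern is held for out-of-band confirmation. The Python below is an added example written for this page, not code from the article or from any bank; the customer, transfer history, beneficiary names and session IPs are constructed, and the thresholds (three standard deviations above the usual amount, business hours of 07:00 to 19:00, one signal triggers a callback, two or more trigger a hold) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str
    beneficiary: str
    amount: float
    submitted: datetime
    session_ip: str


# Constructed sample history for one hypothetical business customer
# (account id, payee names, amounts and RFC 5737 documentation IPs are all made up).
HISTORY = [
    Transfer("ACME-001", "SteelCo Supply", 12000.0, datetime(2009, 6, 1, 10, 5), "203.0.113.10"),
    Transfer("ACME-001", "SteelCo Supply", 15000.0, datetime(2009, 6, 8, 9, 40), "203.0.113.10"),
    Transfer("ACME-001", "Alloy Brokers", 9800.0, datetime(2009, 6, 15, 11, 20), "203.0.113.10"),
    Transfer("ACME-001", "SteelCo Supply", 14200.0, datetime(2009, 6, 22, 10, 0), "203.0.113.11"),
    Transfer("ACME-001", "Alloy Brokers", 11000.0, datetime(2009, 6, 29, 14, 30), "203.0.113.10"),
    Transfer("ACME-001", "SteelCo Supply", 13500.0, datetime(2009, 7, 6, 10, 15), "203.0.113.10"),
]


def risk_signals(history, candidate, sigma=3.0, business_hours=(7, 19)):
    """Return the reasons a requested transfer looks unlike the account's own history.

    Each check is one layer; none of them relies on the password or token that
    authenticated the session, which is the point of verifying the transaction itself.
    """
    past = [t for t in history if t.account == candidate.account]
    reasons = []
    if candidate.beneficiary not in {t.beneficiary for t in past}:
        reasons.append("new beneficiary")
    if candidate.session_ip not in {t.session_ip for t in past}:
        reasons.append("unfamiliar session IP")
    if len(past) >= 2:
        amounts = [t.amount for t in past]
        # Assumed threshold: mean plus `sigma` population standard deviations.
        ceiling = mean(amounts) + sigma * pstdev(amounts)
        if candidate.amount > ceiling:
            reasons.append(f"amount {candidate.amount:,.0f} exceeds usual ceiling {ceiling:,.0f}")
    start, end = business_hours
    if not start <= candidate.submitted.hour < end:
        reasons.append("submitted outside business hours")
    return reasons


def decide(history, candidate):
    """Map signals to an action: release, step_up (out-of-band callback), or hold."""
    reasons = risk_signals(history, candidate)
    if not reasons:
        return "release", reasons
    if len(reasons) == 1:
        return "step_up", reasons
    return "hold", reasons


if __name__ == "__main__":
    # A routine payment to a known payee from the usual network passes all layers.
    routine = Transfer("ACME-001", "SteelCo Supply", 12500.0, datetime(2009, 7, 14, 11, 0), "203.0.113.10")
    # A large payment to an unknown payee, from an unknown IP, at 3 a.m. trips every layer.
    suspicious = Transfer("ACME-001", "Unknown Ltd", 550000.0, datetime(2009, 7, 14, 3, 0), "198.51.100.7")
    for request in (routine, suspicious):
        action, why = decide(HISTORY, request)
        print(f"{request.beneficiary:>16} {request.amount:>12,.0f} -> {action} {why}")
```

The second request is exactly the shape of the loss described in the case: a stolen credential lets an attacker pass authentication, but a payee the account has never paid, a session origin it has never used and an amount an order of magnitude above its ceiling are all visible to the bank before the money moves. A real deployment would add velocity limits and a beneficiary cooling-off period, and would route a "step_up" decision to a phone call or other channel the attacker does not control.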