The settled fraud dispute between PATCO Construction and the former Ocean Bank, now part of People's United Bank, still leaves open the question of what responsibilities commercial customers bear when a bank's security procedures are found to be commercially unreasonable, says PATCO attorney Dan Mitchell.
PATCO reached a settlement in mid-November with People's United Bank over a wire fraud dispute dating back to 2009. The Maine-based construction company was compensated for the $500,000 monetary loss it suffered. But an appellate court's ruling, which favored PATCO by reversing a lower court's decision, has raised questions about commercial liability in the wake of a fraud event.
"If the banks have security procedures that are commercially unreasonable, it's hard to think of steps that a customer could take to prevent fraud," says Mitchell, along with PATCO co-owner Mark Patterson, in an interview with BankInfoSecurity [transcript below].
Even though Article 4A of the Uniform Commercial Code suggests commercial customers should have more sophisticated fraud-detection systems than retail/consumer customers, Mitchell argues "banks clearly are in a better position to police fraud."
"They're in a much better position to know what the threats are," he says. "And they're in a much better position to design their systems in a way to prevent this kind of thing."
During this interview, Mitchell and Patterson discuss:
Patterson is a co-owner of Sanford, Maine-based PATCO Construction Inc., a small residential and commercial construction company with 22 employees that has been in business since 1985.
Mitchell is an attorney for Maine-based Bernstein Shur, where he works in litigation and business law. He also is a member of the firm's data security team, where his work in the PATCO case is noted for breaking new ground in the ways courts should evaluate commercial reasonableness for Internet banking.
TRACY KITTEN: Walk us through the settlement that you reached with People's United Bank.
MARK PATTERSON: Basically, the bank and PATCO came to an agreement that we were to receive the original loss, which was $345,000, plus interest and no legal fees.
DAN MITCHELL: No provision requiring us to maintain confidentiality.
KITTEN: Are you satisfied with the outcome?
PATTERSON: No. We've been working this through the courts for almost three years; [we're] certainly not happy about that. It's been a very trying event and has taken a lot of energy to get through. Having the lower court disagree with our position and then having to go to the appeals court, and, having won there, having to go through the various motions after at the federal district court appeal level, it's been very frustrating. And it's been very expensive. In the end, it cost us a lot of money to get our money back.
MITCHELL: Although I think the company is pleased the bank reimbursed them for their entire account loss, it would have been a lot better [to settle early on], when PATCO went to the bank at the beginning of this thing, as it tried to do, to get this resolved. ... I think it would have been better for everybody all around.
PATTERSON: We looked at this as purely a business decision. We thought that we were right, but generally nobody wins when they go to court. It's a situation where we offered the bank a settlement number, $345,000 initially, and we offered the bank $250,000 to settle this and walk away, and they said no. They weren't going to pay even close to that. They offered us a token amount and said that's all. "We're not at fault here. This is your problem." Basically, the relationship was tossed out.
Three years later, and hundreds and hundreds of thousands of dollars in legal fees, deposition costs and court costs, we're to the point where we should have been before - reimbursed for our expenses, for our loss plus interest. I can tell you the bank has spent four or five times that amount going through this legal process. I have no idea what their numbers are, but I can only imagine what their fees have been.
KITTEN: What are your thoughts about your settlement setting an example for other business disputes between commercial customers and banks when it comes to account take-over fraud?
PATTERSON: You've got to remember, as Dan has alluded to before, every case is unique. What did they do? How did they do it? How did they handle this type of transaction? Were they monitoring the reports? Every transaction is very different. If they have a situation, after they look it over and their experts look it over, and it seems that the bank has some liability, then I would make sure that the bank has a copy of our decision and really thinks about this process. One of the challenges you have when you're dealing with banks is whether you're dealing with a community bank or a big bank. Big banks have nothing in the community. They don't know the customers. There is no relationship there. In the end, a large bank, when it gets to this type of situation, there's no relationship.
MITCHELL: My guess is that this case will have an impact on banks, and it will cause them to really think long and hard about whether they draw a line in the sand on these cases. We know that corporate account takeover goes on a lot, and we see some cases that make it into the news; but most don't make the news. I think that's probably because most banks do decide to work with the customer to resolve these cases. This decision certainly will only make that even more pronounced.
PATTERSON: I've talked to a number of people that have had losses here in the state of Maine, and they lost $70,000-80,000. It's a lot of money, but they have been advised by their counsel, and justly so after what we've gone through, that it's going to cost you a lot more money to try and get your money back. It's not worth the battle. They have said, "We just wrote it off."
KITTEN: And the reputational damage that's done is something that you can't really put a price tag on, but obviously has an impact.
PATTERSON: On both sides. If you're a title company and you lose $300,000 out of each checking account, how are your customers, who are banks and so forth, going to feel about giving you transactions if you're losing money out of your escrow account? They're concerned. We were concerned. Are our present customers going to be concerned about whether we're going to be able to build their house or their building if we lose that kind of money? Local banks have a lot more to lose because they're local. It's about relationships. They're concerned about how they're perceived in the community. Since this happened, a number of my business acquaintances and friends who are on the boards of directors at banks have said, "We have had discussions in our board room about this, and we have all agreed we will cut a deal."
KITTEN: Dan, what can you tell us about why the appellate court reversed the district court's decision?
MITCHELL: It's unusual, and typically, most cases don't succeed on appeal. In this case, I think the trial court itself recognized that it was a close call, and when the trial court issued its decision, it recognized it was an area of first impression. There were no guideposts for the court here to follow, and so the court did its best and issued a detailed opinion and set forth its reasons clearly. It acknowledged that it was a close call. But the appeals court took a look at the decision and disagreed, which is what we think the right answer was. I wouldn't say that the court here got it completely wrong; I just think it was an area of the law that had no guideposts. So, in those situations, I think you're probably more likely than in most other legal areas to see a reversal, and that's what happened.
KITTEN: In its ruling, this appellate court raises a question about responsibilities commercial customers may have when it comes to complying with security expectations outlined under Article 4A of the Uniform Commercial Code. Dan, what can you tell us about that question?
MITCHELL: It's a pretty narrow question, actually. One of the few questions it left open was a briefing of what, if any, responsibilities the commercial customer has when a bank's security procedures are found to be commercially unreasonable. That's what the first circuit found in this case - that the security procedures were commercially unreasonable - and so it left open the question of what, if any, obligations the commercial customer has. We think the answer would have been virtually no more obligations than the customer otherwise would have, because in that situation, if the banks have security procedures that are commercially unreasonable, it's hard to think of steps that a customer could take to prevent fraud.
The reality is that even though commercial customers under the law are treated as being more sophisticated than consumers, banks clearly are in a better position to police fraud in this area. They're in a much better position to know what the threats are. They're in a much better position to design their systems in a way to prevent this kind of thing. Commercial customers, just like any customer, have some obligations to protect their security credentials, to protect their passwords, to protect their logins, to maintain a basic firewall and maybe do some other very basic things. But beyond that, with the threats that are out there today and the sophistication of the threats, the average commercial customer really is not in a position to stop an attack.
KITTEN: Would you argue that commercial customers do bear some responsibility?
MITCHELL: Sure. I think every customer bears some responsibility. Commercial customers should make sure that they're protecting their passwords. They ought to maintain a good firewall and they ought to know what the security procedures are that their banks are using so they can make sure that they're not doing anything to counteract them. They ought to follow the training that's provided to them by banks, and I think more and more banks now are actively giving information to their customers about threats, and customers need to pay attention to that. They need to follow the instructions. I think those are the primary obligations customers have, and to deal with the problem once it comes up, and deal with it quickly.
PATTERSON: If you're working off passwords, I would stop. Tokens, although more secure, have been gotten around, too. To me, if you're going to do an ACH transaction today, I would only rely on a second, out-of-band verification. In other words, you can do a transaction; but before it goes through, somebody at the bank you know calls you. You talk to them and say, "Yes, this is what I meant to do."
MITCHELL: Another thing more and more businesses are doing is having a separate dedicated terminal, which they only use for banking transactions. That's above and beyond what the law requires of a commercial customer. But as a matter of good practice, I think more and more people are doing it because they just don't want to have to deal with the consequences of something like this.
PATTERSON: Dan, I agree with you. We do that, but the challenge is most small businesses have one computer. Most small businesses are one or two people. They're as exposed as a company like Google. They're in the same situation, where if they do the wrong transaction and their money is moved out, they could lose $5,000 to $10,000, and that would kill them. That would put them out of business. In my opinion, we don't do ACH transactions. We do them if we have to for some strange reason. I can think of two reasons that we do them: One is that we have to do them for purposes of paying federal and state taxes; the other, for payroll taxes. We're required by law to do that if it's over a certain amount. And after what recently happened in South Carolina, where all those Social Security numbers and so forth were stolen, I'm not sure that's good, either. You're exposed at that point. The other issue is that people simply shouldn't be doing them. If every business owner read the ACH agreement that their bank provides them today, they would be scared and they would not sign up for the service.
KITTEN: What do you think you would do differently, from a technology standpoint, if anything?
PATTERSON: I wouldn't do ACH transactions. We don't do them today, unless you do out-of-band verification, where you actually talk to somebody at the bank who says, "Mark, you're pushing X amount of dollars to California, $10,000 to this account. Is this what you want to do?" And I can say, "Yes, that's what I want to do."
KITTEN: Dan, what can you tell us about Article 4A of the UCC, which is governed by the states?
MITCHELL: One of the interesting things about this case is that this situation is governed by state law. The Uniform Commercial Code has been adopted in each of the states, and Article 4A has been adopted in each of the states. I have not done a comprehensive survey of what the law is like, how it's been adopted in every state, but I'm sure there are some slight variations from state to state. The real impact of having it exist in so many different places is that it can be interpreted in different ways. The same issue might be interpreted differently by a court in one state versus a court in another state.
In our case, we were in the federal system so it's a little bit different, because we had a federal court construing state law, essentially, but the reality is that you could get a lot of variation. There aren't a lot of reported legal cases in this area, and that's another reason why this case was important; it sets sort of a guidepost. But, yes, it's theoretically possible. Look, my thing on Article 4A is, first of all, it was adopted in the '80s and early '90s. The world looked a lot different then, in terms of the types of electronic banking that was going on. It's probably a good idea for the Uniform Law commissioners who promulgate and propose Uniform Commercial Code Articles to go back and re-evaluate Article 4A and take a look at it again and see if it needs some updating. I'm not ready to answer that question; but I think it's at least a question that ought to be asked. The law was enacted at a time when there was no online banking. They ought to give it another look.
KITTEN: Dan, do you think the appellate court's lingering question about this article in the Uniform Commercial Code will be answered by a subsequent lawsuit?
MITCHELL: I would bet my bottom dollar that there will be more lawsuits in the future in this area. What types of questions will come up really will depend on the unique circumstances of each case. But given the prevalence of corporate account takeover, you can bet that there will be more cases.
Follow Tracy Kitten on Twitter: @FraudBlogger