Trust on Trial: The 5 Lessons Learned from the Comerica Bank Lawsuit
Industry Experts: 'This Litigation Raises the Stakes'
Banking/security leaders continue to debate the merits of the lawsuit between Dallas-based Comerica Bank and its customer, Experi-Metal Inc. (EMI), a Michigan-based metal supply company that claims the bank exposed its clients to phishing attacks.
But already industry analysts say there are some key lessons learned that other institutions can draw from this case. At the heart of them is the importance of maintaining trust in a banking relationship.
"I believe that banks owe their business customers a high level of security and control in order to preserve the trust relationship," says Larry Ponemon, head of the Ponemon Institute, a research firm focusing on information security and privacy studies. "This litigation raises the stakes, however. While I don't agree that banks should be responsible for notifying business customers about phishing scams, the EMI lawsuit is likely to become a whole new path for litigation against financial institutions."
Among the top lessons learned from this case:
1. Customers Must be Armed, Educated -- What financial institutions teach their customers about security, and how they go about that education, makes a huge difference, security experts say. Customers must remain diligent about protecting their own accounts, from creating strong passwords and reducing the number of authorized users to using their best judgment when banking online, says Alysa Hutnik, a lawyer at Kelley Drye & Warren, a Washington, DC-based law firm that specializes in post-incident response. "If something feels a little funny, then the customer should contact the financial institution to confirm the process," she adds. If financial institutions want to continue migrating business customers from offline to online banking, they need to ensure that customers are educated about what the institution will and will not do regarding security. "And the financial institution may need to provide an additional level of customer service to quell some of these fears," Hutnik says.
This case also demonstrates that no single security method is a panacea, Hutnik observes. Security tokens are not inherently secure, and digital certificates come with their own set of security challenges. The lawsuit re-emphasizes the need to educate customers not only on the benefits of online banking, but also the importance of protecting access to these accounts.
2. Banks Must Respond to Phishing Threats -- The type of phishing scam that occurred in the Comerica case will likely continue to happen until banks and their customers wake up to it and it no longer succeeds. "The costs of running this type of a scam are so low that if anyone falls for it, the fraudster has made a profit," Hutnik says. "And when the fraudster can hit a $550,000 jackpot while operating nearly anonymously from almost any place in the world, there's every reason to believe that the fraudster will continue to do the same thing until he or she is caught or no one falls for it."
Phishing -- especially spear phishing -- has been on the rise for the last couple of years, says Rohyt Belani, CEO of Intrepidus, a New York-based risk assessment firm. "I only see this trend going upward. This is a difficult problem to solve with technology and filters alone," he says. Organizations need to focus on educating their employees and customers using techniques with a demonstrable impact, such as simulating the threat and training those who prove susceptible.
Avivah Litan, a Gartner analyst, says the most practical defense for banks is to secure their customer accounts through a layered security approach that includes stronger authentication, fraud detection and transaction verification. "The best way to stop phishing emails is through signed emails, but that requires more of an infrastructure change than companies are willing to make," she says. "So for now we have to rely on spam filters that aren't up to par. There are other measures that can be taken that I can outline, but frankly, the crooks will just find another avenue for attack."
3. Security Controls Must be Updated -- An institution's security controls are key. But how often they are updated is even more important, says Tom Wills, a security analyst at Javelin Strategy and Research. "Way too many financial institutions have static security programs - they put in controls, which might be based on a one-time risk assessment, and then walk away thinking they are safe until next year," Wills says. "As expensive as it is, continuously assessing risk is a critical part of the solution. That may seem obvious, but I only know of a handful of institutions in the U.S. that are putting that principle into practice."
The management question needs to be: What's more costly in the end - your anti-phishing program, or the reputational damage, customer loss, and usage loss that comes from phishing attacks? "Depending on how the EMI vs. Comerica case turns out," Wills says, "the cost of lawsuits may now be added to the equation."
4. Teach Customers About ACH Risks -- What are institutions teaching their business customers about the threat of ACH fraud, which follows a pattern very close to what happened at EMI? When Elaine Dodd, head of the fraud division at the Oklahoma Bankers Association, talks to her banks, she tells them a multi-pronged approach is needed. First, educate the business customers and their employees who make ACH payments.
Having a dedicated computer for the business customer's online banking transactions is the first place to start, Dodd says. Many of the infections that led to a business losing its login credentials came from an employee surfing the net or checking personal email.
Customers need to be aware of the hazards of clicking on hyperlinks in e-mails from unknown sources and of pop-up boxes purporting to be from their financial institution. "For this reason, staff should never open e-mails from anyone they do not know or have a reason to trust," Dodd says.
5. Monitor, Monitor, Monitor -- A real-time fraud detection solution is another "must-have" for every financial institution, says Michael Urban, senior director of fraud solutions at FICO. He sees institutions with real-time fraud detection in place cutting their fraud losses dramatically. "Criminals will target those banks and their customers that don't have the real-time fraud solutions," he says. "Unfortunately, for some institutions it is a cost that they can't afford, but certainly it must happen, and soon."
Institutions must be proactive in monitoring commercial business accounts and transactions to detect and stop fraudulent transactions. Banks also need to teach their commercial customers to monitor their accounts, says Nancy Atkinson, wholesale banking senior analyst at Aite Group, a Boston, MA-based research firm that focuses on the financial services industry. "The smaller the business is, they probably don't have the staff to look at their online banking situation every day, except to see if a certain check has cleared," Atkinson says. Banks need to "convince them to look at their account information every day."
Banking institutions also should teach customers about "debit blocks" that can be placed on their accounts. A debit block is used to stop any transactions except those that are preauthorized. Larger corporations have long used debit blocks to prevent unauthorized ACH transactions, says Atkinson. But many small-to-midsize businesses simply aren't aware of the practice.
In most banks, large corporate accounts are covered by the treasury area, while smaller businesses fall under the retail or business banking area. "The retail or business banking areas of banks don't have the familiarity about ACH transactions and debit blocks," Atkinson says.
The larger banks also have the monitoring systems in place to stop ACH fraud, but many smaller banks have not spent the money to update their monitoring systems, Atkinson says. She recommends that smaller institutions turn to their core processors to provide monitoring services.
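To make the two controls in this section concrete, here is an added example (not code from the article, from Comerica, or from any bank's system) of what a debit block and a handful of real-time monitoring rules look like in working code. It screens one account's ACH items in arrival order: every incoming debit is rejected unless its originator is on a preauthorized list with an amount cap, and outbound credits are held for customer verification when they are large, go to a first-time payee above a limit, or arrive as a burst of payments to payees the account has never paid before. The policy fields, originator and receiver IDs, thresholds and sample transactions are all constructed assumptions for illustration.

```python
"""Toy ACH screening: a debit block with preauthorizations plus real-time
monitoring rules for outbound credits. Added example, not from the article
or from any bank's system; policy fields, IDs and transactions are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AccountPolicy:
    """Hypothetical per-account policy (an assumption, not a real bank's schema)."""
    block_debits: bool = True                    # debit block: reject all ACH debits except preauthorized ones
    preauthorized: dict[str, int] = field(default_factory=dict)  # originator id -> max cents per debit
    hold_amount_cents: int = 25_000_00           # any outbound credit above this is held for verification
    new_payee_hold_cents: int = 5_000_00         # a first-time payee above this amount is held
    max_new_payees_per_day: int = 2              # more first-time payees than this in one day is held


@dataclass
class Decision:
    action: str   # "allow", "block" (rejected) or "hold" (awaits out-of-band customer verification)
    reason: str


class AchScreener:
    """Screens one account's ACH items in arrival order, keeping payee history."""

    def __init__(self, policy: AccountPolicy, known_payees: set[str] | None = None):
        self.policy = policy
        self.known_payees: set[str] = set(known_payees or ())   # payees with an allowed payment on record
        self.first_seen_day: dict[str, str] = {}
        self.new_payees_per_day: dict[str, int] = defaultdict(int)

    def screen(self, txn: dict) -> Decision:
        """txn keys: date 'YYYY-MM-DD', kind 'debit' (a pull from the account) or
        'credit' (a payment pushed out of it), counterparty id, amount_cents."""
        if txn["kind"] == "debit":
            return self._screen_debit(txn)
        return self._screen_credit(txn)

    def _screen_debit(self, txn: dict) -> Decision:
        """Debit block: everything is rejected unless the originator was preauthorized
        and the amount is within its cap."""
        p = self.policy
        if not p.block_debits:
            return Decision("allow", "no debit block on account")
        cap = p.preauthorized.get(txn["counterparty"])
        if cap is None:
            return Decision("block", "debit block: originator not preauthorized")
        if txn["amount_cents"] > cap:
            return Decision("block", "debit block: amount exceeds preauthorized cap")
        return Decision("allow", "debit matches a preauthorization")

    def _screen_credit(self, txn: dict) -> Decision:
        """Real-time rules for outbound payments: large amounts, large first-time payees
        and a burst of new payees (the many-small-transfers pattern) are held, not
        rejected, so the customer can confirm them out of band."""
        p = self.policy
        payee, amount, day = txn["counterparty"], txn["amount_cents"], txn["date"]
        is_new = payee not in self.known_payees
        if is_new and payee not in self.first_seen_day:   # count each first-time payee once
            self.first_seen_day[payee] = day
            self.new_payees_per_day[day] += 1
        if amount > p.hold_amount_cents:
            return Decision("hold", "outbound credit above hold threshold; verify with customer")
        if is_new and self.new_payees_per_day[day] > p.max_new_payees_per_day:
            return Decision("hold", "too many first-time payees in one day; verify with customer")
        if is_new and amount > p.new_payee_hold_cents:
            return Decision("hold", "large payment to a first-time payee; verify with customer")
        self.known_payees.add(payee)                       # only allowed payments make a payee "known"
        return Decision("allow", "within policy")


# Constructed sample: one legitimate payroll pull, one unknown pull, one known vendor
# payment, then a burst of payments to receivers the account has never paid.
SAMPLE_POLICY = AccountPolicy(preauthorized={"ORIG-PAYROLL-01": 50_000_00})
SAMPLE_TXNS = [
    {"date": "2024-03-04", "kind": "debit",  "counterparty": "ORIG-PAYROLL-01", "amount_cents": 48_000_00},
    {"date": "2024-03-04", "kind": "debit",  "counterparty": "ORIG-UNKNOWN-77", "amount_cents": 9_900_00},
    {"date": "2024-03-04", "kind": "credit", "counterparty": "VENDOR-STEEL-CO", "amount_cents": 4_000_00},
    {"date": "2024-03-04", "kind": "credit", "counterparty": "RCV-NEW-0001",    "amount_cents": 4_800_00},
    {"date": "2024-03-04", "kind": "credit", "counterparty": "RCV-NEW-0002",    "amount_cents": 4_700_00},
    {"date": "2024-03-04", "kind": "credit", "counterparty": "RCV-NEW-0003",    "amount_cents": 4_900_00},
    {"date": "2024-03-04", "kind": "credit", "counterparty": "RCV-NEW-0004",    "amount_cents": 60_000_00},
]


def run_sample() -> list[Decision]:
    screener = AchScreener(SAMPLE_POLICY, known_payees={"VENDOR-STEEL-CO"})
    return [screener.screen(t) for t in SAMPLE_TXNS]


if __name__ == "__main__":
    for t, d in zip(SAMPLE_TXNS, run_sample()):
        print(f'{t["kind"]:6} {t["counterparty"]:16} {t["amount_cents"] / 100:>10,.2f}  {d.action:5}  {d.reason}')
```

Two design points matter here. A debit block is a hard reject, because a pull from an originator the customer never preauthorized has no legitimate interpretation; the outbound rules only hold, because a first-time payee or a large payment may well be genuine, and the hold is what triggers the transaction verification Litan describes (a call or other out-of-band confirmation with the customer, not a reply to the same session that submitted the payment). The velocity rule is the one that catches the pattern of many individually modest transfers to fresh recipients, which an amount threshold alone would pass.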