Malwarians at the Gate: Banks, Businesses and ACH Fraud

Banks and their customers are on opposite ends of a feud over which is responsible when online banking accounts get hacked and pillaged. But where does the fault really lie? And is there a cure for the plague of online banking fraud? 

You left your car unlocked. When you return, it was vandalized and its windshield painted black — but you drove it anyway, and crashed into the side of a bus. Would you expect Ford to pay for the damages?

That is the position in which boutique and mid-sized banks find themselves today, as they wrestle with the security challenges posed by customers who take few precautions to secure their computers and engage in risky online behavior, but still expect the banks to reimburse them when someone steals their money as a result.

These banks are the front line in a growing battle between banks and their customers over the question of “Who pays?” for security breaches of customer machines. This question is at the heart of a slew of lawsuits making their way through federal and state courts: PlainsCapital v Hillary Machinery (and the reverse); Shames-Yeakel v. Citizens Financial Bank; Experi-Metal vs. Comerica.

These cases are weighing questions such as where responsibility for securing access to online accounts lies, and what constitutes a due standard of care in protecting customer accounts, especially in an age of extremely sophisticated and stealthy malware that aids account and automated clearing house fraud. Thousands of smaller banks are eagerly awaiting something like a precedent-setting answer from these cases on which to hang their “Not Our Problem” policy, while consumers – already suspicious of a banking sector that has come under fire for its reliance on fees – look for the same. Said decision has not been forthcoming.

With no clear federal or state precedent yet, it’s worthwhile examining the issues under consideration and whether a consensus solution is possible.

The question of liability around banking security is a tangle of conflicting regulations and jurisdictions. As an example, consider the 2009 case of Shames-Yeakel v. Citizens Financial Bank, which was brought in the U.S. District Court for the Northern District of Illinois.

In that case, two small business owners, based in Indiana, sued Citizens Financial after it held them liable for over $26,000 siphoned from a home equity line of credit using a stolen user name and password. The plaintiffs, seeking restitution from Citizens, cited violations of no fewer than three federal statutes – the Truth in Lending Act, the Electronic Funds Transfer Act, and the Fair Credit Reporting Act – and one Indiana law, the Indiana Uniform Consumer Credit Code, as well as negligence and breach of contract.

Historically, federal law has limited consumer losses on lost or stolen credit cards. Banks have customarily extended this to all consumer losses through fraud. Practically speaking, when your accounts get jacked-up, you tell the bank, “Fix your problem, gimme a new card and all my money back.” And presently, the bank replies, “OK.” Then they say, “Sorry.” However, business banking customers have not enjoyed these protections, as a rule, even though most businesses today do heaps of high-risk, high-value transactions online, including wire and automated clearing house (ACH) transfers.

As the Shames-Yeakel case reveals, however, small businesses often have a mix of personal and business accounts linked to the same login and PIN online — and this puts the bank in a pickle from a liability standpoint. Add to that the complication that many smaller banks have outsourced much of their transaction processing to third-party providers, and the small window of time that banks have to detect online fraud, and the picture gets smaller, still.

Failure to detect the fraudulent transaction means tens or hundreds of thousands of dollars sent to some lucky guy named Petruso in greater Kiev. At which point, the customer rings up ol’ Misery Bank and Trust and says, “Who the hell is Petruso and why did you send him my money?” The bank, keenly aware that this is a business customer, blames him: “A properly formatted, authenticated wire request from your computer asked us to send money and we did. Tough noogies.” The customer retorts, “Nuh uh!” and points out the lackluster security used to protect their Web banking applications. In the case of Citizens Financial, the bank simply required a user ID and PIN. There’s no shortage of balky or non-existent fraud detection systems in online banking, either. “Did you notice that the IP address I connected from when I requested that transfer was in Ukraine?!” No? Cue the lawsuit.

Is this a hopeless situation? Hardly. But it will require changes on both sides of the customer-bank relationship. Banks must be clearer with their customers about the dangers that go along with the fabulous convenience of online banking and transactions. Banks must do a better job communicating with their customers about safe practices online, evolving threats and scams and what they, the bank, are doing about it. 

Looked at from the standpoint of investment, banks need to invest in high-tech fraud detection systems that include better tools for monitoring emerging threats, online reputation and sophisticated, multi-stage account takeovers. Even today, the “technology” at use in too many small banks comes down to some guy named Phil in the wire transfer room, acting as the bank’s RED team – as in “Raised Eyebrows Department.” It’s not that Phil is obsolete, it’s just that banks need new procedures and technology to cut down the number of transactions that come to Phil’s attention. What might these include?

  • Better transaction monitoring: if you’ve got a standing wire transfer order out there – same payee, same or similar amounts on a recurring basis – we’re not worried.
  • Stronger authentication: using two true factors (not just those stupid pictures which are two elements of one factor, something you know) to access accounts. This can reduce the amount of obvious and easy account fraud.
  • Even stronger credential challenges for each online wire transaction request.
  • Transaction anomaly or fraud detection software, which can plug into their outsourced payments kit quite nicely.
  • Humans in the loop – banks would do well to rely more on (expensive) manual checks in which employees call customers and get voice approval for high value transactions.
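
The monitoring ideas in this list can be combined into a simple triage rule that decides which wires ever reach Phil. The sketch below is an added example, not code from the author or any bank; the thresholds, the `Wire` fields, the payee names and the sample history are all constructed assumptions, and the requester's country is assumed to come from an IP geolocation lookup done elsewhere.

```python
from dataclasses import dataclass
from statistics import median

HIGH_VALUE = 10_000.00  # assumed threshold for a voice callback
TOLERANCE = 0.25        # assumed: "similar" means within 25% of the payee's median
MIN_HISTORY = 3         # assumed: prior payments needed to count as a standing order


@dataclass(frozen=True)
class Wire:
    payee: str
    amount: float
    ip_country: str  # assumed to be resolved upstream from the requesting IP


def triage(wire, history, home_country):
    """Return (action, reasons); action is 'approve', 'step_up' or 'callback'."""
    past = [w.amount for w in history if w.payee == wire.payee]
    typical = median(past) if past else 0.0
    recurring = (len(past) >= MIN_HISTORY
                 and abs(wire.amount - typical) <= TOLERANCE * typical)
    reasons = []
    if not past:
        reasons.append("new payee")
    elif not recurring:
        reasons.append("not an established recurring payment to this payee")
    foreign = wire.ip_country != home_country
    if foreign:
        reasons.append(f"requested from {wire.ip_country}, customer is in {home_country}")
    big = wire.amount >= HIGH_VALUE and not recurring
    if big:
        reasons.append("high value and not a standing order")
    if foreign or big:
        return "callback", reasons   # human in the loop: phone the customer
    if reasons:
        return "step_up", reasons    # extra credential challenge for this wire
    return "approve", reasons        # standing order: no one needs to look


# Constructed sample data: three past payments and three new requests.
HISTORY = [Wire("Acme Supply", a, "US") for a in (4200.0, 4350.0, 4100.0)]
SAMPLES = {
    "standing order": Wire("Acme Supply", 4300.0, "US"),
    "known payee, odd amount": Wire("Acme Supply", 9000.0, "US"),
    "new payee, foreign IP": Wire("Unknown Payee Ltd", 92000.0, "UA"),
}


def run_samples():
    return {name: triage(w, HISTORY, "US")[0] for name, w in SAMPLES.items()}
```

Only the last two samples generate work: one gets a per-transaction challenge, the other a phone call before any money moves.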

Customers need to do a better job of keeping the machines they use to do online banking and other high-risk activities clean of data-stealing malware. I believe that banks have something to offer here, as well. Some thoughts:

  • Give business customers basic information on threat vectors, and make clear the real dollar consequences of computer mismanagement – don’t bury it in a 20-page digital EULA.
  • Provide suggestions to small business customers on how to create and enforce internal IT security policy documents.
  • Provide intelligence feeds to business customers on newly emerging threats.
  • Contract with trusted local providers of computer security services to provide incident response services — at a cost — to business customers who’ve been compromised.
  • Adopt a zero-tolerance approach for compromised machines. It’s horrible, I know, and inconvenient, but it’s far less horrible and less inconvenient than sending $92,000 to Moldova and then squabbling over whose fault it is. 

Nick Selby is Managing Director of TRM Partners, a security consultancy.
