Bad News For Banks: Courts Side With Customers

Saturday, September 03, 2011

Robert Siciliano


Who is responsible for financial losses due to fraud? The bank or the customers whose accounts have been drained?

One Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses.

A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this case.

Clearly, the bank’s client, Experi-Metal, made some serious errors, but in the end, the bank paid the price. The court’s decision acknowledges that a vice president of Experi-Metal made the initial mistake of clicking on a link within a phishing email, which appeared to have been sent by Comerica but was in fact sent by a scammer.

He then responded to a request for his Comerica account data, despite Comerica’s regular warnings about phishing scams and advice to never provide account information in response to an email.

In doing so, the customer offered the scammer immediate online access to his company’s Comerica bank accounts. Naturally, the scammer began transferring money out of the accounts.

I’ll spare you the legalese and get to the nitty-gritty.

“The Court considered several factors as relevant to whether Comerica acted in good faith, including:

  • The volume and frequency of the payment orders and the book transfers that enabled the fraudster to fund those orders
  • The $5 million overdraft created by those book transfers in what is regularly a zero balance account
  • Experi-Metal’s limited prior wire activity
  • The destinations (Russia and Estonia) and beneficiaries of the funds
  • Comerica’s knowledge of prior and current phishing attempts.

It was the Court’s inclination to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Furthermore, the Court found that Comerica “fails to present evidence from which this Court could find otherwise.”

This case means that Comerica and, by extension, all banks, must adhere more closely to the FFIEC's recently released supplement to its earlier guidance on authentication in an Internet banking environment, by adding multiple layers of security.

In this case, the computer or other device the scammer used to access Comerica’s website could surely have been traced overseas and flagged for: hiding behind a proxy, device anomalies such as a time zone and browser language mismatch, past history of online scams and identity theft, and the list goes on.

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, called ReputationManager 360, and is used by leading financial institutions to help mitigate these types of risk in their online channel.
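To make the layered-security idea concrete, here is an added illustration (not code from the original post, from Comerica, or from iovation) of how the signals the court listed, volume and frequency of payment orders, an overdraft on a normally zero-balance account, limited prior wire activity and high-risk destinations, can be combined with the device anomalies mentioned above (proxy use, time zone and browser language mismatch, device reputation) into a single risk score. The weights, thresholds, country codes and sample transfers are all constructed assumptions for the example, not any bank's or vendor's policy.

```python
"""Illustrative wire-transfer risk scoring (added example, assumed values).

Transaction signals follow the factors the court considered; device signals
follow the anomalies described in the post.  Weights and thresholds are
arbitrary choices for demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: the destinations named in this case, used here as a watch list.
HIGH_RISK_DESTINATIONS = {"RU", "EE"}


@dataclass
class CustomerProfile:
    prior_wires_last_90d: int        # limited prior wire activity raises risk
    usual_balance_zero: bool         # account that normally sits at zero
    usual_timezone: str              # e.g. "America/Detroit"
    usual_browser_language: str      # e.g. "en-US"


@dataclass
class DeviceContext:
    timezone: str
    browser_language: str
    behind_proxy: bool
    reputation_hits: int             # prior fraud reports tied to this device


@dataclass
class WireOrder:
    timestamp: datetime
    amount: float
    destination_country: str
    resulting_balance: float         # balance after the book transfer funding it


def score_order(order, recent_orders, profile, device):
    """Return (score, reasons) for one payment order.

    recent_orders are the earlier orders on the same account; the order
    itself is not included.
    """
    score, reasons = 0, []

    # Volume and frequency: many orders inside a one-hour window
    window = [o for o in recent_orders
              if timedelta(0) <= order.timestamp - o.timestamp <= timedelta(hours=1)]
    if len(window) >= 5:
        score += 30
        reasons.append(f"{len(window)} prior orders in the last hour")

    # Overdraft created on what is regularly a zero-balance account
    if profile.usual_balance_zero and order.resulting_balance < 0:
        score += 25
        reasons.append(f"overdraft of {order.resulting_balance:.2f} on zero-balance account")

    # Limited prior wire activity
    if profile.prior_wires_last_90d < 3:
        score += 15
        reasons.append("little prior wire history")

    # Destination of the funds
    if order.destination_country in HIGH_RISK_DESTINATIONS:
        score += 20
        reasons.append(f"destination {order.destination_country} on watch list")

    # Device-level anomalies
    if device.behind_proxy:
        score += 10
        reasons.append("session behind proxy")
    if device.timezone != profile.usual_timezone:
        score += 10
        reasons.append("time zone mismatch")
    if device.browser_language != profile.usual_browser_language:
        score += 10
        reasons.append("browser language mismatch")
    if device.reputation_hits > 0:
        score += 25
        reasons.append(f"device linked to {device.reputation_hits} prior fraud reports")

    return score, reasons


def decision(score):
    """Map a score to an action; thresholds are assumed."""
    if score >= 70:
        return "block"
    if score >= 40:
        return "review"
    return "allow"


def run_demo():
    """Constructed scenario: one routine wire versus a burst of foreign wires."""
    profile = CustomerProfile(prior_wires_last_90d=1, usual_balance_zero=True,
                              usual_timezone="America/Detroit",
                              usual_browser_language="en-US")
    legit_device = DeviceContext("America/Detroit", "en-US", False, 0)
    fraud_device = DeviceContext("Europe/Moscow", "ru-RU", True, 2)
    t0 = datetime(2011, 9, 1, 9, 0)  # constructed timestamp

    legit = WireOrder(t0, 4_500.0, "US", 1_200.0)
    burst = [WireOrder(t0 + timedelta(minutes=8 * i), 150_000.0,
                       "RU" if i % 2 else "EE", -800_000.0 * (i + 1))
             for i in range(6)]

    legit_score, _ = score_order(legit, [], profile, legit_device)
    burst_scores = [score_order(o, burst[:i], profile, fraud_device)[0]
                    for i, o in enumerate(burst)]
    return {"legit": decision(legit_score),
            "fraud_first": decision(burst_scores[0]),
            "fraud_sixth": decision(burst_scores[-1]),
            "fraud_sixth_score": burst_scores[-1]}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point of the combination is that no single factor needs to be conclusive: the first fraudulent order already trips the overdraft, destination and device checks, and by the sixth order the frequency signal adds to them, so a layered control would have had several independent chances to stop the activity earlier.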

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

Comment from shawn merdinger: Hrm. Wonder how this squares with other recent court rulings against the bank's customers, like the one profiled in CNBC's "Code Wars" and written about in Wired here: http://www.wired.com/threatlevel/2011/06/bank-ach-theft/