In May 2009, an unknown hacker gained access to PATCO Construction’s online banking account at People’s United Bank (doing business as Ocean Bank). PATCO claimed the hacker somehow installed malware on a company PC to obtain banking credentials and commit online fraud. The fraudster was then able to use the stolen credentials — a user ID, password and the answers to three security questions — to access a PATCO employee’s online bank account.

Over a five-day period, the hacker initiated fraudulent Automated Clearing House (ACH) and wire transfers totaling over $588,000. Although the bank’s risk engine flagged the transactions as being “very high risk,” the debit requests were successfully processed. Once the fraud was discovered, the bank was able to recover less than half of the funds, leaving PATCO with a loss of approximately $345,000.

Reversing a lower-court ruling, a federal court of appeals stated that the bank’s security system was “commercially unreasonable,” based on requirements set under Article 4A of the Uniform Commercial Code. While the technology components of the bank’s security system appeared reasonable on paper, the manner in which the bank operated the technologies was called into question.

The appellate court’s final advice? “On remand, the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement.”

Earlier this month, the parties did just that. PATCO’s Chief Executive Officer Mark Patterson reported that a settlement had been reached, with People’s United Bank refunding all losses suffered by his company. This settlement, coupled with the outcome of the Experi-Metal lawsuit, which also favored the commercial customer over its bank, has set a precedent that will have far-reaching ramifications for the industry.

Sentiment Has Shifted Toward the Commercial Customer

The recent update to the Federal Financial Institutions Examination Council’s (FFIEC) 2005 “Authentication in an Internet Banking Environment” guidance was clearly focused on driving banks to implement better fraud prevention capabilities to protect commercial customer accounts, especially for small- and medium-sized businesses (SMBs). Now, with two landmark cases ruling in favor of the commercial customer, legal precedent has also shifted away from financial institutions regarding online fraud incidents. With regulators and courts stepping in to protect SMBs, the days of banks using UCC 4A to deflect fraud liability to the customer are over.

‘Commercially Reasonable’ Isn’t What It Used to Be

Many financial institutions believe that providing “commercially reasonable” security consists of acquiring a set of fraud prevention technologies similar to those of their peer institutions. However, recent court rulings indicate that the manner in which the technologies are implemented and operated is a critical factor in determining commercial reasonableness. If an allegedly “commercially reasonable” fraud prevention platform does not detect a commonly used fraud scheme, it will be very difficult to argue that it was implemented properly.

Most Banks Will Now Refund Commercial Account Losses From Online Fraud

Based on the two recent cases, we expect the vast majority of banks to refund SMB fraud losses as a matter of course. Rather than deal with the reputational damage associated with an exposed — and especially litigated — fraud event, banks will simply avoid the gamble and refund losses (except for cases of egregious client negligence).

Compliance and Legal Departments Take a Back Seat

Fraud prevention will no longer be driven by administrative functions that seek to invest in fraud prevention programs that best position the bank for regulatory examinations and legal proceedings. Instead, customer service and fraud prevention specialists will devise, implement and maintain fraud prevention programs that are actually designed to prevent losses, not simply to tick a compliance check box. When fraud is being prevented, litigation is avoided, regulatory compliance is met and costs are reduced. When fraud prevention is given a primary focus rather than a secondary focus, legal and regulatory compliance requirements will fall in line.

Banks Are Forced to Deal With Malware-Based Fraud

The terms “malware,” “key-logging” and “man-in-the-browser/man-in-the-middle” are mentioned over 20 times in the recent 12-page FFIEC authentication guidance supplement. Both the PATCO and Experi-Metal fraud incidents involved malware. It is a well-known and documented fact that malware is being used extensively to compromise bank customers’ devices and commit fraud. Traditional antivirus applications do a poor job of detecting and preventing dangerous financial malware. Meanwhile, traditional authentication techniques and risk engines are only partially effective when it comes to identifying and preventing many forms of malware-based fraud. They also come at a high cost. A new approach for preventing malware-based fraud is sorely needed.

The PATCO ruling has triggered a seismic shift in fraud liability. Given this new landscape, preventing fraud — and specifically malware-based fraud — should be the top priority of every bank’s fraud prevention program. While it sounds obvious, many banks are more concerned with peer bank comparisons and legal positioning than with actually preventing fraud. We know malware-based fraud can be prevented in a cost-effective, customer-friendly, manageable and regulatory-compliant fashion.
