Online and Mobile Banking Fraud Issues and Hot Topics
Treasury Management Association of Chicago
2012 Windy City Summit (Chicago, Illinois)
Erin F. Fonté, Shareholder
Cox Smith Matthews Incorporated
June 7, 2012
© 2012, Cox Smith Matthews Incorporated
Disclaimers
The opinions expressed in this presentation are solely those of the presenter and do not necessarily reflect the opinions of Cox Smith Matthews Incorporated.
This presentation is an educational tool that is general in nature and for purposes of illustration only. The materials in this presentation are not exhaustive, do not constitute legal advice and should not be considered a substitute for consulting with legal counsel. Cox Smith Matthews Incorporated does not have an obligation to update the information contained in this presentation.
Trends In Payments Fraud
[Chart: Percentage of Importance by Payment Channel (Debit Card, ACH, Credit Card, Check, Online Bill, Wire, ATM), Current vs. +3 Years. Source: AITE Group]
Trends in Payments Fraud (cont’d)
FFIEC Supplement – “Threat Landscape & Compensating Controls”
Fraudsters using increasingly sophisticated and malicious techniques
Many schemes target small to medium-sized businesses
Key logging/keystroke malware
Man-in-the-middle/Man-in-the-browser attacks
Controls: anti-malware software; transaction monitoring/anomaly detection; out-of-band verification; use of restricted funds transfer recipient list; establishing limits based on customer’s business; require business customers to utilize dual control routines
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
FFIEC Authentication Supplemental Guidance
Supplement to “Authentication in an Internet Banking Environment” (issued in 2005; supplement issued 6/28/11)
Effective January 1, 2012
FFIEC Authentication Supplement includes changes/additional guidance for:
(1) risk assessments
(2) authentication for high-risk transactions
(3) layered security programs
(4) effectiveness of certain authentication techniques
(5) customer education and awareness (esp. commercial customers)
Supplemental Guidance on Internet Banking Authentication (FFIEC) (cont’d)
(1) Risk Assessments
Should consider, but not be limited to, the following:
Changes in the internal and external threat environment (including Appendix information)
Changes in customer base adopting electronic banking
Changes in the customer functionality offered through electronic banking (e.g. consumer RDC via mobile device)
Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry
Supplemental Guidance on Internet Banking Authentication (FFIEC) (cont’d)
(1) Risk Assessments (cont’d)
Bank A has effectively implemented a layered approach, including active monitoring solutions and stringent authentication requirements, both in and out-of-bank in nature
All new customers that send wires or originate ACH transactions must go thru a one-on-one Webex training class where fraud prevention is stressed along with following established internal procedures and controls
We are also deploying a fraud awareness and prevention program for our commercial customers to ensure they have the knowledge and tools needed to protect their assets
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(2) Customer Authentication for High-Risk Transactions
2005 FFIEC Guidance definition of “high-risk transactions” remains unchanged (“electronic transactions involving access to customer information or the movement of funds to other parties.”)
Retail/Consumer Banking
Generally involve accessing account info, bill payment, intrabank funds transfers or wire transfers
Small dollar and therefore a comparatively lower level of risk, but still need layered security
Business/Commercial Banking
Generally involve ACH and wire
Frequency and dollar amounts larger, so comparatively more risk than consumer
“Layered security . . . utilizing controls consistent with the increased level of risk for covered business transactions”
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(2) Customer Authentication for High-Risk Transactions (cont’d)
Bank A requires dual authorization of all wires submitted through our Commercial Online Banking application
Bank A requires dual authorization and file authentication for all ACH files
Bank A has only allowed a limited number of customers outside the U.S. to utilize RDC and we monitor those transactions on a daily basis
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(3) Layered Security Programs
Layered NOT the same as multi-factor
Layered security uses different controls at different points in a transaction process so a weakness in one control can be compensated by the strength of another control
Examples:
Fraud detecting and monitoring systems that include customer history and behavior (i.e. heuristics) and enable a timely and effective FI response
Dual customer authorization through different access devices
Out-of-band verification for transactions (authentication via 2 systems at same time – login, PW, token + phone call verification)
Use of “positive pay,” debit blocks, and other techniques to limit transactional use of account
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(3) Examples of Layered Security (cont’d):
Enhanced account controls (transaction value thresholds, payment recipients, # of transactions per day, days and times for payment (payment windows))
Internet Protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities
Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
Enhanced control over changes to account maintenance activities performed by customers either online or through customer services channels
Enhanced customer education to increase awareness of fraud risk and effective techniques customers can use to mitigate risk
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(3) Examples of Layered Security (cont’d):
Minimum Layered Security Components:
Anomalies/FI response for initial login and authentication for electronic banking
Anomalies/FI response for initiation of electronic transactions involving transfers of funds to other parties
Control of Administrative Functions: more controls than routine business use
Bank A has implemented or plans on implementing the various examples of layered security described above
We strongly encourage our customers to utilize Positive Pay and Payee Review
Ongoing customer education thru messages on our Online Banking application, notification of recent fraud schemes, webinars, etc.
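The enhanced account controls and anomaly/FI-response layers listed in the slides above, as an added Python illustration that is not from the presentation or from any bank's system: each control is evaluated independently, so a transfer that clears one layer can still be caught by another, and the institution's response escalates with the number of layers tripped. The customer profile, thresholds, IP-reputation entry and sample wire orders are constructed values.

```python
"""Layered-control check of a funds-transfer order (added illustration,
not from the presentation). Profile, IP list and orders are constructed."""
from dataclasses import dataclass
from datetime import datetime

@dataclass
class AccountProfile:
    value_threshold: float         # customer-set per-transfer dollar limit
    daily_limit: int               # max transfers per business day
    window: tuple                  # permitted hours (start, end), local time
    approved_recipients: set       # restricted funds-transfer recipient list
    typical_amount: float          # average transfer from customer history
    typical_per_day: float         # usual number of transfers per day

@dataclass
class Transfer:
    amount: float
    recipient: str
    when: datetime
    src_ip: str
    count_today: int               # transfers already initiated today

BLOCKED_IPS = {"198.51.100.7"}     # constructed IP-reputation list (TEST-NET-2)

def evaluate(order: Transfer, p: AccountProfile) -> dict:
    """Return the controls that fired and the institution's response."""
    flags = []
    if order.amount > p.value_threshold:
        flags.append("value_threshold")
    if order.recipient not in p.approved_recipients:
        flags.append("unknown_recipient")
    if order.count_today + 1 > p.daily_limit:
        flags.append("daily_count")
    if not p.window[0] <= order.when.hour < p.window[1] or order.when.weekday() > 4:
        flags.append("outside_payment_window")
    if order.src_ip in BLOCKED_IPS:
        flags.append("ip_reputation")
    # Heuristic layer: judge against this customer's own history, not fixed limits
    if order.amount > 3 * p.typical_amount:
        flags.append("amount_anomaly")
    if order.count_today + 1 > 3 * p.typical_per_day:
        flags.append("velocity_anomaly")
    # FI response escalates with the number of independent layers tripped
    if "ip_reputation" in flags or len(flags) >= 3:
        action = "block_and_contact_customer"
    elif flags:
        action = "hold_for_out_of_band_verification"
    else:
        action = "release"
    return {"flags": flags, "action": action}

# Constructed sample data: one commercial customer and three wire orders
SAMPLE_PROFILE = AccountProfile(50_000, 5, (8, 18), {"Acme Supply Co"}, 12_000, 1)
ROUTINE = Transfer(10_000, "Acme Supply Co", datetime(2012, 6, 7, 10, 30), "203.0.113.5", 0)
NEW_PAYEE = Transfer(10_000, "New Vendor LLC", datetime(2012, 6, 7, 10, 30), "203.0.113.5", 0)
TAKEOVER = Transfer(60_000, "New Vendor LLC", datetime(2012, 6, 7, 2, 15), "203.0.113.5", 3)
```

A single new payee only holds the order for out-of-band verification, while the after-hours, over-threshold, high-velocity order trips five layers at once and is blocked even though no single control was tuned for that pattern.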
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(4) Effectiveness of Certain Authentication Techniques
Device Identification
Simple cookies no longer “cut it”
Geo-location and IP address matching – fraudsters can now beat those, too
One-time cookies and “digital fingerprint” methods are better
All Agencies consider complex device identification to be more secure and preferable to simple device identification
“Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique”
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(4) Effectiveness of Certain Authentication Techniques (cont’d)
Challenge Questions
Keystroke logging malware and personal information voluntarily posted on social media have made basic challenge questions (mother’s maiden name, high school mascot) ineffective
Must use “out of wallet” questions to be effective (sophisticated questions the customer knows “in their head”; often deploy red herring questions to trick fraudsters)
Dual authorization seems to be working quite well. We have only experienced a couple of losses from wire or ACH fraud and those were caused by customers not following prescribed internal procedures and controls
Requiring out of band authentication for originated ACH files has been highly effective and has prevented multiple fraud attempts
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(5) Customer Education and Awareness (esp. commercial customers)
“A financial institution’s customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include following elements:”
Explanations of protection provided and not provided, and the extent to which Reg E covers their accounts
Explanations of when, if ever, bank will contact customer on unsolicited basis and/or ask for electronic banking credentials
Suggestion that online banking customers perform a related risk assessment and controls evaluation periodically
A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk (or resources where such info can be found)
Listing of FI contacts for customers to use to alert FI to suspicious account activity or security-related questions
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(5) Customer Education and Awareness (esp. commercial customers) (cont’d)
Bank A performs onsite customer audits of all Remote Deposit Capture customers that we deem to be high risk to ensure proper internal procedures and controls are being followed
Bank A asks all Remote Deposit Capture customers to complete an annual Risk survey that focuses on fraud prevention and internal controls
Bank A clearly states on the front page of its Treasury Management PT&C that it will never ask for passwords, User Ids, token authentications by e-mail, e-mail internet links, mail, over the telephone or in-person
Bank A has a revolving list of alerts in our Online Banking application about fraud detection and prevention
Case Law Issues and Preventative Measures
Commercially Reasonable Security (Patco issues)
Unknown third parties initiated a series of withdrawals from Patco’s account with Ocean Bank over several days totaling $588,851; Ocean Bank blocked $243,406; Patco wanted bank to pay remainder
Court focused on whether the security procedures employed by Ocean Bank were “commercially reasonable” (under UCC and state UCC)
70 page opinion looking at: perspectives of competing experts; industry practices; and alternative security measures
Court concludes that bank’s procedures may not have been perfect or best, but they were “commercially reasonable” (appeal?)
Patco challenged use of challenge questions themselves – unique threat of key logging renders challenge questions ineffective
Case Law Issues and Preventative Measures (cont’d)
Commercially Reasonable Security (Patco issues cont’d)
Brian Krebs “Krebs on Security” said “Passwords + Secret Questions = “Reasonable” eBanking Security”
Multi-factor: (1) what you know (login, password); (2) what you have (token); (3) who you are (biometric)
BUT word to the wise – do not fall behind on making sure that the multi-factor authentication is also part of layered security
Open question on whether failure to comply with updated FFIEC guidance would be a strike against bank’s security being “commercially reasonable”
Open question as to how far below the FFIEC guidance bar you have to fall before your security measures become “unreasonable”
Guidance is meant to set a “baseline” for best practices, and in reality “guidance” documents are still used by plaintiffs and litigants when arguing what the standard of care should be; carries weight in that it can aid plaintiffs in moving their case pretty far along
And always keep up with what your competition is offering
Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues
Whether EMI employee who was phished was authorized to initiate wire transfers = risks to and claims against bank for complete customer administrative controls
Bank’s escalation procedures killed telephone wires, and killed future sessions of online banking – BUT did not kill current session where fraudsters were in the system
Resulted in fraudsters being able to conduct additional fraudulent transfers from 12:04 p.m. until 2:05 p.m. (2 hours, 1 minute) – 15 additional fraudulent wire transfer orders initiated in that time
Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
“Good Faith” standard under UCC
Court in Experi-Metal v. Comerica Bank concluded that Comerica did not act in good faith (i.e. did not observe “reasonable commercial standards of fair dealing”)
“A bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped” the fraudulent activity earlier
No longer “good heart and empty head” but rather “honesty in fact and the observance of reasonable commercial standards of fair dealing.” (U.C.C. §§ 1-201, 3-103, emphasis added)
“Honesty in fact” = SUBJECTIVE prong (pure heart and empty head) – no evidence that Comerica employees
Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
“Observance of reasonable commercial standards of fair dealing” = OBJECTIVE prong (Michigan court citing In re Jersey Tractor Trailer Training, 580 F. 3d at 156.)
The Official Comments to the U.C.C. make clear that this objective standard should not be equated with a negligence test: Although fair dealing is a broad term that must be defined in context, it is clear that it is concerned with the fairness of conduct rather than the care with which an act is performed. Failure to exercise ordinary care in conducting a transaction is an entirely different concept than failure to deal fairly in conducting the transaction. (citing U.C.C. § 1-201 cmt. 20.)
Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
“There is a paucity of cases and authority discussing this recently added prong of the “good faith” requirement.”
The Maine Supreme Court is the only court that has proposed an approach to address whether the objective prong has been met: (1) whether the conduct of the holder comported with industry or “commercial” standards applicable to the transaction and (2) second, whether those standards were reasonable standards intended to result in fair dealing. (citing Maine Family Fed. Credit Union, 727 A.2d at 343).
Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
EMI and Comerica’s expert witness’ comments on “good faith” were basically rejected by court
Comerica offered NO EVIDENCE that it did act in “good faith” – unlike “commercially reasonable security” good faith standard places burden on BANK
NO EVIDENCE on OBJECTIVE prong of UCC good faith test = BANK LOSES
Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
[T]he parties cannot vary by agreement what satisfies the “good faith” standard . . . If “reasonable commercial standards of fair dealing” obligated Comerica to respond to the fraudulent wire transfer activity in a particular way and Comerica failed to observe those standards, it cannot demonstrate that it acted in good faith simply by showing that it was relieved of the obligations to adhere to any of those standards in its agreement(s) with Experi-Metal . . . [T]o prevail, Comerica had to present evidence conveying the reasonable commercial standards of fair dealing applicable to a bank’s response to an incident like the one at issue here and to show, by a preponderance of the evidence, that its employees observed those standards . . .
Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
“There are number of considerations relevant to whether Comerica acted in good faith with respect to this incident”
(1) “The volume and frequency of the payment orders and the book transfers that enabled the criminal to fund those orders” = FFIEC Layered Security
(2) “The $5 million overdraft created by those book transfers in what is regularly a zero balance account” = FFIEC High Risk Transaction
(3) “Experi-Metal’s limited prior wire activity” = FFIEC Layered Security (Customer History and Behavior)
Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
(4) “The destinations and beneficiaries of the funds” = FFIEC High Risk Transactions
(5) “Comerica’s knowledge of prior and the current phishing attempts” = FFIEC Risk Assessments
“This trier of fact is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this Court could find otherwise.”
QUESTIONS?
Erin F. Fonté, CIPP
Shareholder
Banking and Financial Institutions/
Privacy and Data Security
Cox Smith Matthews Incorporated
111 Congress Avenue, Suite 2800
Austin, Texas 78701
@PaymentsLawyer
Link me in: Erin Fonte