U.S. Appeals Court Gives Retailers Fraud Loss Victory

Written by Mark Rasch
July 10th, 2012

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

In a decision that has huge implications for retail chains, a Federal Court of Appeals ruled on July 3 that a contractor in Maine could successfully sue its bank for losses from a hacked bank account. The problem is that many of the “thefts” of money from retailers don’t occur at the bank itself. A hacker may attack the retailer’s computer, obtain user IDs and passwords, and then log into the bank’s system using the stolen credentials, or even log in from the compromised computer itself. To the bank, it sure looks like the login came from the retailer.

Once the bad guy gets in, it’s only a few keystrokes to wire transfer all of the account funds to a waiting account in Latvia, Bulgaria or wherever. The retailer only learns of the transfer later, when the funds are gone. Sometimes the bank can “clawback” all or part of the transaction; sometimes it cannot. But who eats the cost of that loss?

Many retailers maintain bank accounts that permit, or even encourage, depositors to interact with the bank electronically. This E-banking serves both the bank and the merchant, enabling fast and usually reliable transactions without having to wait in line at a teller. But who has liability if a bank account is hacked? And who has liability if a merchant’s computers are hacked and, through the compromised computers, funds are transferred? In general, the rule has been that the merchant bears the risk of loss. But that general rule is changing.

For consumer bank accounts, the risk of loss in the event of a hack or intrusion is either zero or close to that. The same rules that protect consumers from stolen or fraudulently used credit or debit cards protect them from hacked accounts. The consumer liability, under a law called Regulation E, is limited to $50 in most transactions and $250 in some other transactions, so long as the fraud is reported relatively promptly. As a practical matter, consumers rarely have to pay even the $50, because banks are willing to eat those costs to encourage more people to engage in online banking.

For commercial entities, however, Regulation E doesn’t apply. Instead, Article 4A of the Uniform Commercial Code (UCC) allows the bank to disclaim liability if the bank used “commercially reasonable” means to prevent the fraud.

The law that relates to commercial electronic banking transactions is UCC 4A, which says the bank is entitled to rely on the authenticity of a payment order if it is verified according to a security procedure that is a “commercially reasonable method of providing security against unauthorized payment orders” and the bank accepted the order in good faith.


One Comment

  1. Sid Sidner Says:

    But there is one more key point here: crooked employees at customers.

    There is a non-trivial amount of attempted fraud by employees at small businesses. Before the Zeus malware, business bankers worked with their SMB customers to put in place split-knowledge and dual-control. SMB accounting departments typically only have a few people in them, and do not have the kind of on-premise accounting and IT expertise that large companies have. Light-fingered employees (and sometimes even the boss) realize after a while that there are no controls on key aspects of the handling of receipts and payments. If the SMB has to eat the loss, the SMB management starts to get very motivated to listen to the bankers and their CPAs, to implement effective controls.

    Now enter Zeus: how can the bank tell the difference between Zeus and real employee fraud? Worse, what if smart employees read about Zeus and realize that they can claim that malware was what caused the loss, when it was really them? Kind of like the dog-ate-my-homework defense that school kids use.

    Banks don’t want the horrible press about putting an SMB out of business, but they also don’t want to open the floodgates to human fraud.
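The dual-control practice the comment above refers to can be made concrete. The following is an added illustration, not code from the article, the commenter or any bank's system: a small model in which a payment order entered by one user is only released to the bank after the required number of distinct, authorised approvers have signed off, and the originator can never count as one of them. A single stolen credential, or a session driven from a compromised workstation as described in the article, is then not enough on its own to move the money. It goes a little beyond the comment by also requiring a second approver for payments to a beneficiary the business has never paid before. All user names, limits, beneficiaries and orders are constructed sample data.

```python
"""Dual-control release of payment orders (added illustration, hypothetical)."""
from dataclasses import dataclass, field


@dataclass
class PaymentOrder:
    """A proposed wire transfer awaiting release (constructed sample type)."""
    order_id: str
    originator: str          # user who keyed in the order
    amount: float
    beneficiary: str         # destination account label
    approvals: set = field(default_factory=set)


class DualControlPolicy:
    """Who may approve, and how many independent approvals an order needs."""

    def __init__(self, approvers, known_beneficiaries,
                 single_approval_limit, hard_limit):
        self.approvers = set(approvers)
        self.known_beneficiaries = set(known_beneficiaries)
        self.single_approval_limit = single_approval_limit  # above this: 2 approvers
        self.hard_limit = hard_limit                        # never released above this
        self.audit_log = []                                 # who did what, in order

    def required_approvals(self, order):
        # Large orders, and orders to a beneficiary the business has never
        # paid before, need two independent approvers; routine payments need one.
        if order.amount > self.single_approval_limit:
            return 2
        if order.beneficiary not in self.known_beneficiaries:
            return 2
        return 1

    def approve(self, order, user):
        """Record an approval; refuses non-approvers and self-approval."""
        if user not in self.approvers:
            raise PermissionError(f"{user} is not an authorised approver")
        if user == order.originator:
            raise PermissionError("the originator may not approve their own order")
        order.approvals.add(user)
        self.audit_log.append(f"approve {order.order_id} by {user}")

    def release(self, order):
        """Return (ok, reason). Only ok=True orders are ever sent to the bank."""
        if order.amount > self.hard_limit:
            return False, "amount exceeds hard limit"
        need = self.required_approvals(order)
        # Defence in depth: even if approvals were tampered with, the
        # originator's own name never counts towards the total.
        have = len(order.approvals - {order.originator})
        if have < need:
            return False, f"needs {need} approval(s), has {have}"
        self.audit_log.append(f"release {order.order_id}")
        return True, "released"


if __name__ == "__main__":
    # Constructed sample: three approvers, one known beneficiary, $5,000 limit.
    policy = DualControlPolicy(["alice", "bob", "carol"],
                               ["Payroll Provider"], 5000, 250000)
    order = PaymentOrder("PO-1", "alice", 20000, "Unknown Offshore Ltd")
    print(policy.release(order))           # blocked: no approvals yet
    policy.approve(order, "bob")
    print(policy.release(order))           # blocked: one of two approvals
    policy.approve(order, "carol")
    print(policy.release(order))           # released
    print(policy.audit_log)
```

The useful property is that `approve` and `release` are separate steps tied to separate identities, so an attacker holding one user's login (or riding that user's session) hits the same wall an insider does. The audit log is what an investigator later uses to tell a genuine second approval from a claimed one.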

