This is page 2 of:
U.S. Appeals Court Gives Retailers Fraud Loss Victory
This is intended to strike a balance between the need for transactions to go through and be accepted and the need to ensure those transactions are authentic. Federal banking regulations established by the FFIEC set out a variety of things banks can do to validate transactions, including multifactor authentication, challenge-response, callback for high dollar or unusual transactions, out-of-bandwidth authentication and credential exchange, among other things. Customers, likewise, are required to exercise reasonable care to protect themselves.
Many modern hacks to E-banking occur at the merchant’s computer. Malware is inserted into the merchant’s computer, which captures—through a keylogger—the passwords and any “challenge-response.” The bank in Maine made the problem worse by lowering the threshold for the “challenge-response” to $1. Thus, the merchant had to enter the response code every time it made any funds transfer, which for that merchant was very frequently. The threat of a keylogger being installed on any one of the machines used for funds transfers was increased by this fact. In addition, the merchant argued that the bank’s practices were not “commercially reasonable,” because the bank neither monitored for unusual transactions nor notified the customer that transactions had taken place. The court held that a case could at least be pursued on the question of whether these actions were commercially reasonable.
This is similar to a ruling in June 2011 by a Michigan court that Comerica Bank was liable to a Michigan company called Experi-Metal after that company’s computers were hacked and more than half a million dollars fraudulently transferred.
Taken together, these and other cases show that hackers are clearly targeting not only banks but their customers. Merchants know it. Law enforcement knows it. Banks know it, too. Hackers are installing sophisticated tools to try and appear to be the legitimate merchant, and to then take over the merchant’s computers, obtain their passwords and transfer millions of dollars to their own accounts. Willie Sutton was right—they do it because that’s where the money is.
Merchants need to go back to their online banks and get a much better idea of what types of “commercially reasonable” things they are doing to prevent fraud. Look over the agreements; see what the banks are representing that they do. How are they preventing fraud. And, yes, what is the retailer doing to prevent it, too. We can prevent the attack in the first place or spend millions on lawyers litigating liability afterward. Either way is OK with me.
If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.
-Marc
July 12th, 2012 at 10:38 am
But there is one more key point here: crooked employees at customers.
There is a non-trivial amount of attempted fraud by employees at small businesses. Before the Zeus malware, business bankers worked with their SMB customers to put in place split-knowledge and dual-control. SMB accounting departments typically only have a few people in them, and do not have the kind of on-premise accounting and IT expertise that large companies have. Light-fingered employees (and sometimes even the boss) realize after awhile that there are no controls on key aspects of the handling of receipts and payments. If the SMB has to eat the loss, the SMB management starts to get very motivated to listen to the bankers and their CPAs, to implement effective controls.
Now enter Zeus: how can the bank tell the difference between Zeus and real employee fraud? Worse, what if smart employees read about Zeus and realize that they can claim that malware was what caused the loss, when it was really them? Kind of like the dog-ate-my-homework defense that school kids use.
Banks don’t want the horrible press about putting an SMB out of business, but they also don’t want to open the floodgates to human fraud.