Tag: customer awareness and education

26 Mar 2013

Court rules in favor of Bank in account takeover case

Unlike the PATCO ruling, a district court in Missouri has ruled in favor of the bank in an account takeover case brought by one of its commercial customers.  This case was very similar to the PATCO case with one important exception, which I’ll discuss shortly.  But it also raises some interesting questions that could impact financial institutions.

First, the details.  In March 2010, BancorpSouth received a request via the Internet to execute a wire transfer in the amount of $440,000 on behalf of its customer, Choice Escrow and Land Title.  The Bank wired the funds, and the following day the customer contacted the Bank to notify them that they in fact did not authorize the wire transfer.  The company filed suit to recover the loss, claiming that the Bank did not use appropriate security measures.  But their claim wasn’t that appropriate security wasn’t made available, but that there were several security options available and the Bank allowed the customer to select an inferior option.  This is quite different from the PATCO case, where strong authentication was available to the Bank from the software vendor, but the Bank in that case decided not to offer it to their customer.  In this case the Bank offered both single and dual-control authentication options, and the customer waived the dual-control option.  This gave any authorized user of the software the ability to initiate and approve a wire without requiring a second user to approve and release the funds.  Using malware, a hacker was able to gain control of the PC, record the user name and password via a keystroke logger, and send the fraudulent wire.

The PATCO case was decided in favor of the customer because the Bank failed to make strong, commercially reasonable, authentication options available to the customer even though the software vendor offered them to the Bank.  But in this case, the judge decided just the opposite; stronger options were made available, but were declined by the customer.  Remember, according to UCC 4A the risk of loss for an unauthorized transaction will lie with a customer if the bank can establish that its security procedure is a commercially reasonable method of providing security against unauthorized payment orders.  So, advantage Bank.  But again, the customer claimed that the Bank should NOT have offered the weaker option to them knowing that it was insufficient to address the risks.  In other words, simply offering the weaker option to the customer was an implicit acknowledgement by the Bank that it was commercially reasonable.  In the end this argument was rejected because the Bank had documentation that it offered, and the customer refused, the stronger option multiple times.

Although this case turned out OK for the Bank, the verdict does raise several questions for financial institutions:

  • Knowing that one option is better than another, should institutions even offer more than one authentication option to their customers?  And what happens when a customer (or product) increases in risk?  Do you require the users to upgrade?
  • Since the judge in both this case and the PATCO case referenced UCC 4A as the legal basis for their decisions, should the FFIEC be more prescriptive about exactly what constitutes “commercially reasonable” (and what doesn’t)?  The 2003 FFIEC E-Banking guidance says that “whether a method is a commercially reasonable system depends on an evaluation of the circumstances.”  But the updated 2011 FFIEC authentication guidance doesn’t mention “commercially reasonable” (or UCC 4A) at all.  Why not?  Specifically, why not include the “…the risk of loss for an unauthorized transaction will lie with a customer if…” language?
  • Are institutions putting too much faith in technical measures, and avoiding simpler, but more effective, controls?  Anomaly detection is getting a lot of attention these days, but in this case Choice had a history of transfers of similar size and frequency, and anomaly triggers were not activated.  Simple dual-control authentication would have prevented this fraudulent transfer.
  • On the other hand, are vendors overlooking more effective technologies, such as out-of-band authentication and secure DNS?
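The two controls contrasted above (dual control versus a history-based anomaly trigger) can be modelled in a few lines.  The following is an added example written for this page, not code from BancorpSouth, Choice, or any e-banking vendor; the customer names, user names, transfer history and the z-score threshold are all constructed assumptions.  It shows why a wire whose amount matches the customer’s normal activity sails past the anomaly check, while dual control stops it because the attacker holds only one user’s credential.

```python
"""Model of single-control vs dual-control wire release plus a simple
history-based anomaly check.  Added illustration; all data is constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional, Set, Tuple


@dataclass
class WireRequest:
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None   # second user who releases the wire


@dataclass
class CustomerProfile:
    name: str
    dual_control: bool                  # False = customer waived the option
    authorized_users: Set[str]
    history: List[float] = field(default_factory=list)  # past wire amounts


def anomaly_score(amount: float, history: List[float]) -> float:
    """Z-score of the requested amount against the customer's past wires.
    Returns 0.0 when there is too little history to judge."""
    if len(history) < 2:
        return 0.0
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if amount == history[0] else float("inf")
    return abs(amount - mean(history)) / sd


def evaluate_wire(profile: CustomerProfile, req: WireRequest,
                  anomaly_threshold: float = 3.0) -> Tuple[str, str]:
    """Apply the customer's controls in order and return (decision, reason)."""
    if req.initiated_by not in profile.authorized_users:
        return "REJECT", "initiator is not an authorized user"
    # Anomaly trigger: only fires when the amount is far from historical norms
    if anomaly_score(req.amount, profile.history) > anomaly_threshold:
        return "HOLD", "amount is anomalous relative to history"
    if profile.dual_control:
        # Dual control: a second, distinct authorized user must release funds
        if req.approved_by is None:
            return "HOLD", "dual control: second approver required"
        if req.approved_by == req.initiated_by:
            return "REJECT", "dual control: initiator cannot approve own wire"
        if req.approved_by not in profile.authorized_users:
            return "REJECT", "dual control: approver is not authorized"
    return "RELEASE", "all controls satisfied"


# Constructed history: five recent wires in the same range as the fraud amount
SAMPLE_HISTORY = [410_000.0, 455_000.0, 430_000.0, 448_000.0, 425_000.0]


def build_profiles() -> Tuple[CustomerProfile, CustomerProfile]:
    """Same customer, two configurations: dual control waived vs enabled."""
    users = {"alice", "bob"}            # constructed user names
    single = CustomerProfile("escrow-co (single control)", False, users,
                             list(SAMPLE_HISTORY))
    dual = CustomerProfile("escrow-co (dual control)", True, users,
                           list(SAMPLE_HISTORY))
    return single, dual


def demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """A keylogger captured one credential ('alice'); submit a $440,000 wire
    under each configuration and return both decisions."""
    single, dual = build_profiles()
    stolen_session = WireRequest(amount=440_000.0, initiated_by="alice")
    return evaluate_wire(single, stolen_session), evaluate_wire(dual, stolen_session)


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

Under single control the request is released: the amount is well inside the customer’s normal range (z-score below 1), so the anomaly trigger never fires, and one captured credential is all that is needed.  Under dual control the same request is held until a different authorized user approves it, and an attempt to self-approve is rejected outright.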

In summary, there are still questions, but there are also a couple of lessons financial institutions should take away from this.  First, the court determined that although dual control was more labor intensive for the customer, it was also the more secure option, and as such Choice should have opted for increased security over the increased inconvenience.  Lesson?  Perhaps you should be less concerned about inconveniencing your customers with increased security requirements, and more focused on convincing (i.e. educating) them on why a little increased effort on their part is justified…i.e. security trumps usability.  Second, customer awareness efforts and documentation made all the difference in this case.  If the Bank had not made, and documented, multiple efforts to implement stronger authentication, this case could easily have gone the other way.

16 Jul 2012

Commercially UNreasonable Security

So an appellate court has just reversed the PATCO court ruling, essentially deciding against the financial institution.  They ruled that the bank’s security procedures were commercially UN-reasonable.

To summarize, a commercial e-banking customer (PATCO Construction) experienced a financial loss due to an account take-over.  They sued the bank to recover the loss, claiming the bank used poor security.  The original ruling was in favor of the bank.  This ruling was in favor of the customer, and has major implications for all financial institutions as they navigate their way through the increasing risk and increased regulatory requirements of Internet banking.

The entire ruling is worth a read, but here are a few of the highlights from my perspective:

  • In the end, it wasn’t just a single control failure, but a series of failures on the part of the Bank that led to the ruling.  One example is that the Bank lowered the alert trigger for challenge questions from $100,000 to $1, effectively requiring all transactions to require an additional authentication step.  The Bank undoubtedly felt they were increasing the safety of all transactions by taking this step, but it actually had the opposite effect.  By requiring challenge questions for all transactions they substantially increased the number of chances the criminals had to intercept the correct challenge responses.
  • The on-line banking product (NetTeller Premium) and provider (Jack Henry & Associates) offered adequate options for on-line transaction security, but not all options were enabled by the Bank.  And…
  • …of those security options offered by the Bank, not all were accepted by the customer.  And…
  • …of those offered and accepted, some were ignored.  For example the anomaly detection capabilities worked properly, and automated risk profiling correctly generated abnormally high risk scores for the fraudulent transactions, but no action was taken by the Bank to block them.
  • The definition of “commercially reasonable” has evolved from the initial ruling favoring the customer, to the most recent one.  Both rulings make several references to Article 4A of the UCC (Uniform Commercial Code).  The initial ruling stated that because the customer signed the agreement, they implicitly agreed to the security measures, effectively rendering them commercially reasonable.  However the most recent ruling quotes from UCC 4A and states “[t]he standard is not whether the security procedure is the best available. Rather it is whether the procedure is reasonable for the particular customer and the particular bank.”  Therefore…
  • …a “one-size-fits-all” approach will not work; institutions MUST tailor their controls to the risks of the transaction.

But here is the most significant take-away for me, and the one with the biggest implication for financial institutions.  The judge ruled that based on the UCC 4A official comments on Section (1)(b), if and when the security procedures are deemed commercially reasonable, the burden then shifts to the customer

“…to supervise its employees to assure compliance with the security procedure and to safeguard confidential security information and access to transmitting facilities so that the security procedure cannot be breached.”

So, all you have to do is risk assess the customer and transactions and employ layered security suitable to the risk, and then the legal and financial liability shifts to the customer, right?  Maybe not.  According to the FFIEC Internet Authentication update, one of the controls an institution may include (translated from ‘FFIEC-speak’ as SHOULD include) in its layered security program is a “Customer Awareness and Education” program.  Which means you are still on the hook unless you can document that you also maintain a customer awareness program AND your customers are actually being trained.  (As I mentioned here, you may also want to add a summary of your customer awareness program to your annual report to the Board of Directors).

I’m certain we’ll see more lawsuits on this matter and future rulings may go either way, but the risk is real and immediate so don’t wait for the courts to sort things out.  Here is what you need to do:

  1. Complete the risk assessment if you haven’t already.  Define high risk transactions, and identify high risk customers.
  2. Implement a layered security program.  Make sure you know and understand all of the controls available from your e-banking product vendor.  Vendors are adding controls all the time to address the evolving threat environment.
  3. Make sure your customers know and understand all of the controls you’ve made available to them.  If they resist or refuse a particular control that you’ve recommended, have them sign off that they understand and accept the increased risk.
  4. Educate your customers, initially and periodically throughout the relationship, and regardless of whether they resist.  Regardless of the quantity and sophistication of your technical controls, the customer is, and will always remain, the weakest link in the security chain.

15 Nov 2011

2012 Compliance Trends, Part 1 – Training

This post will begin a series of 5 topics that I consider to be good candidates for increased regulatory scrutiny in the coming year.  For each topic, I will make the case for increased scrutiny based on 3 criteria:

  1. Recent audit and examination experience,
  2. Regulatory changes, and
  3. Recent events.

In keeping with my policy of trying to provide clear actionable solutions to each challenge, I will also provide suggestions to keep you ahead of the trend.

The first topic is actually making its debut appearance this year, and although training has always been important for financial institutions, it only recently crept into the top 5.  And this is really a two-part trend:

Employee training and Customer training.

First, the case for employee training.  I have always placed the importance of this in the top 10, but a recent event and examination experience have moved this into my top 5.  The recent event is the RSA breach, which I first wrote about here right after the news broke in March, and again here a couple of months ago.  This turned out to be a rather standard social engineering attack conducted over a long period of time exploiting the trust of a single employee.  The FFIEC defines social engineering this way:

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset or as a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Additionally we continue to see employee security policy and awareness training questions in every pre-examination questionnaire, regardless of whether the examiners are Federal or State.  With the increased use of social media by financial institutions, and the understanding that the employee is still the weak link in the security chain*, I predict increased need for, and emphasis on, employee training.

Customer training has always been a best practice, but it’s now a requirement.  Also referred to as customer awareness and education, the case for customer training as a trend is two-fold.  The first is the recent updated FFIEC guidance on Internet authentication.  Customer training is listed as one of the effective controls that may be included in a layered security program for both retail and commercial account holders with Internet access capability (in other words, almost all account holders), and compliance starts in January.  According to the FFIEC, customer training should contain, at a minimum:

  • An explanation of what is, and what isn’t, covered under Reg E.
  • Under what circumstances the institution may contact the customer and request log on credentials.  This one is the most important, and even though the answer is probably “never”, it can’t be repeated enough.
  • A strong suggestion that the customer perform their own risk assessment.  (The verbiage in the guidance actually leaves out the word “strong”…I added it.)
  • To go with the previous risk assessment, a list of possible controls that the customer may consider, including where they may get additional assistance.  (Institutions may be tempted to offer their own assistance, but I recommend against it.  Not only may this prove to be a resource drain, it may also inadvertently set you up for a liability claim if a customer does experience a breach.)
  • A list of institution names and contact numbers for the customer to use in the event they notice suspicious account activity.  Make sure to include off-hour contact information if applicable, as most recent exploits have occurred on weekends and other non-business hours.

The second reason for the importance of customer training is the realization by the fraudsters that customers are an easy target.  As one recent example of this trend, Trusteer just issued a warning that fraudsters are actually setting up call centers to facilitate ID theft by targeting merchants.  This goes way beyond simply installing malware and grabbing login credentials; this attacks the most secure elements in the transaction chain: controls such as one-time passwords, IP blocks (black lists) and positive pay (white lists).  Although the actual details of the attack are fascinating…and frightening…at its core this is really nothing more than an extremely sophisticated social engineering attack, and as such the standard social engineering controls apply.

In summary, re-examine your employee AND customer training and awareness programs, and plan on increasing your training in both areas in 2012.  Make sure your customer training contains at least the minimum elements, and that you periodically repeat the training.  Finally, conduct testing on both groups to validate comprehension where you can (easier for employees than customers), and document everything!

*Additional reading:

http://www.csoonline.com/article/print/691910