Failure to Conduct Proper Email Notifications on Account Usage and Account Changes Costs one Bank over $400,000
Sarasota, FL, July 31, 2012 / Internal Release - Many online merchants today focus their risk management efforts on preventing the fraudulent use of credit cards, on the assumption that account takeover risk is minimal and acceptable. While account takeover risk may be less of a concern for these companies, failure to employ reasonable security standards to protect their customers’ stored billing instruments could end up costing them far more money than they expected.
For most merchants account takeover risk is minimal, but if your company maintains a balance on behalf of the consumer, that is, a stored value such as commissions, peer-to-peer payments, balance transfers or loyalty points, you have an increased risk of loss from account takeover.
Understanding that you have risk is one thing; what you do to protect your company and the access to your customers’ financial data is another. In our assessment, any company with access to stored value should take note of recent legal cases in the banking sector that have set the precedent that financial institutions must employ reasonable security standards, such as sending proper notification of account changes and bank transfers, or courts may find them liable for their banking clients’ fraud losses. In short, you should establish a standard that meets or exceeds reasonable or “common sense” security standards.
In the banking world, unlike the general market, consumer bank accounts are protected from much of the liability for fraud losses from an account takeover under Regulation E, but business accounts are not. There would thus appear to be a clear definition, in the banking sector, of who is liable in the case of a fraudulent account takeover and of when it must be reported. However, recent legal cases have shown that not employing simple security measures such as two-factor authentication or email notification nullifies these reporting limitations as well as the customer’s liability for loss. As a merchant or company in the position of having to fight a customer lawsuit where funds you stored were accessed fraudulently online, you would be best positioned to plead your case if you can show that you employ these basic practices of proper notification and authentication.
Businesses small and large, as well as municipal offices and state departments, have been targeted by hackers, malware and spear phishing campaigns that are after their bank account credentials. After taking over the accounts, fraudsters attempt to siphon available balances to various money mules and bank accounts and withdraw the funds before the fraudulent transactions can be recognized and reversed. While consumers have 60 days to recognize and notify their bank of fraud to avoid full liability for the losses under Regulation E, commercial bank accounts are governed by the Uniform Commercial Code (UCC), which gives the business 48 hours to notify its financial institution. Fraudsters have continued to target businesses because corporate account takeovers can yield higher payouts, and over the past two years there have been several notable cases of businesses and their banks battling in court to determine who should be liable for the fraud.
A recent case between a California escrow company and its bank resulted in the financial institution settling for an undisclosed sum that covered the fraud losses plus interest. Fraudsters obtained the company’s bank credentials by what was believed to be a compromise of Village View Escrow Inc.’s network. They were then able to send 26 consecutive wire transfers outside the United States, totaling more than $400,000 in losses. The financial institution, Professional Business Bank, had an email verification alert service in place, but the fraudsters were able to disable it, preventing Village View Escrow from realizing the fraud right away. The escrow company also contended that the bank was not in compliance with FFIEC authentication guidelines, as it offered only single-factor authentication. Rather than contest these allegations, Professional Business Bank opted to settle with Village View Escrow for an undisclosed sum, but one large enough to cover the $400,000 fraud losses plus interest (the actual losses occurred over 2 years ago).
The reality is that many merchants and financial institutions knowingly ignore best practice security protocols when they believe doing so will enhance the customer experience online. Unfortunately, whether or not this improves the customer experience, it does increase the business’s exposure to fraud. In some cases the drive to enhance user experience results in “common sense” security measures such as strong password controls, reasonable data collection and strong customer notification of use and changes within the online system not being implemented at all. While the implications of not following these protocols might seem negligible to a company that has not experienced fraud from account takeover in the past, recent trends in fraud, where fraudsters conduct corporate account takeovers and siphon out money, show that fraudsters are very aware of the potential for this type of attack. This increased fraud activity, the lack of attention to protocols that protect accounts from takeover, and the outcomes of recent customer lawsuits together indicate that organizations should ensure they follow “reasonable” security protocols.
Currently, it is still a legal gray area who is financially liable for fraud loss as the result of account takeover through phishing, malware or other means, especially when it comes to financial institutions and business banking clients. However, through case law, the body of existing rulings that reinterpret the law as times and technology change, precedent is being set that will guide future cases. The bottom line is that financial institutions are expected to implement reasonable and common sense security measures to recognize and prevent fraud, and merchants and companies dealing with stored value should assume the same expectations apply to them. One thing we can take away from the Village View Escrow v. Professional Business Bank case is that it should be considered a best practice to send an email notification when an account change is made and when significant purchases or money transfers occur. The next time you are debating with your sales department whether to send an email confirmation on an account change, you may want to be a little more aggressive in your stance. While sending account notifications and email confirmations for transactions, transfers and account changes may be resisted within your organization because of the associated costs or the added friction in the user experience, the cost of not sending such notifications can be much greater. Consider these past cases of businesses holding financial institutions accountable for account takeover fraud losses as well.
Experi-Metal vs. Comerica Bank
After their bank account credentials were compromised by a targeted phishing attack, auto-parts company Experi-Metal had $560,000 fraudulently transferred from their bank account with Comerica. Comerica argued that Experi-Metal had been phished and should be liable for the losses, but the court ruled that the bank should have been able to identify and stop the fraudulent transfers. Comerica was required to reimburse Experi-Metal for the losses, as it was determined that, given the company’s history of limited transactions to a small group of domestic parties and Comerica’s knowledge that Experi-Metal was being targeted with phishing attempts, the fraud should have been prevented.
PATCO vs. Ocean Bank
In the case of PATCO Construction Inc. versus Ocean Bank, however, the court ruled in favor of the financial institution. The construction company lost more than $500,000 after its account was taken over and argued that the bank should be liable as it was not meeting FFIEC multifactor authentication requirements. The judge ultimately ruled that while Ocean Bank’s security was less than optimal, it did meet the legal requirements for multifactor authentication, and the case was dismissed.
A strong account notification policy, covering both use and change, is a best practice The Fraud Practice recommends for all financial institutions and organizations storing billing instrument information on behalf of their customers. Any time a user attempts to change their username, password or any contact or billing information, the organization should send an automatic notification to the account holder via email, in addition to offering text alerts and/or phone call notifications as applicable. This notification should also be sent to the old phone number or email address when those data points are changed. Such notifications alert consumers and businesses to account takeovers immediately and can prevent or minimize the resulting fraud losses. Additionally, when transfers or transactions occur or are attempted, notifications should be sent so the customer can report them as fraudulent right away. Even where notifications are sent but the customer does not respond, the fact that they were sent shows the organization did take reasonable steps to detect, and inform the customer of, potentially fraudulent activity.
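The policy above, written out as a small Python module, is an added illustration and is not code from The Fraud Practice or from any bank named in this release. It assumes a hypothetical account record (a dict with username, email, phone and an alerts_enabled flag) and a caller-supplied transport callable for email and SMS; the demo collects messages in a list so it runs offline. It shows three points the text makes: contact changes are announced to the old address as well as the new one, switching alerts off is itself announced before it takes effect (the gap exploited in the Village View Escrow case), and transfers above a threshold are alerted regardless of the opt-out. The threshold, IP addresses and account details are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

CONTACT_FIELDS = ("email", "phone")
CREDENTIAL_FIELDS = ("username", "password")
# Transfers at or above this amount are alerted even when optional alerts are
# switched off on the account. Constructed value for the example.
ALWAYS_NOTIFY_THRESHOLD = 1000.00


def contacts(account: Dict) -> List[Tuple[str, str]]:
    """(channel, address) pairs currently on file for an account."""
    return [(f, account[f]) for f in CONTACT_FIELDS if account.get(f)]


@dataclass
class Notifier:
    # transport(channel, address, message) is supplied by the caller; the demo
    # below collects messages in a list instead of sending real mail or SMS.
    transport: Callable[[str, str, str], None]
    audit: List[Dict] = field(default_factory=list)

    def _deliver(self, targets, message: str, event: str) -> int:
        """Send one message per distinct (channel, address) and record each send."""
        sent = set()
        for channel, address in targets:
            if (channel, address) in sent:
                continue
            sent.add((channel, address))
            self.transport(channel, address, message)
            self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "channel": channel, "address": address})
        return len(sent)

    def account_changed(self, before: Dict, after: Dict, changed: str, source_ip: str) -> int:
        """Announce a credential or contact change. A contact change goes to the
        OLD address as well as the new one, so replacing the email on file
        cannot hide the change from the real account holder."""
        if changed not in CONTACT_FIELDS + CREDENTIAL_FIELDS:
            return 0
        targets = contacts(after)
        if changed in CONTACT_FIELDS:
            targets = contacts(before) + targets
        detail = "" if changed == "password" else f" to {after.get(changed)!r}"
        msg = (f"Your {changed} was changed{detail} from {source_ip}. "
               "If this was not you, contact us immediately.")
        return self._deliver(targets, msg, f"{changed}_changed")

    def alerts_disabled(self, account: Dict, source_ip: str) -> int:
        """Switching alerts off is itself an account change: it is announced to
        every contact on file BEFORE the preference takes effect and cannot be
        opted out of."""
        msg = (f"Transaction alerts were switched off from {source_ip}. "
               "If this was not you, contact us immediately.")
        n = self._deliver(contacts(account), msg, "alerts_disabled")
        account["alerts_enabled"] = False
        return n

    def transfer(self, account: Dict, amount: float, destination: str, source_ip: str) -> int:
        """Alert on a transfer; large transfers ignore the opt-out but the
        decision is still written to the audit trail."""
        if not account.get("alerts_enabled", True) and amount < ALWAYS_NOTIFY_THRESHOLD:
            self.audit.append({"event": "transfer_unalerted", "amount": amount})
            return 0
        msg = f"Transfer of {amount:,.2f} to {destination} initiated from {source_ip}."
        return self._deliver(contacts(account), msg, "transfer")


def demo():
    """Walk a constructed account through a contact change, an alert opt-out
    and two transfers; returns (notifier, messages) for inspection."""
    messages = []
    notifier = Notifier(lambda ch, addr, msg: messages.append((ch, addr, msg)))
    account = {"username": "acme-escrow", "email": "ops@example.com",
               "phone": "+15555550100", "alerts_enabled": True}        # constructed
    before = dict(account)
    account["email"] = "new-address@example.net"                       # constructed
    notifier.account_changed(before, account, "email", "198.51.100.7")    # 3 sends
    notifier.alerts_disabled(account, "198.51.100.7")                     # 2 sends
    notifier.transfer(account, 25000.00, "IBAN-REDACTED", "198.51.100.7")  # 2 sends
    notifier.transfer(account, 50.00, "IBAN-REDACTED", "198.51.100.7")     # 0 sends
    return notifier, messages


if __name__ == "__main__":
    n, msgs = demo()
    for channel, address, text in msgs:
        print(f"[{channel}] {address}: {text}")
```

Two design choices matter here. The old contact details are captured before the write, not reconstructed afterwards, so the pre-change address always receives a copy; and the audit list records unalerted transfers as well as sends, which is the evidence an organization would want if it later has to show it took reasonable steps to inform the customer.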