Page 1: Online and Mobile Banking Fraud Issues and Hot Topics

Treasury Management Association of Chicago
2012 Windy City Summit (Chicago, Illinois)

Erin F. Fonté, Shareholder, Cox Smith Matthews Incorporated
June 7, 2012
© 2012, Cox Smith Matthews Incorporated


Page 2: Disclaimers

- The opinions expressed in this presentation are solely those of the presenter and do not necessarily reflect the opinions of Cox Smith Matthews Incorporated.
- This presentation is an educational tool that is general in nature and for purposes of illustration only. The materials in this presentation are not exhaustive, do not constitute legal advice and should not be considered a substitute for consulting with legal counsel. Cox Smith Matthews Incorporated does not have an obligation to update the information contained in this presentation.

Page 3: Trends In Payments Fraud

[Chart: Percentage of Importance by Payment Channel, Current vs. +3 Years. Channels: Debit Card, ACH, Credit Card, Check, Online Bill, Wire, ATM. Scale 0–120. Source: AITE Group]

Page 4: Trends in Payments Fraud (cont’d)

FFIEC Supplement – “Threat Landscape & Compensating Controls”

- Fraudsters using increasingly sophisticated and malicious techniques
- Many schemes target small to medium-sized businesses
- Key logging/keystroke malware
- Man-in-the-middle/Man-in-the-browser attacks
- Controls: anti-malware software; transaction monitoring/anomaly detection; out-of-band verification; use of a restricted funds transfer recipient list; establishing limits based on the customer’s business; requiring business customers to utilize dual control routines

Page 5: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

- FFIEC Authentication Supplemental Guidance: supplement to “Authentication in an Internet Banking Environment” (issued in 2005; supplement issued 6/28/11)
- Effective January 1, 2012
- FFIEC Authentication Supplement includes changes/additional guidance for:
  (1) risk assessments
  (2) authentication for high-risk transactions
  (3) layered security programs
  (4) effectiveness of certain authentication techniques
  (5) customer education and awareness (esp. commercial customers)

Page 6: Supplemental Guidance on Internet Banking Authentication (FFIEC) (cont’d)

(1) Risk Assessments

Should consider, but not be limited to, the following:

- Changes in the internal and external threat environment (including Appendix information)
- Changes in customer base adopting electronic banking
- Changes in the customer functionality offered through electronic banking (e.g. consumer RDC via mobile device)
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry

Page 7: Supplemental Guidance on Internet Banking Authentication (FFIEC) (cont’d)

(1) Risk Assessments (cont’d)

- Bank A has effectively implemented a layered approach, including active monitoring solutions and stringent authentication requirements, both in and out-of-bank in nature
- All new customers that send wires or originate ACH transactions must go through a one-on-one Webex training class where fraud prevention is stressed along with following established internal procedures and controls
- We are also deploying a fraud awareness and prevention program for our commercial customers to ensure they have the knowledge and tools needed to protect their assets

Page 8: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

(2) Customer Authentication for High-Risk Transactions

- 2005 FFIEC Guidance definition of “high-risk transactions” remains unchanged (“electronic transactions involving access to customer information or the movement of funds to other parties.”)
- Retail/Consumer Banking: generally involves accessing account info, bill payment, intrabank funds transfers or wire transfers; small dollar and therefore a comparatively lower level of risk, but still needs layered security
- Business/Commercial Banking: generally involves ACH and wire; frequency and dollar amounts are larger, so comparatively more risk than consumer; “Layered security . . . utilizing controls consistent with the increased level of risk for covered business transactions”

Page 9: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

(2) Customer Authentication for High-Risk Transactions (cont’d)

- Bank A requires dual authorization of all wires submitted through our Commercial Online Banking application
- Bank A requires dual authorization and file authentication for all ACH files
- Bank A has only allowed a limited number of customers outside the U.S. to utilize RDC and we monitor those transactions on a daily basis

Page 10: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

(3) Layered Security Programs

- Layered is NOT the same as multi-factor
- Layered security uses different controls at different points in a transaction process so weakness in one control can be compensated by the strength of another control
- Examples:
  - Fraud detection and monitoring systems that include customer history and behavior (i.e. heuristics) and enable a timely and effective FI response
  - Dual customer authorization through different access devices
  - Out-of-band verification for transactions (authentication via 2 systems at the same time – login, PW, token + phone call verification)
  - Use of “positive pay,” debit blocks, and other techniques to limit transactional use of the account

Page 11: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

(3) Examples of Layered Security (cont’d):

- Enhanced account controls (transaction value thresholds, payment recipients, # of transactions per day, days and times for payment (payment windows))
- Internet Protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
- Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels
- Enhanced customer education to increase awareness of fraud risk and effective techniques customers can use to mitigate risk

Page 12: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

(3) Examples of Layered Security (cont’d):

Minimum Layered Security Components:

- Anomalies/FI response for initial login and authentication for electronic banking
- Anomalies/FI response for initiation of electronic transactions involving transfers of funds to other parties
- Control of Administrative Functions: more controls than routine business use

- Bank A has implemented or plans on implementing the various examples of layered security described above
- We strongly encourage our customers to utilize Positive Pay and Payee Review
- Ongoing customer education through messages on our Online Banking application, notification of recent fraud schemes, webinars, etc.
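The enhanced account controls on slides 11 and 12 (value thresholds, approved recipients, per-day counts, payment windows) combined with the dual control and out-of-band verification from slides 4 and 10, as an added Python example of how such layers are evaluated independently on one payment order. This is not code from the presentation, Bank A or the FFIEC; the policy values, payee names, class names and the evaluate_order function are constructed for illustration.

```python
"""Layered account controls applied to a commercial payment order (added example).

Constructed policy and orders; not Bank A's or the FFIEC's code. Each control is
checked on its own, so a weakness in one layer (a stolen password, say) is
compensated by another (approved payee list, dual authorization, out-of-band
confirmation), which is the point of "layered" as opposed to "multi-factor".
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class AccountPolicy:
    max_amount: float                         # per-transaction value threshold
    max_per_day: int                          # number of transfers allowed per day
    approved_payees: frozenset                # restricted funds transfer recipient list
    window: tuple = (time(8, 0), time(17, 0))  # payment window: weekdays, business hours
    dual_auth_over: float = 0.0               # second approver required above this value
    oob_required: bool = True                 # out-of-band verification for every order


@dataclass
class PaymentOrder:
    payee: str
    amount: float
    submitted_at: datetime
    initiator: str                            # user who keyed the order
    approvers: list = field(default_factory=list)  # users who approved it
    oob_confirmed: bool = False               # phone/token confirmation completed


def evaluate_order(order, policy, sent_today):
    """Return the list of failed controls; an empty list means the order may be released.

    sent_today is the number of orders already released for this account today.
    """
    failures = []
    if order.amount > policy.max_amount:
        failures.append("amount exceeds per-transaction threshold")
    if sent_today + 1 > policy.max_per_day:
        failures.append("daily transfer count exceeded")
    if order.payee not in policy.approved_payees:
        failures.append("payee not on approved recipient list")
    start, end = policy.window
    if not (start <= order.submitted_at.time() <= end) or order.submitted_at.weekday() >= 5:
        failures.append("submitted outside payment window")
    if order.amount > policy.dual_auth_over:
        # Dual control: a second, different user must approve, ideally from another device.
        if not [a for a in order.approvers if a != order.initiator]:
            failures.append("dual authorization missing")
    if policy.oob_required and not order.oob_confirmed:
        failures.append("out-of-band verification not completed")
    return failures


def demo():
    """Constructed policy and two constructed orders: one routine, one tripping several layers."""
    policy = AccountPolicy(
        max_amount=50_000.0,
        max_per_day=5,
        approved_payees=frozenset({"ACME-SUPPLY", "PAYROLL-PROVIDER"}),
        dual_auth_over=10_000.0,
    )
    routine = PaymentOrder("ACME-SUPPLY", 8_000.0, datetime(2012, 6, 5, 10, 30),
                           "alice", oob_confirmed=True)
    suspicious = PaymentOrder("UNKNOWN-OFFSHORE", 45_000.0, datetime(2012, 6, 5, 23, 10),
                              "alice", approvers=["alice"])   # self-approved, no OOB, after hours
    return {
        "routine": evaluate_order(routine, policy, sent_today=0),
        "suspicious": evaluate_order(suspicious, policy, sent_today=0),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(name, "->", failures or "released")
```

The suspicious order passes the value threshold alone, which is why a single control is not enough: the payee list, the payment window, the dual-control rule and the out-of-band check each fail it independently, and any one of them would hold it for review.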

Page 13: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

(4) Effectiveness of Certain Authentication Techniques

Device Identification

- Simple cookies no longer “cut it”
- Geo-location and IP address matching – fraudsters can now beat those, too
- One-time cookies and “digital fingerprint” methods are better
- All Agencies consider complex device identification to be more secure and preferable to simple device identification
- “Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique”
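The one-time cookie and digital fingerprint approach on this slide, as an added Python example that is not from the FFIEC guidance, Bank A or any vendor: a device registry that binds an enrolled device to a keyed hash of its attributes and rotates the device cookie on every successful login, so a copied cookie presented a second time is recognised as a replay rather than accepted as the known device. The DeviceRegistry class, its method names, the attribute set and the server key are all constructed for illustration.

```python
"""Complex device identification: rotating device cookie plus keyed fingerprint (added example).

Constructed; not the FFIEC's or any vendor's implementation. A "simple" cookie
is a static secret that a keylogger or malware can copy and reuse. Here the
cookie is one-time: each successful login spends it and issues a new one, and
the device attributes are checked against an HMAC fingerprint taken at enrollment.
"""
import hashlib
import hmac
import secrets


class DeviceRegistry:
    def __init__(self, server_key: bytes):
        self._key = server_key          # constructed secret; keep in an HSM or secrets store in practice
        self._devices = {}              # device_id -> record

    def fingerprint(self, attributes: dict) -> str:
        # Keyed hash of stable client attributes; the raw attributes are never stored.
        canon = "|".join(f"{k}={attributes[k]}" for k in sorted(attributes))
        return hmac.new(self._key, canon.encode(), hashlib.sha256).hexdigest()

    def enroll(self, customer: str, attributes: dict):
        """Register a device after a step-up authentication; returns (device_id, cookie)."""
        device_id = secrets.token_hex(8)
        cookie = secrets.token_urlsafe(32)
        self._devices[device_id] = {
            "customer": customer,
            "fingerprint": self.fingerprint(attributes),
            "cookie": cookie,
            "suspect": False,
        }
        return device_id, cookie

    def check_login(self, customer: str, device_id: str, cookie: str, attributes: dict):
        """Return (verdict, next_cookie). verdict is one of
        "known", "unknown", "replay", "fingerprint-mismatch"; anything but "known"
        should route the session to step-up authentication or FI review."""
        rec = self._devices.get(device_id)
        if rec is None or rec["customer"] != customer:
            return "unknown", None
        if not hmac.compare_digest(rec["cookie"], cookie):
            # The cookie has already been spent: someone is replaying a copy.
            rec["suspect"] = True
            return "replay", None
        if rec["fingerprint"] != self.fingerprint(attributes):
            return "fingerprint-mismatch", None
        # One-time cookie: spend the presented value and issue the next one.
        next_cookie = secrets.token_urlsafe(32)
        rec["cookie"] = next_cookie
        return "known", next_cookie


def demo():
    """Constructed login sequence: legitimate login, cookie replay, attribute change, unknown device."""
    reg = DeviceRegistry(b"constructed-server-key")
    attrs = {"ua": "Browser/12.0", "tz": "-0500", "screen": "1920x1080", "lang": "en-US"}
    device_id, cookie1 = reg.enroll("cust-001", attrs)
    verdicts = []
    v, cookie2 = reg.check_login("cust-001", device_id, cookie1, attrs)
    verdicts.append(v)                                       # known; cookie1 now spent
    v, _ = reg.check_login("cust-001", device_id, cookie1, attrs)
    verdicts.append(v)                                       # replay of the spent cookie
    v, _ = reg.check_login("cust-001", device_id, cookie2, {**attrs, "tz": "+0100", "lang": "de-DE"})
    verdicts.append(v)                                       # valid cookie, different device profile
    v, _ = reg.check_login("cust-001", "0000000000000000", cookie2, attrs)
    verdicts.append(v)                                       # device id never enrolled
    return verdicts


if __name__ == "__main__":
    print(demo())
```

An exact fingerprint match is used here for clarity; production systems tolerate expected drift (browser version updates) and weight attributes, otherwise routine updates generate step-up prompts. The replay branch marks the record as suspect so that the legitimate device's next login can also be stepped up, since a replayed cookie means the real client was compromised.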

Page 14: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

(4) Effectiveness of Certain Authentication Techniques (cont’d)

Challenge Questions

- Keystroke logging malware and personal information voluntarily posted on social media have made basic challenge questions (mother’s maiden name, high school mascot) ineffective
- Must use “out of wallet” questions to be effective (sophisticated questions the customer knows “in their head”; often deploy red herring questions to trick fraudsters)

- Dual authorization seems to be working quite well. We have only experienced a couple of losses from wire or ACH fraud and those were caused by customers not following prescribed internal procedures and controls
- Requiring out of band authentication for originated ACH files has been highly effective and has prevented multiple fraud attempts

Page 15: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

(5) Customer Education and Awareness (esp. commercial customers)

“A financial institution’s customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include following elements:”

- Explanations of protection provided and not provided, and the extent to which Reg E covers their accounts
- Explanations of when, if ever, the bank will contact the customer on an unsolicited basis and/or ask for electronic banking credentials
- Suggestion that online banking customers perform a related risk assessment and controls evaluation periodically
- A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk (or resources where such info can be found)
- Listing of FI contacts for customers to use to alert the FI to suspicious account activity or security-related questions

Page 16: Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011

(5) Customer Education and Awareness (esp. commercial customers) (cont’d)

- Bank A performs onsite customer audits of all Remote Deposit Capture customers that we deem to be high risk to ensure proper internal procedures and controls are being followed
- Bank A asks all Remote Deposit Capture customers to complete an annual Risk survey that focuses on fraud prevention and internal controls
- Bank A clearly states on the front page of its Treasury Management PT&C that it will never ask for passwords, User IDs, or token authentications by e-mail, e-mail internet links, mail, over the telephone or in person
- Bank A has a revolving list of alerts in our Online Banking application about fraud detection and prevention

Page 17: Case Law Issues and Preventative Measures

Commercially Reasonable Security (Patco issues)

- Unknown third parties initiated a series of withdrawals from Patco’s account with Ocean Bank over several days totaling $588,851; Ocean Bank blocked $243,406; Patco wanted the bank to pay the remainder
- Court focused on whether the security procedures employed by Ocean Bank were “commercially reasonable” (under UCC and state UCC)
- 70-page opinion looking at: perspectives of competing experts; industry practices; and alternative security measures
- Court concludes that the bank’s procedures may not have been perfect or best, but they were “commercially reasonable” (appeal?)
- Patco challenged the use of challenge questions themselves – the unique threat of key logging renders challenge questions ineffective

Page 18: Case Law Issues and Preventative Measures (cont’d)

Commercially Reasonable Security (Patco issues cont’d)

- Brian Krebs (“Krebs on Security”) said “Passwords + Secret Questions = ‘Reasonable’ eBanking Security”
- Multi-factor: (1) what you know (login, password); (2) what you have (token); (3) who you are (biometric)
- BUT word to the wise – do not fall behind on making sure that the multi-factor authentication is also part of layered security
- Open question on whether failure to comply with updated FFIEC guidance would be a strike against a bank’s security being “commercially reasonable”
- Open question as to how far below the FFIEC guidance bar you have to fall before your security measures become “unreasonable”
- Guidance is meant to set a “baseline” for best practices, and in reality “guidance” documents are still used by plaintiffs and litigants when arguing what the standard of care should be; carries weight in that it can aid plaintiffs in moving their case pretty far along
- And always keep up with what your competition is offering

Page 19: Case Law Issues and Preventative Measures (cont’d)

Experi-Metal v. Comerica Issues

- Whether the EMI employee who was phished was authorized to initiate wire transfers = risks to and claims against the bank for complete customer administrative controls
- Bank’s escalation procedures killed telephone wires, and killed future sessions of online banking – BUT did not kill the current session where fraudsters were in the system
- Resulted in fraudsters being able to conduct additional fraudulent transfers from 12:04 p.m. until 2:05 p.m. (2 hours, 1 minute) – 15 additional fraudulent wire transfer orders initiated in that time

Page 20: Case Law Issues and Preventative Measures (cont’d)

Experi-Metal v. Comerica Issues (cont’d)

“Good Faith” standard under UCC

- Court in Experi-Metal v. Comerica Bank concluded that Comerica did not act in good faith (i.e. did not observe “reasonable commercial standards of fair dealing”)
- “A bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped” the fraudulent activity earlier
- No longer “good heart and empty head” but rather “honesty in fact and the observance of reasonable commercial standards of fair dealing.” (U.C.C. §§ 1-201, 3-103, emphasis added)
- “Honesty in fact” = SUBJECTIVE prong (pure heart and empty head) – no evidence that Comerica employees

Page 21: Case Law Issues and Preventative Measures (cont’d)

Experi-Metal v. Comerica Issues (cont’d)

- “Observance of reasonable commercial standards of fair dealing” = OBJECTIVE prong (Michigan court citing In re Jersey Tractor Trailer Training, 580 F. 3d at 156.)
- The Official Comments to the U.C.C. make clear that this objective standard should not be equated with a negligence test: “Although fair dealing is a broad term that must be defined in context, it is clear that it is concerned with the fairness of conduct rather than the care with which an act is performed. Failure to exercise ordinary care in conducting a transaction is an entirely different concept than failure to deal fairly in conducting the transaction.” (citing U.C.C. § 1-201 cmt. 20.)

Page 22: Case Law Issues and Preventative Measures (cont’d)

Experi-Metal v. Comerica Issues (cont’d)

- “There is a paucity of cases and authority discussing this recently added prong of the ‘good faith’ requirement.”
- The Maine Supreme Court is the only court that has proposed an approach to address whether the objective prong has been met: (1) whether the conduct of the holder comported with industry or “commercial” standards applicable to the transaction and (2) whether those standards were reasonable standards intended to result in fair dealing. (citing Maine Family Fed. Credit Union, 727 A.2d at 343).

Page 23: Case Law Issues and Preventative Measures (cont’d)

Experi-Metal v. Comerica Issues (cont’d)

- EMI’s and Comerica’s expert witness comments on “good faith” were basically rejected by the court
- Comerica offered NO EVIDENCE that it did act in “good faith” – unlike “commercially reasonable security,” the good faith standard places the burden on the BANK
- NO EVIDENCE on the OBJECTIVE prong of the UCC good faith test = BANK LOSES

Page 24: Case Law Issues and Preventative Measures (cont’d)

Experi-Metal v. Comerica Issues (cont’d)

“[T]he parties cannot vary by agreement what satisfies the ‘good faith’ standard . . . If ‘reasonable commercial standards of fair dealing’ obligated Comerica to respond to the fraudulent wire transfer activity in a particular way and Comerica failed to observe those standards, it cannot demonstrate that it acted in good faith simply by showing that it was relieved of the obligations to adhere to any of those standards in its agreement(s) with Experi-Metal . . . [T]o prevail, Comerica had to present evidence conveying the reasonable commercial standards of fair dealing applicable to a bank’s response to an incident like the one at issue here and to show, by a preponderance of the evidence, that its employees observed those standards . . .”

Page 25: Case Law Issues and Preventative Measures (cont’d)

Experi-Metal v. Comerica Issues (cont’d)

“There are a number of considerations relevant to whether Comerica acted in good faith with respect to this incident”

(1) “The volume and frequency of the payment orders and the book transfers that enabled the criminal to fund those orders” = FFIEC Layered Security

(2) “The $5 million overdraft created by those book transfers in what is regularly a zero balance account” = FFIEC High Risk Transaction

(3) “Experi-Metal’s limited prior wire activity” = FFIEC Layered Security (Customer History and Behavior)

Page 26: Case Law Issues and Preventative Measures (cont’d)

Experi-Metal v. Comerica Issues (cont’d)

(4) “The destinations and beneficiaries of the funds” = FFIEC High Risk Transactions

(5) “Comerica’s knowledge of prior and the current phishing attempts” = FFIEC Risk Assessments

“This trier of fact is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this Court could find otherwise.”
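The “customer history and behavior” heuristics listed as a layered-security example on slide 10, and the five considerations the court mapped to FFIEC controls on slides 25 and 26, as one added Python example (not the court's, Comerica's, Bank A's or the FFIEC's code) of a session-level anomaly score built from a customer's own wire baseline: volume and frequency, an overdraft of a normally zero-balance account, limited prior wire activity, unfamiliar beneficiaries and destinations, and a known phishing campaign. The scoring weights, the score_session function, the tuple layout of a wire record and all sample wires are constructed for illustration; the wire burst is shaped like the pattern described on slide 19 (15 orders in about two hours) but its amounts, names and country code are invented.

```python
"""Customer-history anomaly scoring for wires in one online session (added example).

Constructed weights and sample data; not from the case or the FFIEC. Each check
corresponds to one consideration the court listed, and the score is meant to
drive an FI response (hold the session, call the customer) while the session
is still open, rather than only killing future sessions.
"""
from datetime import datetime, timedelta


def score_session(history, session, balance, phishing_alert):
    """Return (score, reasons) for the wires in a session under review.

    history, session: lists of (datetime, amount, beneficiary, country_code)
    balance:          account balance before the session (0.0 for a zero-balance account)
    phishing_alert:   True if the bank knows of a current phishing campaign against its customers
    """
    if not session:
        return 0, []
    reasons, score = [], 0

    # (1) Volume and frequency against the customer's own baseline.
    past_days = {d.date() for d, _a, _b, _c in history}
    typical_per_day = len(history) / max(len(past_days), 1)
    if len(session) > 5 * max(typical_per_day, 1):
        score += 3
        reasons.append(f"{len(session)} wires in one session vs ~{typical_per_day:.1f}/day baseline")

    # (2) Overdraft of a regularly zero-balance account.
    total = sum(a for _d, a, _b, _c in session)
    if total > balance:
        score += 3
        reasons.append(f"session total {total:,.0f} overdraws balance {balance:,.0f}")

    # (3) Limited prior wire activity: with little history, any wire deserves scrutiny.
    cutoff = session[0][0] - timedelta(days=365)
    recent = [h for h in history if h[0] >= cutoff]
    if len(recent) < 3:
        score += 2
        reasons.append(f"only {len(recent)} wires in prior 12 months")

    # (4) Destinations and beneficiaries the customer has never paid before.
    known = {(b, c) for _d, _a, b, c in history}
    new_dest = sorted({(b, c) for _d, _a, b, c in session if (b, c) not in known})
    if new_dest:
        score += 2
        reasons.append(f"{len(new_dest)} new beneficiary/country pairs, e.g. {new_dest[0]}")

    # (5) Known phishing activity: the bank's own risk assessment lowers every threshold.
    if phishing_alert and score:
        score += 2
        reasons.append("phishing campaign known; elevated response applies")

    return score, reasons


def demo():
    """Constructed scenarios: a wire burst from a low-activity account vs. a routine monthly wire."""
    thin_history = [
        (datetime(2011, 3, 1, 10, 0), 12_000.0, "ACME-STEEL", "US"),
        (datetime(2011, 9, 15, 14, 0), 8_000.0, "ACME-STEEL", "US"),
    ]
    burst_start = datetime(2012, 6, 5, 12, 4)
    burst = [(burst_start + timedelta(minutes=8 * i), 100_000.0, f"BENEF-{i}", "ZZ")
             for i in range(15)]                        # 15 wires in two hours, all new payees
    routine_history = [
        (datetime(2011 if m <= 12 else 2012, ((m - 1) % 12) + 1, 1, 9, 0), 20_000.0, "ACME-STEEL", "US")
        for m in range(7, 19)                           # one wire a month for the past year
    ]
    routine = [(datetime(2012, 6, 5, 10, 30), 20_000.0, "ACME-STEEL", "US")]
    return {
        "burst": score_session(thin_history, burst, balance=0.0, phishing_alert=True),
        "routine": score_session(routine_history, routine, balance=50_000.0, phishing_alert=False),
    }


if __name__ == "__main__":
    for name, (score, reasons) in demo().items():
        print(f"{name}: score={score}")
        for r in reasons:
            print("  -", r)
```

The baseline is per customer, which is what makes "limited prior wire activity" a signal at all: the same 15 wires from an account that sends 50 a day would not trip the frequency check. The weights are arbitrary here; what matters for a layered program is that the score is computed on the live session and can trigger a response before the next order is released.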

Page 27: QUESTIONS?

Erin F. Fonté, CIPP
Shareholder
Banking and Financial Institutions / Privacy and Data Security
Cox Smith Matthews Incorporated
111 Congress Avenue, Suite 2800
Austin, Texas 78701
Direct: [email protected]
@PaymentsLawyer
Link me in: Erin Fonte