Industry and legal experts say a spate of lawsuits filed in the wake of a surge in online bank fraud is forcing banks to re-examine their online banking security.
Online bank fraud -- particularly attacks against corporate accounts belonging to small- and mid-sized businesses -- has become an increasingly critical problem for the industry for at least the past year. Criminals have used malware like the Zeus Trojan to steal banking customers' online credentials, hijack accounts, and initiate fraudulent ACH and wire transactions. Several businesses (see list below) that had their accounts drained in fraud attacks have sued their banks in an attempt to recoup their losses.
"The lawsuits are prompting financial institutions to be generally more proactive and view the threat of fraud more strategically," said Terry Austin, president and CEO at Guardian Analytics Inc., a Los Altos, Calif.-based provider of fraud detection technology. In light of the litigation, banks are realizing there is more at stake than accepting a certain level of risk associated with fraud, he added: "Their reputations are at stake."
Scott Vernick, partner at Fox Rothschild LLP who handles data security cases, agreed that the lawsuits raise reputational risk issues for banks. "Individual consumers and businesses want to believe their financial institutions are places where they can conduct online business in a secure fashion. … If you're a bank, you want to project and cultivate the image that it's safe to conduct business online."
The fact that in two cases banks haven't been able to win summary judgment, and so could not avoid going to trial, will lead banks to pay more attention to their security and to how they set up their contractual agreements with their small business customers, said David Navetta, a founding partner of the Information Law Group, which focuses on privacy, data security and IT issues. Some banks might re-examine weaknesses associated with two-factor authentication.
"Banks with the wherewithal will look at what they're doing from a security standpoint and take an inventory of potential areas where there may be some risk," he said.
Austin said the lawsuits illustrate the prevailing public opinion is that it is the banks' responsibility to secure the online channel, and banks are beginning to look for more long-term solutions to the problem instead of stopgap measures. "As painful as it's been, it's generating positive responses," Austin said of the litigation.
Here's a rundown of some of the cases resulting from online bank fraud:
Patco Construction Company Inc. v. People's United Bank d/b/a Ocean Bank: Maine-based Patco sued Ocean Bank after cybercriminals hijacked the company's accounts during a week in May 2009 and stole $588,851 through multiple fraudulent ACH transfers. After the bank recovered or blocked some of the transfers, the company's loss totaled $345,444, according to court documents.
Patco contended that Ocean Bank failed to implement proper security to prevent the fraudulent transfers by not offering multifactor authentication, using an "unreasonably low trigger" for challenge question-based authentication, and other deficiencies. The bank argued that its contracts with Patco for e-banking and ACH transactions limited Ocean's liability. Patco also was required to notify the bank of any objections to an ACH debit on the same day it occurs, according to the bank; Patco claimed it wasn't aware of the fraudulent activity until a week after it started.
Experi-Metal Inc. v. Comerica Inc.: Michigan-based manufacturing company Experi-Metal (EMI) filed suit against Comerica after a phishing attack in January 2009 led to 85 fraudulent wire transfers from EMI's accounts to multiple accounts both overseas and domestic. The unauthorized transfers totaled $1.9 million; Comerica was able to recover all but $560,000, according to court documents.
EMI blamed the loss on a number of Comerica failings, including not detecting and preventing the fraudulent transfers and its practice of sending emails to EMI with instructions to follow a link and log on to a website for the purpose of renewing the digital certificates that Comerica used for authentication. EMI also contended that Comerica should have known that the token-based authentication system it switched to in 2008 was ineffective against man-in-the-middle attacks.
Comerica countered that the alleged loss was the fault of EMI. Valid credentials were used to conduct the transactions, the bank said in a court filing, adding, "If some unknown criminals used those credentials rather than the EMI employee to whom they had been entrusted, this was caused solely by the actions of that employee." The bank also denied that the website in the phishing email sent to EMI appeared to belong to Comerica to "any reasonably alert person who was responsible for safeguarding EMI's financial records and digital credentials."
Last month, U.S. District Judge Patrick Duggan denied Comerica's request for summary judgment in the case.
Shames-Yeakel v. Citizens Financial Bank: In a consumer case, Marsha and Michael Shames-Yeakel of Indiana sued Citizens Financial Bank in 2007 after an attacker broke into their online account and stole $26,500 from a home equity credit line. The lawsuit, filed in the northern district of Illinois, alleges a number of violations, including that the bank's online security lagged behind industry standards. Last August, U.S. District Judge Rebecca Pallmeyer rejected the bank's request to dismiss the claim; the parties agreed to settle the case late last year.
PlainsCapital Bank v. Hillary Machinery: In what was a strange twist, Hillary Machinery of Plano, Texas was sued by its former bank, Dallas-based PlainsCapital, after being victimized by online banking fraud late last year. Hillary countersued the bank over the cyberheist, in which criminals stole about $800,000; PlainsCapital recovered almost $600,000. The parties settled in the spring without going to trial.
Bullitt County, Kentucky v. First Federal Savings Bank of Elizabethtown: The county sued its bank, First Federal Savings Bank of Elizabethtown, last summer after cybercriminals stole $415,989 through fraudulent ACH transactions, according to court documents obtained by The Courier-Journal. The bank, which claims the county's security failures led to a Zeus infection, refused to reimburse the county for $310,176 that wasn't recovered.
Vernick of Fox Rothschild said he doesn't expect these kinds of lawsuits to go away anytime soon. Indeed, the number of online bank fraud attacks hasn't dropped at all, Austin of Guardian Analytics said. The company recently held a roundtable with banks, credit unions and law enforcement officials; the consensus was that online fraud is increasing. "The banks on the frontlines all say it's getting worse," he said.