It is a common scenario: a company's computer system becomes infected with some variant of the Zeus Trojan with a keylogger that sends keystrokes out to a command and control server operated by a criminal. The criminal searches the keystrokes to find login credentials to that company's Internet bank account, which are used to access the account and make wire transfers to accounts controlled by money mules. If the transactions are not blocked by the bank or detected by the company in time to block them, the company and the bank end up in a dispute over who bears the risk of loss. If the dispute leads to litigation, each side faces risk and litigation costs, in part due to the practical difficulties of meeting their burdens of proof.
This scenario occurred in 2009 between Patco Construction Company and Ocean Bank (later acquired by People’s United Bank). Patco filed suit to recover $345,000 in fraudulent wire transfer losses, but the district court found that the bank had implemented reasonable security measures, allocated the risk of loss to Patco and dismissed all of Patco’s claims. On July 3, 2012, the First Circuit Court of Appeals reversed the district court upon finding that the bank failed to implement commercially reasonable security methods to prevent unauthorized transfers. The First Circuit’s decision offers valuable lessons, which are dependent on understanding how the law allocates risk and the security methods that were used.
The Law. Article 4A of the Uniform Commercial Code allocates the risk of loss for unauthorized commercial wire and ACH transfers to the bank that receives the transfer order unless the bank can show that it accepted the order in good faith and followed a commercially reasonable security procedure for verifying the transaction that was agreed to by the customer. The bank must show that the security procedure was reasonable for that specific customer and bank based on any express instructions from the customer, as well as the circumstances of the customer known to the bank (size, type and frequency of payment orders normally issued by the customer), alternative security procedures offered to the customer, and security procedures in general use by similarly situated banks and customers.
The Security Procedures. In October 2005, the FFIEC issued guidance for authentication in Internet banking, which recommended that banks implement multifactor authentication, layered security, or other controls to mitigate the risk of fraud associated with single-factor authentication (i.e. username and password). To meet the guidance, the bank purchased a “premium package” from a security vendor and implemented a multifactor authentication security procedure with six features: (1) user ID and password; (2) device authentication using a cookie; (3) risk profiling using an algorithm that assigned a risk score to each login and transaction based on factors such as location, IP address and size, type, and frequency of orders; (4) challenge questions; (5) dollar amount of the order that triggers challenge questions; and (6) blacklisting of IP addresses associated with known instances of fraud. The bank did not use out-of-band authentication or tokens.
The Fraudulent Transfers. For six years, Patco used Internet banking to make ACH transfers primarily for payroll. The payroll ACH transfers were always made on Fridays from a computer in Patco’s office with the same static IP address. Over six years, the largest ACH amount was $36,000 and the highest risk score was 214. In May 2009, an unauthorized person who supplied the correct user name, password and challenge question answers to access Patco’s Internet bank account made a series of daily fraudulent ACH transfers over the course of one week that totaled $588,851. All of the logins associated with the fraudulent transfers were from an unrecognized device and an IP address that Patco had never used. The daily fraudulent transfers were two and three times larger than any daily transfer Patco had requested in the prior six years, and they were assigned high-risk scores of 720 and 790. The payments were directed to accounts that had never before received payments from Patco. Even though the fraudulent transfer orders generated high-risk scores, the bank did not manually review any of the high-risk transactions.
The fraudulent transfers were only detected after Patco received notice by mail from the bank that some of the fraudulent transfers failed because they were sent to invalid account numbers. Even after Patco notified the bank of unauthorized transfers, another unauthorized transfer order was placed and initially processed by the bank. The bank was only able to recover or block some of the transfers, leaving a net loss of $345,000.
Commercially Unreasonable. In finding that the bank’s security procedures were commercially unreasonable, the First Circuit relied on the totality of the following “collective failures”: (1) prior to May 2009, the bank was aware of the increased fraud resulting from keylogger malware and had already experienced two other instances of fraud associated with keylogger malware; (2) the bank lowered its dollar threshold for the use of challenge questions from $100,000 to $1, which the court determined substantially increased the risk that a keylogger would capture the challenge question answers at the same time as the log-in credentials; (3) the bank introduced no additional security measures to counter its decision to lower the challenge question threshold; (4) other similarly situated banks had introduced the use of tokens or manual review and verification of uncharacteristic or suspicious transactions; and (5) the fraudulent transactions were flagged as uncharacteristic, highly suspicious, and potentially fraudulent from a “very high risk non-authenticated device,” but the bank did not use that information in processing the transactions.
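The signals described above (device, IP address, size, type and frequency of orders, risk score) were all available to the bank before each order was processed. The following is an added illustration, not the bank's or its vendor's code, of a pre-processing review policy that holds an order for manual verification when those signals depart from the customer's history or when the customer has already reported fraud. The history, the suspect order, the 500-point hold threshold and the 1.5x amount multiple are all constructed assumptions modelled on the figures in the text.

```python
from dataclasses import dataclass, field

@dataclass
class Order:  # one ACH payment order as the bank's risk engine sees it
    amount: float
    device_id: str
    ip: str
    weekday: str
    beneficiary: str
    risk_score: int  # score from the bank's risk-profiling step (assumed 0-1000 scale)

@dataclass
class Profile:  # what the bank already knows about the customer from past orders
    devices: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    beneficiaries: set = field(default_factory=set)
    weekdays: set = field(default_factory=set)
    max_amount: float = 0.0
    fraud_reported: bool = False  # set once the customer reports suspicious activity

def build_profile(history):
    p = Profile()
    for o in history:
        p.devices.add(o.device_id); p.ips.add(o.ip)
        p.beneficiaries.add(o.beneficiary); p.weekdays.add(o.weekday)
        p.max_amount = max(p.max_amount, o.amount)
    return p

def review(order, profile, score_hold=500, amount_multiple=1.5):
    """Return ('hold'|'process', reasons). 'hold' = verify manually before processing."""
    checks = [
        (order.device_id not in profile.devices, "unrecognized device"),
        (order.ip not in profile.ips, "IP address never used by this customer"),
        (order.beneficiary not in profile.beneficiaries, "beneficiary never paid before"),
        (order.weekday not in profile.weekdays, "outside customer's usual payment day"),
        (order.amount > amount_multiple * profile.max_amount, "amount far above historical maximum"),
        (order.risk_score >= score_hold, f"risk score {order.risk_score} at or above hold threshold"),
    ]
    reasons = [msg for hit, msg in checks if hit]
    if profile.fraud_reported:
        reasons.insert(0, "customer has reported fraud: every order held")
    # One anomaly alone may be benign; a fraud report, a high score, or two signals together hold the order.
    hold = profile.fraud_reported or order.risk_score >= score_hold or len(reasons) >= 2
    return ("hold" if hold else "process"), reasons

# Constructed history modelled on the page: Friday payroll from one office device and static IP.
HISTORY = [Order(a, "office-pc", "203.0.113.10", "Fri", "payroll-acct", s)
           for a, s in [(28000, 150), (36000, 214), (31000, 180)]]
PROFILE = build_profile(HISTORY)
# Constructed order with the traits the court described: new device, new IP, new payee, high score.
SUSPECT = Order(95000, "unknown-dev", "198.51.100.77", "Tue", "mule-acct", 720)
```

Calling `review(SUSPECT, PROFILE)` returns `"hold"` with all six reasons listed, while a routine Friday payroll order from the office device is processed normally.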
Consumer Obligations. The First Circuit noted that there are open questions under Article 4A of the UCC as to what, if any, obligations a company has when the bank’s security system is commercially unreasonable. The court identified two factual issues that might affect this determination: (1) whether Patco had requested e-mail alerts, since Patco argued that it requested e-mail alerts from the bank but never received them, while the bank argued that it sent a general notice to all customers with instructions on how to change their “Alerts” to receive e-mail alerts and Patco never set its account to receive alerts; and (2) whether the fraud originated from keylogging malware, because Patco was alleged to have failed to properly preserve available computer forensic evidence (the anti-virus scan that Patco’s IT consultant ran after the fraud was detected quarantined and deleted the encryption key necessary to see the configuration file, which could have shown whether the malware was configured to capture log-in credentials).
The lessons learned and issues to consider based on this decision include:
- Implementing a one-size-fits-all security solution or failing to implement the solution as designed will leave a bank vulnerable to a finding of commercial unreasonableness, especially if the tools give the bank sufficient information to detect and prevent the fraud (e.g. reviewing high-risk transactions before processing) but the bank does not use it.
- When bank employees are contacted by customers who report suspected fraud, what instructions are being given to customers?
- Are customers instructed to engage a qualified computer forensic expert to examine their computer network and appropriately preserve relevant data?
- It may be beneficial to develop a standard set of recommendations that can be sent to customers in this scenario, and documentation of sending that communication should be preserved.
- Are there protocols that result in at least temporarily blocking, or adding heightened monitoring to, all orders on accounts where the customer reports suspicious activity, so that fraudulent orders are not processed after the bank receives the first report of suspicious activity?
- If banks are communicating with customers regarding available features and options to enhance the security of Internet banking, are those communications being preserved and documented appropriately so that they may be properly introduced as evidence to show security options made available but not implemented by the customer?
- In addition to other security features and best practices, are banks advising customers to use a dedicated computer that is used only for accessing their Internet banking account (e.g. the computer is not used to browse any other sites on the Internet or to check e-mail)?
- In deciding how to address the dispute with customers, one factor to consider is that the commercial reasonableness of the security will be judged by courts and juries several years after the incident occurred. And even though the security should be judged based on what was appropriate at the time of the incident, given the speed at which technology and attack vectors change, the passage of time will likely negatively impact the perception of whether the security was commercially reasonable.