A lawsuit headed to court this week over the 2009 cyber theft of more than a half-million dollars from a small metals shop in Michigan could help draw brighter lines on how far banks need to go to protect their business customers from account takeovers and fraud.
The case is being closely watched by a number of small to mid-sized organizations that have lost millions to cyber thieves and have been waiting for some sign that courts might be willing to force banks to assume at least some of those losses.
Nearly two years ago, cyber crooks stole more than $560,000 from Sterling Heights, Mich. based Experi-Metal Inc. (EMI), sending the money to co-conspirators in a half-dozen countries.
On Jan. 22, 2009, EMI controller Keith Maslowski responded to an e-mail that appeared to be from its bank, Comerica. The message claimed the bank needed to carry out scheduled maintenance on its banking software, and instructed the EMI employee to log in at a Web site that looked like Comerica’s online banking site. Maslowski says the e-mail resembled the annual e-mails Comerica used to send prompting customers to renew their digital certificates. Trouble was, the year before, Comerica had switched from digital certificates to requiring commercial customers to enter the one-time passcode from a security token. The site linked in the e-mail asked for that code, and Maslowski complied.
Almost immediately, the crooks who stole those credentials began wiring money out of EMI’s account. Between 7:30 a.m. and 10:50 a.m. that day, the attackers initiated 47 wire transfers — to China, Estonia, Finland, Russia and Scotland.
Both EMI and Comerica agree on the above version of events, but have very different versions of what happened before and directly after the theft. The two parties met on Tuesday for a pretrial conference, and presented their respective briefs to the court. Comerica’s is here (PDF), and Experi-Metal’s is available at this link (PDF).
EMI claims Comerica inquired about the transfers at 10:50 a.m., and that EMI asked the bank not to honor any further wire transfer requests until further notice. But over the next three hours, the thieves initiated another 38 wires from EMI’s account. EMI also noted that, prior to this burst of fraudulent wires, the company had requested a total of two wire transfers in as many years.
For its part, Comerica said Experi-Metal is not entitled to relief because it cannot prove that Comerica’s actions caused its claimed damages. “The unfortunate events of January 22, 2009 happened because Mr. Maslowski failed to safeguard Experi-Metal’s security information, in breach of Experi-Metal’s contract with Comerica,” Comerica said in its pre-trial brief. “And those losses would not have occurred had Experi-Metal accepted Comerica’s recommendation that Experi-Metal require a different user to approve all wires after one user initiated them.”
Many of the facts to be litigated center on whether Maslowski was authorized to initiate electronic transfers, and whether Comerica employees failed to act on the suspected fraud in a timely manner under industry and commercial standards. Also in question is what portion of Experi-Metal’s claimed losses occurred before Comerica knew of the fraudulent wires and had a reasonable amount of time to react to them.
Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations will be held responsible for any losses due to phishing or account takeovers. But a rash of these attacks that has netted thieves more than $70 million over the last few years has caused some victim businesses and their lawyers to look for ways to hold banks more accountable, by pointing out ways in which the banks may not be living up to the somewhat nebulous state legal standards that govern commercial banking activities.
The few cases brought so far challenge whether banks are meeting their obligations under the Uniform Commercial Code. Michigan’s adoption of the UCC holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method [emphasis mine] of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”
David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association’s Information Security Committee, said the court in this case punted on any discussion of whether Comerica’s security procedures were commercially reasonable. Instead, Navetta said, the court focused on the contracting process between the parties. It declared as a matter of law that Comerica’s security was reasonable because EMI had agreed that it was reasonable in a contract.
“The EMI Court also focused on process in another way that ultimately hurt the bank, and provides the main basis of the dispute for this trial,” Navetta wrote in an e-mail to KrebsOnSecurity. “The court focused on the question of whether Comerica acted in ‘good faith’ in accepting the payment orders from the phishers. This essentially shifts the analysis to the activities of Comerica in reacting to the security breach and refraining from processing the fraudulent wire transfers and sending money out. The question becomes where do the bank’s responsibilities end and the customer’s begin, and to what degree must banks anticipate their customers’ mistakes and develop security to mitigate the risk of a security breach. Reading the trial papers it is obvious that the big fight in front of the jury is whether and to what degree EMI brought this upon itself.”
Navetta believes this case is likely to make banks look very carefully at their security policies and make sure they are in line with federal guidance from federal regulators. “They also may beef up their educational processes around phishing attacks,” Navetta said. “They will also likely offer very robust security in some cases that their clients may ultimately turn down.”
For the moment, though, relatively few banks — particularly smaller to mid-sized institutions — are offering commercial customers the kind of robust security that goes beyond mere customer authentication, said Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School.
Castagnoli said more banks could and should offer the kind of technology employed by the major credit card networks, which try to build profiles of customer activity and then alert the customer or the issuing bank of any suspicious or unusual activity. But she said a large percentage of banks outsource the day-to-day customer transactions to third-party service providers, most of whom do not currently offer services that would conduct that transaction analysis.
“If you look at economic theory, the organization that is best positioned to mitigate the risk is really the bank, because with extremely simple technologies deployed they could reduce risk of current threat or losses from 90 to 95 percent of the time,” Castagnoli said.
“This is a classic case where anomaly detection is ideally suited, because if you look at the circumstances in these thefts and how the transfers occurred, it slaps you in the face because most of this activity looks so odd and would stand out to anyone who took a moment to look,” she said. “But the service providers don’t offer this detection, because of the cost to implement and deploy it, and the question of whether they can push those costs onto their customers. On top of that, there is no incentive or disincentive for that provider to make these investments, because it increases complexity and cost, and nobody is mandating that they do it.”
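The profile-and-alert approach Castagnoli describes, together with the dual-control rule Comerica says it recommended to EMI, is easy to sketch. The following is an added example and not code from the article, from Comerica or from any service provider. It assumes a constructed customer history (two domestic wires in two years, as EMI reported), a constructed attack morning modelled loosely on the facts above (47 wires at four-minute intervals starting 7:30 a.m. to five foreign countries, entered by a single phished user), and invented thresholds: a one-hour velocity window, a limit of three wires per window, and the names `Wire`, `build_profile`, `score_wire`, `evaluate` and `run_example`. Amounts, timestamps and country codes are made up for illustration.

```python
"""Profile-based anomaly detection for commercial wire transfers.

Added example, not code from the article or from any bank. It shows the
kind of check described in the text: build a profile of normal customer
activity, hold wires that depart from it, and require an independent
second approver. All names, amounts, timestamps and thresholds are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Wire:
    ts: datetime
    amount: float
    dest_country: str               # country code of the beneficiary bank
    initiator: str                  # online-banking user who entered it
    approver: Optional[str] = None  # second user who released it, if any


# Constructed baseline: like EMI, two wires in two years, both domestic.
BASELINE: List[Wire] = [
    Wire(datetime(2007, 3, 14, 11, 5), 12500.0, "US", "controller"),
    Wire(datetime(2008, 9, 2, 9, 40), 8000.0, "US", "controller"),
]


def build_profile(history: List[Wire]) -> dict:
    """Summarise what 'normal' looks like for this customer."""
    if not history:
        return {"countries": set(), "max_amount": 0.0}
    return {
        "countries": {w.dest_country for w in history},
        "max_amount": max(w.amount for w in history),
    }


def score_wire(wire: Wire, profile: dict, recent: List[Wire],
               window: timedelta = timedelta(hours=1),
               velocity_limit: int = 3) -> List[str]:
    """Return the reasons (possibly none) a wire departs from the profile."""
    reasons = []
    if wire.dest_country not in profile["countries"]:
        reasons.append(f"new destination country {wire.dest_country}")
    if wire.amount > profile["max_amount"]:
        reasons.append("amount exceeds historical maximum")
    # Velocity: count earlier wires that fell inside the window, plus this one.
    in_window = [w for w in recent if timedelta(0) <= wire.ts - w.ts <= window]
    if len(in_window) + 1 > velocity_limit:
        reasons.append(f"{len(in_window) + 1} wires within {window}")
    # Dual control: a different user must release every wire.
    if wire.approver is None or wire.approver == wire.initiator:
        reasons.append("no independent second approver")
    return reasons


def evaluate(history: List[Wire], incoming: List[Wire],
             **kw) -> Tuple[list, list]:
    """Screen incoming wires in time order; return (held, released) lists."""
    profile = build_profile(history)
    recent: List[Wire] = []
    held, released = [], []
    for w in sorted(incoming, key=lambda x: x.ts):
        reasons = score_wire(w, profile, recent, **kw)
        (held if reasons else released).append((w, reasons))
        recent.append(w)
    return held, released


def run_example() -> Tuple[list, list]:
    """Constructed attack morning: 47 wires from 7:30 a.m. at four-minute
    intervals to five foreign countries, entered by the phished user alone,
    followed by one ordinary domestic wire weeks later."""
    start = datetime(2009, 1, 22, 7, 30)
    countries = ["CN", "EE", "FI", "RU", "GB"]
    attack = [
        Wire(start + timedelta(minutes=4 * i), 9000.0 + 1000.0 * (i % 5),
             countries[i % 5], "controller")
        for i in range(47)
    ]
    legit = Wire(datetime(2009, 2, 10, 10, 0), 5000.0, "US",
                 "controller", approver="cfo")
    return evaluate(BASELINE, attack + [legit])


if __name__ == "__main__":
    held, released = run_example()
    print(f"held {len(held)} wires, released {len(released)}")
    first_wire, first_reasons = held[0]
    print("first hold at", first_wire.ts.time(), "because:", first_reasons)
```

The point of the example is that the very first fraudulent wire is held, on the destination-country and dual-control rules alone, before any velocity signal exists; the velocity rule only adds a third reason from the fourth wire onward. None of the three checks needs more than the customer's own history, which is the "extremely simple technologies" point Castagnoli makes.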
That may change soon. Gartner fraud analyst Avivah Litan wrote last week that businesses can soon expect new IT security guidance from the Federal Financial Institutions Examination Council (FFIEC), the regulatory body that issued the last round of guidance on secure electronic banking, Authentication in an Internet Banking Environment (PDF), in 2005. From Litan’s blog:
“Nonetheless, not all financial institutions have kept up with the spirit of the 2005 guidance. The threats and associated risk levels have clearly moved ahead of the safeguards many banks and credit unions, and their service providers have in place today.
“Typically, the larger banks and credit unions have remained proactive, for reasons ranging from reducing fraud costs, maintaining reputations, and improving organizational efficiency.
“But most of the smaller financial institutions have relied on their online banking service providers to mitigate fraud risk with appropriate services, but the service providers have not introduced risk appropriate fraud mitigation services across their various platform versions and implementations, leaving thousands of U.S. financial institutions — and their customers — unnecessarily exposed.
“I don’t envy the regulators’ job of striking the right balance between too much and too little prescriptive guidance. But based on what happened with the last round, it appears that many executives at financial institutions need more regulatory prodding and detailed guidance in order to allocate budgetary resources to their online and mobile (and other channels’) banking security programs.
“The fate of a customer’s bank account safety should not be determined by the U.S. courts. It should be proactively guided by well-informed and balanced regulators, and conscientious security staff at our nation’s banks.”
I will continue to closely follow this case and others like it. Stay tuned for more updates, including news of additional lawsuits from commercial banking customers seeking to recover six-figure losses from cyber fraud.