
Inadequate IT procedures expose banks to liability for online fraud

December 18, 2012


In today’s cyberworld, where would-be thieves are finding ever more clever ways to commit fraud and theft, it’s critical that banks offering online banking implement effective, risk-based security procedures. Not only is it good business in terms of customer satisfaction, but it can also help protect a bank against liability for online fraud. In a recent case, one bank learned this lesson the hard way.

Technology was underused

In Patco Construction Co. v. People’s United Bank, the U.S. Court of Appeals for the First Circuit found that a bank was potentially liable for over $345,000 in fraudulent withdrawals from a customer’s account.

The customer, Patco, used online banking primarily to make weekly payroll payments. These payments were always made on Fridays, were always initiated from a computer at Patco’s offices, and always originated from a single static IP address. The largest payment Patco ever made was just under $37,000.

In 2007, the bank implemented a sophisticated security system that involved user IDs and passwords, “invisible” device authentication and risk profiling. The system monitored all log-in attempts and transactions and assigned each a risk score based on IP address, device ID, the customer’s “normal” transaction profile, and other factors. Risk scores that exceeded a specified threshold triggered additional authentication procedures — in this case, answering three pre-established challenge questions.

Challenge questions were also triggered if the transaction amount exceeded $100,000. Transactions were immediately blocked if the user’s IP address appeared on a fraud watchlist.

In 2008, the bank reduced the dollar threshold from $100,000 to $1. The following year, a fraudster with access to a Patco employee’s ID and password — as well as the challenge question answers — initiated six withdrawals over a seven-day period totaling nearly $589,000. The withdrawal amounts ranged from around $56,000 to more than $115,000.

Despite the unusual nature of these transactions, which yielded unprecedentedly high risk scores, the bank processed them as usual and did nothing to alert Patco. Fortunately, some of the transfers were rejected because of bad account numbers, and the bank blocked some transfers after Patco notified it of the fraud. Nonetheless, Patco was left with a $345,000 loss.

System was compromised

Under Article 4A of the Uniform Commercial Code, banks generally bear the risk of losses caused by unauthorized transfers. But they can shift the risk of loss to customers by having them agree to commercially reasonable security procedures for verifying transactions.

In this case, the bank’s procedures weren’t commercially reasonable. By reducing the dollar threshold to $1, the bank essentially crippled its risk-scoring system, since users had to answer the challenge questions for every transaction. This made the answers more vulnerable to interception by keyloggers (programs that record everything a user types) or other malware, increasing the risk of fraud.

In light of these weaknesses, and the bank’s knowledge of fraud incidents involving keylogging malware, the bank’s failure to implement additional security measures — such as manual reviews or additional authentication procedures for transactions with high risk scores — was unreasonable.
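The scoring-and-step-up mechanism described above can be modelled in a few dozen lines, which makes the effect of the $1 threshold concrete. The following is an added example, not the bank's system or the vendor's product: the factor weights, the thresholds, Patco's "normal" profile and the sample transactions are constructed for illustration. It also adds the hold-for-manual-review step the court said was missing, so the same scorer shows both the policy that was in place and the one that would have caught the transfers.

```python
"""Risk-based step-up authentication, modelled on the procedure described above.

Added example (not the bank's code). The factor weights, thresholds, the customer
profile and the sample transactions are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Profile:
    """A customer's 'normal' transaction profile (constructed values)."""
    usual_ip: str
    usual_device: str
    usual_weekday: int   # Monday=0 ... Friday=4
    max_amount: float    # largest payment seen so far


@dataclass(frozen=True)
class Transaction:
    when: date
    ip: str
    device: str
    amount: float


@dataclass(frozen=True)
class Decision:
    risk_score: int
    challenge: bool        # step-up authentication (challenge questions)
    hold_for_review: bool  # park the transfer for a human to look at
    blocked: bool          # originating IP is on the fraud watchlist
    reasons: tuple[str, ...]


def risk_score(tx: Transaction, profile: Profile) -> tuple[int, tuple[str, ...]]:
    """Score how far a transaction departs from the customer's profile (weights constructed)."""
    score, reasons = 0, []
    if tx.ip != profile.usual_ip:
        score += 40
        reasons.append("unfamiliar IP address")
    if tx.device != profile.usual_device:
        score += 30
        reasons.append("unrecognised device")
    if tx.when.weekday() != profile.usual_weekday:
        score += 10
        reasons.append("unusual day of week")
    if tx.amount > profile.max_amount:
        score += 20
        reasons.append("exceeds customer's historical maximum")
    return score, tuple(reasons)


def evaluate(tx: Transaction, profile: Profile, *, amount_threshold: float,
             risk_threshold: int, review_threshold: int,
             watchlist: frozenset[str] = frozenset()) -> Decision:
    """Apply the layered policy: watchlist block, score/amount step-up, manual hold."""
    score, reasons = risk_score(tx, profile)
    blocked = tx.ip in watchlist
    # A low amount threshold forces the challenge on every transfer, whatever the score.
    challenge = score >= risk_threshold or tx.amount > amount_threshold
    hold_for_review = score >= review_threshold
    return Decision(score, challenge, hold_for_review, blocked, reasons)


def challenge_rate(txs: list[Transaction], profile: Profile, **policy) -> float:
    """Fraction of transactions that would have to pass the challenge questions."""
    return sum(evaluate(t, profile, **policy).challenge for t in txs) / len(txs)


# --- constructed sample data (IPs from the documentation ranges) -----------------
PATCO_PROFILE = Profile("203.0.113.10", "patco-office-pc", 4, 36_900.0)
FIRST_FRIDAY = date(2009, 5, 1)  # a Friday
WEEKLY_PAYROLL = [Transaction(FIRST_FRIDAY + timedelta(weeks=i), "203.0.113.10",
                              "patco-office-pc", 30_000.0 + 500 * i) for i in range(10)]
FRAUD = Transaction(date(2009, 5, 6), "198.51.100.77", "unknown-device-1", 56_000.0)

# Policy as originally deployed versus the $1 threshold adopted later (review step added).
ORIGINAL_POLICY = dict(amount_threshold=100_000.0, risk_threshold=50, review_threshold=70)
CRIPPLED_POLICY = dict(amount_threshold=1.0, risk_threshold=50, review_threshold=70)


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("$1 threshold", CRIPPLED_POLICY)):
        rate = challenge_rate(WEEKLY_PAYROLL, PATCO_PROFILE, **policy)
        print(f"{name}: {rate:.0%} of routine payroll runs challenged")
        print(f"{name}: fraud ->", evaluate(FRAUD, PATCO_PROFILE, **policy))
```

Under the original policy none of the routine Friday payroll runs are challenged, so the challenge answers are typed rarely; under the $1 threshold every run is challenged, which is what put the answers within reach of a keylogger. In both cases the out-of-profile transfer scores far above the review threshold, so a hold-for-review rule keyed to the score, rather than to the amount alone, would have stopped it regardless of whether the challenge was answered correctly.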

Do your homework

To avoid liability for online fraud, review your security procedures to ensure that they’re designed to require a higher level of security for riskier transactions or customers and that the procedures are effective. The FFIEC’s paper, “Authentication in an Internet Banking Environment,” provides guidance on the “layered” security measures needed to combat fraud in the current environment.

For more information contact David Klopfer at [email protected]

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a Clark Schaefer Hackett professional. Clark Schaefer Hackett will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.
