Technology was underused
In Patco Construction Co. v. People’s United Bank, the U.S. Court of Appeals for the First Circuit found that a bank was potentially liable for over $345,000 in fraudulent withdrawals from a customer’s account.
The customer, Patco, used online banking primarily to make weekly payroll payments. These payments were always made on Fridays, were always initiated from a computer at Patco’s offices, and always originated from a single static IP address. The largest payment Patco ever made was just under $37,000.
In 2007, the bank implemented a sophisticated security system that involved user IDs and passwords, “invisible” device authentication and risk profiling. The system monitored all log-in attempts and transactions and assigned each a risk score based on IP address, device ID, the customer’s “normal” transaction profile, and other factors. Risk scores that exceeded a specified threshold triggered additional authentication procedures — in this case, answering three pre-established challenge questions.
Challenge questions also were triggered if the transaction amount exceeded $100,000. Transactions were immediately blocked if the user’s IP address appeared on a fraud watchlist.
In 2008, the bank reduced the dollar threshold from $100,000 to $1. The following year, a fraudster with access to a Patco employee’s ID and password — as well as the challenge question answers — initiated six withdrawals over a seven-day period totaling nearly $589,000. The withdrawal amounts ranged from around $56,000 to more than $115,000.
Despite the unusual nature of these transactions, which yielded unprecedentedly high risk scores, the bank processed them as usual and did nothing to alert Patco. Fortunately, some of the transfers were rejected because of bad account numbers, and the bank blocked some transfers after Patco notified it of the fraud. Nonetheless, Patco was left with a $345,000 loss.
System was compromised
Under Article 4A of the Uniform Commercial Code, banks generally bear the risk of losses caused by unauthorized transfers. But they can shift the risk of loss to customers by having them agree to commercially reasonable security procedures for verifying transactions.
In this case, the bank’s procedures weren’t commercially reasonable. By reducing the dollar threshold to $1, the bank essentially crippled its risk-scoring system, since users had to answer the challenge questions for every transaction. This made the answers more vulnerable to interception by keyloggers (programs that record everything a user types) or other malware, increasing the risk of fraud.
In light of these weaknesses, and the bank’s knowledge of fraud incidents involving keylogging malware, the bank’s failure to implement additional security measures — such as manual reviews or additional authentication procedures for transactions with high risk scores — was unreasonable.
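The following is an added illustration, not code from the article, the bank or the court record: a small risk-scoring and step-up model of the kind the case describes (IP, device, schedule and amount compared against the customer's normal profile, a dollar threshold and a watchlist), run under three policies: the original six-figure threshold, the $1 threshold adopted in 2008, and a hardened variant with a manual-review step for high scores. The IP addresses, device IDs, score weights and thresholds are constructed assumptions chosen to mirror the facts above, not the bank's real model. It shows why the $1 threshold destroyed the value of the challenge questions: every routine payroll run prompts for the answers, so the "rare" step-up signal fires 100% of the time, while the fraudulent transfer with the highest possible score is still handled by the same challenge the fraudster already passed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Profile:
    """Constructed customer profile (all identifiers are made up)."""
    usual_ips: Set[str]
    usual_devices: Set[str]
    usual_weekday: int      # datetime.weekday() convention: Monday=0, Friday=4
    max_amount: float       # largest payment the customer has ever made


@dataclass
class Transfer:
    ip: str
    device_id: str
    weekday: int
    amount: float


@dataclass
class Policy:
    amount_threshold: float          # amount above which challenge questions are asked
    score_threshold: int             # risk score at which challenge questions are asked
    review_threshold: Optional[int]  # score routed to manual review; None = no such step
    ip_watchlist: frozenset          # IPs blocked outright


def risk_score(t: Transfer, p: Profile) -> int:
    """Additive risk score; the weights are assumptions, not the bank's model."""
    score = 0
    if t.ip not in p.usual_ips:
        score += 30   # log-in from an IP this customer has never used
    if t.device_id not in p.usual_devices:
        score += 30   # unknown device fingerprint
    if t.weekday != p.usual_weekday:
        score += 10   # outside the customer's normal schedule
    if t.amount > p.max_amount:
        score += 30   # larger than anything the customer has ever sent
    return score


def decide(t: Transfer, p: Profile, policy: Policy) -> Tuple[str, int]:
    """Return (action, score); action is 'block', 'review', 'challenge' or 'allow'."""
    score = risk_score(t, p)
    if t.ip in policy.ip_watchlist:
        return "block", score
    if policy.review_threshold is not None and score >= policy.review_threshold:
        return "review", score          # hold for a human before release
    if t.amount > policy.amount_threshold or score >= policy.score_threshold:
        return "challenge", score       # step-up: answer the challenge questions
    return "allow", score


def challenge_rate(transfers: List[Transfer], p: Profile, policy: Policy) -> float:
    """Fraction of transfers that make the user type their challenge answers."""
    if not transfers:
        return 0.0
    n = sum(1 for t in transfers if decide(t, p, policy)[0] == "challenge")
    return n / len(transfers)


# Constructed data modelled on the facts in the article: one office machine,
# one static IP, Friday payroll, never more than about $37,000.
PATCO_PROFILE = Profile(usual_ips={"198.51.100.10"}, usual_devices={"office-pc-1"},
                        usual_weekday=4, max_amount=36_999.0)
ROUTINE_PAYROLL = Transfer("198.51.100.10", "office-pc-1", 4, 35_000.0)
FRAUD_TRANSFER = Transfer("203.0.113.77", "unknown-device", 1, 56_000.0)

# The 2007 design, the 2008 change to a $1 threshold, and a hardened variant
# that adds manual review for scores far above the customer's norm.
POLICY_2007 = Policy(100_000.0, 50, None, frozenset())
POLICY_2008 = Policy(1.0, 50, None, frozenset())
POLICY_HARDENED = Policy(100_000.0, 50, 80, frozenset())


def year_of_payroll() -> List[Transfer]:
    """52 routine Friday payroll runs, all below the historical maximum."""
    return [Transfer("198.51.100.10", "office-pc-1", 4, 30_000.0 + 100.0 * i)
            for i in range(52)]


if __name__ == "__main__":
    for name, policy in (("2007", POLICY_2007), ("2008", POLICY_2008),
                         ("hardened", POLICY_HARDENED)):
        print(name,
              "routine:", decide(ROUTINE_PAYROLL, PATCO_PROFILE, policy),
              "fraud:", decide(FRAUD_TRANSFER, PATCO_PROFILE, policy),
              "yearly challenge rate:",
              challenge_rate(year_of_payroll(), PATCO_PROFILE, policy))
```

Under the 2007 policy a routine payroll run is allowed without a prompt, so a challenge is a genuine anomaly signal and the answers are typed rarely. Under the 2008 policy every transfer, including all 52 routine runs, prompts for the answers, which is exactly the exposure to keylogging the court described; the fraudulent transfer scores 100 but receives only the same challenge. The hardened policy keeps the step-up for moderate risk but routes the highest scores to review, which is the kind of additional measure the court found the bank should have had.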
Do your homework
To avoid liability for online fraud, review your security procedures to ensure that they’re designed to require a higher level of security for riskier transactions or customers and that the procedures are effective. The FFIEC’s paper, “Authentication in an Internet Banking Environment,” provides guidance on the “layered” security measures needed to combat fraud in the current environment.
For more information contact David Klopfer at [email protected].