At first this court case was a curiosity: Experi-Metal Inc. (EMI), a Michigan-based metal supply company, sued Comerica Bank, claiming that the bank exposed its customers to phishing attacks.
But now this story shapes up as a significant test case for the banking industry, raising several key questions that must be answered about fraud and responsibility.
"It will establish who is liable in the U.S. - the bank or the customer - for fraud losses that result from phishing," says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research.
The Basics
The lawsuit, filed by EMI in a Michigan circuit court, alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank's security software. In January 2009, an EMI employee opened and clicked on links within a phishing email that purported to be from Comerica. The email duped the employee into believing the bank needed to update its banking software. Subsequently, more than $550,000 was stolen from the company's bank accounts and sent overseas.
EMI says even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures. The bank says its online security methods were reasonable "because they were in general used by other similarly situated customers of other banks." Now that this case is in the courts, observers say, several important questions will be debated re: trust, responsibility and security. Among them:
#1: How Much Trust is Lost?
Clearly, Comerica has lost EMI's trust, but how much further can this costly loss of confidence spread among banking customers - even at other institutions? "Cases like this, when they hit the courts and the press, work at a macro level to erode the trust of all banks by all customers, even affecting those institutions with good anti-phishing programs in place," says Javelin's Wills. "It will make it that much harder for all banks to migrate their customer base to the highly cost-effective (from an operational standpoint) online channel."
Anytime a company incurs a data breach that compromises personal information, the organization risks having its customers walk away for good. "That's why it's so important that, before an incident occurs, a company take proactive steps to implement a reasonable security program," says Alysa Hutnik, a lawyer at Kelley Drye & Warren, a Washington DC-based law firm that specializes in post-incident response. "Even after a breach, if a company handles the issue responsibly, those efforts can earn back trust bit by bit. But here, where a customer is out of pocket hundreds of thousands of dollars as a result of a breach and was compelled to file a lawsuit to redress the issue, yes, the trust is likely lost."
Because trust is so fundamental to banking institutions, they have to draw a distinct line, says Avivah Litan, an analyst at Gartner. "Either banks explicitly and visibly warn their customers that banking with them is not safe and that [customers] are held liable for hacking into their accounts through online banking," she says. "Or they assume liability."
#2: Is a Bank Liable For Phishing?
Should a bank be held liable for a customer's employee falling for a phishing email that supposedly represents the bank? The EMI/Comerica case highlights several hotly-debated issues.
On the plaintiff's side, the employee's vulnerability to the phishing attack raises the core question of 'What is sufficient training?,' says attorney Hutnik. Most employees have been warned about phishing attempts, but even the most robust training does not protect against occasional human error. Does this training need to occur more frequently, or is it a matter of customizing the training to the evolving and specific types of phishing attempts? If a company is going to be responsible under the law for employees' vulnerability to phishing attempts, Hutnik says, that's a pretty good incentive to increase training.
Can a bank be held liable? Some security experts say emphatically 'No.' "The bank clearly could have made better decisions on how to update security information," says Branden Williams, Director of VeriSign's PCI Practice. "But judging by the timelines, they may have been ahead of their time with offering multi-factor authentication for online business banking."
SOURCE: http://www.bankinfosecurity.com
0 Visitor Reactions & Comments: