You got Phished, sue the bank?

Ah, the wonders of our legal system. Two recent lawsuits highlight that even when a bank has two-factor authentication and takes what look like reasonable steps to prevent fraud, it can still be sued when its customers are duped. According to bankinfosecurity.com, a Michigan-based company is suing Comerica Bank to recover roughly $550k stolen out of its account. Comerica says its systems were not breached, that it had more than reasonable policies and processes in place to stop fraud, and that it should not be held responsible for the naivety (or is it just plain stupidity?) of the plaintiff.

It seems that for years Comerica had sent its online banking customers a once-a-year reminder to update their information and have a new certificate issued. A few years back the bank upgraded security to require tokens in addition to user names and passwords. Then phishers sent the company an email asking it to update its records, just as the bank's own annual notice did. The link took the employee to a look-alike Comerica site, and the company entered all of its information, including the token code, into the bogus page. That gave the bad guys everything they needed: a one-time code typed into a phishing page can be relayed to the real site while it is still valid, so the token added nothing against this kind of attack. Using the credentials the unsuspecting employee supplied, the bad guys pilfered the account in a matter of hours.

The bank's position is that the bad guys had all the required information, even the token numbers, so how could it reasonably have known the activity was fraudulent? Should it be responsible for the actions of its customer? I would think not, absent some other activity or pattern that should have set off fraud alarms.

In another similar case reported on bankinfosecurity.com, a bank is preemptively suing a customer, asking the court to declare that it followed reasonable procedures and should not be responsible for the customer falling for another phishing scam. In that case it looks like the bad guys used the phished information to set up a new contact email address on the bank account, so that the bank's confirmations went to them instead of the customer, and once that was done they basically had their way with things. The bank says the email address was confirmed and that it was following reasonable process. Never mind that all of the illegal activity was international and the company in question had never done any business internationally. The court has not ruled on that one yet.
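To make the "fraud alarms" concrete, here is an added example (my own code, not anything from the post, from Comerica or from bankinfosecurity.com) that runs three simple rules over constructed transfer records modeled on the two cases above: a destination country the customer has never sent money to, a contact-email change shortly before the payment, and an unusual number of transfers in a short window. The account IDs, amounts, timestamps and the thresholds are all assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample data modeled on the two cases described in the post. These are
# not real bank records; account IDs, timestamps and amounts are made up.
PROFILE = {
    # A domestic-only business: every prior transfer went to a US account, and the
    # contact email on the account was changed shortly before the fraud began.
    "ACCT-1001": {
        "countries_seen": {"US"},
        "contact_email_changed_at": datetime(2009, 7, 1, 6, 55),
    },
    # A customer that regularly pays a Canadian supplier and has no recent changes.
    "ACCT-2002": {
        "countries_seen": {"US", "CA"},
        "contact_email_changed_at": None,
    },
}


def make_transfers():
    """Seven rapid outbound wires from ACCT-1001, then one ordinary wire from ACCT-2002."""
    start = datetime(2009, 7, 1, 7, 30)
    dests = ["RU", "EE", "GB", "FI", "CN", "US", "RU"]
    wires = [
        {"id": f"wire-{i:02d}", "acct": "ACCT-1001",
         "ts": start + timedelta(minutes=9 * i),
         "amount": 9_500.0 + 250 * i, "country": c}
        for i, c in enumerate(dests)
    ]
    wires.append({"id": "wire-legit", "acct": "ACCT-2002",
                  "ts": datetime(2009, 7, 1, 9, 0),
                  "amount": 1_200.0, "country": "CA"})
    return wires


def score_transfers(profile, transfers, *, velocity_n=5,
                    velocity_window=timedelta(hours=1),
                    email_change_window=timedelta(hours=72)):
    """Return {transfer_id: [reasons]} for every transfer that trips a rule.

    Rules (thresholds are assumptions chosen for illustration):
      new_country          destination country never seen in the account's history
      recent_email_change  account contact email changed within email_change_window
      velocity             more than velocity_n transfers from the account within
                           a rolling velocity_window
    """
    alerts = {}
    recent = {}  # acct -> deque of timestamps still inside the rolling window
    for t in sorted(transfers, key=lambda x: x["ts"]):
        acct = profile[t["acct"]]
        reasons = []

        if t["country"] not in acct["countries_seen"]:
            reasons.append(f"new_country:{t['country']}")

        changed = acct.get("contact_email_changed_at")
        if changed is not None and timedelta(0) <= t["ts"] - changed <= email_change_window:
            reasons.append("recent_email_change")

        q = recent.setdefault(t["acct"], deque())
        q.append(t["ts"])
        while t["ts"] - q[0] > velocity_window:
            q.popleft()
        if len(q) > velocity_n:
            mins = int(velocity_window.total_seconds() // 60)
            reasons.append(f"velocity:{len(q)}_in_{mins}min")

        if reasons:
            alerts[t["id"]] = reasons
    return alerts


if __name__ == "__main__":
    for wire_id, why in score_transfers(PROFILE, make_transfers()).items():
        print(wire_id, ", ".join(why))
```

Every one of the seven fraudulent wires is flagged, most of them by two rules at once, while the ordinary Canadian payment from the second account produces nothing. None of these rules requires knowing whether the token code was genuine; they only ask whether the payment looks like anything the customer has done before, which is exactly the question the "never did any business internationally" point raises.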

But the bigger question is: should your bank be responsible? We have all gotten used to the idea that when a credit or debit card is stolen, VISA and MasterCard step in and absolve the cardholder of any liability beyond 50 dollars or so. That is not the case for wire transfers and commercial ACH payments: under UCC Article 4A, a business customer generally bears the loss for a payment order that passed the bank's security procedure, as long as that procedure was commercially reasonable. The banks are not going to eat it! All the more reason to be extra vigilant whenever dealing with your confidential banking information.

So who pays for the fraud that VISA and MasterCard absorb? Someone has to. Usually it is a combination of the processing banks, the issuing banks and sometimes even the merchants. But ultimately we all pay for the fraud through higher prices and processing rates.

This is why PCI DSS and similar requirements matter, and not just for compliance's sake. Making every link in the chain more secure makes us all more secure.


1 Comment

Jared, February 18th, 2010 at 6:04 pm

I agree with your logic. However, I'm not ready to blame the victim for wire fraud cases like this. Excerpt: "7:30 a.m. and 10:50 a.m. the same day, the phishers made 47 wire transfers to various accounts in Russia, Estonia, Scotland, Finland, China, as well as domestic accounts."
Until banks implement non-laughable fraud detection for ACH and other transfers, I don't think they can hide behind "because no one else is doing it" or "but I passed my PCI audit." Judge/jury will decide acceptable security in these cases. Scary stuff.
Blaming the victim loses customers. Blaming the bank will motivate them to solve the problem, e.g. Visa's fraud system. The banks want online transactions to keep costs down. They'll invest appropriately when motivated by customer departure, lawsuits, or regulation. They know it's coming, why not be proactive?
