Comerica Bank was recently found liable for losses incurred from a phishing attack. The court decision has far-reaching implications for credit union liability in similar situations. If you are not familiar with Experi-Metal vs. Comerica, I would commend it to your attention, because once a legal standard is set, it will no doubt be applied in many other similar situations across the country.
Earlier this summer, a U.S. District Court ordered Comerica to reimburse Michigan-based Experi-Metal Inc. over a half-million dollars for funds the company lost after Comerica approved nearly two million dollars in fraudulent wire transfers from Experi-Metal’s account following a phishing attack against Experi-Metal.
Here are the basic facts –
- Comerica had been sending regular emails to their clients asking them to click and renew their security certificates – but then changed to a token-based, multi-factor authentication system.
- A phisher sent a fraudulent email to their client (Experi-Metal) asking them to log in to a website that looked just like Comerica’s to renew their certificate – which an employee did, compromising their login credentials.
- Wire transfers moving money out of their account to China, Estonia, Finland, Russia and Scotland began almost immediately, 47 in total, to the tune of $2 million.
- Comerica was able to get most of the transactions reversed, but not all.
- Experi-Metal sued Comerica Bank to recover the remaining $560K of fraudulent transfers.
This case addresses one of the most challenging security questions facing financial services today – who is ultimately responsible, the credit union or the member? That should be a trick question, since the answer is really both. However, this court case opens up significant liability for credit unions and emphasizes the need for both extensive in-house anti-phishing and fraud detection capabilities, as well as extensive educational efforts aimed at members.
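As an added illustration of the in-house fraud-detection capability called for above (example code written for this post, not Comerica’s or any vendor’s system): a velocity check over outbound wires that flags a burst of transfers to countries the account has never wired to before. The baseline countries, thresholds and sample transactions are constructed assumptions, loosely modelled on the pattern in the case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Wire:
    ts: datetime
    amount: float
    country: str  # ISO country code of the beneficiary bank

# Hypothetical per-account baseline a credit union would derive from history:
# countries previously wired to and the usual volume of wires.
BASELINE_COUNTRIES = {"US", "CA"}
MAX_WIRES_PER_HOUR = 3
MAX_AMOUNT_PER_HOUR = 100_000.0

def flag_wires(wires, baseline=BASELINE_COUNTRIES, window=timedelta(hours=1),
               max_count=MAX_WIRES_PER_HOUR, max_amount=MAX_AMOUNT_PER_HOUR):
    """Return (index, reasons) for every wire that trips a rule.

    Rules: new destination country; more than max_count wires in the trailing
    window; cumulative amount in the trailing window above max_amount.
    Wires are evaluated in time order so the earliest anomaly surfaces first.
    """
    ordered = sorted(enumerate(wires), key=lambda p: p[1].ts)
    alerts = []
    recent = []  # wires that fall inside the trailing window
    for idx, w in ordered:
        recent = [r for r in recent if w.ts - r.ts <= window] + [w]
        reasons = []
        if w.country not in baseline:
            reasons.append(f"new destination country {w.country}")
        if len(recent) > max_count:
            reasons.append(f"{len(recent)} wires within {window}")
        total = sum(r.amount for r in recent)
        if total > max_amount:
            reasons.append(f"${total:,.0f} sent within {window}")
        if reasons:
            alerts.append((idx, reasons))
    return alerts

SAMPLE = [  # constructed sample, not real transaction data
    Wire(datetime(2011, 1, 10, 7, 30), 5_000.0, "US"),   # routine domestic wire
    Wire(datetime(2011, 1, 10, 7, 41), 49_000.0, "RU"),  # burst begins after login
    Wire(datetime(2011, 1, 10, 7, 43), 48_500.0, "CN"),
    Wire(datetime(2011, 1, 10, 7, 45), 47_000.0, "EE"),
    Wire(datetime(2011, 1, 10, 7, 47), 46_800.0, "FI"),
]

if __name__ == "__main__":
    for idx, reasons in flag_wires(SAMPLE):
        print(idx, "; ".join(reasons))
```

In practice the flagged wires would be held for out-of-band confirmation with the member rather than released, which is the control the court found lacking in this case.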
We recently recorded a podcast with a security expert from Cyveillance, James Brooks. The podcast delves into greater detail on the case, the findings, and most importantly, what Comerica might have done differently to prevent the fraud from happening.
Post written by Dave Frankil, President, NAFCU Services Corp.
Dave, I appreciate you bringing this case to the broader audience, because I’ve been concerned for years that the public and the courts would place the burden to safeguard against phishing back upon the industry (versus the victim). As I’ve often described in seminars, we (as consumers) must remain ever vigilant–even to the point of contacting the “sending company” via a publicly-listed telephone number to confirm authenticity of the communication–to safeguard ourselves. It would appear that the court doesn’t place that much responsibility upon the consumer or business representative.
Cris
In the very heart of the Comerica Bank fraud event lies the poor practice of deploying point solutions rather than a real end-to-end online banking solution.
Predators will always exploit these unavoidable cracks between the point solutions.
In the Credit Union case the problem is even bigger, since a typical CU can’t even come close to a mega-bank’s IT resources, and that fact has a detrimental effect on the CUs’ chances to fight cyber crime effectively.
We at Made4Biz Security offer the world’s first real end-to-end online banking security and it’s called IDentiWall eBanking.
IDentiWall was designed for the financial SMB market segment and as such includes:
-1- Anti-phishing
-2- Customer (member) Authentication
-3- Transaction Verification
-4- Risk Policy based security
-5- Security Breach Notification
-6- Customer’s Browsing Platform Sensitivity
-7- e-Banking, m-Banking, call-Banking, card-Banking protection
-8- Polite Implementation that was specially designed to accommodate scarce IT resources
-9- and we even built a special pricing scheme for CUs, one that doesn’t force the CU into high initial costs.
We believe that all this is essential when implementing in a CU environment.
Often we’re asked if all the functionality is really needed, and as much as we wanted it not to be the case, we witnessed repeatedly that there’s no other way than being equipped with all this functionality. We wouldn’t have invested all that money if we could have avoided it.
The good news, however, is that although IDentiWall is an all-in-one solution, its implementation is easier because of its “application agnostic” functionality, and its total cost of ownership is by a dramatic margin the lowest in the industry.
For those of you who wish to continue this discussion offline, you can reach me at: ilan@made4biz.com