Account Takeover: Utility Sues BankNew Case Puts Spotlight on Institutions' Responsibilities
A Tennessee utility has sued its bank after a $327,000 account takeover incident. This new case shows why institutions must go above and beyond when it comes to detecting and thwarting fraud losses.
See Also: Webinar | How the SASE Architecture Enables Remote Work
Tennessee Electric Company Inc., d.b.a. TEC Industrial Maintenance & Construction, in July filed a complaint against TriSummit Bank, a $278 million institution based in Tennessee. The complaint alleges the bank is to blame for a series of fraudulent payroll drafts sent from TEC's account in 2012. TEC says the bank failed to have those ACH transactions approved by the utility before they were transmitted.
This is but the latest in a series of high-profile account takeover cases, and experts say it is going to put the onus on the bank to prove it took every possible measure to protect its customer from fraud.
Onus is on the Institution
In the wake of the 2011, FFIEC authentication guidance update, Doug Johnson, senior vice president of risk management policy for the American Bankers Association, says banking regulators have made it clear that it is banking institutions' responsibility to ensure they are providing layers of security to protect their customers' accounts.
ABA's Doug Johnson on the role updated FFIEC authentication guidance plays in ensuring banks provide adequate online security measures.
And George Tubin, a banking fraud expert at anti-malware provider Trusteer, says even if a commercial customer's account is taken over because of a phishing attack and subsequent malware infection that resulted because of the customer's negligence, the onus is on the banking institution to detect and stop suspicious transactions.
"A lot of banks think out-of-band, one-time passwords protect them from malware-based fraud - they don't," Tubin says.
In fact, unless a commercial customer explicitly declines to accept a certain security procedure offered by its bank, as was the case in the Choice Escrow and Land Title LLC account takeover incident, banks have struggled to prove their security measures were reasonable if fraud results, he explains.
"Based on the information presented, this case does not have a situation where the customer failed to use a certain security procedure or refused a security procedure," Tubin says. "The fact that the customer was infected by malware, which enabled this fraud, will not be viewed as something the customer did wrong. Anybody can get infected with malware, unless they're utilizing commercial-grade anti-malware software, which is usually only provided via the financial institution."
Julie Conroy, a financial fraud and security analyst at Aite, says TEC has a compelling case, but she sees nothing here that will help banking institutions better understand what constitutes "reasonable security" in the eyes of the courts.
"The confusion and mixed messages that we've received from the courts is around what levels of security qualify as 'commercially reasonable,'" Conroy says. "I don't see anything in this case that would help set a clear precedent in that regard."
According to the complaint, on May 10, 2012, 55 separate payroll orders totaling $327,804 were sent by TriSummit Bank to different accounts located throughout the U.S. The bank, however, failed to verify those orders with TEC, the utility claims.
Not only did the funds go to accounts that had not previously been paid by TEC, but the amounts, which ranged from $550 to $11,000, were not customary for the utility, the suit alleges.
TEC says its agreement with the bank also required that the bank call the utility before any payroll transactions were authorized. All of those calls, per the agreement between TEC and TriSummit, should have been recorded.
TEC argues that the 55 separate transactions approved in May 2012 were not authorized via a telephone call.
TEC also alleges it alerted the bank of suspicious activity just days before the fraudulent transactions were approved. On May 8, TEC's controller had trouble accessing the bank's online-banking site. After contacting the bank, the controller was advised to visit the branch and load the payroll files there. The following day, the controller received a phone call from someone feigning to be from the bank, asking that the employee try once more to access the online banking site to see if it was now working properly.
TEC claims its controller mentioned this suspicious phone call to numerous bank employees the next day, May 9, during a separate authorization call. The bank told TEC it would look into the matter, TEC says. Allegedly, just hours before that call is when the bank approved the fraudulent transactions.
TriSummit Bank was able to recover all but $192,656 of the $327,804 lost in fraudulent transactions, the suit states. Now TEC is asking that the bank refund its account for the amount the bank was not able to recover.
Neither TEC nor TriSummit Bank responded to Information Security Media Group's request for comment about the case.
Going to Trial?
If the calls between the bank and utility were recorded, then the bank should have a record of the authorization history, says Trusteer's Tubin. He also says that if the claims made by this Tennessee utility are true, the bank would be wise to settle.
"This case would likely follow the PATCO and Experi-Metal routes, where fraud occurred so, by definition, the bank's security procedures were inadequate," Tubin adds.
In the Experi-Metal Inc. and PATCO Construction Inc. cases, the courts ultimately favored the commercial customers. But an appellate court in June supported a lower court's ruling in the Choice Escrow case that favored the bank (see Bank Wins Account Takeover Loss Case).
The court found that Choice Escrow's refusal to use a dual-person authorization service for wire-transfer approval offered by the bank shielded the bank from liability.
Choice Escrow is considering an appeal of its case before the U.S. Supreme Court (see Fraud Case May Go to Supreme Court).
In TEC's case, the bank now must prove its security measures were 'commercially reasonable,' Tubin says.
"Based on the information in the complaint, the bank should have detected this fraud," he says. "A 'commercially reasonable' security approach would have either detected and/or prevented the malware from stealing the user's credentials, and an anomaly detection system would have picked up the double ACH transactions for double the typical weekly amount."
Further, if the bank did not follow through on its voice confirmation of the fraudulent ACH transaction, as alleged, Tubin says, "The bank would clearly be at fault for not adhering to the security practice used every week to confirm the ACH transaction."