The Blame Game
Who is to blame when a company is a victim of wire fraud? Does the bank bear full responsibility for policing the company’s account for unusual transactions? Does the company bear more responsibility since it “owns” and manages the credentials needed to log in to the bank’s website? Unfortunately, for Experi-Metal and Comerica, the answers to these questions will end up being provided by the United States District Court. The trial to decide who should assume the wire fraud losses ended on January 26 and the verdict is expected any day now.
The facts of the case are relatively straightforward. On January 22, 2009, fraudsters initiated 47 fraudulent wires totaling $560,000 from Experi-Metal’s bank account to destinations dotted around the globe. Experi-Metal and Comerica disagreed as to which party should assume the loss and the issue ended up in court.
Here’s where it gets interesting… Prior to implementing online multi-factor authentication, Comerica routinely sent out emails to customers asking them to login to Comerica’s site to receive a new digital certificate. With the digital certificate in place, the customer was authenticated and able to conduct business via Comerica’s site. Periodically, Comerica would repeat the process and a new certificate would be issued.
After Comerica had implemented multi-factor authentication, which included the use of a token (a randomly generated access code to be entered in addition to username and password), an employee of Experi-Metal responded to a phishing email that directed them to a site that appeared to be Comerica’s website. Given Comerica’s previous digital certificate process, presumably the employee believed that the email was legitimate. Unfortunately for Experi-Metal and Comerica, the site was in fact controlled by fraudsters. As requested, the employee provided their login credentials as well as a token-generated code. The fraudsters now had all the information they needed to commit wire fraud. Over the course of the following 6 hours, they initiated nearly 90 transactions, 47 of which were successful.
Depending on your perspective, you may believe that Experi-Metal is at fault: the employee should have realized that the fraudsters’ site looked a little “weird”. Alternatively, the bank should never have allowed 47 international wires to be completed over 6 hours when Experi-Metal had only sent 2 wires in the previous two years. Further, Comerica had implemented an approach to multi-factor authentication that many other banks employ. They were no better or worse than their peers.
Having reviewed Experi-Metal’s legal filings and their statements to the media, Experi-Metal appears most annoyed by the fact that the wire activity was so far out of the norm that the bank should have flagged it for further review. In fact, Experi-Metal argued in court that behavioral checks, such as analysis of the company’s wire transaction frequency, destination, amount, etc., would have stopped the fraud.
Once an individual is granted access to a bank’s online platform, simply assuming that you have truly granted access to the real customer is a very bad idea. Authenticating the customer is just the first step. The motto should be: Trust that you have granted access to the real customer, but verify by reviewing the transactions before they are released.
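To make the “trust but verify” idea concrete, here is an added example (not code from the original post, Comerica, or Experi-Metal) of the kind of behavioral check described above: each wire request is scored against the customer’s own history (frequency in a rolling window, destination country, beneficiary, amount) and held for manual review before release if anything is out of the norm. The customer baseline, the day’s requests, the beneficiary names and the thresholds are all constructed for illustration; the rolling window, burst limit and amount factor are assumptions, not figures from the case.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Wire:
    when: datetime
    amount: float
    dest_country: str   # ISO country code of the beneficiary bank
    beneficiary: str

@dataclass
class CustomerProfile:
    # Wires previously released for this customer; this is the baseline
    # that "normal" is measured against.
    history: List[Wire] = field(default_factory=list)

    def known_countries(self) -> Set[str]:
        return {w.dest_country for w in self.history}

    def known_beneficiaries(self) -> Set[str]:
        return {w.beneficiary for w in self.history}

    def max_amount(self) -> float:
        return max((w.amount for w in self.history), default=0.0)

def assess_wire(profile: CustomerProfile, todays_requests: List[Wire], wire: Wire,
                window: timedelta = timedelta(hours=6), burst_limit: int = 3,
                amount_factor: float = 2.0) -> List[str]:
    """Return the list of reasons to hold `wire` for review (empty = release).

    Thresholds are assumed values for the example, not a bank's real policy.
    """
    reasons: List[str] = []
    # Frequency: count every request in the rolling window, including ones
    # already held, so a burst of attempts is visible even if most are stopped.
    recent = [w for w in todays_requests if wire.when - window < w.when <= wire.when]
    if len(recent) + 1 > burst_limit:
        reasons.append("burst")
    # Destination: a country this customer has never wired to before.
    if wire.dest_country not in profile.known_countries():
        reasons.append("new_country")
    # Beneficiary: an account this customer has never paid before.
    if wire.beneficiary not in profile.known_beneficiaries():
        reasons.append("new_beneficiary")
    # Amount: well above the largest wire this customer has ever sent.
    if wire.amount > amount_factor * profile.max_amount():
        reasons.append("amount")
    return reasons

def process_batch(profile: CustomerProfile,
                  requests: List[Wire]) -> Tuple[List[Wire], List[Tuple[Wire, List[str]]]]:
    """Release clean wires immediately; queue flagged ones with their reasons."""
    released: List[Wire] = []
    held: List[Tuple[Wire, List[str]]] = []
    seen: List[Wire] = []
    for wire in sorted(requests, key=lambda w: w.when):
        reasons = assess_wire(profile, seen, wire)
        seen.append(wire)
        if reasons:
            held.append((wire, reasons))
        else:
            released.append(wire)
            profile.history.append(wire)  # only released wires update the baseline
    return released, held

def run_example() -> Tuple[List[Wire], List[Tuple[Wire, List[str]]]]:
    # Constructed baseline: two modest domestic wires over two years.
    profile = CustomerProfile(history=[
        Wire(datetime(2007, 3, 14, 10, 0), 8_000.0, "US", "Acme Supplies"),
        Wire(datetime(2008, 6, 2, 15, 30), 12_000.0, "US", "Acme Supplies"),
    ])
    # Constructed requests for one morning: one routine wire, then a burst
    # to unfamiliar countries and beneficiaries (names are hypothetical).
    requests = [
        Wire(datetime(2009, 1, 22, 8, 0), 5_000.0, "US", "Acme Supplies"),
        Wire(datetime(2009, 1, 22, 8, 30), 15_000.0, "RU", "Unknown Trading LLC"),
        Wire(datetime(2009, 1, 22, 8, 45), 14_000.0, "EE", "Baltic Holdings OU"),
        Wire(datetime(2009, 1, 22, 9, 0), 9_000.0, "US", "Acme Supplies"),
        Wire(datetime(2009, 1, 22, 9, 30), 30_000.0, "UA", "Dnipro Consulting"),
    ]
    return process_batch(profile, requests)

if __name__ == "__main__":
    released, held = run_example()
    for w in released:
        print(f"RELEASED {w.when:%H:%M} {w.amount:>10,.2f} {w.dest_country} {w.beneficiary}")
    for w, reasons in held:
        print(f"HELD     {w.when:%H:%M} {w.amount:>10,.2f} {w.dest_country} {w.beneficiary} -> {reasons}")
```

The fourth request is worth noticing: on its own it looks entirely routine (known beneficiary, domestic, ordinary amount), and only the frequency check catches it, because it is the fourth wire in a window where this customer normally sends none. That is the point of checking behavior rather than just credentials: a valid login and token tell you nothing about whether the session’s activity matches the customer.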
If Comerica loses in court, other victims of wire fraud will undoubtedly initiate legal actions. Now is the time to ensure that your bank has robust wire fraud detection in place. Fighting the issue in court is a last resort that I bet even Comerica doesn’t recommend.