U.S. Appeals Court Gives Retailers Fraud Loss Victory

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

In a decision that has huge implications for retail chains, a Federal Court of Appeals ruled on July 3 that a contractor in Maine could successfully sue its bank for losses from a hacked bank account. The problem is that many of the "thefts" of money from retailers don't occur at the bank itself. A hacker may attack the retailer's computer, obtain user IDs and passwords, and then log into the bank's computer either using the stolen credentials or even logging in from the compromised computer itself. To the bank, it sure looks like the login came from the retailer.

Once the bad guy gets in, it's only a few keystrokes to wire transfer all of the account funds to a waiting account in Latvia, Bulgaria or wherever. The retailer only learns of the transfer later, when the funds are gone. Sometimes the bank can "clawback" all or part of the transaction; sometimes it cannot. But who eats the cost of that loss?

Many retailers maintain bank accounts that permit, or even encourage, depositors to interact with the bank electronically. This E-banking serves both the bank and the merchant, enabling fast and usually reliable transactions without having to wait in line at a teller. But who has liability if a bank account is hacked? And who has liability if a merchant's computers are hacked and, through the compromised computers, funds are transferred? In general, the rule has been that the merchant bears the risk of loss. But that general rule is changing.

For consumer bank accounts, the risk of loss in the event of a hack or intrusion is either zero or close to that. The same rules that protect consumers from stolen or fraudulently used credit or debit cards protect them from hacked accounts. The consumer liability, under a law called Regulation E, is limited to $50 in most transactions and $250 in some other transactions, so long as the fraud is reported relatively promptly. As a practical matter, consumers rarely have to pay even the $50, because banks are willing to eat those costs to encourage more people to engage in online banking.

For commercial entities, however, Regulation E doesn't apply. Instead, Article 4A of the Uniform Commercial Code (UCC) allows the bank to disclaim liability if the bank used "commercially reasonable" means to prevent the fraud.

The law that relates to commercial electronic banking transactions is UCC 4A, which says the bank is entitled to rely on the authenticity of a payment order if it is verified according to a security procedure that is a "commercially reasonable method of providing security against unauthorized payment orders" and the bank accepted the order in good faith. This is intended to strike a balance between the need for transactions to go through and be accepted and the need to ensure those transactions are authentic. Federal banking regulations established by the FFIEC set out a variety of things banks can do to validate transactions, including multifactor authentication, challenge-response, callback for high-dollar or unusual transactions, and out-of-band authentication and credential exchange, among other things. Customers, likewise, are required to exercise reasonable care to protect themselves.

Many modern hacks to E-banking occur at the merchant's computer. Malware is inserted into the merchant's computer, which captures—through a keylogger—the passwords and any "challenge-response" answers. The bank in Maine made the problem worse by lowering the threshold for the "challenge-response" to $1. Thus, the merchant had to enter the response code every time it made any funds transfer, which for that merchant was very frequently, so a keylogger installed on any one of the machines used for funds transfers would capture the response codes along with the passwords. In addition, the merchant argued that the bank's practices were not "commercially reasonable," because the bank neither monitored for unusual transactions nor notified the customer that transactions had taken place. The court held that a case could at least be pursued on the question of whether these actions were commercially reasonable.
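As an added illustration, not code from the article or from the bank in question, the constructed Python monitor below shows the kind of "unusual transaction" check that the merchant argued was missing: once a keylogger has captured both password and challenge-response answer, authentication alone passes, and only a check on the payment order itself (new beneficiary, new country, amount far outside history, velocity) can hold the transfer for a callback. The history, vendor names, and thresholds are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    day: int          # days since account opened (constructed value)
    amount: float     # USD
    beneficiary: str  # payee account label
    country: str      # destination country code


def review_transfer(history, candidate, z_limit=3.0, max_per_day=3):
    """Return the reasons a payment order should be held for out-of-band
    confirmation (e.g. a callback). An empty list means release it."""
    reasons = []
    if candidate.beneficiary not in {t.beneficiary for t in history}:
        reasons.append("new beneficiary")
    if candidate.country not in {t.country for t in history}:
        reasons.append(f"first transfer to {candidate.country}")
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    # z-score against the account's own history; a keylogged login does
    # not change the fact that the amount is nothing like prior activity
    if sigma and (candidate.amount - mu) / sigma > z_limit:
        reasons.append("amount far outside historical range")
    same_day = sum(1 for t in history if t.day == candidate.day)
    if same_day + 1 > max_per_day:
        reasons.append("transfer velocity exceeds daily norm")
    return reasons


# Constructed history: 30 routine domestic payments to three known vendors.
HISTORY = [Transfer(day=i, amount=2000 + 100 * i,
                    beneficiary=f"vendor-{i % 3}", country="US")
           for i in range(30)]

if __name__ == "__main__":
    routine = Transfer(day=30, amount=4800, beneficiary="vendor-1", country="US")
    suspect = Transfer(day=30, amount=87000, beneficiary="acct-LV-unknown", country="LV")
    print("routine:", review_transfer(HISTORY, routine) or "release")
    print("suspect:", review_transfer(HISTORY, suspect))
```

Any non-empty result is exactly the case where the bank would notify the customer and wait for confirmation rather than rely on the (possibly keylogged) credentials alone.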

This is similar to a ruling in June 2011 by a Michigan court that Comerica Bank was liable to a Michigan company called Experi-Metal after that company's computers were hacked and more than half a million dollars fraudulently transferred.

Taken together, these and other cases show that hackers are clearly targeting not only banks but their customers. Merchants know it. Law enforcement knows it. Banks know it, too. Hackers are installing sophisticated tools to try and appear to be the legitimate merchant, and to then take over the merchant's computers, obtain their passwords and transfer millions of dollars to their own accounts. Willie Sutton was right—they do it because that's where the money is.

Merchants need to go back to their online banks and get a much better idea of what types of "commercially reasonable" things they are doing to prevent fraud. Look over the agreements; see what the banks are representing that they do. How are they preventing fraud? And, yes, what is the retailer doing to prevent it, too? We can prevent the attack in the first place or spend millions on lawyers litigating liability afterward. Either way is OK with me.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.