Comerica/EMI Case Raises Key Questions About Responsibility, Security
At first, this court case was a curiosity: Experi-Metal Inc. (EMI), a Michigan-based metal supply company, sued Comerica Bank, claiming that the bank exposed its customers to phishing attacks.
Now this story shapes up as a significant test case for the banking industry, raising several key questions that must be answered about fraud and responsibility.
"It will establish who is liable in the U.S. - the bank or the customer - for fraud losses that result from phishing," says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research.
The Basics
The lawsuit, filed by EMI in a Michigan circuit court, alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank's security software. In January 2009, an EMI employee opened and clicked on links within a phishing email that purported to be from Comerica. The email duped the employee into believing the bank needed to update its banking software. Subsequently, more than $550,000 was stolen from the company's bank accounts and sent overseas.
EMI says even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures. The bank says its online security methods were reasonable "because they were in general used by other similarly situated customers of other banks." Now that this case is in the courts, observers say, several important questions will be debated re: trust, responsibility and security.
Among them:
#1: How Much Trust is Lost?
Clearly, Comerica has lost EMI's trust, but how much further can this costly loss of confidence spread among banking customers - even at other institutions? "Cases like this, when they hit the courts and the press, work at a macro level to erode the trust of all banks by all customers, even affecting those institutions with good anti-phishing programs in place," says Javelin's Wills. "It will make it that much harder for all banks to migrate their customer base to the highly cost-effective (from an operational standpoint) online channel."
Anytime a company incurs a data breach that compromises personal information, the organization risks having its customers walk away for good. "That's why it's so important that, before an incident occurs, a company take proactive steps to implement a reasonable security program," says Alysa Hutnik, a lawyer at Kelley Drye & Warren, a Washington DC-based law firm that specializes in post-incident response. "Even after a breach, if a company handles the issue responsibly, those efforts can earn back trust bit by bit. But here, where a customer is out of pocket hundreds of thousands of dollars as a result of a breach and was compelled to file a lawsuit to redress the issue, yes, the trust is likely lost."
Because trust is so fundamental to banking institutions, they have to draw a distinct line, says Avivah Litan, an analyst at Gartner. "Either banks explicitly and visibly warn their customers that banking with them is not safe and that [customers] are held liable for hacking into their accounts through online banking," she says. "Or they assume liability."
#2: Is a Bank Liable For Phishing?
Should a bank be held liable for a customer's employee falling for a phishing email that supposedly represents the bank? The EMI/Comerica case highlights several hotly debated issues.
On the plaintiff's side, the employee's vulnerability to the phishing attack raises the core question of 'What is sufficient training?,' says attorney Hutnik. Most employees have been warned about phishing attempts, but even the most robust training does not protect against occasional human error. Does this training need to occur more frequently, or is it a matter of customizing the training to the evolving and specific types of phishing attempts? If a company is going to be responsible under the law for employees' vulnerability to phishing attempts, Hutnik says, that's a pretty good incentive to increase training.
Can a bank be held liable? Some security experts say emphatically 'No.' "The bank clearly could have made better decisions on how to update security information," says Branden Williams, Director of VeriSign's PCI Practice. "But judging by the timelines, they may have been ahead of their time with offering multi-factor authentication for online business banking."
Williams quotes an old saying: "I'll open the door for you, but only you can walk through it." Comerica did open the door with its security updates, he says, but a simple training issue would have prevented the employee from walking through that door. "Companies that become complacent with security become easy targets."
#3: What is 'Reasonable Security?'
In this case, was the bank's two-factor security token technology an unreasonable safeguard based on the information available at the time it was implemented by the company? Discovery and expert testimony on this point will be critical, says Hutnik. So too, will the surrounding facts on what information the bank provided to its customers about giving personal information online, or in response to an email alert, leading up to and after it transitioned away from the digital certificate security process.
Hutnik sees a third key issue, which is often a gap in many companies: What measures were in place to detect unauthorized, unusual activity involving this customer account, and did the bank act quickly enough in response to such detection? "All companies could benefit from evaluating and assessing how they compare the issues raised in this case against their own information security programs," she says.
David Navetta, a lawyer at the Information Law Group, a Colorado-based law firm, says one of the issues that will be key in this case is whether the bank has a legal duty to prevent these types of phishing attacks. And if so, whether the security measures it took were "reasonable" under the law. To the extent a bank has a general duty to protect client accounts, does that duty extend to preventing (or reducing the risk of) its customers from being duped by social engineering attacks such as phishing? "That will be the threshold legal question, and I don't know what the answer will ultimately be," he says.
Another point that Navetta says will be considered is "Reasonableness." Under the law for purposes of negligence, a defendant can avoid liability even if a plaintiff suffered harm, as long as the defendant did not breach its duty of care. "In this context, if the bank's security measures where 'reasonable' under the law, it would not be liable," Navetta says. "I think the fact that the bank used two-factor authentication will help its cause in this respect," he says. On the other hand, he adds, "Many security professionals I have spoken to/read have indicated that a phishing attack was a known weakness, or at least a theoretical weakness, of two-factor authentication."
Regulators Were 'Asleep at the Wheel'
While EMI and Comerica argue over liability, Gartner's Litan says the nation's legislators and banking regulators bear the bulk of the blame for such breaches. "It's their job to set the rules for soundness and safety of the U.S. banking system, and to enforce that the banks execute those rules," she says. "They are negligent here - in not passing legislation that protects business accounts (as Reg E protects consumer accounts) and in not enforcing security measures at the banks, as set forth by the FFIEC strong authentication guidance," Litan says.
Litan also has strong words for bank examiners. "Frankly, they are also asleep at the wheel," she says. "And the banks are taking advantage of the current legislative and regulatory environment by not proactively securing business accounts."
No matter the outcome, this case will set a precedent, predicts Rohyt Belani, CEO of the Intrepidus Group, a New York City-based security firm. Banks and other e-commerce providers need to take some of the responsibility to help their customers mitigate the risk associated with phishing attacks - especially those that exploit the institution's brands. "Just posting information about phishing on the login page doesn't cut it," Belani says. "I believe banks need to work on enhancing their authentication mechanisms, changing the way they communicate with their clients (not embedding active links, etc.), and educating the customers using techniques that are proven to reduce susceptibility.
"Banks should view it as a wake-up call and work on mitigating phishing attacks."
Source: Bankinfo Security; By Linda McGlasson, Managing Editor
A blog dedicated to the anti-fraud community towards creating awareness and preventing Fraud and all related fields and activities
Tuesday, February 23, 2010
Monday, February 22, 2010
‘Whistle-blower policy the best way to check frauds’
FINANCIAL EXPRESS:
As corporate India debates ways and means to strengthen the corporate governance framework for the listed companies, post the Satyam scandal, an international expert says a whistle blower policy is the best way to prevent corporate frauds from blowing up. The rider: it should be implemented in spirit, and not just in form.
“Whistle blower policy is the best way to check corporate frauds,” says Marc Duchevet, global head for governance risk & internal control, Mazars. Mazars is one of the world’s largest audit firms with a turnover of more than $1.2 billion and 12,500 professionals in over 55 countries. Duchavet also made the point that in any organisation, where fraud develops with management collusion, there will be at least one good, solid whistle blower. "In addition, there will be several others who will be able to smell the rat that is feeding on the business and who would be in a position to raise a red flag”.
On a tour to India recently, he was charitable enough to accept that it is the fear of possible abuse which may have held back corporate India from implementing the policy with zeal. “Often there is discomfort among the management over the confidentiality and requisite protection offered to such a whistle blower under the policy. Fear of abuse of such a framework by people out to settle scores or working on a personal vendetta keeps management from implementing the policy,” he said.
Whistle blower policies have become a matter of concern in the corporate sector. An area of concern, the Mazar expert said, is that once the implementation of the policy starts, there is no choice but to address "all the incidents that come to your attention".
According to him, experience shows that corporate India does indeed recognise the value of good governance. There are, of course, a large number of corporations that believe that there is a direct relationship between business governance and business valuation.
To the extent this consideration is applied by drivers of corporate governance in the right spirit, this is an positive sign. But where emphasis is on mere paper disclosure, it is a concern. International companies are focusing on key areas like risk management, values and ethics and internal control. These three go together.
The truly best or effective monitoring does not come from the number of bodies exercising oversight. Rather, it comes from those who are willing to accept full accountability and are duly empowered to take necessary punitive action.
Though the government moved fast to protect investor interests after the Satyam promoters’ frauds came into light in 2008, India’s image as a favourite investment destination was hurt. This led experts to question the effectiveness of the section 49 of Sebi’s listing guidelines in protecting investor interest.
Significantly, it is still not mandatory for listed companies here to implement the whistle blower policy. However, some companies like ONGC and GAIL India have adopted it on a voluntary basis. But, the government is seriously considering making it mandatory for the PSUs.
Source: The Financial Express
As corporate India debates ways and means to strengthen the corporate governance framework for the listed companies, post the Satyam scandal, an international expert says a whistle blower policy is the best way to prevent corporate frauds from blowing up. The rider: it should be implemented in spirit, and not just in form.
“Whistle blower policy is the best way to check corporate frauds,” says Marc Duchevet, global head for governance risk & internal control, Mazars. Mazars is one of the world’s largest audit firms with a turnover of more than $1.2 billion and 12,500 professionals in over 55 countries. Duchavet also made the point that in any organisation, where fraud develops with management collusion, there will be at least one good, solid whistle blower. "In addition, there will be several others who will be able to smell the rat that is feeding on the business and who would be in a position to raise a red flag”.
On a tour to India recently, he was charitable enough to accept that it is the fear of possible abuse which may have held back corporate India from implementing the policy with zeal. “Often there is discomfort among the management over the confidentiality and requisite protection offered to such a whistle blower under the policy. Fear of abuse of such a framework by people out to settle scores or working on a personal vendetta keeps management from implementing the policy,” he said.
Whistle blower policies have become a matter of concern in the corporate sector. An area of concern, the Mazar expert said, is that once the implementation of the policy starts, there is no choice but to address "all the incidents that come to your attention".
According to him, experience shows that corporate India does indeed recognise the value of good governance. There are, of course, a large number of corporations that believe that there is a direct relationship between business governance and business valuation.
To the extent this consideration is applied by drivers of corporate governance in the right spirit, this is an positive sign. But where emphasis is on mere paper disclosure, it is a concern. International companies are focusing on key areas like risk management, values and ethics and internal control. These three go together.
The truly best or effective monitoring does not come from the number of bodies exercising oversight. Rather, it comes from those who are willing to accept full accountability and are duly empowered to take necessary punitive action.
Though the government moved fast to protect investor interests after the Satyam promoters’ frauds came into light in 2008, India’s image as a favourite investment destination was hurt. This led experts to question the effectiveness of the section 49 of Sebi’s listing guidelines in protecting investor interest.
Significantly, it is still not mandatory for listed companies here to implement the whistle blower policy. However, some companies like ONGC and GAIL India have adopted it on a voluntary basis. But, the government is seriously considering making it mandatory for the PSUs.
Source: The Financial Express
Thursday, February 18, 2010
Wednesday, February 17, 2010
Wipro rushes to plug gap after $4-m fraud
MUMBAI BANGALORE:
A Wipro employee embezzled crores of rupees over the past three years, sending India’s third-largest software exporter scrambling to tighten internal controls in the finance division where the fraud took place.
The employee had been working with the company for the past three years in the â controllership™ division within the finance department. This cell is responsible for keeping the companys financial books and also has powers to authorise payments whenever needed. The employee is believed to have embezzled about $4 million by stealing a password and transferring money from Wipros account at a bank.
Suresh C Senapaty, Wipros CFO, confirmed the incident. This has been a case of embezzlement, which we discovered in December, and its very unfortunate that this person succumbed to this,†Mr Senapaty said. “The company has carried out an investigation and is undertaking actions with respect to stricter adherence to processes.
Wipro has since disbanded the controllership unit. The fraud is believed to have cost the company about $4 million. Wipro officials have succeeded in recovering about half the money, but will still face a loss of about $2 million.
Mr Senapaty said the incident did not involve more than one Wipro staffer. Our investigations have revealed that only this employee was involved, and nobody else in the team had any clue, Mr Senapaty said.
Apart from setting up an internal investigation team, Wipro has also taken help from external auditors and investigation experts who will vet its processes and certify the soundness of its controls. The company is already engaged with an external agency for conducting assessment of the existing audit and other processes in order to verify any potential loopholes.
The amount involved is not large, but the incident has upset people at the helm of Indias the IT major. Wipro has always taken pride in the sound work ethics of its employees and in the strictness of its controls. “We have to be more alert in monitoring, and we need to tighten the processes for ensuring an early warning system and make it tougher, Mr Senapaty said.
Among other measures being considered by Wipro, employees working in sensitive functions within the finance department may be rotated more frequently. Currently, employees in such functions spend around three years before a transfer. Going forward, Wipro also plans to make it mandatory for employees working in the finance division and elsewhere, to sign an undertaking about sharing of passwords and any unauthorised transactions.
Wipro officials discovered the fraud after receiving an alert about overdraft transaction, even when the companys accounts had sufficient balance according to the official records. The employee, whose name cannot be made public, siphoned off the companys money to his personal savings accounts in multiple transactions worth anywhere between Rs 1 lakh to Rs 1.2 crore, and used the money to acquire jewellery, apart from making other investments, including buying land.
The employee stole password from a colleague and used it to transfer money to his and his family members personal accounts, an official told ET on condition of anonymity. While the company continues to believe that it was a fraudulent act committed by the employee, the issue raises questions about information security policies.
An interim report on the incident was presented to the management, board members and other authorities concerned, including disclosure and audit committees. We have recovered more than half of the amount, and its not substantial enough. However, we have kept all the stakeholders posted in an interim report submitted recently, Mr Senapaty added.
Mr Senapaty, according to several people who spoke with ET on condition of anonymity, had to face some tough questions from the management, and he had to act swiftly in terms of restructuring the entire division.
Source: The Economic Times, By MV Ramsurya & Pankaj Mishra
A Wipro employee embezzled crores of rupees over the past three years, sending India’s third-largest software exporter scrambling to tighten internal controls in the finance division where the fraud took place.
The employee had been working with the company for the past three years in the â controllership™ division within the finance department. This cell is responsible for keeping the companys financial books and also has powers to authorise payments whenever needed. The employee is believed to have embezzled about $4 million by stealing a password and transferring money from Wipros account at a bank.
Suresh C Senapaty, Wipros CFO, confirmed the incident. This has been a case of embezzlement, which we discovered in December, and its very unfortunate that this person succumbed to this,†Mr Senapaty said. “The company has carried out an investigation and is undertaking actions with respect to stricter adherence to processes.
Wipro has since disbanded the controllership unit. The fraud is believed to have cost the company about $4 million. Wipro officials have succeeded in recovering about half the money, but will still face a loss of about $2 million.
Mr Senapaty said the incident did not involve more than one Wipro staffer. Our investigations have revealed that only this employee was involved, and nobody else in the team had any clue, Mr Senapaty said.
Apart from setting up an internal investigation team, Wipro has also taken help from external auditors and investigation experts who will vet its processes and certify the soundness of its controls. The company is already engaged with an external agency for conducting assessment of the existing audit and other processes in order to verify any potential loopholes.
The amount involved is not large, but the incident has upset people at the helm of Indias the IT major. Wipro has always taken pride in the sound work ethics of its employees and in the strictness of its controls. “We have to be more alert in monitoring, and we need to tighten the processes for ensuring an early warning system and make it tougher, Mr Senapaty said.
Among other measures being considered by Wipro, employees working in sensitive functions within the finance department may be rotated more frequently. Currently, employees in such functions spend around three years before a transfer. Going forward, Wipro also plans to make it mandatory for employees working in the finance division and elsewhere, to sign an undertaking about sharing of passwords and any unauthorised transactions.
Wipro officials discovered the fraud after receiving an alert about overdraft transaction, even when the companys accounts had sufficient balance according to the official records. The employee, whose name cannot be made public, siphoned off the companys money to his personal savings accounts in multiple transactions worth anywhere between Rs 1 lakh to Rs 1.2 crore, and used the money to acquire jewellery, apart from making other investments, including buying land.
The employee stole password from a colleague and used it to transfer money to his and his family members personal accounts, an official told ET on condition of anonymity. While the company continues to believe that it was a fraudulent act committed by the employee, the issue raises questions about information security policies.
An interim report on the incident was presented to the management, board members and other authorities concerned, including disclosure and audit committees. We have recovered more than half of the amount, and its not substantial enough. However, we have kept all the stakeholders posted in an interim report submitted recently, Mr Senapaty added.
Mr Senapaty, according to several people who spoke with ET on condition of anonymity, had to face some tough questions from the management, and he had to act swiftly in terms of restructuring the entire division.
Source: The Economic Times, By MV Ramsurya & Pankaj Mishra
Subscribe to:
Posts (Atom)