The Duty to Authenticate Identity: the Online Banking Breach Lawsuits
This is a reprint of an article I originally wrote for the American Bar Association's SciTech Lawyer magazine. You can read the original HERE. If you are interested in this article and the cross-roads between security, privacy and the law, you should also consider joining the ABA's Information Security Committee (which I Co-Chair).
____________________________________
We have entered an era where our commercial transactions are increasingly being conducted online without any face-to-face interaction, and without the traditional safeguards used to confirm that a party is who they purport to be. The attenuated nature of many online relationships has created an opportunity for criminal elements to steal or spoof online identities and use them for monetary gain. As such, the ability of one party to authenticate the identity of the other party in an online transaction is of key importance.
To counteract this threat, the business community has begun to develop new authentication procedures to enhance the reliability of online identities (so that transacting parties have a higher degree of confidence that the party on the other end of an electronic transaction is who they say they are). At the same time, the law is beginning to recognize a duty to authenticate.
On the authentication side, mechanisms to prevent unauthorized individuals from posing as authorized parties include user names and passwords (i.e. “something you know”), token-based authentication (i.e. “something you have”), biometrics (i.e. “something you are”) and others. Increasingly systems are being devised to confirm the identity of a transacting party based in part on their behavior (i.e. “something you’ve done [or not done]”) A good example is the fraud detection algorithms used by credit card companies to detect anomalous behavior that is or may be indicative of ongoing or future fraudulent credit card use. As discussed further below, this approach is beginning to find its way into the law as well.
On the legal side, several statutory regimes establish rules that seek to enhance the reliability of online identities. This is particularly true in the financial sector, where existing law and recent court decisions regarding online authentication may well establish a trend ultimately applicable to many other types of commercial transactions.
The Federal regulators of the Federal Financial Institutions Examination Council (“FFIEC”) have long been concerned about the authentication of identity in online banking transactions. In 2005 the FFIEC issued a guidance document entitled Authentication in an Internet Banking Environment (“2005 Guidance”). In June 2011, after a series of fraudulent wire transfers from small business accounts facilitated by online identity fraud, the FFEIC issued a supplement to its 2005 Guidance (“2011 FFIEC Supplement”).
Both the 2005 Guidance and 2011 FFIEC Supplement outline recommend security measures that banks can implement to enhance their ability to authenticate the identity of online banking users and prevent fraud. As discussed below, a key feature of both FFIEC guidance documents is the use of “multi-factor authentication.”
In addition, well before the regulatory guidance from the FFIEC, lawmakers in most states adopted Uniform Commercial Code Article 4A (Funds Transfers). Section 202 (Use and Acceptance of Payment Order) of Article 4A establishes a legal mechanism to allocate the risk of loss between a bank and its customer in the event of a fraudulent transfer of funds from the customer’s account. Pursuant to this section, if a bank satisfies certain security requirements, including those directly related to authenticating identification, its customer will be liable for fraudulently transferred funds, even if the transfer was initiated by a criminal hacker. Conversely, if the bank fails to meet such requirements, the bank will bear the risk of such losses.
The 2005 Guidance and UCC 4A-202 set the stage for the recent legal wrangling between banks that provide online access to bank accounts and small businesses who saw millions of dollars evaporate from their banking accounts after criminals stole or spoofed their online banking authentication credentials.
Summary of the Online Banking Breaches and Lawsuits
For the past few years, the media has reported on several stories involving the fraudulent transfer of funds from small business accounts using online banking systems. Many of these security breaches involved a common fact pattern: using various methods (e.g. keystroke loggers, phishing attacks, Zeus botnets) criminal elements would steal online banking credentials from a small business customer and use those credentials to log into the customer’s online banking account and transfer money to the criminal’s account (often overseas in an Eastern European country or a former republic of the Soviet Union). This scheme was very sophisticated and most believe it was being carried out by organized crime.
Of significance, it was often the customer’s weak security or a mistake on the customer’s part that often allowed the criminals to obtain the customer’s online banking identity credentials in the first instance. In some cases, banking customers fell for “phishing attacks” that spoofed the look and feel of a bank’s email template and asked the customer to provide their username and password. In another case (“EMI v. Comerica”) described below, the criminals tricked an individual working for the customer into providing the randomly generated number from the “token” physically possessed by that person – a number that expired within seconds -- and used it to access the online banking site in real-time to initiate dozens of wire transfers.
In many cases the banks refused to reimburse these small business customers for the funds fraudulently transferred from their account . Beyond the monetary considerations, this refusal was likely premised on the fact that it was the conduct of the customers themselves that had allowed their credentials to be stolen. Also, as the risk of this attack appeared serious, banks probably did not want to establish a precedent of just paying these losses. Most importantly, the banks likely believe that the law is on their side in this situation.
Analysis of the Online Banking Breach Lawsuits
Needless to say, these circumstances led to several lawsuits brought by small business customers seeking to recover from the banks. The main allegation in these suits was that the authentication procedures and other security measures employed by the banks did not prevent the fraudulent wire transfers and were not commercially reasonable. Specifically, the customers alleged that the security measures in place to enable the bank to authenticate the identity of the online banking user failed, and were not reasonable under the law. As some of these cases wound their way through State and Federal courts we began to get some decisions providing insight on how courts analyze the concept of “commercially reasonable security” for purposes of authenticating identity.
Focusing on the issue of identity, these lawsuits involved a fairly common set of allegations:
- the bank did not utilize multifactor authentication (e.g. something in addition to user name and password, such as “token-based” authentication or “out of band” fax confirmation) to verify the identity of the person initiating the funds transfers;
- the bank failed to provide notice to the plaintiffs of unusual or suspicious activity;
- the bank’s security measures did not prevent the fraudulent transfers and were not commercially reasonable;
- the bank failed to block transfer requests from IP addresses that were different than those typically used by the plaintiff;
- the allowable daily transfer limit vastly exceeded the plaintiffs’ average/maximum daily transfers (e.g. in PATCO, the daily maximum limit was $750,000, but the most PATCO ever needed to transfer previously was $36,600);
- the funds were transferred to individual accounts to which the plaintiffs had never transferred funds before; and
- despite having been informed of unauthorized transactions by the plaintiff, the bank did not close the account in order to prevent more fraudulent transactions (e.g. in EMI, after allowing 45 fraudulent wire transfers to go through, the bank allegedly allowed another 46 to go through even after the plaintiff informed the bank that it had not initiated the initial batch of fraudulent wire transfers).
As the legal basis of liability, both PATCO and EMI focused on section 202(b) of UCC Article 4A, which provides:
If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.
While the plaintiffs attempted to argue that the banks failed to meet all of these requirements, much of the focus was on the issues of “commercially reasonable” security and the good faith requirement. A big factor for analyzing these issues was the 2005 Guidance, and whether the defendant banks initiated “layered security” in the form of behavioral analytics to further authenticate the identity of the online banking customer.
In both PATCO and EMI the court relied on the 2005 Guidance to render its decision. In that document, the FFIEC summarized its key point concerning authentication in the online banking environment as follows:
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
In PATCO, for the “something you have” authentication factor the bank utilized a “device cookie” placed on the customer’s computer to identify particular computers used to access online banking. If the cookie changed or was newly installed on a different computer, the risk score for the transaction increased, and that potentially resulted in the user being asked a challenge question (e.g. “What is your mother’s maiden name?”). In fact, the bank in PATCO actually set its system up so that a challenge question (which amounts to a “something you know” factor) was asked for every transaction. As such the modification or replacement of the device cookie would have effectively had no impact: to gain access to the online account, the online banking customer would be asked the challenge question in all events anyway.
Despite the fact that the device cookie factor was rendered irrelevant, the court referred to the FFIEC and held that the bank had (at least technically) implemented multi-factor authentication per the 2005 Guidance. In addition, in holding that the bank had implemented commercially reasonable security the court noted that the bank utilized “layered security” (also mentioned in the 2005 Guidance), including some controls that analyzed customer behavior while banking online (discussed below). In its holding the court specifically indicated that the bank’s security was not optimal, but then noted that commercially reasonable security does not require a bank to adopt the best security procedures then available.
In EMI¸ the bank actually utilized “true” multi-factor authentication. In addition to user name and password, the plaintiff in EMI had been provided a physical token that sent a number to the user when he or she logged into the online banking site. That number is only good for 30-60 seconds, so unless the fraudster actually possesses the token, or is able to intercept the number and log-in in real-time, it is not possible to spoof the identity of the banking customer. Unfortunately, through the use of a phishing attack, the fraudsters were able to persuade the plaintiff’s representative to provide his username, password and token number, and logged in immediately upon receiving them. Once establishing a legitimate online banking session, they were able to initiate approximately 97 wire transfers over a six-hour period.
On motion for summary judgment, the EMI court ruled that the bank implemented commercially reasonable security as a matter of law because the plaintiff agreed in its contract with the bank that the bank’s security was commercially reasonable. However, later at trial, the court ruled that the bank failed to act in good faith concerning its processing and acceptance of the fraudulent wire transfers at issue. According to the court this failure occurred, in large part, because the bank did not implement behavioral analytics to further authenticate the identity of the online banking user after the online banking session began.
The Role of Behavioral Analytics
In both cases the existence (or lack of) security controls related to the plaintiff-customers’ behavior played a role in the court’s ruling. While neither court expressly described it in these terms, each court was effectively analyzing a new factor in authenticating identity – i.e., authentication based on behavior: “what you do [or don’t do].” This approach supplements the three traditional authentication factors (something you know, something you have, and something you are) by analyzing the user’s conduct as an attribute of identity. By comparing the behavior of the current user against the prior behavior of known authorized users, the likelihood of identifying a fraudster posing as an authorized user is increased.
In PATCO, the existence of “layered security,” including many controls tied to behavioral analytics, further supported the court’s finding of commercially reasonable security. Those controls included customer “risk profiling” that considered factors like the location of the user logging in, when and how often the online banking system was previously used by the customer, the activities the user typically engaged in, the Internet Protocol (IP) address typically used by the customer to log-in, and the size, type, and frequency of payment orders normally issued by the customer. Taking these behavioral factors into account the bank’s system in PATCO would assign a risk to a particular online banking session and if that risk reached certain thresholds the user would be asked to further authenticate his or her identity (in this case through a challenge question).
In contrast, the lack of behavioral analytics was a key factor that led the judge in EMI to rule against the bank at trial. The court identified several behavioral red flags that it believed should have raised the bank’s suspicion. The failure of the bank to take these red flags into account lead the court to rule that the bank had not proved that it acted in good faith to detect and stop the fraudulent wire activity. In particular, the bank failed to compare the fraudsters’ behavior against the prior activities of the plaintiff, including the volume and frequency of the payment orders and the book transfers that enabled the criminal to fund those orders; the plaintiff’s limited prior wire activity; the $5 million overdraft created by those book transfers in what is regularly a zero balance account, and; the destinations and beneficiaries of the funds (to Moscow, Estonia, and China).
2011 FFIEC Regulatory Guidance Supplement and Behavioral Analytics
Shortly after the decisions in EMI and PATCO, the FFIEC released its 2011 Supplement and reinforced the importance of behavioral analytics for confirming identity and detecting potential fraudulent behavior. For example, the 2011 FFIEC Supplement clarifies the concept of customer authentication:
The concept of customer authentication, as described in the 2005 Guidance, is broad. It includes more than the initial authentication of the customer when he/she connects to the financial institution at login. Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security, as described herein. (emphasis supplied)
Examples of “layered security” in the 2011 FFIEC Supplement as related to enhanced authentication protocols include (in relevant part):
- fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
- the use of dual customer authorization through different access devices; and
- the use of out‐of‐band verification for transactions.
In fact, the 2011 FFIEC Supplement indicates that one of the “minimum” elements that should be part of layered security for online banking are processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to initial login and authentication as well as initiation of transactions involving the transfer of funds to others. In support of this element, the FFIEC specifically noted that in many cases of online banking fraud, the fraud could have been prevented because the wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior. In short, the 2011 FFIEC Supplement further supports the contention that behavior should be used as an additional factor for purposes of validating identity, and that legal authorities consider this factor important.
Conclusion
Issues of identity, authentication and reasonable security will surely continue to collide with the law as society transacts more frequently online. As a result, the legal responsibility of parties to establish adequate means to verify the identity of their customers, clients and users is likely to increase. As outlined above we are already seeing this in the online banking context.
What is clear from these cases is that authentication protocols employed by entities need to be adaptive to the particular threats and scams that may arise in the future. The idea of using a customer’s online behavior to further authenticate identity could expand into other contexts such as healthcare, social media activities and other contracting relationships where data is or can be recorded concerning prior behavior.
As we move forward it is likely that legislation or court decisions will mandate legal standards and requirements around authenticating identity, and similar to UCC 4A-202 in the online banking context, allocate risk of loss based on an entity’s compliance (or failure to comply) with such standards. Lawyers working on online transactions would be well-advised to consider the legal risk associated with authenticating identity. As the threats increase, lawyers will be called on not only to litigate these matters after the fact, but also to establish legal and contractual mechanisms for minimizing risk.