
Comerica Bank ordered to pay after customer hacked

Robert McMillan | June 15, 2011
A Michigan court has ruled that Comerica Bank is liable for a US$560,000 cyberheist, saying the bank should have done a better job to spot millions of dollars in fraudulent transactions after one of the bank's customers was tricked in a phishing attack two years ago.

The Michigan court's decision is important because U.S. courts are only now starting to decide who should pay for these scams, known as Automated Clearing House (ACH) fraud. Security experts believe that ACH scammers have made hundreds of millions of dollars over the past few years, typically hitting small businesses, school boards and community organizations that work with smaller regional banks. The hackers steal the online banking credentials of company employees and then quickly move hundreds of thousands of dollars out of accounts using the ACH system, which was created to move money such as payroll funds.

Consumers aren't liable for this type of fraud, but that's not the case when it comes to small businesses. In fact, despite this week's ruling, it's really not clear who must pay after ACH fraudsters strike. Just last week a Maine magistrate judge ruled in favor of the bank in a similar incident. That decision could cost Patco Construction, in Sanford, Maine, $345,000.

Many ACH fraud disputes are quietly settled out of court, with both sides accepting some losses, but when companies take these disputes to court, the decision of liability is almost a coin toss, said David Navetta, a founding partner with the Information Law Group. "I expect that we will see varying opinions in various jurisdictions," he said. "If things start getting appealed to the appellate courts ... then the district courts are bound by that ruling. That's when it starts to get serious."

That's exactly what's going to happen in this case: Comerica plans to file an appeal, according to bank spokeswoman Kathleen Pitton. "We presented evidence that disputes the allegations made against us and believe that, following a review of the evidence, the appellate court will agree and reverse this decision," she said in an e-mail message.

Neither Experi-Metal nor its lawyer, Richard Tomlinson, returned calls seeking comment. News of the ruling was first reported Tuesday by the Detroit Free Press.

Banks are now doing a better job of spotting ACH fraud than they were in 2009, but the criminals are still making money, said Avivah Litan, a distinguished analyst with Gartner Research. "Every bank I've talked to is really concerned about it and worried about it," she said. "Some are better able to deal with it than others."

Companies such as RSA Security, Actimize and Guardian Analytics sell customer profiling and fraud detection systems designed to flag fraudulent transactions, but the fraudsters are always on the lookout for ways to beat the bank. "They've been known to beat the profiling systems," Litan said. "It's becoming very problematic."

And as the recent court decisions have shown, nobody knows for sure who's going to be left footing the bill.

 
