Pub. 6 2011-2012 Issue 5

www.nebankers.org

• dual customer authorization through different access devices;
• use of positive pay, debit blocks, or other services to limit transaction use on accounts;
• enhanced controls over account activities (e.g., transaction value thresholds);
• internet protocol (IP) tools that block connection of bank servers to IP addresses known (or suspected) for fraudulent activity; and,
• enhanced customer education.

For compliance with the supplement beginning in January 2012, banks should engage their respective technology providers to determine what the cyber threats are and what enhanced (layered) security measures are available under each bank’s current contract for services.

Effectiveness of Certain Authentication Techniques.

In the supplement, the FFIEC provides guidance on the integrity of two types of customer authentication techniques: (a) simple device identification and (b) challenge questions. According to the FFIEC, the following authentication techniques are no longer sufficient:
• simple one-dimensional device authentication (which many banks implemented in response to the guidance), relying on a cookie loaded onto a customer’s personal computer to confirm that the PC attempting access is the one enrolled by the customer; and
• simple challenge questions easily answered by anyone who has researched the customer through Internet searches and social media.

Examples of stronger, more effective controls identified in the supplement are:
• complex device identification tools such as a “one-time” cookie (used once rather than stored persistently) combined with a digital “fingerprint” built from a number of the PC’s characteristics, including PC configuration, IP address, geo-location, and other factors; and
• a complex challenge question process using multiple, more sophisticated, or “out-of-wallet” questions (questions whose answers are not readily found in public records or online).[6]

Customer Awareness & Education.
The supplement also prescribes that customer awareness be included as part of the bank’s security programs for both commercial and consumer customers. At a minimum, these programs should include:
• a description of accountholder protections;
• an explanation of the circumstances under which the bank will contact the customer to verify his or her identity;
• suggestions for commercial online banking customers to perform a risk assessment and controls evaluation periodically;
• a listing of alternative risk controls for customers to consider to reduce their online banking risk; and,
• a contact list for customers to use if they notice suspicious account activity or experience a security-related event.

By providing security procedures in writing to new and existing customers, banks can confirm that customers are aware of the types of security available at the bank. As security options change, existing customers should be updated on what is available through links or news on the bank’s website.

Court Decisions, the Guidance & the Supplement

After issuance of the guidance, cases arose alleging that use of single-factor authentication constitutes unreasonable security. In Shames-Yeakel v. Citizens Financial Bank,[7] the court allowed the plaintiffs’ negligence claim (arising from an unauthorized transfer from the plaintiffs’ account by a fraudster using the plaintiffs’ user name and password) to survive by denying a motion for summary judgment, based in part on the guidance. The plaintiffs alleged that the bank had negligently failed to move from single- to dual-factor authentication in time to prevent the unauthorized transfer, as the guidance directed. The court decided that “[i]n light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access,” and the plaintiffs’ claim was allowed to proceed.
Last year, a federal court in Maine delivered a significant decision regarding bank liability for the unauthorized withdrawal of funds from a corporate deposit account after a fraudster obtained the online credentials of the bank’s customer.[8] The main allegation in the suit was that the authentication procedures and other security measures employed by the bank failed to prevent the fraudulent wire transfers and were not commercially reasonable. The Patco court found in favor of the bank, relying in part on the standards set by the guidance and concluding that the bank provided commercially reasonable security by using not only multifactor authentication but also multiple layers of security. In holding that the bank had implemented commercially reasonable security, the court noted that the bank authenticated users through user identifications and passwords, tied challenge questions to transaction limits for those initiating transactions, and it summarized the layered security offered and implemented by the bank at the time of the fraud. Moreover, the court stated that the bank’s implementation of the security procedures was a “careful effort at compliance” with the guidance and that, “when measured against the . . . guidance yardstick that both parties have treated as a critical factor in this case, is commercially reasonable, incorporating not only at least two factors but also multiple layers of security.”

Cyber Fraudsters — continued
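The supplement’s distinction between a static device cookie and a “one-time” cookie tied to a device fingerprint (under Effectiveness of Certain Authentication Techniques above) is easier to see in code. The following Python is an added illustration written for this page; it is not code from the FFIEC, the article, or any bank’s authentication product. The attribute set, customer name, IP addresses, and the SimpleCookieAuth and OneTimeCookieAuth classes are assumptions chosen for the example.

```python
"""Added example (not from the FFIEC supplement or the article): the 'simple'
static-cookie device check the supplement calls insufficient, beside a one-time
cookie that rotates on every login and is bound to a device fingerprint.
Attribute names, customer id, and IP/timezone values are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample of attributes a bank's fingerprinting script might collect
# (assumed; real tools gather many more and weight them).
ENROLLED_DEVICE = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1) ...",
    "screen": "1920x1080",
    "timezone": "America/Chicago",
    "ip": "198.51.100.23",
}


def fingerprint(attrs: dict) -> str:
    """Hash the device attributes in canonical (sorted-key) order."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


class SimpleCookieAuth:
    """One static cookie per enrolled device; the cookie alone proves the device."""

    def __init__(self):
        self.enrolled = {}  # cookie value -> customer id

    def enroll(self, customer: str) -> str:
        cookie = secrets.token_hex(16)
        self.enrolled[cookie] = customer
        return cookie

    def verify(self, customer: str, cookie: str, attrs: dict) -> bool:
        # attrs are ignored: a copied cookie works from any machine, indefinitely.
        return self.enrolled.get(cookie) == customer


class OneTimeCookieAuth:
    """Cookie is bound to a fingerprint and replaced after each successful use."""

    def __init__(self):
        self.enrolled = {}  # customer id -> {"fp": ..., "cookie": ...}

    def enroll(self, customer: str, attrs: dict) -> str:
        cookie = secrets.token_hex(16)
        self.enrolled[customer] = {"fp": fingerprint(attrs), "cookie": cookie}
        return cookie

    def verify(self, customer: str, cookie: str, attrs: dict):
        """Return the next cookie on success, or None to trigger step-up auth."""
        rec = self.enrolled.get(customer)
        if rec is None:
            return None
        # constant-time compare: no timing oracle on the cookie value
        if not hmac.compare_digest(rec["cookie"], cookie):
            return None  # replayed, stale, or forged cookie
        if rec["fp"] != fingerprint(attrs):
            return None  # current cookie presented from a different machine
        rec["cookie"] = secrets.token_hex(16)  # rotate: the old value is dead
        return rec["cookie"]


def demo() -> dict:
    """Run both schemes against a genuine login and a cookie-stealing fraudster."""
    alice = ENROLLED_DEVICE
    # Constructed: fraudster copied Alice's cookie but is on another machine.
    fraudster = dict(alice, ip="203.0.113.9", timezone="Europe/Kiev")
    results = {}

    simple = SimpleCookieAuth()
    c = simple.enroll("alice")
    results["simple_stolen_cookie_accepted"] = simple.verify("alice", c, fraudster)

    otc = OneTimeCookieAuth()
    c1 = otc.enroll("alice", alice)
    c2 = otc.verify("alice", c1, alice)  # genuine login consumes c1, issues c2
    results["otc_genuine_login"] = c2 is not None
    results["otc_replay_of_old_cookie"] = otc.verify("alice", c1, fraudster) is not None
    results["otc_current_cookie_other_device"] = otc.verify("alice", c2, fraudster) is not None
    results["otc_next_genuine_login"] = otc.verify("alice", c2, alice) is not None
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two simplifications are deliberate. The fingerprint here must match exactly, so a customer whose IP address changes would be refused; production tools score partial matches and fall back to another factor (a challenge question or a one-time passcode) rather than denying access. And a rotating cookie does nothing against malware running on the enrolled PC itself, which is why the supplement pairs device identification with transaction-level controls such as value thresholds and dual authorization rather than treating it as a single gate.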
