Who should be responsible for financial fraud?

Improvements in payment protections are shifting the liability for fraud to the least-secure party

$45 million was stolen from ATMs around the world in a matter of hours. In what a U.S. Attorney called a "21st-century bank heist," a New York-based organized crime ring in February hacked into financial databases, stole prepaid debit card data, removed their withdrawal limits, cloned new cards, and then sent "mules" (people commissioned to conduct the transactions) to make 4,500 ATM withdrawals worldwide.

With four perpetrators caught and indictments issued in New York, victims on all sides of this crime are now left to sort out who assumes the losses. Does the liability rest with the financial institutions that were initially hacked and whose data was used to manipulate the withdrawal limits and load balances onto the cards? Or are the financial institutions that processed the transactions responsible?

"The law likes to impose liability on the party that is best able to avoid harm. But liability is all over the place in the area of financial payments fraud," says Mark Rasch, principal attorney at Rasch Technology and Cyberlaw. "Recovering money from those who are liable is also difficult and expensive: You have to file the lawsuits and go through discovery, which can take years."

As standards for pattern recognition and authentication change, so do the legal challenges that come with them. Liability rules are changing especially quickly in relation to card readers, corporate accounts and card-not-present transactions.

The trouble with magnetic stripes

Of these three areas, the most dramatic changes are occurring in the protections for cards and card readers, covering U.S. transactions at ATMs and at merchants' point-of-sale terminals.

"Although statistics are hard to come by, card fraud has been increasing steadily over the past few years in the U.S.," says Randy Vanderhoof, executive director of the Smart Card Alliance. "Meanwhile, card fraud has been decreasing in Europe and elsewhere where they are using chip-enabled EMV smart cards rather than mag stripes." The EMV (EuroPay, MasterCard and Visa) open framework promotes interoperable, chip-enabled payment cards.

In the U.K., where EMV cards are the dominant form of payment, counterfeit card fraud dropped by two-thirds (from 150 million pounds to less than 50 million pounds) between 2008 and 2010, according to a 2011 presentation by the Federal Reserve Bank of Kansas City. And from January 2010 to September 2011, FICO, a predictive-analysis company, reported a 60 percent decline in counterfeit card fraud in Europe, where smart cards are the dominant form of payment.

The risk in using magnetic stripes is that the data they contain is static and includes the cardholder's name and address, the financial institution, the 16-digit account number, the expiration date and even the security confirmation code on the back of the card. All of which means the information on the stripe can be used to make new cards, explains Vanderhoof.

"As long as you are able to read static data that is encoded on the back of a magnetic stripe, criminals can replicate that data onto another piece of plastic, just like the original," he says.

This weakness made it possible for the criminals and their global network of mules to quickly steal $45 million using counterfeit cards.

In an EMV chip-based smart payment card, this data is stored securely within the chip, meaning that only authorized merchant terminals can read the stored data and it cannot be reused to create fraudulent transactions, Vanderhoof continues.

Instead, each transaction processed with an EMV chip card and card reader is assigned a unique identifier. If criminals do break the card or terminal's encryption programs, the data they see is good for one use only. The data stream processed through the terminal is also unique, so it cannot be re-used even if it is captured by wireless sniffers listening in from the parking lot, for example.
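The following is an added illustration, not code from the article, from EMVCo or from the Smart Card Alliance, of the property Vanderhoof describes: a chip that holds a secret key and computes a per-transaction cryptogram over a counter and a terminal challenge produces data that is useless if captured and replayed, whereas static stripe data can be copied onto new plastic. It is a deliberately simplified model: real EMV cards derive session keys and compute the ARQC with a MAC over terminal-supplied fields (amount, unpredictable number and application transaction counter among them), so the HMAC-SHA256 construction, the 8-byte tag, the `Chip`/`Issuer` classes and the constructed key and amounts here are assumptions for illustration only.

```python
import hashlib
import hmac
import os
import struct


class Chip:
    """Simplified stand-in for the card's secure element (assumption, not EMV's real ARQC scheme).

    The key never leaves the chip, unlike the static data on a magnetic stripe.
    """

    def __init__(self, card_key: bytes):
        self._key = card_key
        self.atc = 0  # application transaction counter: one step per transaction

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: int) -> dict:
        self.atc += 1
        msg = struct.pack(">IQI", self.atc, amount_cents, unpredictable_number)
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"atc": self.atc, "amount_cents": amount_cents,
                "un": unpredictable_number, "cryptogram": tag.hex()}


class Issuer:
    """Issuer host holding the same card key; tracks the last counter it accepted."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self.last_atc = 0

    def authorize(self, req: dict, terminal_un: int) -> str:
        if req["un"] != terminal_un:
            return "decline: cryptogram bound to a different terminal challenge"
        if req["atc"] <= self.last_atc:
            return "decline: counter already used (replay)"
        msg = struct.pack(">IQI", req["atc"], req["amount_cents"], req["un"])
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, bytes.fromhex(req["cryptogram"])):
            return "decline: cryptogram invalid"
        self.last_atc = req["atc"]
        return "approve"


def new_unpredictable_number() -> int:
    """Terminal-side challenge; fresh random 32-bit value per transaction."""
    return int.from_bytes(os.urandom(4), "big")


def run_scenario() -> dict:
    """Genuine transaction, two replays of the captured request, and a forgery. Constructed inputs."""
    key = os.urandom(16)  # constructed card key; in reality personalised by the issuer
    chip, issuer = Chip(key), Issuer(key)
    results = {}

    un1 = new_unpredictable_number()
    req1 = chip.generate_cryptogram(4999, un1)
    results["genuine"] = issuer.authorize(req1, un1)

    # Attacker captured req1 on the wire and replays it at another terminal (new challenge).
    un2 = new_unpredictable_number()
    results["replay_new_terminal"] = issuer.authorize(req1, un2)

    # Attacker also spoofs the original challenge: the counter still gives it away.
    results["replay_same_challenge"] = issuer.authorize(req1, un1)

    # Counterfeit: attacker knows every static field but not the key, so the tag is wrong.
    forged_msg = struct.pack(">IQI", req1["atc"] + 1, req1["amount_cents"], un1)
    forged = dict(req1, atc=req1["atc"] + 1,
                  cryptogram=hmac.new(b"guess", forged_msg, hashlib.sha256).digest()[:8].hex())
    results["forged"] = issuer.authorize(forged, un1)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:24s} {outcome}")
```

The three declines show the three checks a practitioner cares about: the challenge binds the cryptogram to one terminal session, the counter makes each cryptogram single-use, and the MAC cannot be produced from the static fields alone.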

Deadlines meet resistance

In 2011 and 2012, MasterCard, Visa, Discover and American Express announced they were accelerating plans to issue EMV smart cards and were already using them for applications such as college credit cards and cards for travelers who want to use them internationally.

The next stage is to get the card readers compliant with the new smart payment cards, says John Graham, vice president of global information assurance and risk for First Data Corporation, one of the largest payment processors in the U.S., with infrastructure in 34 countries.

"The infrastructure is there to support EMV cards, but there are costs to banks and financial institutions that send out smart cards," Graham says. "We've also ensured our back-end systems and mainframes are able to accept these new forms of transactions."

According to EMV Connection, approximately 1.5 billion EMV cards had been issued and 21.9 million terminals were accepting them as of Q4 2011. Outside the U.S., where statistics are harder to find, that represents 44.7 percent of payment cards in circulation and 76.4 percent of installed point-of-sale terminals.

Under the card brands' U.S. EMV migration schedules, merchants that accept cards at the point of sale have until October 2015 to deploy chip-capable readers.

If merchants cannot process EMV payment cards and they are defrauded by counterfeit data in magnetic-stripe cards, liability for losses will begin to shift to the merchants that have not upgraded payment card readers, according to Vanderhoof. Likewise, if merchants can process EMV payment cards and the card issuer is still allowing its customer to use a non-EMV card, that issuer will begin to assume the liability for fraudulent transactions.

While large merchants stand ready to meet the EMV deadline, small mom-and-pop operations are the hardest to convince and need more education, says Graham, adding that, in some cases, small businesses are still using old, analog lines to conduct transactions.

The transition to smart cards will likely occur in phases, say experts.

"For some, it makes sense to make the upgrade to EMV-enabled readers as soon as possible, and for others it may be a phased-in approach that may not meet the EMV deadlines as they now stand," says Steve Kenneally, vice president for the center of regulatory compliance at the American Bankers Association.

Kenneally notes that earlier this year, the ATM Industry Association asked for a push back on the deadlines imposed on them by Visa. As a result, most of the brands behind EMV smart cards are imposing their own liability shift dates for ATMs. For example, MasterCard will shift liability for ATM transactions to ATM operators on Oct. 1, 2016, while Visa will do so in October 2017, according to the financial publication and resource group ATM Marketplace.

MasterCard predicts that about 70 percent of those with card processing terminals will make the October 2015 compliance deadline and has even laid out its own liability shift schedule, which currently extends to 2017 for gas stations. (Gas stations are one of the first places criminals test cloned cards to see if they will process, according to experts.)

Most guidelines take into account that for some time during the transition, merchants will need to be able to process both mag stripe and chip-enabled cards. MasterCard provides incentives for merchants to become EMV-compliant, such as audit relief to organizations with readers that can handle both forms of payments.

Resources for upgrading to EMV are available through many organizations. Visa, MasterCard and the other card brands, along with the Smart Card Alliance and the PCI Security Standards Council, provide guidance on how PCI DSS and EMV work together to protect payment card data.

"There's been a lot of work behind the scenes to educate the market about the value of EMV," says Vanderhoof. "Financial institutions, merchants and processors all need to coordinate around a common method of handling EMV payments."

EMV chip-enabled smart cards also allow for the use of strong authentication methods, using more than just passwords to authenticate transactions. The chip supports tokens and other forms of authentication, including offline or online one-time passwords or PINs requested at the time of transaction. Increasingly, these challenge codes are being sent to the card user on their cellphones, say Vanderhoof and Graham.

Better detection tools head off fraud

In recent years, the success rate of Automated Clearing House (ACH) account takeover attempts has dropped sharply, according to Doug Johnson, vice president and senior adviser of risk management and policy for the American Bankers Association (ABA), and better fraud detection and analysis are behind the drop.

Since 2009, the ABA has conducted a yearly survey of its members comparing the number of attempted ACH takeovers with the number that resulted in a completed transaction. In 2009, 70 percent of fraudulent transactions went undetected and were processed; in 2012, only nine percent of fraudulent attempts made it through to a transaction, and the rest were blocked.

"This metric tells us that fraud detection patterns and triggers are better tuned to detect velocity of transactions, size of transactions and anomalous behavior of the end point system conducting the transaction," says Johnson.

Fraud attempts continue against ACH account holders, of course, but more security controls have been built in so that it's harder for criminals to succeed, agrees Avivah Litan, an analyst at Gartner.

For example, JP Morgan Corporate and Investment Banking puts some control into the hands of ACH account holders by letting them specify which companies may originate ACH transactions against their account; any originator not on that list is rejected. The bank also educates customers on ACH fraud and on how it is carried out from the victim's own computer.
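An added example (not code from JP Morgan, the ABA or the article) of the two controls described above: the originator allow-list that lets an account holder decide who may pull funds, and the detection triggers Johnson names, transaction velocity, transaction size and an unfamiliar endpoint initiating the transfer. The `AccountProfile` fields, thresholds, rule names and the sample transactions are constructed assumptions for illustration; a real bank would tune them per customer and feed them from its own session and device data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class AccountProfile:
    """Constructed per-account profile (assumption about what a bank keeps for a commercial customer)."""
    debit_allowlist: set          # company IDs permitted to originate debits (ACH debit filter)
    known_devices: set            # endpoint fingerprints seen during normal online-banking use
    routine_max_cents: int        # largest routine outbound transfer for this customer
    velocity_limit: int = 3       # outbound transfers per window before flagging
    window_seconds: int = 3600


def evaluate(tx: dict, profile: AccountProfile, recent_push_ts: deque) -> tuple:
    """Return (decision, flags) for one transaction.

    recent_push_ts holds timestamps of earlier outbound pushes and is trimmed to the window.
    """
    # Incoming debit pulls: hard allow-list, no scoring needed.
    if tx["kind"] == "debit_pull":
        if tx["originator"] not in profile.debit_allowlist:
            return "block", ["originator_not_allowlisted"]
        return "approve", []

    # Outbound pushes initiated from the customer's online-banking session.
    flags = []
    if tx["device"] not in profile.known_devices:
        flags.append("new_endpoint")
    if tx["amount_cents"] > 2 * profile.routine_max_cents:
        flags.append("amount_out_of_pattern")
    while recent_push_ts and tx["ts"] - recent_push_ts[0] > profile.window_seconds:
        recent_push_ts.popleft()
    if len(recent_push_ts) >= profile.velocity_limit:
        flags.append("velocity")
    recent_push_ts.append(tx["ts"])
    return ("hold" if flags else "approve"), flags


# Constructed sample: one routine payroll debit and one normal push, then a takeover pattern
# (unfamiliar device, out-of-pattern amount, rapid follow-ups) and an unknown originator pulling funds.
SAMPLE_TXS = [
    {"id": 1, "kind": "debit_pull", "originator": "PAYROLLCO", "amount_cents": 180_000, "ts": 0},
    {"id": 2, "kind": "credit_push", "device": "dev-office", "amount_cents": 120_000, "ts": 100},
    {"id": 3, "kind": "credit_push", "device": "dev-unknown", "amount_cents": 950_000, "ts": 3700},
    {"id": 4, "kind": "credit_push", "device": "dev-unknown", "amount_cents": 400_000, "ts": 3800},
    {"id": 5, "kind": "credit_push", "device": "dev-unknown", "amount_cents": 400_000, "ts": 3900},
    {"id": 6, "kind": "credit_push", "device": "dev-unknown", "amount_cents": 400_000, "ts": 4000},
    {"id": 7, "kind": "debit_pull", "originator": "MULECO", "amount_cents": 50_000, "ts": 4100},
]

SAMPLE_PROFILE = AccountProfile(
    debit_allowlist={"PAYROLLCO"},
    known_devices={"dev-office"},
    routine_max_cents=250_000,
)


def run_sample() -> list:
    """Run the constructed transactions through the rules in order; returns (id, decision, flags)."""
    recent = deque()
    out = []
    for tx in SAMPLE_TXS:
        decision, flags = evaluate(tx, SAMPLE_PROFILE, recent)
        out.append((tx["id"], decision, flags))
    return out


if __name__ == "__main__":
    for tx_id, decision, flags in run_sample():
        print(f"tx {tx_id}: {decision:8s} {', '.join(flags) or '-'}")
```

Note the difference in treatment: the allow-list is a hard block decided by the account holder in advance, while the behavioural triggers produce a hold for review, because a new device or a large transfer is sometimes legitimate and the customer can be called to confirm.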

Who's liable?

ACH takeover usually starts when account holders are victims of a phishing attack that tricks them into installing malware on their computers, or victims accidentally download malware from an infected or malicious website. Once the ACH transaction is initiated, a criminal can check the balance and initiate transfers without being seen by the system operator, explains Rasch.

Each party in such a case is a victim, including the client that was phished, the financial institution that sent the funds, and the processor between the two that handled the transaction.

Now, each party is finding that their share of the liability for the fraud is shifting as the result of better security practices. This is particularly good news for account holders who historically have been left holding the bag for transactions not stopped by their financial institutions.

As banks and processors add more pattern analysis and stronger authentication measures into their protections, these become "reasonable security practices" under the Uniform Commercial Code, explains Johnson. Under the code, entities with reasonable security practices are more likely to be protected from liability should they be victims of ACH fraud.

This shift is already under way: ACH fraud victims are taking their cases to court, and account holders are winning judgments, says Gartner's Litan.

For example, in July 2012 the U.S. Court of Appeals for the First Circuit overturned a 2011 judgment in favor of a bank that had allowed nearly $600,000 in unusual, fraudulent transfers to go through. In the suit, Patco, the construction company victimized by the fraud, argued that the bank's security procedures were not commercially reasonable under the Uniform Commercial Code, and in particular that the bank failed to meet the Federal Financial Institutions Examination Council's (FFIEC) authentication guidance for online banking.

Under FFIEC guidance, a bank's online authentication should be layered and should include tools that recognize a customer's normal transaction patterns and flag departures from them. Most of these points were spelled out in the contract between Patco and the bank, yet the bank failed to challenge the six unusual transfers that made up the fraud.

"By contract, the customer of the ACH processor and the bank agree to a set of commercially reasonable standards that dictates what happens if a customer suffers losses and standards weren't adhered to," Johnson says. "The party that was not adhering to standards is the one that has liability."

Remote transactions require new security solutions