FYI...Security on Trial: Effectiveness vs. Convenience
March 25, 2013 - "On March 18 a Missouri US District Court ruled that BancorpSouth was not liable for a fraudulent $440,000 wire transfer
executed by cyber criminals using a hijacked account belonging to one of its customers (Choice Escrow Land Title LLC) account. The primary basis for the court’s ruling was the Uniform Commercial Code (UCC) Article 4a. Essentially it states that if a bank offers commercially reasonable security procedures and a commercial customer refuses to implement them, then the customer is liable for any fraud on their account
BancorpSouth offers its customers dual authorization for wire transfers. The customer, Choice Escrow Land Title, declined to use it
. While many aspects of this case will be discussed and debated, a key point made by Judge John Maughmer in his summary judgment is worth noting: “The tension in modern society between security and convenience is on full display in this litigation." This case perfectly illustrates the ongoing struggle between security effectiveness and convenience. Choice Escrow declined to implement dual authorization for wire transfers because they deemed the control could interfere with their ability to conduct business. As a small company, Choice was concerned that two employees would not always be readily available to execute a wire transfer. Because wire transfers are typically used when immediate payment is required, any delays would impact the timeliness of these payments.
While not overtly stated in the summary judgment, the fraud was most certainly enabled by Man-in-the-Browser (MitB) malware
. The correct username and password were used from a device with a valid software token and a regularly used IP address. These are all indications of MitB malware, which can inject fraudulent transactions into authenticated online banking sessions or use the legitimate user’s machine as a proxy to route fraudulent transactions.
Device identification methods (including software tokens and IP address used here) simply cannot reliably detect fraud conducted using MitB malware. In fact, dual authorization is also highly susceptible to MitB malware. The fraudster simply needs to compromise multiple devices at the target business, which has been done on numerous occasions. The heart of the matter in this case is usable security. It’s considered commercially reasonable to require the customer to use (and often pay for) hardware tokens to authenticate online banking sessions and subsequent transactions within the session. It’s also considered commercially reasonable for risk engines to regularly block legitimate transactions suspected of being fraudulent, and place a hold on suspicious transactions until the customer is contacted. Finally, it’s considered commercially reasonable to regularly ask online banking customers to answer multiple challenge questions. Even though answers to these questions can be easily captured via malware and phishing, and often can be discovered using a simple web search.
All the solutions listed above provide marginally improved security, but they do so at the high cost of customer inconvenience. As commercial banking customers become more educated about the legal liabilities surrounding online banking and payments fraud, we expect to see a shift in their behavior. Banks that provide convenient, effective security controls and place a strong emphasis on maintaining a frictionless customer experience will be perceived more favorably. Those that force their customers to adopt cumbersome, questionable security controls will be viewed as adversarial
. Financial institutions that do not provide effective, usable security controls should be prepared for some of their customers to look for and move to providers that do."
26 Mar 2013 - "... The court ruled that the company assumed greater responsibility for the incident because it declined to use a basic security precaution recommended by the bank: requiring -two- employees to sign off on all transfers... a judge with the U.S. District Court for the Western District of Missouri focused on the fact that Choice Escrow was offered and explicitly declined in writing the use of dual controls, thereby allowing the thieves to move money directly out their account using nothing more than a stolen username and password. The court noted that Choice also declined to set a limit on the amount or number of wire transfers allowed each day (another precaution urged by the bank), and that the transfer amount initiated by the thieves was not unusual for Choice, a company that routinely moved large sums of money..."