Major US banks harden accounts for hack victims – Krebs on Security


When US consumers have their online bank accounts hacked and looted by hackers, US financial institutions are legally bound to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner. But new data released this week suggests that for some of the nation’s largest banks, reimbursing victims of account takeover has become more the exception than the rule.

The findings came in a report published by Senator Elizabeth Warren (D-Mass.), who in April 2022 opened an investigation into fraud related to Zelle, the peer-to-peer digital payment service used by many financial institutions that lets customers quickly send money to friends and family.

Zelle is run by Early Warning Services LLC (EWS), a private financial services company jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, US Bank and Wells Fargo. Zelle is enabled by default for customers of more than 1,000 different financial institutions, even though many of those customers still don’t know it’s there.

Sen. Warren said several of EWS’ owning banks, including Capital One, JPMorgan and Wells Fargo, failed to provide all of the requested data. But Warren did obtain the requested information from PNC, Truist and US Bank.

“Overall, the three banks that provided comprehensive datasets reported 35,848 scam cases, involving more than $25.9 million in payments in 2021 and the first half of 2022,” the report summarizes. “In the vast majority of these cases, banks did not reimburse customers who said they had been scammed. Overall, these three banks reported refunding customers in just 3,473 cases (representing nearly 10% of scam claims) and refunding only $2.9 million.”

Importantly, the report distinguishes between cases involving direct takeovers of bank accounts and unauthorized transfers (fraud), and losses resulting from “fraudulently induced payments”, where the victim is tricked into authorizing the transfer of funds to scammers (scams).

A common example of the latter is the Zelle Fraud Scam, which uses an ever-changing set of come-ons to trick people into transferring money to fraudsters. The Zelle Fraud Scam often uses spoofed text messages and phone calls that appear to come from the victim’s bank, and it usually involves tricking the customer into thinking they are sending money to themselves when they are really sending it to the crooks.

Here’s the catch: when a customer issues a payment order to their bank, the bank is required to honor that order as long as it passes a two-step test. The first question is: is the request really coming from an account owner or signing authority? In the case of Zelle scams, the answer is yes.

Trace Fooshee, strategic advisor in the anti-money laundering practice at Aite Novarica, said the second step requires banks to run the customer’s transfer order through a kind of “detection test” using “commercially reasonable” fraud checks, which are generally not designed to detect patterns involving social engineering.

Fooshee said the legal term “commercially reasonable” is the main reason no bank has much – if anything – in the way of scam detection.

“For them to deploy something that would detect a good deal of fraud on something so hard to detect, they would generate extremely high rates of false positives which would also make consumers (and, subsequently, regulators) very unhappy,” Fooshee said. “It would undermine the business case for the service as a whole, making it something the bank can claim is NOT commercially reasonable.”

Senator Warren’s report makes it clear that banks generally do not reimburse consumers who are fraudulently induced to make Zelle payments.

“Simply put, Zelle indicated that it would provide redress to users for unauthorized transfers in which a user’s account is accessed by a bad actor and used to transfer payment,” the report continues. “However, EWS’ response also indicated that neither Zelle nor its parent bank owners would reimburse users fraudulently enticed by a bad actor to make a payment on the platform.”

Yet the data suggests that banks refunded at least some of the funds stolen from scam victims about 10% of the time. Fooshee said he was surprised that number was so high.

“The fact that banks pay anything to victims of authorized payment scams is remarkable,” he said. “It’s money they pay out of pocket almost entirely for goodwill. One could argue that reimbursing all victims is a good strategy, especially in the climate we find ourselves in, but to say that this should be what all banks do remains opinion until Congress changes the law.”

UNAUTHORIZED FRAUD

However, when it comes to reimbursing victims of fraud and account takeovers, the report suggests banks are shortchanging their customers whenever they can get away with it. “Overall, the four banks that provided complete datasets indicated that they only reimbursed 47% of the dollar amount of fraud claims they received,” the report noted.

How did the banks behave individually? From the report:

– In 2021 and the first six months of 2022, PNC Bank reported that its customers reported 10,683 instances of unauthorized payments totaling more than $10.6 million, of which only 1,495 instances totaling $1.46 million were refunded to consumers. PNC Bank left 86% of its customers who reported fraud without recourse for fraudulent activity that occurred on Zelle.

– Over this same period, US Bank customers reported a total of 28,642 instances of unauthorized transactions totaling over $16.2 million, while the bank refunded only 8,242 instances totaling less than $4.7 million.

– In the period between January 2021 and September 2022, Bank of America customers reported 81,797 instances of unauthorized transactions, totaling $125 million. Bank of America only paid out $56.1 million in fraud claims, less than 45% of the total dollar value of claims made in that time.

Truist indicated that the bank had a much better record of reimbursing defrauded customers during this same period. During 2021 and the first half of 2022, Truist clients filed 24,752 unauthorized transaction claims amounting to $24.4 million. Truist paid 20,349 of those claims, totaling $20.8 million – 82% of Truist’s claims were paid during this period. Overall, however, the four banks that provided complete datasets reported that they only reimbursed 47% of the dollar amount of fraud claims they received.

Fooshee said there has long been a lot of inconsistency in how banks reimburse unauthorized fraud claims – even after the Consumer Financial Protection Bureau (CFPB) issued guidance on what counts as an unauthorized fraud claim.

“Many banks have reported that they still do not meet these standards,” he said. “As a result, I imagine the CFPB will crack down on those who issue fines and we will see a correction.”

Fooshee said many banks have recently adjusted their refund policies to bring them more in line with CFPB guidelines from last year.

“So it’s going in the right direction, but not with enough vigor and speed to satisfy the critics,” he said.

Seth Ruden is a payment fraud expert who serves as global advisory director for the digital identity company BioCatch. Ruden said Zelle recently made “significant changes to monitoring its fraud program due to consumer influence.”

“It’s clear to me that despite the sensational headlines, progress has been made to improve outcomes,” Ruden said. “Currently, in-network losses on a volume-adjusted basis are lower than typical for credit cards.”

But he said any failure to reimburse victims of fraud and account takeover only adds to the pressure on Congress to do more to help those who are defrauded into authorizing Zelle payments.

“The bottom line is that regulations haven’t kept pace with payment technology in the United States, and we’re not alone,” Ruden said. “For the first time in the UK, authorized losses from payment scams have exceeded credit card losses and a regulatory response is now on the table. Banks have a choice now to act and strengthen the controls or wait for regulators to impose a new regulatory environment.”

Senator Warren’s report is available here (PDF).

There are, of course, some versions of the Zelle Fraud Scam that can confuse financial institutions as to what constitutes an “authorized” payment instruction. For example, the variant I wrote about earlier this year started with a text message that spoofed the target’s bank and warned of a suspicious pending transfer.

Those who responded received a call from a spoofed number made to look like it came from the victim’s bank, and were asked to validate their identity by reading back a one-time passcode sent via text message. In reality, the thieves had simply asked the bank’s website to reset the victim’s password, and that one-time code texted by the bank’s site was the only thing the crooks needed to reset the target’s password and empty the account using Zelle.
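Seen from the bank’s side, the takeover just described leaves a recognizable trail: a password reset, then a newly added recipient, then a transfer, all within minutes. The following is an added example (not code from the original post or from any bank) that scans a constructed event log for exactly that sequence; the event names, the one-hour window and the dollar threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not real data): account 1001 shows the
# reset-then-drain sequence; account 2002 shows ordinary, unrelated activity.
SAMPLE_EVENTS = [
    ("1001", "2022-10-03T14:02:10", "password_reset", {}),
    ("1001", "2022-10-03T14:04:55", "payee_added", {"payee": "new-recipient"}),
    ("1001", "2022-10-03T14:06:30", "p2p_transfer", {"payee": "new-recipient", "amount": 2400.0}),
    ("2002", "2022-10-03T09:15:00", "p2p_transfer", {"payee": "landlord", "amount": 1200.0}),
    ("2002", "2022-10-03T18:40:00", "password_reset", {}),
]


def parse(events):
    """Turn (account, iso_timestamp, kind, data) rows into rows with datetime objects."""
    return [(acct, datetime.fromisoformat(ts), kind, data) for acct, ts, kind, data in events]


def find_reset_then_drain(events, window=timedelta(hours=1), min_amount=500.0):
    """Return (account, amount, timestamp) for each P2P transfer that follows a
    password reset within `window` and goes to a payee added after that reset."""
    by_acct = {}
    for acct, ts, kind, data in sorted(parse(events), key=lambda e: e[1]):
        by_acct.setdefault(acct, []).append((ts, kind, data))

    alerts = []
    for acct, evs in by_acct.items():
        last_reset = None      # time of the most recent password reset
        new_payees = set()     # payees added since that reset
        for ts, kind, data in evs:
            if kind == "password_reset":
                last_reset, new_payees = ts, set()
            elif last_reset is None or ts - last_reset > window:
                continue       # no recent reset: ordinary activity, ignore
            elif kind == "payee_added":
                new_payees.add(data["payee"])
            elif kind == "p2p_transfer" and data["payee"] in new_payees \
                    and data["amount"] >= min_amount:
                alerts.append((acct, data["amount"], ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for acct, amount, when in find_reset_then_drain(SAMPLE_EVENTS):
        print(f"ALERT account={acct} amount={amount:.2f} at={when}")
```

A rule like this does not decide whether a payment was authorized in the legal sense; it only surfaces the sequence for a hold or a callback before the money leaves.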

None of the above discussion touches on the risks facing businesses that bank online. Businesses in the United States don’t have the same fraud protections as consumers, and if a banking trojan or a clever phishing site causes a business account to be drained, most banks won’t refund that loss.

That’s why I have always urged, and will continue to urge, small business owners to bank online only from a dedicated, locked-down and secure device – and preferably a non-Windows machine.

For consumers, the same old advice remains best: watch your bank statements like a hawk, and immediately report and dispute any charges that appear fraudulent or unauthorized.
