Bank customer’s lawsuit raises questions about fraud liability

Posted March 16th, 2014 by Gerry La Rocca & filed under Financial Accounting, Fraud.

$80K fraud case highlights caveats and conditions giving banks a backdoor for liability

$80K fraud case highlights caveats and conditions giving banks a backdoor for liability

Security of online credit cards in question

The case of an Ontario man who was charged more than $80,000 on his credit card for purchases he claims he didn’t make is raising new questions about the security of online and credit card transactions and whether banks are shifting liability for fraud to their customers.

Three years ago, Jason Monaco sued the Canadian Imperial Bank of Commerce after the bank insisted he was responsible for charging the cost of a custom-built race car to his bank-issued Visa card, a purchase Monaco says he never made.

Monaco, the founder and managing partner of a Toronto investment relations firm, alleges in his lawsuit that he discovered the charge of $81,276 “during a routine check of his Visa account balance” in June 2010.

After CIBC was alerted, the bank ultimately removed a second charge of $4,972 that Monaco also disputed. His lawsuit alleges that although both transactions bore the same fraudulent signature on the transaction receipts, CIBC is holding Monaco responsible for the car purchase because that transaction was completed using a personal identification number (PIN) in conjunction with the card’s embedded chip.

Fraudulent PIN transactions ‘impossible’

“It’s actually quite an old technology — between 15 and 20 years old.”

Several years ago Murdoch and his colleagues demonstrated a number of flaws in the system.

One allows criminals to use a bit of hardware to fool the card into accepting any random PIN entered on a merchant’s card terminal. That acceptance, and not the PIN itself, is then sent to the bank, making it appear that the correct PIN was entered.

“And sometimes as a result, customers are refused a refund,” Murdoch says. “Even though they’ve been the victim of fraud and they have not been negligent.”

Murdoch managed to shrink the hardware required to the size of a deck of cards, but he says criminals in France were able to put it on a microchip and embed it on counterfeit cards.

Caveats and conditions

But the Ontario lawsuit does more than raise questions about chip and PIN security.

CIBC’s lawyers say the caveats in Monaco’s cardholder agreement also make him responsible for the charge.

“The primary cardholder is liable for any transactions made on the Visa account” the language reads, “if any cardholder uses a PIN to make the transaction.”

CIBC also points to a condition that stipulates cardholders are responsible for all charges until the bank is alerted that a card is lost or stolen.

Monaco claims his card was neither lost, stolen nor did he divulge his PIN to anyone.

Further, his lawsuit claims that CIBC’s reliance on fine print and an “exclusion of liability clause is unconscionable.”

Conditions ‘quite reasonable’

Maura Drew-Lytle, a spokeswoman for the Canadian Bankers Association, says the various conditions aren’t onerous.

“[The banks] are quite reasonable in my opinion,” Drew-Lytle said.

“Generally, if they don’t think you have knowingly contributed to the fraud, then chances are you will get reimbursed. Again, it’s case by case. They have to look at that.”

Last year, Canada’s six largest banks reimbursed clients some $9 million for fraudulent online transactions. The most recent statistics (2012) on credit card and debit card payouts top half a billion dollars.

But the banks don’t provide statistics on the value of fraud they don’t cover, or the number of clients they refuse to make whole.

Ombudsman for Banking Services and Investments Douglas Melville says he isn’t seeing a significant number of clients complaining about caveat-laden agreements.

Banks offered blanket assurances

Glenn Thibeault, the NDP’s consumer affairs critic, notes that a number of bank and credit card officials recently testified at finance committee hearings into mobile digital payments. He said they offered blanket assurances that clients are protected from electronic fraud losses.

“Zero-liability also has 10 asterisks beside it,” Thibeault said. “Zero liability isn’t actually going to be in effect if this is the way banks are doing this.”

The debate about what’s reasonable to expect from bank customers in the digital frontier will only become more pointed, said Larry Keating, CEO of NPC, an Ontario firm that helps professionals and organizations secure their computers.

He said efforts of cybercriminals to exploit security weaknesses can be brilliant, nasty and difficult for unsophisticated users to completely prevent.