Man in the Middle Attacks
NEW JERSEY LAW JOURNAL JANUARY 11, 2016 222 N.J.L.J. 98
Understanding and combating this form of wire fraud
Bick is of counsel at Brach Eichler in Roseland. He is also an adjunct professor at Pace and Rutgers law schools, and the author of "101 Things You Need to Know About Internet Law" (Random House 2000).
During the last week of December 2015, several New Jersey firms were the victims of non-trivial data breaches. While three involved real estate closings and the rest involved commercial transactions, all resulted in funds being wired to an Internet hacker. Each firm was a victim of a "man-in-the-middle" attack, in which a hacker first acquires access to a firm's server, then uses that access to redirect all e-mails associated with the firm's server to the hacker's own server, and subsequently changes the payment information and other details in those e-mails to defraud the firm and the parties working with it.
While the Fair Credit Reporting Act and other federal laws encourage the implementation of policies, programs and procedures to keep data safe by requiring entities to maintain reasonable procedures designed to avoid the disclosure of information, not all entities are covered, and the obligations imposed on covered entities are not specific. Even covered entities may not be required to protect themselves from man-in-the-middle attacks, because the regulations implementing these obligations typically detail disposal obligations, such as implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing information so that the information cannot practicably be read or reconstructed. 16 C.F.R. §682.3(b)(2).
States also encourage the implementation of policies, programs and procedures to keep data safe by imposing another layer of data security requirements on entities that collect and maintain information. Typically, states have general data security laws in place that require businesses to act reasonably so as to maintain data safely within their possession. See, e.g., Md. Code Ann. Comm. Law §13-3503 (2013), and Cal. Civ. Code §1798.81.5(b) (2013). Regrettably, reasonable data security normally lags data breach activities. Once a data breach has been discovered, reasonable firms must both combat future technological and procedural exposures and assess responsibility for liability. Internet-enabled wire transfers were an element of each of the transactions connected to the New Jersey firm data breaches noted above.
U.C.C. §4A-202(b) (2005) is applicable to Internet-enabled wire transfers. It provides an incentive to the bank that receives a payment order from an account holder to create a security procedure to ensure that the payment order is authorized. If the receiving bank puts in place "a commercially reasonable method of providing security against unauthorized payment orders" and "complies with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer," even an unauthorized payment order will be treated as if it were authorized. However, if the receiving bank did not use a commercially reasonable security procedure, it would have the evidentiary burden of proving that an allegedly unauthorized payment order was in fact authorized. Thus, a bank acts at its peril in accepting a payment order that may be unauthorized.
The customer is strictly liable to supervise its employees. In particular, according to the UCC, the customer is to supervise its employees to ensure compliance with security procedures and to safeguard confidential security information and access to transmitting facilities so that the security procedure cannot be breached. Thus, the account holder cannot argue that all the appropriate measures to prevent an unauthorized transaction were taken. In addition, it is no longer the bank's burden to prove that the account holder was negligent.
It should be noted that §4A-203(a)(2) offers another way to hold the bank liable. The official comments indicate that the confidential information necessary to institute an unauthorized payment order must be obtained either from a source controlled by the customer or from a source controlled by the receiving bank. The customer can shift the liability for loss if it can be proved that the person committing the fraud did not obtain the confidential information from an agent or former agent of the customer or from a source controlled by the customer. Internet breaches are not limited to man-in-the-middle attacks. Such breaches include phishing, IP spoofing, denials-of-service and distributed denials-of-service. While some breaches result in financial fraud, others are undertaken purely for the publicity.
Effectively combating man-in-the-middle attacks and other Internet breaches can be as simple as calling a party to confirm wiring instructions prior to wiring funds. Substantial compliance may also require a firm-wide memo. A memo such as the following is likely to be sufficient:
Before wiring any funds from this office, you must call the recipient's law firm, identify the person you are speaking with, and confirm the wire information that you received. This information should then be noted on the wire transfer document before it is signed by an authorized person here to initiate the wire. Do not merely rely on written wire information that you received previously.
Such a memo would be useful for protecting the firm from some liability due to the activities of a rogue employee.
Equally effective technological changes may be implemented, such as specifying that transmission of data take place over a connection protected by 128-bit Secure Sockets Layer (SSL), which is a standard security technology for establishing an encrypted link between a server and a client—typically a web server and a browser, or a mail server and a mail client. SSL certificates are widely and cheaply available, and root certificates are built into all major browsers. While man-in-the-middle attacks against an SSL connection are still theoretically possible, firms are typically sophisticated enough to take steps such as verifying certificate signatures to safeguard against such hacks.
Additionally, firms should not only attempt to prevent loss but should also take steps to reduce its effects. One effective process for reducing the effects of lost data is to require firm servers to automatically log transactions that provide access to sensitive data. This process cannot prevent a hacker from copying information displayed on a computer monitor, but it can help an institution detect what was revealed in the breach, and perhaps minimize its spread.
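The paragraph above recommends that servers log every transaction granting access to sensitive data so that, after a breach, the firm can work out what was revealed. The following Python script is an added illustration of how such a log is used after the fact; it is not code from the article or from any firm named in it. The log line format, the field names (`user`, `action`, `record`, `class`), the sensitivity classes and the sample entries are all constructed for this example. Given a list of compromised accounts and a breach window, it reconstructs which sensitive records were exposed and which wire-instruction records were modified and therefore need independent re-verification before any funds move.

```python
"""Reconstruct what a breach exposed from a server's sensitive-data access log.

Added example, not from the article. Log format and sample lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed audit-line format:
#   <ISO-8601 timestamp> user=<account> action=<verb> record=<id> class=<sensitivity>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) class=(?P<cls>\S+)$"
)

# Sensitivity classes (hypothetical) whose exposure matters for breach assessment.
SENSITIVE_CLASSES = ("wire", "client")

# Constructed sample log covering the last week of December 2015.
SAMPLE_LOG = """
2015-12-28T09:14:02+00:00 user=jdoe action=read record=closing-0417 class=wire
2015-12-28T09:15:30+00:00 user=jdoe action=update record=closing-0417 class=wire
2015-12-28T10:02:11+00:00 user=asmith action=read record=closing-0418 class=wire
2015-12-28T23:41:55+00:00 user=jdoe action=read record=client-0099 class=client
2015-12-29T08:00:00+00:00 user=jdoe action=read record=memo-2015 class=internal
2015-12-30T11:00:00+00:00 user=jdoe action=read record=closing-0420 class=wire
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str
    record: str
    cls: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse audit lines; an unparseable line is an error, not silently skipped,
    because a gap in the audit trail is itself a finding."""
    events: list[AccessEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(AccessEvent(
            ts=datetime.fromisoformat(m["ts"]),
            user=m["user"], action=m["action"],
            record=m["record"], cls=m["cls"],
        ))
    return events


def exposed_records(events: list[AccessEvent], compromised_users: set[str],
                    start: datetime, end: datetime) -> dict[str, set[str]]:
    """Map each sensitive record touched by a compromised account inside the
    breach window [start, end] to the set of actions performed on it."""
    exposed: dict[str, set[str]] = {}
    for e in events:
        if (e.user in compromised_users and start <= e.ts <= end
                and e.cls in SENSITIVE_CLASSES):
            exposed.setdefault(e.record, set()).add(e.action)
    return exposed


def wire_records_to_reverify(events: list[AccessEvent], compromised_users: set[str],
                             start: datetime, end: datetime) -> set[str]:
    """Wire-instruction records a compromised account modified during the window.
    These are the records whose payment details must be confirmed out of band
    (e.g. by telephone) before any transfer relies on them."""
    return {
        e.record for e in events
        if e.user in compromised_users and start <= e.ts <= end
        and e.cls == "wire" and e.action == "update"
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    window = (datetime(2015, 12, 28, tzinfo=timezone.utc),
              datetime(2015, 12, 29, 23, 59, 59, tzinfo=timezone.utc))
    print("exposed:", exposed_records(evts, {"jdoe"}, *window))
    print("re-verify wires:", wire_records_to_reverify(evts, {"jdoe"}, *window))
```

The design choice worth noting is that the reconstruction keys on the record, not on the e-mail: once a compromised account is known, the audit trail, rather than the (possibly altered) correspondence, is the authoritative list of what the attacker could have read or changed, which is exactly what the firm needs for breach notification and for deciding which wire instructions to re-confirm by telephone.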
In Sovereign Bank v. BJ's Wholesale Club, 533 F.3d 162 (3d Cir. 2008), and Hammond v. Bank of N.Y. Mellon Corp., 2010 WL 2643307 (S.D.N.Y. June 25, 2010), courts have interpreted the causation requirements built into tort law to exempt data owners or storehouses from liability. This interpretation has acted as a disincentive to take precautions.