Mobile banking has grown to more than 800 million users since smartphones entered widespread use. That growth has created an irresistible target for cyber criminals. They recently hit the bullseye.
In March 2015 ESET reported that a malware Trojan on mobile devices using the Android operating system was stealing users’ login credentials for mobile banking applications. The malware mimics the login screen of a bank’s mobile app and locks the screen until the user inputs his or her username and password. It can even copy text messages so that codes received in a SMS text message for use in two-factor authentication are compromised. Once the criminals have the login information they are able to access users’ bank accounts.
The malware spreads by pretending to be Adobe Flash Player. It can be installed only if the device’s default settings have been changed to allow apps to be obtained from locations other than the Google Play app store. Once installed the malware looks for mobile banking apps that are on its target list. For apps that are present the malware downloads the corresponding false login screens. The user then sees those screens when he or she opens one of the target banking apps. Login information is then sent to the criminals.
According to ESET the malware is targeting 20 banks, including the largest retail banks in Australia, New Zealand, and Turkey. Ominously, the malware also targets other online accounts such as Google, Skype, eBay, and PayPal. The ESET report states that development of the malware is ongoing, and that there is no reason it couldn’t be modified to include additional banks and other targets.
The extent of any losses resulting from this latest malware isn’t clear. The potential for losses is significant, however.
Would those losses be covered under a bank’s insurance policies? Possibly. That question begs a different question though: would the banks be responsible for the customers’ losses?
Many banks shield customers from loss arising from fraudulent mobile banking transactions and assume responsibility for the losses. Those banks have limited insurance options to recover amounts repaid. Computer fraud coverage in a bank’s fidelity bond might apply. That coverage is designed to respond to losses the bank sustains as a result of fraudulent data entered into, or changes made to, a computer system maintained by the bank. Depending on how the loss takes place, it is possible that the bond will cover amounts stolen as the direct result of the fraud.
For banks that do not make customers whole after losses are incurred, claims are a definite possibility. Those claims may be weak though. Based on what we know now, it does not appear that the banks have done anything to cause the losses. The fault arguably rests with customers who exposed themselves to the risk of malware like this by changing the settings on their devices so that they could install apps from unofficial sources. I doubt that customers and their lawyers will agree, however.
While we can’t know what aggrieved customers might allege that a bank did wrong, I think we can make a few educated guesses.
It seems likely that customers will allege that banks failed to adequately protect their accounts by ensuring that they could only be accessed by customers. They may also claim that banks misrepresented the safety of mobile banking. Customers may also claim that the banks’ mobile app is defective because it allows criminals to steal login information when the apps are used.
Faced with a consumer claim many banks might look for coverage under their bankers professional liability (BPL) policies. Coverage under those policies is doubtful though. BPL policies typically exclude claims arising from unauthorized access to computer systems. They may also exclude claims arising from technology services and failures of computer security.
Claims almost certainly will not be covered under a general liability policy. Those policies only cover bodily injury, property damage, personal injury, and advertising injury. The loss caused by this malware would not fall within the standard definitions of these terms. Further, professional services exclusions in the policies may also apply. Finally, new cyber exclusions developed within the past couple of years, if included in the policy, will make it very difficult to trigger coverage.
As I see it, cyber, technology E&O, and fidelity policies are the ones most likely to respond to customer claims.
A cyber policy very likely would cover any claim for a failure to protect account information. It would be critical to ensure that the policy’s definition of private information is broad enough to include the information compromised by the malware.
A technology E&O policy is the one best suited to respond to a claim alleging that the bank’s mobile app is defective. Such policies can include coverage for losses arising from failures of software such as mobile apps. This can often be included in cyber policies. This is coverage that banks, and any other company with a mobile app, should seriously consider carrying.
As I mentioned earlier, the fidelity bond may cover a bank for amounts taken from customer accounts. The fidelity insurer is unlikely to defend a suit, however.
The growing problem of malware on Android devices needs to be taken seriously by Android users. Avoiding installation of apps from unofficial sources is the best defense.