The CIBC says an Ontario man is responsible for more than $80,000 charged to his card for a car purchase he claims he never made because that transaction was completed using a Personal Identification Number (PIN) in conjunction with the card's embedded chip. Nathan Denette/Canadian Press
The case of an Ontario man who was charged more than $80,000 on his credit card for purchases he claims he didn't make is raising new questions about the security of online and credit card transactions and whether banks are shifting liability for fraud to their customers.
Three years ago, Jason Monaco sued the Canadian Imperial Bank of Commerce after the bank insisted he was responsible for charging the cost of a custom-built race car to his bank-issued Visa card, a purchase Monaco says he never made.
Monaco, the founder and managing partner of a Toronto investment relations firm, alleges in his lawsuit that he discovered the charge of $81,276 "during a routine check of his Visa account balance" in June 2010.
After CIBC was alerted, the bank ultimately removed a second charge of $4,972 that Monaco also disputed. His lawsuit alleges that although both transactions bore the same fraudulent signature on the transaction receipts, CIBC is holding Monaco responsible for the car purchase because that transaction was completed using a personal identification number (PIN) in conjunction with the card's embedded chip.
Fraudulent PIN transactions 'impossible'
Monaco declined to speak about the case. Monaco and CIBC have also filed claims against the business where the fraudulent transaction took place.
In its statement of defence, CIBC argues that "it is not possible to process a chip and PIN transaction without the Visa card and the confidential PIN."
Steven Murdoch, a researcher with the computer laboratory at Britain's Cambridge University, disagrees that "chip and PIN" security is impenetrable.
"It's actually quite an old technology — between 15 and 20 years old."
Several years ago Murdoch and his colleagues demonstrated a number of flaws in the system.
One allows criminals to use a small piece of hardware placed between the card and the merchant's terminal to make any random PIN entered on that terminal appear to be accepted. That acceptance, and not the PIN itself, is then sent to the bank, making it appear that the correct PIN was entered.
"And sometimes as a result, customers are refused a refund," Murdoch says. "Even though they've been the victim of fraud and they have not been negligent."
Murdoch managed to shrink the hardware required to the size of a deck of cards, but he says criminals in France were able to put it on a microchip and embed it on counterfeit cards.
Caveats and conditions
But the Ontario lawsuit does more than raise questions about chip and PIN security.
CIBC's lawyers say the caveats in Monaco's cardholder agreement also make him responsible for the charge.
"The primary cardholder is liable for any transactions made on the Visa account," the language reads, "if any cardholder uses a PIN to make the transaction."
CIBC also points to a condition that stipulates cardholders are responsible for all charges until the bank is alerted that a card is lost or stolen.
Monaco claims his card was neither lost, stolen nor did he divulge his PIN to anyone.
Further, his lawsuit claims that CIBC's reliance on fine print and an "exclusion of liability clause is unconscionable."
CIBC declined to discuss the case.
The bank, along with Scotiabank, National Bank, Royal Bank and TD Canada Trust, also declined to answer specific questions about the lengthy agreements customers implicitly accept by using bank-issued credit and debit cards, or online banking services.
Interview requests to Bank of Montreal were not acknowledged.
A spokesperson for TD offered a general reply that the "spirit" of the bank's online security guarantee is to cover clients' losses in case of fraud, adding that the bank looks "at every situation case by case."
A survey of the electronic banking agreements for the big six institutions reveals a variety of conditions imposed on clients. They include requirements such as having the latest anti-virus software on any computer used for banking, and not using a PIN, password or security question that's too easy to guess.
CIBC's electronic access agreement also makes customers potentially liable if they use software that collects and displays financial information from different sources. One popular example of such an aggregation service is the one offered by Mint.com.
Conditions 'quite reasonable'
Maura Drew-Lytle, a spokeswoman for the Canadian Bankers Association, says the various conditions aren't onerous.
"[The banks] are quite reasonable in my opinion," Drew-Lytle said.
"Generally, if they don't think you have knowingly contributed to the fraud, then chances are you will get reimbursed. Again, it's case by case. They have to look at that."
Last year, Canada's six largest banks reimbursed clients some $9 million for fraudulent online transactions. The most recent statistics (2012) on credit card and debit card payouts top half a billion dollars.
But the banks don't provide statistics on the value of fraud they don't cover, or the number of clients they refuse to make whole.
Ombudsman for Banking Services and Investments Douglas Melville says he isn't seeing a significant number of clients complaining about caveat-laden agreements.
"I think the banks' legal departments are going to do what they need to in order to protect the interests of the banks," Melville says.
"If there's truly no evidence of clients being in some kind of compromising situation like having written down the PIN on their wallet or their card, our experience is that banks have generally been looking after their customers quite well."
Conservative MP James Rajotte, who chairs the parliamentary finance committee, said he was surprised the banks wouldn't talk about their agreements.
"I mean they're agreements that are easily obtainable, so I would think it would be entirely reasonable to expect they would be willing to discuss those publicly."
Banks offered blanket assurances
Glenn Thibeault, the NDP's consumer affairs critic, notes that a number of bank and credit card officials recently testified at finance committee hearings into mobile digital payments. He said they offered blanket assurances that clients are protected from electronic fraud losses.
"Zero-liability also has 10 asterisks beside it," Thibeault said. "Zero liability isn't actually going to be in effect if this is the way banks are doing this."
The debate about what's reasonable to expect from bank customers in the digital frontier will only become more pointed, said Larry Keating, CEO of NPC, an Ontario firm that helps professionals and organizations secure their computers.
He said efforts of cybercriminals to exploit security weaknesses can be brilliant, nasty and difficult for unsophisticated users to completely prevent.
"When the bank has requirements in those agreements," Keating says, "in my mind that hasn't been resolved as to who will be responsible for what and how. The banks can hold their ground and they're going to have an enormous public relations issue."