May 20, 2016

Financial Institution Liability for Rogue Mobile Apps

Introduction

According to the latest Mobility Report by Ericsson, there are currently over seven billion mobile phone subscriptions globally, and that number is predicted to increase to over nine billion by 2021. With the increasing trend of mobile computing, unauthorized mobile apps, or “rogue” apps as they are commonly called, are being offered by an increasing number of unscrupulous individuals in a wide range of authorized and unauthorized mobile app stores. Financial institutions are increasingly being forced to monitor for rogue apps and address the significant threats that rogue apps pose. Rogue apps generally fall into one of two categories: (i) counterfeit apps that are merely designed to profit on the popularity of the originals; and (ii) counterfeit apps that are designed to scam the unsuspecting user by stealing sensitive data. While financial institutions are not prime targets of the former type because they generally do not charge users a fee to download their apps, financial institutions are among the prime targets of the latter type because, when installed on a mobile device, such rogue apps can steal sensitive data, such as nonpublic personal information, banking logins and passwords, bank account numbers, or anything else stored on the mobile device. Making this problem even more disturbing for consumers is the fact that these latter type rogue apps are mostly indistinguishable from legitimate mobile apps offered by their financial institutions.

There are actions that financial institutions can and should take to mitigate the risk posed by these rogue apps. Financial institutions should (i) dedicate in-house staff to detect and respond to rogue apps in the marketplace or (ii) outsource rogue app detection and response services to a credible cyber threat intelligence service provider. Financial institutions can also purchase application integrity protection services to help prevent future efforts to compromise their mobile apps.

Creation of Rogue Apps and the Risks They Impose

Developing an enterprise mobile app can be a costly and time-consuming process for a financial institution; by contrast, compromising a mobile app is becoming easier and faster than ever before. In some cases, the initial compromise of a legitimate mobile app may take only minutes to complete. Whether financial institutions license their mobile apps from a third-party service provider or develop their mobile apps in-house, the reality is that in today’s technological world, knowledgeable hackers are able to compromise many mobile apps with relative ease. Using readily available code analysis tools, hackers are often able to reverse-engineer the mobile apps’ binary code, which is the code that consumers (or hackers) download to access mobile apps from an app store like Apple’s App Store or Google’s Play Store. This allows hackers to extract valuable code (including source code), sensitive data, or proprietary intellectual property from the mobile app. Once hackers have access to such information, they can develop rogue apps that contain unauthorized code modifications (e.g., disabled security controls) or malicious code, such as spyware, worms, and viruses, and post them on unauthorized app stores where unsuspecting customers will download the rogue apps under the guise of them being trusted legitimate apps. Such rogue apps are usually the most difficult to detect by visually checking app stores because, in addition to the malicious behavior that these rogue apps have been modified to perform, the rogue app will oftentimes continue to perform the normal processing functions as originally intended. Hackers can also easily scam unsuspecting customers by creating rogue apps from scratch that simply utilize a financial institution’s brand name, logo, or other parts of the financial institution’s brand as part of the rogue app icon or interface without the financial institution’s permission. Unfortunately, both types of rogue apps provide hackers with easy access to steal the personal and financial information of consumers, likely presenting grave consequences for both financial institutions and their customers.

The relative ease with which hackers can exploit a mobile app and the fact that financial institutions are among the top targets of hackers seeking high-value sensitive and financial information is troubling because, in some cases, financial institutions do not have adequate security measures in place to protect their mobile apps. As a result, consumers who use mobile banking apps may be subject to a higher risk of identity theft, which can have disastrous consequences for the consumer. Once a hacker has a consumer’s financial and personal information, the hacker can usually gain easy access to and take money from the consumer’s bank accounts or investment accounts or create a credit card account in the consumer’s name, which can negatively affect his or her credit. Identity theft via a rogue app also negatively impacts financial institutions by damaging their business reputations, driving traffic away from their legitimate mobile apps, and fostering mistrust and anger in their loyal customer base. What can financial institutions do to shield themselves and their customers from the adverse effects caused by rogue apps?

Financial Institutions’ Efforts to Mitigate the Risk of Rogue Apps

One approach that financial institutions can take to shield themselves and their customers from the adverse effects caused by rogue apps is to dedicate in-house staff to monitor the mobile app marketplace for rogue apps. But detection of such rogue apps is only half the battle. Once a rogue app is detected, financial institutions must be prepared to take swift action to remove the rogue app from the marketplace. Typically, this means sending a cease-and-desist letter to the developer of the rogue app in order to put the developer on legal notice and to demand that the rogue app be removed from the app store. Of course, this approach is only possible if the financial institution is able to identify the developer of the rogue app, which can be difficult, especially if the rogue app is only being offered by an unauthorized app store. If, however, the app is being offered by an authorized app store (e.g., Apple’s App Store or Google’s Play Store), financial institutions typically can rely on the app stores themselves to assist. For example, both Apple and Google have responsive policies in place that allow brand owners to report incidents of copyright and trademark infringement, after which the stores will put brand owners in contact with the developers of the suspected rogue apps. This greatly reduces the time and effort expended by such brand owners in identifying and locating the developers of the suspected rogue apps. Additionally, because the rogue app will most likely involve copyright infringement, the financial institution can initiate a notice of infringement under the Digital Millennium Copyright Act to request that the rogue app be removed from the app store.

Another and arguably better approach for financial institutions to deal with existing rogue apps effectively and efficiently is to outsource rogue app detection and response services to a cyber-threat intelligence provider. Not only does this approach prevent financial institutions from having to dedicate in-house staff to spend valuable time monitoring the authorized and unauthorized mobile app stores for rogue apps, it also allows financial institutions to focus their efforts toward other actions designed to mitigate the risk of being impacted by rogue apps; these actions are (i) maintaining an up-to-date inventory of all legitimate apps they currently offer in the marketplace, (ii) keeping their employees and customers informed regarding all such legitimate mobile apps, and (iii) encouraging their employees and customers to practice their own due diligence when downloading mobile apps (e.g., read user reviews and comments regarding the mobile app and permissions requested by the mobile app).

The two aforementioned approaches address what financial institutions can do to lessen the risks posed by existing rogue apps, but what can financial institutions do to prevent rogue apps from being created? According to leading security advisors, inadequate protection of a mobile app’s binary code is arguably the biggest risk factor for the security of mobile apps. As a result, protection (or hardening) of a mobile app’s binary code is paramount. Such protection, which is commonly called application integrity protection, is accomplished by inserting a network of “guards” (i.e., security measures) directly into the binary code of the mobile app before the app is released to the marketplace. Once implemented, these guards proactively defend, detect, and react to attempted compromises of the mobile apps, effectively protecting both the guards themselves and the mobile app from attack. With such self-aware and self-protecting mobile apps, hackers are faced with a much more difficult task in compromising mobile apps.
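As an added illustration of the guard-network idea described above (a constructed model, not code from the page or from any vendor's product; the segment contents, the guard layout and the off-device "backend" root check are assumptions), here is a Python sketch in which each guard hashes the segments it covers and later guards cover earlier ones, so that altering a guard to hide a modification is itself detected:

```python
import hashlib
import json
# Constructed stand-in for a compiled banking app (made-up contents): named code segments as bytes.
CLEAN_APP = {
    "login_flow":  b"\x01 present credentials form, POST /api/login",
    "pin_check":   b"\x02 require 6-digit PIN before any transfer",
    "tls_pinning": b"\x03 reject TLS connections whose key != pinned key",
}
ROOT_GUARD = "guard_c"   # the last guard; its digest is held outside the binary

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def guard_bytes(covers, expected) -> bytes:
    """Serialise a guard (what it covers and the hashes it expects) so that
    other guards can hash it like any other segment."""
    return json.dumps({"covers": covers, "expected": expected}, sort_keys=True).encode()

def install_guards(app):
    """Build-time step: insert a small guard network. Later guards cover earlier
    ones, so editing a guard's expected hashes to hide a change is itself caught.
    Returns (hardened_app, root_digest); only the root digest must live off-device
    (assumption: the bank's backend compares it during login)."""
    hardened = dict(app)
    layout = [
        ("guard_a", ["pin_check", "tls_pinning"]),
        ("guard_b", ["login_flow", "guard_a"]),
        (ROOT_GUARD, ["guard_a", "guard_b"]),
    ]
    for name, covers in layout:
        expected = {seg: sha256(hardened[seg]) for seg in covers}
        hardened[name] = guard_bytes(covers, expected)
    return hardened, sha256(hardened[ROOT_GUARD])

def run_guards(app, root_digest):
    """Runtime step: every guard re-hashes what it covers. Returns a list of
    (detector, segment) pairs for anything that no longer matches; "backend"
    denotes the off-device check of the root guard."""
    failures = []
    for name, blob in app.items():
        if not name.startswith("guard_"):
            continue
        for seg, digest in json.loads(blob)["expected"].items():
            if sha256(app.get(seg, b"")) != digest:
                failures.append((name, seg))
    if sha256(app.get(ROOT_GUARD, b"")) != root_digest:
        failures.append(("backend", ROOT_GUARD))
    return failures

def tamper(app, name, new_bytes):
    """Return a copy of the app with one segment replaced (models a repackaged app)."""
    modified = dict(app)
    modified[name] = new_bytes
    return modified
```

Replacing pin_check is caught by guard_a; rewriting guard_a to accept the change is caught by guard_b and guard_c; rewriting the root guard is caught only by the off-device digest, which is why at least one value must be anchored outside the binary.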

Financial Institutions’ Liability for Rogue Apps

The increasing number of rogue apps in the marketplace in conjunction with the damages that can result from a consumer’s use of a rogue app opens the door for an alarming potential for legal actions against financial institutions arising from their customers’ use of rogue apps. Do financial institutions have any liability to their customers regarding their use of rogue apps?

For years, cybersecurity advocates have taken the position that the only way to improve the security of software is to hold software vendors liable for security flaws in their software. In support of their position, these advocates point to evidence suggesting that software vendors know how to make software more secure. The problem is that software vendors do not have any legal or regulatory obligation to put such knowledge to use on a consistent basis. Thus, it is impractical to impose such liability on software vendors without providing some safe harbor for them. To that point, several years ago, a consortium of cybersecurity experts suggested that software vendors should be held to a minimum standard of care that requires developers to be held liable for the existence of certain common vulnerabilities in their software that pose a high risk of attack. Not only would such a standard provide software vendors with a clearer picture of what they are required to do to limit their liability, it also would provide end users with some protection in the event they are victimized as a result of the existence of such common vulnerabilities. While, in theory, this may seem like a sensible solution to the software vendor liability debate, it is not practicable in the context of rogue apps. Financial institutions, unlike other software vendors, cannot fully protect their customers from rogue apps simply by practicing better coding habits. Rogue apps are created by nefarious actors and are made available through third-party app stores over which financial institutions have little or no control. As a result, some would argue that financial institutions should not be held liable for the damages that rogue apps cause.

A customer victimized by rogue apps could seek to recover his or her damages under a breach of contract claim; however, such a customer would likely have a difficult time identifying a specific contractual obligation that the financial institution breached, especially if the rogue app at issue was a counterfeit app made from scratch instead of a counterfeit app made by exploiting some vulnerability in the financial institution’s legitimate mobile app. Even if a customer can overcome this hurdle, the customer would likely still have a difficult time recovering a significant amount of damages from his or her financial institution because a financial institution’s liability for such claims is typically severely limited by the terms of its customer agreement, which their customers must accept prior to using the financial institution’s services. Such agreements, which courts have generally treated as enforceable contracts, typically either limit or disclaim the financial institution’s liability for any direct damages suffered by their customers and disclaim the financial institution’s liability for any incidental, special, indirect or consequential damages suffered by their customers even if the financial institution has been advised of the possibility of such damages. In effect, customers may, at best, recover direct damages from their financial institutions up to the limit set forth in the customer agreement. Since a majority of the damages suffered by customers as a result of their use of rogue apps would arguably be characterized as consequential damages rather than direct damages, the risk of financial institutions incurring significant amounts of liability is minimal.

To avoid such limitations and disclaimers of liability, an aggrieved customer could attempt to bring a legal action against his or her financial institution under some tort theory. However, in order to be successful, customers may be required to overcome the economic loss rule, which has been adopted, in some form, by most states. Simply put, the economic loss rule prohibits a party who suffers only damages for economic loss from recovering such damages based on a tort theory, such as negligence, when unaccompanied by physical property damage or personal injury. This creates an issue for tort claims related to rogue apps because most damages suffered by victimized customers would be purely economic losses. Rather than address the difficult and unprecedented issue of whether financial institutions have some duty to protect their customers from rogue apps, courts may choose to rely on the economic loss rule to avoid the difficulties that could result from such a decision. Customers would therefore likely receive little if any relief under any tort theory.

Despite the lack of legal remedies, customers are provided some level of protection under the Electronic Funds Transfer Act (EFTA) of 1978 (15 U.S.C. §1693 et seq.). The EFTA, which is implemented through Regulation E, sets forth rules and procedures for electronic fund transfers, which include transfers through automated teller machines, point-of-sale terminals, automated clearinghouse systems, telephone bill-payment plans, and remote banking programs. It also limits individual consumers’ liability for unauthorized electronic fund transfers, which are transfers initiated by someone other than the account holder. However, the EFTA only limits a consumer’s liability to the extent the consumer provides his or her financial institution proper notice of the unauthorized transfer. If the consumer fails to provide such notice to his or her financial institution upon discovery of the unauthorized transfer, the consumer risks unlimited liability. Moreover, the EFTA only protects consumers from unauthorized electronic funds transfers. It offers no protection for any other damages arising from the consumer’s use of a rogue app. Thus, while the EFTA provides some means for customers to shield themselves from the risk posed by rogue apps in the marketplace, it does not provide complete protection. The lack of remedies afforded to customers under contract and tort theories and the limited protection offered by the EFTA suggest that, in the absence of some new legislation or regulation (for example, one restricting financial institutions’ ability to limit or disclaim their liability to their customers), customers victimized by rogue apps may have little success in holding their financial institutions liable. However, should financial institutions be held liable? Some would argue that the app stores and customers are in better positions to mitigate the risks posed by rogue apps and thus should be held accountable. After all, the app stores are the ones that allow rogue apps to be made available to unsuspecting customers. Shouldn’t they have some duty to police their own storefronts? Moreover, customers are the ones who knowingly download mobile apps from unauthorized app stores rather than from the authorized app stores. Shouldn’t they be held accountable for their own risky behavior? While these questions have yet to be answered by the courts, it is only a matter of time before one is addressed.

Conclusion

As more people utilize their mobile phones, mobile apps will play an increasingly pivotal role in our daily lives. To stay competitive in the industry, financial institutions will have no choice but to continue to invest heavily in this ongoing trend in order to provide their customers increased connectivity and functionality with respect to their mobile banking services. Equally important will be the efforts of financial institutions to shield their customers from the risk posed by the rogue apps that will inevitably infiltrate the marketplace. Despite the lack of legal duty or risk of significant liability, financial institutions will not be able to afford to take a hands-off approach in the fight against rogue apps.

Additional Resources

For other materials on this topic, please refer to the following. 

Business Law Section Program Library

The Scary Side of Social Media (PDF) (Audio)
Presented by: Consumer Financial Services
Location: 2014 Committee Meeting