Cyberheist: The Real Bite in Company Suits Against Banks for Negligence



As we've mentioned repeatedly in this blog, the FDIC does not insure SMBs against losses to fraudulent account access the same way that it covers individual bank accounts. This has left some small businesses scrambling to deal with losses related to fraudulent account access and funds transfers, none so flagrant or obvious as what befell Patco, a Maine-based construction company that had $588,000 siphoned out of its commercial accounts. Once the dust settled, Patco incurred actual losses of $345,000 after its bank decided to block some remaining pending funds transfers once the fraud was discovered. See this Washington Post story "Maine Firm Sues Bank after $588,000 Cyber Heist" for a nice general overview of the circumstances surrounding their loss.



When Patco failed to recover its complete losses, it filed suit against the bank, alleging that Section 4A-202 (Issue and Acceptance of Payment Order) of the Uniform Commercial Code (UCC) had been violated. A summary of the language detailing those alleged violations, from the Information Lawgroup's 1/14/2010 newsletter entitled "Online Banking and 'Reasonable Security' Under the Law: Breaking New Ground?", makes fascinating reading:

* failure to offer/use multi-factor authentication to authenticate the plaintiffs’ identity for online transactions;

* use of an unreasonably low trigger for “challenge question” authentication;

* failure to provide an IP address block that would block orders originating from unapproved IP addresses;

* failure to detect fraud because the amounts of the payments were the largest ever made under the account, were sent to accounts to which funds had never been transferred, originated from an IP address that had never previously been used and occurred on days that the plaintiff normally did not make payments;

* failure to offer a dual control option requiring two people to log on in order to complete a payment transaction;

* allowing a transfer limit that exceeded the needs of the plaintiff;

* failure to manually review ACH payment batches prior to submission for payment; and

* failure to provide email alerts concerning unusual transactions.


As an indictment of the state of security at People's United Bank, it's amazing to read that such fundamental security protections as described in the foregoing language were NOT in place. But careful reading of the Information Lawgroup article reveals similar allegations in two other lawsuits, one of which involves national giant Capital One, and the other a regional bank of approximately the same size and scale as the plaintiff in the Patco filing.



What does this tell us? That the state of banking security around online services and funds transfers is pretty abysmal, and that some serious remedial effort is required throughout the entire banking industry to address these reported oversights, and make sure systems do not remain wide open to phishing scams and fraudulent access. In particular, the IP check and the use of a security token device (or some "moral equivalent" thereof, like a cellphone message or a fax with a one-time key) would pretty much eliminate this kind of fraud. Even so, the technical fraud detection measures also outlined in the allegations — particularly reacting to patterns related to time of day/week/month, size, and destinations for funds transfers — could also help to identify fraud as soon as it gets underway, and prevent it from succeeding.
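The pattern checks named in the allegations (largest amount ever, never-used destination, never-used source IP, unusual day) can be sketched as a simple pre-release screen. This is an added example, not code from the original post or from any bank's system; the `Transfer` fields, the two-signal hold threshold and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Transfer:
    day: date
    amount: float
    dest_account: str
    source_ip: str

def risk_signals(history, order):
    """Name each anomaly from the complaint that this payment order exhibits."""
    if not history:
        return ["no_history"]  # nothing to compare against: treat as risky
    signals = []
    if order.amount > max(t.amount for t in history):
        signals.append("largest_amount_ever")
    if order.dest_account not in {t.dest_account for t in history}:
        signals.append("new_destination")
    if order.source_ip not in {t.source_ip for t in history}:
        signals.append("new_source_ip")
    if order.day.weekday() not in {t.day.weekday() for t in history}:
        signals.append("unusual_weekday")
    return signals

def decide(history, order, hold_at=2):
    """Hold the order for manual review once `hold_at` signals fire (assumed policy)."""
    signals = risk_signals(history, order)
    hold = "no_history" in signals or len(signals) >= hold_at
    return ("hold_for_review" if hold else "release"), signals

# Constructed sample data: three Friday payroll runs from one office IP.
HISTORY = [
    Transfer(date(2024, 1, 5), 14200.00, "PAYROLL-001", "198.51.100.10"),
    Transfer(date(2024, 1, 12), 14500.00, "PAYROLL-001", "198.51.100.10"),
    Transfer(date(2024, 1, 19), 13900.00, "PAYROLL-001", "198.51.100.10"),
]
# Constructed order: Tuesday, record amount, unseen payee, unseen IP.
SUSPICIOUS = Transfer(date(2024, 1, 23), 50000.00, "UNKNOWN-777", "203.0.113.77")
ROUTINE = Transfer(date(2024, 1, 26), 14000.00, "PAYROLL-001", "198.51.100.10")

if __name__ == "__main__":
    for order in (ROUTINE, SUSPICIOUS):
        print(order.day, *decide(HISTORY, order))
```

A held order would then go to the manual review, email alert or dual-control step listed in the allegations before any funds move.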



To me (and apparently to Patco as well) what is particularly galling about their case is that a whole series of fraudulent transfers were allowed to proceed, even after an initial transfer of over $56,000 showed all of the hallmarks of obvious funds transfer fraud. No wonder the company finds the bank's behavior not in compliance with the exercise of prudent security and fiduciary responsibility!



Stu Sjouwerman


