Cyberheist: Another Bank Suit Seeks to Recover from Security Issues






As reported on YourMoneyIsNotSafeInTheBank.org, another suit from a company seeking to rebound from a major financial loss resulting from a large and unusual fraudulent funds transfer is making its way through the court system, this time in Missouri (Escrow Co. Sues Bank Over $440K Cyber Theft). Here, the issue centers on authentication that was purely password-based, which allowed thieves to make a single $440,000 funds transfer to Cyprus before the fraud could be detected and reported. The company involved in the theft, Choice Escrow, is suing BancorpSouth to recover its losses, alleging "...that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of the 2005 guidance from the FFIEC (Federal Financial Institutions Examination Council), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties."



As with the case from Patco discussed in our 2/22/2011 blog, this suit seeks to establish that the bank failed to comply with FFIEC directives and did not move to "...provide its customers with secure authentication methods, as evidenced from the numerous documents it received, and/or knew about or should have known about from the FFIEC and FDIC," as further language in the complaint reads. We know that the FFIEC is pondering a new draft of guidelines for 2011, and will very probably recommend even more stringent and secure technologies than in its 2005 guidelines. Thus, the outcome of this case should be very interesting for banks all around the USA. It's very likely that other fraud victims are watching this case (and other similar cases) closely, and a ruling in favor of the plaintiff would very likely spur a rash of similar filings.



The amount of the transfer was actually more than the company had on deposit with BancorpSouth when the fraudulent transfer occurred, so Choice Escrow was forced to borrow money to cover a transfer from its account that it did not make. The company is now saddled with monthly payments of $4,300 to repay a 10-year note it was forced to take out to cover the loss of its clients' money, and its own substantial losses in this theft. As YourMoneyIsNotSafeInTheBank.org puts it in its story on this incident: "The attack is the latest reminder that small businesses should assume that they are completely responsible for the security of their online transactions: Businesses do not enjoy the same legal protections afforded to consumers, and thus are responsible for any losses due to cyber theft or fraud."



All we can say is "Ouch! Ouch! Ouch! Ouch!" One more painful tidbit from the end of this story: "According to the FBI, organized thieves have attempted to steal more than $220 million from small to mid-sized organizations in recent years, and have succeeded in making off with more than $70 million."



Stu Sjouwerman


