7/19/2011
10:34 PM

Yet Another Bank Sued By A Small Business For Fraudulent Hacker Transfers

Village View Escrow says Professional Business Bank is responsible for a $465K loss to hackers, plus the fees and damages it suffered in an online account breach

A new court case brought against Professional Business Bank by Village View Escrow Inc. continues the battle over who is to blame when hacking attacks leave small-business accounts drained following online password theft. Filed in late June in the California Superior Court in Los Angeles, the case is the latest in a string of lawsuits filed in U.S. courts by small businesses that believe their banks are to blame for failing to properly protect their accounts from predatory hackers.

Village View's lawyers say (PDF) the bank should be on the hook for $465,000 siphoned off by hackers in March 2010, plus bank fees and damages incurred by the loss. Village View told the court that Professional Business Bank led it to believe that the institution employed safe online banking practices when it signed with the bank in 2008.

"Prior to entering into a banking relationship and contract with Professional Business Bank, Village View Escrow was not informed of any unsafe and unsound business practices employed by the bank," the complaint read, claiming that the fraudulent account transfers incurred by hackers were caused by the bank's failure to "employ a commercially reasonable security system" and to "accept funds transfers orders in good faith and in compliance with the security procedures selected by Village View Escrow."

It's a scenario that has played itself out many times during the past several years, says George Tubin, analyst for Tower Group. He estimates that small businesses have lost $250 million due to similar attacks, and says the banks in charge of securing those accounts are skirting legal responsibility due to the inadequacies of the "Authentication in an Internet Banking Environment" guidance released by the Federal Financial Institutions Examination Council (FFIEC) in 2005.

Though best practices in these times of increasingly sophisticated attacks would dictate that a bank acting in good faith apply fraud detection and anomaly detection software, the old FFIEC guidance only recommends outdated two-factor authentication technologies that can easily be gamed by hackers today. Many financial institutions have been skating by on the letter of the law, and very often they get away with it because small-business owners don't know how to ask their banks about Internet security practices.

"I've always believed it's incumbent upon those banks to put those protections in place, [but] they can do a bare minimum and get by," Tubin says. "Ideally, a small business would be able to go in and ask their bank what kind of security procedures they have, knowing that if fraud does occur, it's probably going to be contentious as to who's liable. Because of that, you should know what's in place. Unfortunately, most small businesses aren't very conversant in Internet technology and fraud detection technology -- and they shouldn't be. They're in business to run their business."

Nevertheless, Tubin reports that in most instances where bank practices left SMB accounts open to fraud, the small business is only able to settle out of court for pennies on the dollar of the money that was stolen. In other cases, the complaints never even reach trial.

Take the suit lodged by PATCO Construction against Oceans Bank, which was thrown out of court before going to trial. PATCO lost $500,000 from its Oceans Bank commercial account in 2009 after a malware attack made off with its authentication credentials, but the judge ruled that Oceans was following FFIEC protocol.

"The bank can claim that they relied on the FFIEC guidance, and a large percentage of the market can claim the same thing: that they looked at the guidance and followed it," says Terry Austin, CEO of fraud detection company Guardian Analytics. "And they're right. The 2005 guidance was not nearly specific enough, and it's woefully out of date."

For its part, though, the FFIEC guidance defense might not hold water for long. The banking authority recently announced tightened regulations, effective Jan. 1, 2012, that will require banks to use anomaly detection software and risk management best practices.

For those hit by fraudsters before then, though, the tide of legal precedent could be changing in favor of SMBs -- if a recent case between Experi-Metal Inc. and Comerica Bank is any indication. Experi-Metal sued Comerica for more than $550,000 in fraudulent wire transfers that it says the bank should have disallowed had it been scrupulous about looking for anomalous behavior on the account.

"The latest case, Experi-Metal versus Comerica, was the first time we've seen that an SMB has won against their bank. If you read the bench opinion, essentially they are saying that there are two aspects of this: Did you have commercially reasonable security in place, and did you act in good faith?" Tubin says. "They were fine on the reasonable security, but [the court] felt they didn't act in good faith because they weren't looking for anomalies. The bank didn't spot that Experi-Metal was doing things [with the account] that they typically never do."

If the judge in Village View's case takes the argument of good faith seriously, then the escrow company could have a good chance of winning -- especially if Village View's claims that its bank didn't even live up to the FFIEC's outdated requirement for two-factor authentication stand up in court. What's more, Village View says that the bank also failed to tell it that the institution had suffered a third-party hacking attack a month before the fraudulent transfers; had the escrow company known about the attack, it would have taken additional protective measures.
