Village View's lawyers say (PDF) the bank should be on the hook for $465,000 siphoned off by hackers in March 2010, plus bank fees and damages incurred by the loss. Village View told the court that Professional Business Bank led it to believe that the institution employed safe online banking practices when it signed with the bank in 2008.
"Prior to entering into a banking relationship and contract with Professional Business Bank, Village View Escrow was not informed of any unsafe and unsound business practices employed by the bank," the complaint read, claiming that the fraudulent account transfers incurred by hackers were caused by the bank's failure to "employ a commercially reasonable security system" and to "accept funds transfers orders in good faith and in compliance with the security procedures selected by Village View Escrow."
It's a scenario that has played itself out many times during the past several years, says George Tubin, analyst for Tower Group. He estimates that small businesses have lost $250 million due to similar attacks, and says the banks in charge of securing those accounts are skirting legal responsibility due to the inadequacies of the "Authentication in an Internet Banking Environment" guidance released by the Federal Financial Institutions Examination Council (FFIEC) in 2005.
Though best practices in these times of increasingly sophisticated attacks would dictate that a bank acting in good faith apply fraud detection and anomaly detection software, the old FFIEC guidance only recommends outdated two-factor authentication technologies that can easily be gamed by hackers today. Many financial institutions have been skating by on the letter of the law, and very often they get away with it because small-business owners don't know how to ask their banks about Internet security practices.
"I've always believed it's incumbent upon those banks to put those protections in place, [but] they can do a bare minimum and get by," Tubin says. "Ideally, a small business would be able to go in and ask their bank what kind of security procedures they have, knowing that if fraud does occur, it's probably going to be contentious as to who's liable. Because of that, you should know what's in place. Unfortunately, most small businesses aren't very conversant in Internet technology and fraud detection technology -- and they shouldn't be. They're in business to run their business."
Nevertheless, Tubin reports that in most instances where bank practices left SMB accounts open to fraud, the small business is only able to settle out of court for pennies on the dollar for money that was stolen. In other cases, lawsuit complaints never even go to trial.
Take the suit lodged by PATCO Construction against Oceans Bank, which was thrown out of court before going to trial. PATCO lost $500,000 from its Oceans Bank commercial account in 2009 after a malware attack made off with its authentication credentials, but the judge ruled that Oceans was following FFIEC protocol.
"The bank can claim that they relied on the FFIEC guidance, and a large percentage of the market can claim the same thing: that they looked at the guidance and followed it," says Terry Austin, CEO of fraud detection company Guardian Analytics. "And they're right. The 2005 guidance was not nearly specific enough, and it's woefully out of date."
For its part, though, the FFIEC guidance defense might not hold water for long. The banking authority recently announced tightened regulations, effective Jan. 1, 2012, that will require banks to use anomaly detection software and risk management best practices.
For those hit by fraudsters before then, though, the tide of legal precedent could be changing in favor of SMBs -- if a recent case between Experi-Metal Inc. and Comerica Bank is any indication. Experi-Metal sued Comerica for more than $550,000 in fraudulent wire transfers that it says the bank should have disallowed had it been scrupulous about looking for anomalous behavior on the account.
"The latest case, Experi-Metal versus Comerica, was the first time we've seen that an SMB has won against their bank. If you read the bench opinion, essentially they are saying that there are two aspects of this: Did you have commercially reasonable security in place, and did you act in good faith?" Tubin says. "They were fine on the reasonable security, but [the court] felt they didn't act in good faith because they weren't looking for anomalies. The bank didn't spot that Experi-Metal was doing things [with the account] that they typically never do."
If the judge in Village View's case takes the argument of good faith seriously, then the escrow company could have a good chance of winning -- especially if Village View's claims that its bank didn't even live up to the FFIEC's outdated requirement for two-factor authentication stand up in court. What's more, Village View says that the bank also failed to tell it that the institution had suffered a third-party hacking attack a month before the fraudulent transfers; had the escrow company known about the attack, it would have taken additional protective measures.
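The "looking for anomalies" that Tubin and Austin describe is, in practice, a per-account behavioral baseline: what this customer normally sends, to whom, where, when, and how often, with any transfer that departs sharply from that profile held for review. The following is an added illustration, not code from the article or from any of the banks or vendors it names; the transfer records, the account name ESCROW-001, the scoring rules, their weights and the threshold are all constructed here to show the idea, not to reproduce any real product's logic.

```python
"""Per-account anomaly scoring for outbound wire transfers (illustrative)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str
    ts: datetime
    amount: float
    beneficiary: str
    country: str  # destination country of the beneficiary account


@dataclass
class Baseline:
    beneficiaries: set   # payees this account has paid before
    countries: set       # destination countries seen before
    amount_mean: float
    amount_std: float
    hours: set           # hours of day at which this account has sent money
    max_per_day: int     # most transfers ever sent on a single day


def build_baseline(history):
    """Summarise an account's past transfers into its 'normal' profile."""
    amounts = [t.amount for t in history]
    per_day = Counter(t.ts.date() for t in history)
    return Baseline(
        beneficiaries={t.beneficiary for t in history},
        countries={t.country for t in history},
        amount_mean=mean(amounts),
        amount_std=pstdev(amounts),
        hours={t.ts.hour for t in history},
        max_per_day=max(per_day.values()),
    )


def score_transfer(t, base, recent):
    """Return (score, reasons); `recent` holds transfers sent in the 24h before t.
    Weights are assumptions chosen for this example, not a published standard."""
    score, reasons = 0, []
    if t.beneficiary not in base.beneficiaries:
        score += 2; reasons.append("new beneficiary")
    if t.country not in base.countries:
        score += 2; reasons.append("new destination country")
    if t.amount > base.amount_mean + 3 * base.amount_std:
        score += 2; reasons.append("amount far above historical norm")
    if t.ts.hour not in base.hours:
        score += 1; reasons.append("outside usual hours")
    if len(recent) + 1 > base.max_per_day:
        score += 2; reasons.append("velocity above historical daily maximum")
    return score, reasons


def flag_anomalies(history, incoming, threshold=3):
    """Score each incoming transfer against the account's history; return the
    ones at or above `threshold` as (transfer, score, reasons), in time order."""
    base = build_baseline(history)
    seen = list(history)
    flagged = []
    for t in sorted(incoming, key=lambda x: x.ts):
        window_start = t.ts - timedelta(hours=24)
        recent = [s for s in seen if window_start < s.ts <= t.ts]
        score, reasons = score_transfer(t, base, recent)
        if score >= threshold:
            flagged.append((t, score, reasons))
        seen.append(t)  # later transfers are judged against everything before them
    return flagged


def sample_history():
    """Constructed six weeks of routine escrow disbursements (not real data):
    one weekday transfer per day, mid-morning to mid-afternoon, to three known
    payees in the account's home country, amounts between roughly 10k and 19k."""
    start = datetime(2010, 1, 4, 10, 0)  # a Monday
    partners = [("TitleCo", 12000.0), ("LenderA", 18500.0), ("LenderB", 9800.0)]
    hist = []
    for day in range(30):
        ts = start + timedelta(days=day + (day // 5) * 2)  # skip weekends
        payee, amt = partners[day % 3]
        hist.append(Transfer("ESCROW-001", ts.replace(hour=10 + day % 6),
                             amt + 250 * (day % 4), payee, "US"))
    return hist


def sample_incoming():
    """Constructed batch: one routine payment, then two late-night transfers to
    unknown payees abroad (country code ZZ is a placeholder), then a routine
    payment the next morning."""
    a = "ESCROW-001"
    return [
        Transfer(a, datetime(2010, 2, 16, 11, 0), 12250.0, "TitleCo", "US"),
        Transfer(a, datetime(2010, 2, 16, 23, 15), 45000.0, "MuleCorpA", "ZZ"),
        Transfer(a, datetime(2010, 2, 16, 23, 40), 38000.0, "MuleCorpB", "ZZ"),
        Transfer(a, datetime(2010, 2, 17, 10, 30), 18750.0, "LenderA", "US"),
    ]


if __name__ == "__main__":
    for t, score, reasons in flag_anomalies(sample_history(), sample_incoming()):
        print(f"HOLD {t.ts:%Y-%m-%d %H:%M} {t.amount:>9,.2f} -> {t.beneficiary} "
              f"({t.country}) score={score}: {', '.join(reasons)}")
```

Run as-is, the two night-time transfers to new payees abroad are held with the maximum score, while the routine payments before and after them pass even though the morning-after payment trips the velocity rule alone. That separation is the point: a known-payee transfer at a usual hour for a usual amount stays low-friction, and the hold is reserved for behaviour this account has never shown. In a real deployment the weights and threshold would be tuned per customer segment and the hold would trigger an out-of-band confirmation rather than a silent rejection.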