Who Loses When Companies Suffer a Cyber Heist?
An account holder has their bank access credentials compromised and a crook, either alone or with the assistance of money mules (willing or coerced accomplices), removes funds. Who suffers the loss? How many businesses didn’t even try to recover the funds? Here are a few of the cases we know of.
Decisions in Favor of Businesses
Decisions in Favor of Banks
Consumers vs Businesses
Consumers who use electronic banking and promptly (within 60 days, but faster is better) notify their financial institution of fraudulent activity are generally well protected by Regulation E.
Companies have lesser protections under the Uniform Commercial Code (UCC), specifically Article 4A, Funds Transfers (1989), which, under section 4A-202, says:
§ 4A-202. AUTHORIZED AND VERIFIED PAYMENT ORDERS.
(a) A payment order received by the receiving bank is the authorized order of the person identified as sender if that person authorized the order or is otherwise bound by it under the law of agency.
(b) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted.
(c) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated. A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer [highlighting ours – ed]
“Question of law” means that different jurisdictions may reach different decisions. Banks generally argue that they are not responsible if someone uses a customer’s valid login credentials to improperly transfer funds to another account or initiate wire transfer requests. The argument is that it is the account holder’s responsibility (not the bank’s) to protect the credentials used to access bank accounts. Also, in some states, even if the suit is successful, businesses can generally recover only what was stolen and not legal fees, which can, depending on the size of the breach, greatly exceed the actual theft.
If you are holding other people’s money (banks, escrow companies, etc.) and make wire transfers, consider using a highly secure, non-Windows, dedicated device in the physical custody of an employee who does not have the passwords to actually make wire transfers. That is dual control, also called segregation of duties. Making such a device is not expensive or complicated. Read why (October 2009) and How to Make a Live CD (updated 7/12/2012), or consider an alternative to a live CD, ZeusGuard (7/16/2014), a USB flash drive system that makes it easier.
Businesses can be driven out of business by a single employee who got infected from a social media site, or opened a virus-laden email spoofed to look like it came from the IRS. Read this 6/14/2012 New York Times article about two businesses and what happened to them.
In Favor of the Businesses
A company’s credentials had been taken and almost $600,000 in wire transfers were made to money mules (willing or unwilling participants). Patco sued, arguing that the bank failed to adhere to the terms of their contract when it allowed customers to easily access accounts with only a user name and password. More on the story.
On May 27, 2011 a magistrate recommended the court deny Patco’s motion for summary judgment. On August 4, 2011 in civil case 09-503-P-H, United States District Court, District of Maine, Patco Construction Company (plaintiff) vs Peoples United Bank (doing business as Ocean Bank), United States District Judge D. Brock Hornby agreed with the magistrate and ordered that the Recommended Decision of the Magistrate Judge be adopted. See also Krebs.
The Court of Appeals for the First Circuit, a three-judge panel, overturned the lower court ruling and held that the bank was responsible for the breach because it had failed to implement reasonable security measures, actually calling the bank’s security systems “commercially unreasonable”. See more on the story, the order, an analysis, and Security Measures for Funds Transfers: The Scope of “Commercially Reasonable” Transfers.
2010 Village View Escrow Inc
A real estate escrow firm in Redondo Beach, California
In March 2010, via an email reportedly from “UPS”, crooks were able to plant a malicious program that allowed them to set up a password stealer. Eventually the crooks were able to send 26 wire transfers to 20 locations worldwide. None of those recipients had existing business with Village View. More on the story from Brian Krebs.
6/27/2011 Village View vs Professional Business Bank of Pasadena, California
Village View’s contract with PBB required electronic transfers to be authorized by two Village View employees and confirmed by a call from specific Village View phone numbers. PBB used a third-party service, NetTeller, which allowed commercial customers to authenticate to the bank’s site with little more than a username and password. Thus Village View’s lawsuit challenges PBB’s claims that its systems used “multi-factor” and “state-of-the-art” ebanking systems. More on the story from security researcher Brian Krebs. Here is the 48-page first amended complaint against Professional Business Bank and “Does” 1 through 10. Those are ten un-named persons unknown at the time of filing, who will be named if, and when, they are discovered.
May 2012 PBB acquired
Professional Business Bank was acquired by The Bank of Manhattan.
Village View reached a settlement that covered the loss and attorney fees. A press release from Village View. The source for the $600,000 settlement amount. The settlement does not make new case law and sets no precedent. Read a discussion and interview with two attorneys for Village View.
TRC Operating Company, Inc. of Taft, California, had an account at United Security Bank based in Fresno, California. The account was compromised Friday November 10, 2011. Almost $3.5 million was wired to multiple accounts in Ukraine. The bank was able to block or recall all but one of the wires, for $299,000. TRC sued USB to recover the funds and expenses. The bank said the compromise occurred on TRC’s computers, without ever having examined those computers.
California law follows UCC Article 4A-204(a) limiting recovery of companies to funds lost plus interest, not the expenses of the lawsuit or other ancillary expenses.
§ 4A-204. REFUND OF PAYMENT AND DUTY OF CUSTOMER TO REPORT WITH RESPECT TO UNAUTHORIZED PAYMENT ORDER.
(a) If a receiving bank accepts a payment order issued in the name of its customer as sender which is (i) not authorized and not effective as the order of the customer under Section 4A-202, or (ii) not enforceable, in whole or in part, against the customer under Section 4A-203, the bank shall refund any payment of the payment order received from the customer to the extent the bank is not entitled to enforce payment and shall pay interest on the refundable amount calculated from the date the bank received payment to the date of the refund. However, the customer is not entitled to interest from the bank on the amount to be refunded if the customer fails to exercise ordinary care to determine that the order was not authorized by the customer and to notify the bank of the relevant facts within a reasonable time not exceeding 90 days after the date the customer received notification from the bank that the order was accepted or that the customer’s account was debited with respect to the order. The bank is not entitled to any recovery from the customer on account of a failure by the customer to give notification as stated in this section. Reference [ highlighting ours -ed ]
Early in June 2014 the bank’s insurance company settled the case by paying $350,000 to TRC. As part of the settlement neither side admits fault. Because the case never went to trial there is no precedent set. This is counted as a win in favor of the business because they at least recovered what was taken. More from Krebs and TRC’s attorney.
5/17/2012 Original Complaint Filed
TRC Operating Company, Inc. vs. United Security Bank, et al., case S-1500-CV-276652-LHB in Superior Court of California, County of Kern, Metropolitan Division in Bakersfield, California
May-June 2014 dismissal of suit by TRC (8 page PDF)
In Favor of the Banks
2010 Choice Escrow vs BancorpSouth / $440k
Springfield, Mo. based Choice Escrow and Land Title LLC sued Tupelo, Mississippi based BancorpSouth Inc., after hackers made a single unauthorized wire transfer of $440,000 to a corporate bank account in Cyprus. What happened explained.
US District Court for the Western District of Missouri Southern Division 10-03531-CV-S-JTM. Easier reading from Brian Krebs.
The United States Court of Appeals for the Eighth Circuit, deciding No. 13-1879 Choice Escrow and Land Title, LLC (Plaintiff – Appellant) v. BancorpSouth Bank (Defendant – Appellee) and No. 13-1931 Choice Escrow and Land Title, LLC (Plaintiff – Appellee) v. BancorpSouth Bank (Defendant – Appellant), in a decision filed June 11, 2014, ruled in favor of the bank and against the escrow firm that suffered the cybertheft.
The appeals court held that the bank had acted in good faith when it executed several money transfer orders that appeared to come from the escrow firm but in fact were initiated by crooks. The court rejected the escrow firm’s claims that the bank should have spotted the fraudulent transactions, and instead said the theft occurred because the firm had failed to follow the bank’s security advice.
See Choice Escrow’s appeal brief and the appeals court ruling, which affirmed the district court’s grant of summary judgment to BancorpSouth and ordered that BancorpSouth’s legal fees be paid by Choice Escrow (the company that suffered the loss). Explained in clearer terms by security researcher Brian Krebs and in ComputerWorld.
2012 Luna & Luna vs Texas Brand Bank / $1.7M
Luna & Luna, LLP is a real estate escrow firm based in Garland, Texas. L&L banks at Texas Brand Bank (TBB). L&L’s online banking credentials were compromised in late June 2012. Between June 21, 2012 and July 2, 2012, crooks made three separate wire transfers totaling about $1.75 million: two to one bank in China and one to a company in the United States. The latter, for $89,651, was recovered. After each wire the bank emailed L&L. That account was an escrow for the U.S. Department of Housing and Urban Development (HUD).
On July 2, 2012 TBB notified L&L it was about to overdraw its accounts. L&L was able to convince TBB to replace the funds, but TBB reserved the right to recover the reimbursement. Later TBB asked for reimbursement; L&L refused, and TBB filed a complaint on 7/1/2013. Texas Brand Bank (Plaintiff) vs Luna & Luna, LLC (Defendant), Cause #CC-13038540c (10 page PDF) in County Court at Law in Dallas County, Texas.
Under factual matters, in paragraph 8, “In the six months prior to the events subject of the lawsuit, Luna had instructed and Bank had processed over one thousand (1,000) wire transfers from Luna’s accounts to third-party accounts.” In other words, they had done many wire transfers. The next paragraph describes the terms under which those wire transfers had been made. Paragraph 10 lists the requirements: 1) under $2 million for each wire and 2) a valid access id and password. Luna specifically declined to require a telephone confirmation. The bank claims Luna was negligent, and that the bank was indemnified against the loss due to the nature of its agreements with Luna.
[ At this point we’re pretty sure that, by declining advanced protection while the bank was following the rules as agreed, L&L wasn’t in a strong position. -ed ]
In June 2014 (almost two years after the event) L&L attorneys were discussing the investigation with the FBI. During the conversations the FBI reported, and later confirmed, that a large amount of the fraudulently transferred funds might have been, and continues to be, frozen due to a federal seizure warrant issued in 2012, shortly after the fraudulent transfers took place. L&L is trying (3 page PDF) to get those funds released so it can reimburse TBB.
It could have been worse. If TBB hadn’t returned the funds then L&L would possibly have been driven out of business for losing the escrow. It could have been better. The $2M limit is good, but a simple id and password is too easy to compromise. L&L could have had a procedure to match the bank’s emails to a running list of requested wire transfers and noticed the fraud faster. Or, they could have opted for the confirming telephone call. (more from KOS)
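As an added illustration of the matching procedure just described (this is example code written for this page, not from the original article or from any party to the case), here is a small Python reconciliation script that checks the bank's per-wire confirmation notices against the firm's own running list of requested wires and flags any confirmed wire nobody requested, any wire above the agreed per-wire limit, and any request the bank never confirmed. The notice line format, the limit constant and all sample wires are constructed assumptions.

```python
"""Reconcile bank wire-confirmation notices against the firm's own
running list of requested wires. Assumed, constructed notice format:
one line per wire, 'DATE|AMOUNT|BENEFICIARY|BANK_REF'."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Wire:
    sent: date
    amount: Decimal
    beneficiary: str
    ref: str = ""  # bank reference; empty for internal requests

# Internal running list of wires staff actually requested (constructed).
REQUESTED = [
    Wire(date(2012, 6, 21), Decimal("12500.00"), "Acme Title Co"),
    Wire(date(2012, 6, 25), Decimal("410000.00"), "HUD Closing Escrow"),
]

# Constructed sample of the bank's confirmation emails, one per wire.
BANK_NOTICES = """\
2012-06-21|12500.00|Acme Title Co|W1001
2012-06-25|410000.00|HUD Closing Escrow|W1002
2012-06-28|830000.00|Shenzhen Trading Ltd|W1003
2012-07-02|89651.00|Beneficiary Unknown Inc|W1004
"""

PER_WIRE_LIMIT = Decimal("2000000.00")  # agreed per-wire ceiling (assumed)

def parse_notice(line: str) -> Wire:
    """Parse one confirmation line; raises ValueError on malformed input."""
    sent, amount, beneficiary, ref = (f.strip() for f in line.split("|"))
    return Wire(date.fromisoformat(sent), Decimal(amount), beneficiary, ref)

def reconcile(requested, notices, limit=PER_WIRE_LIMIT):
    """Return alert strings: UNREQUESTED for a confirmed wire with no
    matching request, OVER_LIMIT for a wire above the ceiling, and
    UNCONFIRMED for a request the bank never reported. Each request is
    consumed once, so a duplicated wire is flagged as well."""
    unmatched = list(requested)
    alerts = []
    for line in notices.splitlines():
        if not line.strip():
            continue
        w = parse_notice(line)
        match = next((r for r in unmatched
                      if r.sent == w.sent and r.amount == w.amount
                      and r.beneficiary.lower() == w.beneficiary.lower()), None)
        if match is None:
            alerts.append(f"UNREQUESTED {w.ref}: {w.amount} to {w.beneficiary} on {w.sent}")
        else:
            unmatched.remove(match)
        if w.amount > limit:
            alerts.append(f"OVER_LIMIT {w.ref}: {w.amount} exceeds {limit}")
    for r in unmatched:
        alerts.append(f"UNCONFIRMED request: {r.amount} to {r.beneficiary} on {r.sent}")
    return alerts

if __name__ == "__main__":
    for alert in reconcile(REQUESTED, BANK_NOTICES):
        print(alert)
```

Run daily against the bank's notices and a transfer that was never requested shows up the same day, rather than when the account overdraws.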
2012 TEC vs TriSummit / $300k – $200k
Tennessee Electric Company, an industrial and construction company in Kingsport, Tennessee had their own payroll account compromised in May 2012. Over $300,000 was removed from their account at TriSummit Bank. Eventually $135,000 was recovered by the bank leaving the company out almost $200,000. What happened is explained here.
In early July 2013 the amended complaint was filed in the Circuit Court for Sullivan County sitting at Kingsport, Tennessee as case number C40137(M). Tennessee Electric Company, Inc. (doing business as TEC Industrial Maintenance & Construction) (Plaintiff) vs. TriSummit Bank (Defendant) can be found here. The amended complaint is about 20 pages with another 20 pages of exhibits. The plaintiff asks for the amount of the losses plus interest (page 18, paragraph 2) and an award of two million dollars in punitive damages (page 18, paragraph 3).
The case hasn’t made it to trial yet.
05/09/2012 Wallace & Pittman PLLC
a law firm in Charlotte, North Carolina
May have lost $330,000+ in a compromised wire transfer. More on the story.
In an interesting twist, their bank, Park Sterling Bank, filed a 21-page suit against the company on 7/3/2012. In a 54-page answer and counterclaim filed in September 2012, the company claims their bank did not maintain “commercially reasonable security measures” per UCC §4A-202(b) (see above). In addition to 28 pages of legal material there were 26 pages of interesting material in the exhibits.
Don’t know if the case has made it to trial yet.
December 2012 Efficient Services Escrow Group
An escrow company in Huntington Beach, California
Two fraudulent wire transfers were made in December 2012: $432,215 to a Moscow bank and $1.1 million to two accounts in China. They were able to recover the wire to Russia; the two wires to China were long gone. California requires title companies to immediately report any lost funds. Efficient reported the incident to state regulators, and the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds. At that time, absent any progress toward recovery, the state shut down the firm. Meanwhile, the firm’s remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim’s bank to recover the stolen funds.
More on the story
2/25/2014 Amended Complaint Filed
An attorney, the receiver for Efficient Services, in case 30-2013-00691661-CU-MC-CJC filed an 86 page amended complaint for damages against First Foundation Bank, Bentson, Vuona and Westersten, LLP and fifty “Does”. Interesting reading. More from Krebs.
April 2013 Hospital vs Bank Of America
Cascade Medical Center in Leavenworth, Washington manages several hospitals including Chelan County Hospital Number 1 (CCH#1). On April 19 through April 20, 2013 crooks made three unauthorized ACH (automated clearing house, the direct deposit type) payroll payments taking about a million dollars. Eventually Bank of America was able to retrieve about $400,000. Chelan wants the remainder from Bank of America, alleging breach of their ACH agreement. Here is the second amended complaint (8 page PDF) filed on 7/21/2014. BOA filed a response (10 page PDF) on 8/14/2014, denying all allegations and citing the Uniform Commercial Code (UCC, see above).
There are arguments for both sides. CCH#1 used BOA software, so who has the burden to ensure that software meets the requirements of UCC 4A? Was CCH#1 negligent in allowing some form of malware to invade their systems? In the end the court will decide, or there will be a settlement, but in the meantime (which has been going on for more than two years now) a hospital is out over $600k and generating legal bills.
More on the story at Krebs On Security.
An Ex/Im firm victimized once, twice, maybe three times.
Tuesday, December 24, 2013, Christmas Eve, an accountant logged on to the company’s bank portal. After submitting username and password the user was redirected to another page reporting the bank site was experiencing technical difficulties and requested a one-time token to validate the request. That request didn’t come from the bank. Cybercrooks had infected the computer with a password-stealing program that had taken complete control over the web browser. The token was supplied and the crooks used the hijacked browser session to initiate a wire transfer of almost $200,000 to a company in the city of Harbin, China, in the Heilongjiang province on the border with Russia. The next business day (Thursday December 26, 2013) the bank said the money was already gone and the transfer could not be reversed. So far, we’ve heard this sad story before. What we haven’t heard was the bank’s response that the company was on their own, after all, the crime was committed against the company, not the bank. Some specifics were withheld due to pending litigation.
So, who loses? Did the bank not do enough to protect their customers? Or, did the business not follow adequate security procedures? The court is still out (literally), but the story continues …
Harbin is the largest city in Heilongjiang province. An associate had a cousin in China, a lawyer who offered assistance. Apparently the police in Harbin required an official report from the US FBI before starting an investigation. Eventually that request was changed to a report from the local police. Why? According to the business owner, the Chinese lawyer met the Harbin police officers with a gift-wrapped carton of cigarettes and promised a percentage of the recovered funds. Just two days later the Harbin police reportedly found the business, then froze the account, recovered funds, received the percentage, and, after more difficulty, the remaining funds were repatriated to the United States. (lots more at KrebsOnSecurity)
All done? Maybe not. According to The Foreign Corrupt Practices Act of 1977, 15 USC §§78dd-1 (FCPA) payment to a foreign official to influence them in their official capacity, to do, or omit to do, an act in violation of their lawful duty may be a violation of US law. The argument against a violation is the Harbin police were not acting in their official capacity. Even so, defending against a federal FCPA charge could easily generate expenses in excess of the funds at risk. In the end this company may have been the victim of a cyber crime, victimized again by police-who-may-be-acting-as-private-citizens, and may be victimized again for their actions in paying for the recovery of their funds.
To avoid these nightmares consider adopting Online Banking Best Practices for Businesses and use a live CD to boot to a more secure Linux environment before connecting to your bank. Both thanks to KrebsOnSecurity.