When a computer virus infection at a business allows thieves to steal tens of thousands of dollars from the company’s commercial banking account, banks typically don’t reimburse the victim company. But the truth is, most banks make that decision on a case-by-case basis.
Take, for example, the case of two Umpqua Bank customers in Vancouver, Wash., both of which suffered major financial losses last year after compromises at employee computers allowed thieves to access their accounts remotely.
Libby Tucker, a reporter for The Columbian, set the stage nicely in an A1 story on Dec. 5, 2009:
Clark County businessman Elie Kassab watched more than $81,000 vanish from his Battle Ground Cinema bank account in March. Umpqua was alerted to the thefts and traced the money to several East Coast accounts but was only able to recover $18,193.53 before the money disappeared offshore.
Similarly, Shared Hope International, a Vancouver-based nonprofit for impoverished women, lost $179,000 in May when three unauthorized transfers swept the funds away to a Russian bank. That money was not recovered.
In both cases, Umpqua confirmed the thefts, and identified security breaches in its clients’ computer systems that it says allowed the thieves to access their accounts remotely. Umpqua has since refunded the entire amount lost by Shared Hope but is still battling with Kassab over who’s to blame for the fraudulent transfers.
So what happened? According to The Columbian, both companies were refunded the lost money, but the bank demanded Kassab give the money back after its forensic examiner reportedly found a number of virus infections on his PC. The bank never asked for the $179,000 back from the other victim organization, which was founded by former U.S. Congresswoman Linda Smith (R).
In a phone interview with krebsonsecurity.com, Kassab said Umpqua has since frozen more than $22,000 in his business bank account. When asked why he thought the bank treated him differently than the charity, Kassab said he had no clue, but shared with me some very interesting information. Turns out, the guy who conducted the forensic review on his computer also conducted the same review on the compromised Shared Hope PCs.
As readers can see from viewing these reports — one for the Battle Ground Cinema PC (.pdf) and the other for the Shared Hope system (.pdf) — password-stealing banking Trojans were found on both computers. Shared Hope’s scan shows the presence of the file “sdra64.exe,” which is a common component of the Zeus banking Trojan. Kassab’s scan indicates his system was also infected with a banking Trojan (“Win32.Banker,” the name some anti-virus products assign to Zeus infections).
Neither Shared Hope nor Umpqua Bank returned calls seeking comment.
Kassab said the bank’s action caused a number of checks he’d written for his business to bounce. “I had written checks for about $11,000, and now they’re holding that money,” he said. “[The bank] came back and said we want you to agree to forfeit the money and pay our experts’ fees. I pretty much told them to go screw themselves. Right now, I’m sort of just waiting for them to sue me.”
I have interviewed more than 100 victims of this type of crime in the past year, and I can say that while the larger banks are almost equally the targets of such attacks, they tend to settle customer disputes quietly. If they do reimburse victim customers, banks often require those customers to sign a non-disclosure agreement that prohibits them from discussing the terms.
Not all smaller banks are as inconsistent as Umpqua in the way they treat different customers victimized by the same scam. For example, Delaware-based WSFS Bank disclosed last year on its quarterly financial report that wire fraud against two of its customers cost the bank more than $1.5 million. Stephanie Heist, vice president of marketing at WSFS, declined to discuss the details of the attacks, but said the unauthorized wires occurred as a result of compromises on the customers’ computer systems.
“It wasn’t our systems that were affected,” Heist said. “There was no breach into WSFS systems.”
According to WSFS’s 2nd quarter 2009 earnings statement and transcript of the earnings call with investors, WSFS reimbursed two clients for fraudulent wire transfers totaling $1.3 million, and paid an additional $200,000 in computer forensics charges.