A California real estate escrow company that lost more than $465,000 in an online banking heist last year is suing its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.
The plight of Redondo Beach, Calif. based Village View Escrow, first publicized by KrebsOnSecurity last summer, began in March 2010. That’s when organized crooks broke into the firm’s computers and bank accounts, and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.
Village View’s bank, Professional Business Bank of Pasadena, Calif., relied on third-party service provider NetTeller, which allowed commercial customers to authenticate to the bank’s site with little more than a username and password. Village View’s contract with Professional Bank stated that electronic transfers would only be allowed if they were authorized by two Village View employees, and confirmed by a call from specific Village View phone numbers.
The attack on Village View demonstrates the sophistication of malicious software like the ZeuS Trojan. The thieves disguised a banking Trojan as a UPS shipping receipt, and the company’s owner acknowledged opening the attachment and forwarding it to another employee who also viewed the malware-laced file. Once inside Village View’s systems, the attackers apparently disabled email notifications from the bank.
Nevertheless, Village View’s lawsuit challenges Professional Bank’s claims that its systems used “multi-factor,” and “state-of-the-art” ebanking systems, and accuses the bank of negligence for not having procedures to help the company recover the fraudulent transfers.
This lawsuit comes just weeks after a decision in a similar case brought by another victim of ebanking fraud. In June, a U.S. district court in Michigan ruled that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 unauthorized wire transfers from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered in that case amounted to $560,000.
Julie Bonnel-Rogers, an attorney for Village View Escrow, said the Experi-Metal decision “cracked the door open” for her client’s lawsuit against the bank, because there is limited case law on the subject, and because claims against banks for wire transfer fraud have traditionally been very narrowly defined.
Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said the Village View lawsuit relies on similar claims made by Experi-Metal, arguing that its financial institution failed to act in good faith and that its online banking security procedures were not commercially reasonable.
“If the bank didn’t even follow their own written procedure for funds transfer verification as alleged in the pleadings, I’d be surprised if the bank didn’t lose just on breach of contract,” Castagnoli said. Still, she noted that the Experi-Metal decision was not binding on any other court, and that the court could review the issues of good faith and reasonable security, or decide that those issues don’t need to be addressed at all.
A copy of Village View Escrow’s complaint is available here (PDF).
Related posts:
- Texas Bank Sues Customer Hit by $800,000 Cyber Heist
- Court Favors Small Business in eBanking Fraud Case
- Escrow Co. Sues Bank Over $440K Cyber Theft
- e-Banking Bandits Stole $465,000 From Calif. Escrow Firm
- Texas Firm Blames Bank for $50,000 Cyber Heist
Tags: Charisse Castagnoli, comerica, experi-metal, NetTeller, Professional Business Bank, Village View Escrow, ZeuS Trojan
It sounds like the case hinges on whether the bank received a phone call from the customer’s phone number. The agreement should have required the bank to call the customer rather than the other way around, since caller ID can easily be spoofed. But it sounds like the bank and customer agreed on a less secure plan, in which the customer would call the bank and the bank would have to verify the caller based on the incoming phone number. (While the attackers inactivated emails from the bank, the plan specified a phone call, not an email.)
Also, how is the phone confirmation for transactions carried out under normal procedures? By pushing “1” to confirm a transaction with a voice mail system? Or by leaving an audio message in voice mail (that could be an edited recording of someone with an American accent)? Was there a human at the bank who was expected to take these calls and talk to the customers and ask questions if the call sounded like it was from overseas?
The bank and customer did not “agree on a less secure plan”. The bank promised to only accept calls that are actually from specific phone numbers. If the bank in fact based their authentication on spoofable caller IDs, the bank is in breach of contract.
Bank customers cannot reasonably be expected to know the current state of phone spoofing, anti-spoofing, and authentication technologies. Banks can.
If you’ve been following the phone hacking scandal in Britain, it would appear that almost no-one knows how to have phone security, least of all the phone companies which issue insecure phone systems.
That was honestly the last thing I expected from a commenter named after an Ayn Rand character.
Whatever the legal outcome here, it sounds like both the compromised company and the bank were quite negligent in their practices. If the new FFIEC guidance does nothing else, hopefully it gives these types of lawsuits better grounds. Which in turn will hopefully drive banks to develop better practices, and require their customers to maintain better practices.
Do we know for a fact that the company had proper anti-virus etc. installed?
Do we know for a fact that there was some system of checking that the proper software stayed installed?
A company in Evansville Indiana lost $1 million because:
1. Some employees installed some software that said they had to de-activate anti-virus to do the install, then they never re-activated it. They did not volunteer to the IT staff that they had this strange instruction.
2. An e-mail arrived with one of those phony “see the attached document, for details on the complaint against your business” which various people forwarded to see if someone else could open it.
3. Then they called the Better Business Bureau to ask specifically about the complaint, there was one, and they did not pursue the mystery.
4. One of the people infected with the keylogger was the clerk who did billing, payroll, payables, and a bunch more financials.
5. You can guess the rest.
Oops – el typo
There was no complaint at the BBB.
Small businesses can’t afford their own IT departments. Many businesses consist of only a single person. Except for tech companies, few of the employees of small businesses are likely to know anything about computer security, and even if they have outside vendors setting up systems of security procedures for them, they may gradually stop following them because no one on-site understands why they’re set up the way they are. (And the IT vendors don’t explain much to them, because that could potentially compromise security.) On top of that, the business owners who are really motivated to keep their computers secure are probably downloading fake antivirus products. They want to do the right thing, and they don’t know enough to know they’re doing the wrong thing.
If a bank encourages even the smallest business to use online banking, they have to expect there will be malware on their customers’ computers. It’s not an unanticipated event: You can rely on it happening. Rather than relying completely on every customer having sufficient security procedures to prevent every infection — when even security companies get hacked, after all — the bank needs procedures of its own that still work even if the customer’s computer is pwned.
>Small businesses think that their own IT department would just consume funds for nothing.
Then these businesses lose their money and give way to other businesses with different views on IT departments. That, boys and girls, is an example of how the free market works.
It is not just top management which uses IT unwisely, it is end users who try to put stuff on their PCs which may be in violation of company rules.
Many companies have company handbooks with rules about photo-copy machines, PCs, all sorts of things, which routinely get violated. The challenge is rules enforcement without creating a hostile working environment.
This quote was a translation from politically correct language of euphemisms to dirty language of real life. It’s like a “Quantitative easing” means “printing money”.
IT awareness gives advantage. Those who think that it is not really necessary, that their business education is much more important, will part with their money.
The company’s owner had no responsibility to scan incoming e-mail for trojans? Or was there no anti-virus software capable of detecting the Zeus Trojan at that time?
Gary,
Every victim I’ve ever interviewed was running anti-virus software. All of the products failed to detect the malware until the victim had lost money.
Anti-virus software is next to useless against these ZeuS Trojan attacks. The malware tends to be uniquely packed for each target and usually slips past AV detection for the first 24-48 hours, the most crucial time, unfortunately.
So a question that arises in my mind, is why do these victim companies not go after their anti-virus vendors as well? Isn’t the anti-virus vendor making a promise of security, but being seriously misleading about the quality of their product? The anti-virus commercials on TV all advertise their effectiveness, and awesomeness in general. You’re paying $75 a year per computer for your business, but given five minutes I can pull out around 15-20 malware samples in the wild that have a 10% detection rate across the board.
Looking at the incident in its timeline, the anti-virus product is the first failure. The second failure is poorly configured controls whether on the bank’s part or the customer’s. I just don’t buy the argument that customers aren’t responsible for the security quality of their machines. I agree 100% that banks are responsible for making the assumption that a customer’s PC is infected, and there is plenty of driving force that way. It’s extremely strange to me though how unbalanced this equation is.
The licensing agreements for OS and AV software likely contain the same generic clauses in all software licenses; the developers are not liable for any damages due to the use of their software in any manner.
Suing Microsoft for the security flaws that led to the trojan will quickly eat up more cash than was lost to the criminals. Going after the AV developers has a slim chance of succeeding, despite their tendency to over-promise and under-deliver on security.
Sorry, Terry, but trusting Wikipedia to be a source of comprehensive legal information is equivalent to trusting an AV program to catch every strain of malware.
I agree entirely with your points about AV and its ineffectiveness. But ultimately your point seems to be there is nothing the customer should be responsible for in regard to the security of their devices?
It’s an approach like this that allows groups like Anonymous and LulzSec to so easily compromise PCs and sites. They aren’t sophisticated attackers, or even using sophisticated malware. They are taking advantage of the fact the security is perpetually somebody else’s problem. It’s trivially easy for me to find thousands of sites completely open to compromise because security isn’t a concern.
Don’t get me wrong plenty of banks aren’t doing things properly, but letting the victim here off the hook because “hey they can’t be expected to not get infected” isn’t the right approach either. In these situations the breached companies should be responsible for a portion of the loss. A valid defense can’t and shouldn’t be “I shouldn’t have to try and secure my computer….”
I disagree with you on this particular one, Terry.
The customers can significantly reduce the risks (to almost zero!) associated with their online banking sessions by using (for instance) a Linux LiveCD or at least a non-Windows machine. Few banks, if any, nowadays will say it is not supported to use their banking website from at least one alternative OS. The point is: there should be incentives at both ends to keep fraud out, if the security compromise involved the customer in any way they should support a part of the loss. I don’t think they should support the whole loss either, as it happens now, especially when I read in Brian’s column how some banks understand now they should provide multi-factor authentication, methods which would not stand even to an attack with 2006 generation malware.
As the owner of a computer repair shop, I’ve been amazed that the AV companies have no interest in gathering samples from shops like mine. After all, every machine I work on is infected with a virus that was not detected by the AV.
If they were really interested in improving their detection rate, wouldn’t they want samples of malware that has escaped their honeypots and signature-based detection?
@BGC,
I think the main reason here would be customer privacy. I don’t think the mainstream computer technician would be able to “lift” a modern virus or trojan and upload to an antivirus vendor’s website without risking going through much of the private information, after all, this malware is good at hiding, it goes into Alternate Data Streams, in hidden partitions, injected into legitimate files, and so on. I would guess the antivirus vendors would need a complete disk image for proper viral analysis, which is, you would agree, unacceptable for most customers.
The primary concern of AV products is stopping the malware before it installs. At that point, it’s in a much different form than it will be by the time it has been unzipped and unencrypted, has inactivated the antivirus, has called home, and has downloaded and installed the real payload. I believe that many infections even delete the malicious file that was initially downloaded and delete the browser history to remove evidence of what was downloaded and where it came from.
They do accept submissions of false negative files from their users, get feeds from sites like VirusTotal, and run test machines in their labs to see what happens when they get infected. There’s no shortage of samples to check out, unfortunately.
@BGC;
Probably because they actually know that signature detection is obsolete, but can’t be bothered with the cost of developing better technologies. It really is up to the user to find better solutions.
However, the bank is not completely off the hook in all situations either.
“Do you really insist that every customer should have to re-install their OS from scratch before every online banking session? Because that is what it would take.”
Actually, yes. That’s exactly what running Linux from a Live USB / CD does. It takes less time to “install and boot” Linux into a RAM-based session than it does to simply boot Windows.
I boot a Live USB with a custom remix of Ubuntu on a 10-year old Dell Inspiron that has no hard disk and 1.25GB of RAM — it takes less than two minutes. I use it nearly every day, because it’s so quick, easy, and fully-featured.
Emails with attachments slipping past the anti-virus -why not just block all attachments or at least have them quarantined and examined on a standalone workstation or even in a VM running on Linux? I guess blocking all attachments is the easiest method. Incoming and outgoing.
Whatever happens, the banks need to assume that the customers’ computers may be compromised and the customer may not know enough about computer security. The bank should then take appropriate measures. One of those should be educating the customer on computer security, trojans and viruses, especially ones like Zeus.
Customers should take precautions as well, but if they don’t know about the threat how will they know what to do? There is a requirement for documentation to be available to everyone, that is updated regularly, say once a month or as frequently as necessary, on threats and solutions. It should be sent to any and all businesses that use the Internet for anything including banking. Perhaps ISPs could have a hand in this.
You can’t block attachments if you have to do business with people who think their messages are too important to be sent without being formatted in .doc or .pdf. I think some people have never learned how to type into an email window.
But not all attachment types are a risk and not all links within normal emails are benign. My strategy: My email client is set to not execute scripts or load images without my specifically enabling it. My email filters include two for potentially malicious email attachments or links that look for the RegEx string: \.pif"|\.vbs"|\.cpl"|\.zip"|\.exe"|\.bat"|\.cmd"|\.scr" One of the filters overrides whitelisting and the other doesn’t. The result is that emails from people I don’t know with potentially executable attachments or links are marked as spam. Emails from people I do know are marked for more careful analysis. There will be false positives, and it isn’t practical for identifying .com when it’s a file extension rather than a TLD, but it catches lots more than an antivirus ever could. I’d rather be warned to be careful in the few cases where a good email is going to have an executable attachment.
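The two-filter scheme described in the comment above, as an added example that is not part of the original post or the commenter's own filter rules. It applies the commenter's pattern to the raw MIME source of a message (where the quote that closes a filename="..." attribute follows the extension), routes hits from unknown senders to spam and hits from known senders to review, and adds one narrower pattern for the .com case the commenter flags as impractical: it only fires when .com closes a filename attribute, never when it is the TLD of a URL. The sender list, message fragments and function names are constructed for the example.

```python
import re

# Extensions the comment's filter flags, each followed by the closing quote of
# a filename="..." attribute in the raw message source. Case-insensitive so
# that "INVOICE.EXE" is caught as well (an assumption beyond the comment).
RISKY_EXT = re.compile(r'\.(?:pif|vbs|cpl|zip|exe|bat|cmd|scr)"', re.IGNORECASE)

# ".com" is both a Windows executable extension and a TLD; the comment notes the
# plain pattern cannot tell them apart, so this one only matches .com when it
# closes a filename attribute, never the host part of a URL like example.com/.
COM_AS_FILENAME = re.compile(r'filename="[^"]*\.com"', re.IGNORECASE)

# Addresses the recipient knows (constructed; the comment's "people I do know").
KNOWN_SENDERS = {"alice@example.net", "bob@example.org"}


def classify(sender, raw_message, known=KNOWN_SENDERS):
    """Mirror the comment's two filters.

    A risky attachment or link from an unknown sender -> "spam" (the filter
    that overrides whitelisting). The same from a known sender -> "review"
    (the whitelist-respecting filter only marks it for closer inspection).
    Anything else -> "ok".
    """
    risky = RISKY_EXT.search(raw_message) or COM_AS_FILENAME.search(raw_message)
    if not risky:
        return "ok"
    return "review" if sender.lower() in known else "spam"


# Constructed raw fragments as they would appear in a message's MIME source.
SAMPLES = [
    ("stranger@example.com", 'Content-Disposition: attachment; filename="UPS_receipt.zip"'),
    ("alice@example.net",    'Content-Disposition: attachment; filename="quarterly.EXE"'),
    ("bob@example.org",      '<a href="http://example.com/google.php">click</a>'),
    ("stranger@example.com", '<a href="http://example.com">home page</a>'),
    ("stranger@example.com", 'Content-Disposition: attachment; filename="setup.com"'),
    ("alice@example.net",    'Content-Disposition: attachment; filename="contract.pdf"'),
]


def classify_all(samples=SAMPLES):
    """Run every constructed sample through the filter and return the verdicts."""
    return [classify(sender, raw) for sender, raw in samples]


if __name__ == "__main__":
    for (sender, raw), verdict in zip(SAMPLES, classify_all()):
        print(f"{verdict:6} {sender:22} {raw}")
```

The fourth sample is the edge the comment mentions: a link to a .com host passes because no filename attribute is involved, while the fifth (a file literally named setup.com from an unknown sender) is still caught. A .php link from a known contact passes the filter, which is why the comment pairs this with not auto-loading scripts or images.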
Sounds like my hotmail account. Nothing from a new source is open on unknown emails. Known emails are simply not clicked on.
That may work as long as the email address hasn’t been spoofed to look like it has come from someone you know. I had several emails from a friend last night. At least they appeared to come from this friend and all that was in the body was a link, ending in google.php. There were about 4 or 5 different sites in different emails but the file listed at the end of the link was google.php. Needless to say I didn’t click on the links and I did tell her what had happened. Her account has not been hijacked, just the emails sent out with a spoofed sender’s address.
Examples :
http://.snookergear.com/google.php
http://supadjpascha.com/google.php
http://rossitersofbath.com/google.php
http://www.indiadancewales.com/google.php
It also happened last year with a friend at work. The emails looked very good, but the subject was just not something he would send an email about. His account had been hijacked and his email provider got it all back for him, including emails that had been deleted. He had turned his antivirus off for a short while while downloading something and forgot to turn it back on. He had to rebuild his PC.
I didn’t know how to stop the links being links instead of plain text that is why they appear as links. Perhaps Brian can change them?
Just google how to change the default reader pane to plain text in Outlook or whatever email client you are using. I believe even the popular big three web-based email services have the same setting. That way you can at least preview.
In hotmail, if it is not actually from your friend and is spoofed; it will treat it as some new source, as hotmail is never fooled by fake header information. So it will be blocked anyway. I got a fake partially blocked phishing email that looked totally legit from supposedly Paypal. I didn’t touch the thing – I just forwarded it to the abuse address at Paypal – they affirmed it was a phishing email.
Usually the header tells the tale.
Given that there isn’t much differentiation between the services, and level of service, offered by most banks it’s time one or two of them took the lead and invested in security to stand out from the crowd.
In many companies only one or two people process payments – how much would it cost the bank to develop/provide a tablet with a single banking use for their customers?
Turn on the tablet and it’s only got that bank’s app on it; download/access anything else is blocked/reported and disables the app.
The banks could even make a profit selling the single use tablets to their customers…
“Village View’s contract with Professional Bank stated that electronic transfers would only be allowed if they were authorized by two Village View employees, and confirmed by a call from specific Village View phone numbers.”
It seems pretty cut and dry. If the bank did not follow the contract to the letter then they are in breach and should be held responsible for the loss.
So why is all the discussion around AV? The case is going to hinge upon the phone calls which were (presumably) not made in accordance with the contract.
The new FFIEC guidance is very specific that a username and password are not adequate to authorize transfers out of a business account. Auditors have also been hitting this under the current guidance, so it’s not new.
Based on information in the post, I would find for the plaintiff. But I’m just an infosec guy, not a lawyer.
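The contract clause quoted in the comment above describes two controls: dual authorization by two employees, and confirmation by phone from specific registered numbers. As an added example (not code from the post, the bank, or the commenter), the function below models that policy the way a defender would implement it, taking up the earlier comments' point that the bank should initiate the call rather than trust caller ID: confirmed_from records the registered number the bank reached by dialling out. It also adds a velocity check, which is an assumption of mine motivated by the article's 26 consecutive wires, not something the contract is reported to contain. All names, numbers and amounts are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed policy data standing in for the contract's two-employee rule and
# registered phone numbers. Login names and numbers are made up.
AUTHORIZED_APPROVERS = {"owner", "escrow_officer"}
REGISTERED_NUMBERS = {"+1-310-555-0100", "+1-310-555-0101"}
MAX_NEW_BENEFICIARIES_PER_DAY = 5  # assumed velocity threshold, not from the page


@dataclass
class WireRequest:
    amount: float
    beneficiary: str
    approvals: Set[str] = field(default_factory=set)   # logins that approved online
    # Registered number the BANK dialled and reached for confirmation. None means
    # no bank-initiated callback happened; an inbound caller-ID value never goes here.
    confirmed_from: Optional[str] = None


def check_wire(req, approvers=AUTHORIZED_APPROVERS, numbers=REGISTERED_NUMBERS):
    """Return the list of policy failures for one wire; empty means it may proceed."""
    failures = []
    # Dual control: two distinct approvers, and only logins on the authorized list.
    if len(req.approvals & approvers) < 2:
        failures.append("needs two distinct authorized approvers")
    # Out-of-band confirmation: the bank must have reached a registered number.
    if req.confirmed_from is None:
        failures.append("no bank-initiated callback confirmation")
    elif req.confirmed_from not in numbers:
        failures.append("callback reached an unregistered number")
    return failures


def burst_alert(requests: List[WireRequest], known_beneficiaries: Set[str],
                limit: int = MAX_NEW_BENEFICIARIES_PER_DAY) -> bool:
    """Flag a day's batch when it pays more previously unseen beneficiaries than the
    assumed limit, the pattern behind "26 wires to 20 individuals" in the article."""
    new = {r.beneficiary for r in requests} - known_beneficiaries
    return len(new) > limit


# Constructed scenarios.
LEGIT = WireRequest(12000.0, "Title Co. LLC",
                    approvals={"owner", "escrow_officer"},
                    confirmed_from="+1-310-555-0100")
# One stolen login, no callback: what the article says a password-only site allowed.
STOLEN_LOGIN = WireRequest(18000.0, "mule-17", approvals={"owner"})
# Two approvals but "confirmation" came from an unregistered number.
WRONG_NUMBER = WireRequest(18000.0, "mule-18",
                           approvals={"owner", "escrow_officer"},
                           confirmed_from="+1-555-0199")
# A day of 26 small wires to 20 different new recipients.
HEIST_DAY = [WireRequest(18000.0, f"mule-{i % 20}", approvals={"owner"}) for i in range(26)]


if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("stolen_login", STOLEN_LOGIN), ("wrong_number", WRONG_NUMBER)]:
        print(name, check_wire(req) or "OK")
    print("burst alert:", burst_alert(HEIST_DAY, {"Title Co. LLC"}))
```

The point of the data model is that confirmed_from can only be populated by the bank's own outbound call; a design that stores the inbound caller ID in the same field would re-create the weakness the earlier comments describe.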
I agree there Mike R!
My recommendation to any victim of a cyber bank heist would be to tell the world about it; companies hate negative publicity regardless of who the courts ultimately decide is to blame. Simply telling the story to the world on Facebook, Twitter, various websites, creating a website, doing radio and TV interviews, etc is the best way to recover your losses. Simply telling the story about what happened without laying blame is provocative enough to create concern among the FI’s customer base and target market. Remember, it’s only defamatory if you unjustly point the finger. Keeping it simple like, “We banked at [bank name] and we had our money taken without our consent, and [bank name] did not cover the losses as they would had it been a personal checking account or consumer credit card.” Soon enough, many people will realize that banks are not created equal. Some banks, particularly the larger world banks have the resources to implement much better security than their smaller competitors. Even many of the large domestic banks that were getting hacked are starting to implement tighter security than what the government requires; not because of the threat from actual thieves, but from the trials taking place in the court of public opinion that ends up costing them more than if they would have simply refunded the banking customer and tightened up to begin with.