July 25, 2011

A California real estate escrow company that lost more than $465,000 in an online banking heist last year is suing its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.

The plight of Redondo Beach, Calif. based Village View Escrow, first publicized by KrebsOnSecurity last summer, began in March 2010. That’s when organized crooks broke into the firm’s computers and bank accounts, and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

Village View’s bank, Professional Business Bank of Pasadena, Calif., relied on third-party service provider NetTeller, which allowed commercial customers to authenticate to the bank’s site with little more than a username and password. Village View’s contract with Professional Bank stated that electronic transfers would only be allowed if they were authorized by two Village View employees, and confirmed by a call from specific Village View phone numbers.

The attack on Village View demonstrates the sophistication of malicious software like the ZeuS Trojan. The thieves disguised a banking Trojan as a UPS shipping receipt, and the company’s owner acknowledged opening the attachment and forwarding it to another employee who also viewed the malware-laced file. Once inside Village View’s systems, the attackers apparently disabled email notifications from the bank.

Nevertheless, Village View’s lawsuit challenges Professional Bank’s claims that its systems used “multi-factor,” and “state-0f-the-art” ebanking systems, and accuses the bank of negligence for not having procedures to help the company recover the fraudulent transfers.

This lawsuit comes just weeks after a decision in a similar case brought by another victim of ebanking fraud. In June, a U.S. district court in Michigan ruled that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 unauthorized wire transfers from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered in that case amounted to $560,000.

Julie Bonnel-Rogers, an attorney for Village View Escrow, said the Experi-Metal decision “cracked the door open” for her client’s lawsuit against the bank, because there is limited case law on the subject, and because claims against banks for wire transfer fraud have traditionally been very narrowly defined.

Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said the Village View lawsuit relies on similar claims made by Experi-Metal, arguing that its financial institution failed to act in good faith and that its online banking security procedures were not commercially reasonable.

“If the bank didn’t even follow their own written procedure for funds transfer verification as alleged in the pleadings, I’d be surprised if the bank didn’t lose just on breach of contact,” Castagnoli said. Still, she noted that the Experi-Metal decision was not binding on any other court, and that the court could review the issues of good faith and reasonable security, or decide that those issues don’t need to be addressed at all.

A copy of Village View Escrow’s complaint is available here (PDF).


44 thoughts on “Calif. Co. Sues Bank Over $465k eBanking Heist

  1. Al Mac

    Thanks

    This sounds like the security contract between bank and company used non-Internet verification for some activity, which malware cannot (yet) get at, but social engineering can.

    I will be interested to hear if judge rules contract is not important, because bank acted reasonably.

    On People’s TV court, contracts always are more important than what sounds reasonable.

  2. AlphaCentauri

    It sounds like the case hinges on whether the bank received a phone call from the customer’s phone number. The agreement should have required the bank to call the customer rather than the other way around, since caller ID can easily be spoofed. But it sounds like the bank and customer agreed on a less secure plan, in which the customer would call the bank and the bank would have to verify the caller based on the incoming phone number. (While the attackers inactivated emails from the bank, the plan specified a phone call, not an email.)

    Also, how is the phone confirmation for transactions carried out under normal procedures? By pushing “1” to confirm a transaction with a voice mail system? Or by leaving an audio message in voice mail (that could be an edited recording of someone with an American accent)? Was there a human at the bank who was expected to take these calls and talk to the customers and ask questions if the call sounded like it was from overseas?

    1. Jesse Ruderman

      The bank and customer did not “agree on a less secure plan”. The bank promised to only accept calls that are actually from specific phone numbers. If the bank in fact based their authentication on spoofable caller IDs, the bank is in breach of contract.

      Bank customers cannot reasonably be expected to know the current state of phone spoofing, anti-spoofing, and authentication technologies. Banks can.

      1. Al Mac

        If you been following the phone hacking scandal in Britain, it would appear that almost no-one knows how to have phone security, least of all the phone companies which issue insecure phone systems.

        1. John David Galt

          The phone companies know how. It’s just easier for them to build phone systems the way cars were built before Ralph Nader.

          1. Taylor

            That was honestly the last thing I expected from a commenter named after an Ayn Rand character.

  3. Robert P. Burke

    ANOHER BANK ADVENTURE: I was told my (debit Acct) at a N. H. CU could have the balance pulled out/put in to cause an $8.00 default.

    I ended up at the NH AGs office with the story, but they cannot add and subtract a debit/credit list on withdrawls later. I did not over-draw down the list afterward the default, however the bank won’t withdrae the $200.00 “fee”

    Our Banking Commissioner position hasn’t been filled. Waiting for something to happen.

  4. Helly

    Whatever the legal outcome here, it sounds like both the compromised company and the bank were quite negligent in their practices. If the new FFIEC guidance does nothing else, hopefully it gives these type of lawsuits better grounds. Which in turn will hopefully drive banks to developer better practices, and require their customers to maintain better practices.

    1. Al Mac

      Do we know for a fact that the company had proper anti-virus etc. installed?
      Do we know for a fact that there was some system of checking that the proper installed stayed installed?

      A company in Evansville Indiana lost $ 1 million because:
      1. Some employees installed some software that said they had to de-activate anti-virus to do the install, then they never re-activated it. They did not volunteer to the IT staff that they had this strange instruction.
      2. An e-mail arrived with one of those phony “see the attached document, for details on the complaint against your business” which various people forwarded to see if someone else could open it.
      3. Then they called the Better Business Bureau to ask specifically about the complaint, there was one, and they did not pursue the mystery.
      4. One of the people infected with the keylogger was the clerk who did billing, payroll, payables, and a bunch more financials.
      5. You can guess the rest.

  5. AlphaCentauri

    Small businesses can’t afford their own IT departments. Many businesses consist of only a single person. Except for tech companies, few of the employees of small businesses are likely to know anything about computer security, and even if they have outside vendors setting up systems of security procedures for them, they may gradually stop following them because no one on-site understands why they’re set up the way they are. (And the IT vendors don’t explain much to them, because that could potentially compromise security.) On top of that, the business owners who are really motivated to keep their computers secure are probably downloading fake antivirus products. They want to do the right thing, and they don’t know enough to know they’re doing the wrong thing.

    If a bank encourages even the smallest business to use online banking, they have to expect there will be malware on their customers’ computers. It’s not an unanticipated event: You can rely on it happening. Rather than relying completely on every customer having a sufficient security procedures to prevent every infection — when even security companies get hacked, after all — the bank needs procedures of its own that still work even if the customer’s computer is pwned.

    1. laughingpanda

      >Small businesses think that their own IT department would just consume funds for nothing.
      Then these businesses lose their money and give way to other businesses with different views on IT departments. That’s, boys and girls, is an example how free market works.

      1. Al Mac

        It is not just top management which uses IT unwisely, it is end users who try to put stuff on their PCs which may be in violation of company rules.

        Many companies of company handbooks with rules about photo-copy machines, PCs, all sorts of things, which routinely get violated. The challenge is rules enforcement without creating a hostile working environment.

      2. Chris

        >Small businesses think that their own IT department would just consume funds for nothing.

        Where did you get that quote from? You’re the one who said it. And no, crooks stealing money from folks is not how the free market works. It’s what drives legislatures to pass new laws, which in turn allows free markets to work.

        1. laughingpanda

          This quote was a translation from politically correct language of euphemisms to dirty language of real life. It’s like a “Quantitative easing” means “printing money”.

          IT awareness gives advantage. Those who think that it is not really necessary, that their business education s much more important, will part with their money.

        2. laughingpanda

          About laws

          Laws don’t stop people from breaching the laws, and stealing money via internet has been already outlawed for, well, quite a long time.

          Even more, most successful businesses built on breaching the laws one way or another. I think it was said a long time ago by Marx, and it is still true. So if you want your business to succeed, don’t rely on laws, try to do it yourself, as the law could appear on the stage too late for you.

  6. Gary

    The company’s owner had no responsibility to scan incoming e-mail for trojans? Or was there no anti-virus software capable to detecting the Zeus Trojan at that time?

    1. BrianKrebs Post author

      Gary,

      Every victim I’ve ever interviewed was running anti-virus software. All of the products failed to detect the malware until the victim had lost money.

      Anti-virus software is next to useless against these ZeuS Trojan attacks. The malware tends to be uniquely packed for each target and usually slips past AV detection for the first 24-48 hours, the most crucial time, unfortunately.

  7. Helly

    So a question that arises in my mind, is why do these victim companies not go after their anti-virus vendors as well? Isn’t the anti-virus vendor making a promise of security, but being seriously misleading about the quality of their product. The anti-virus commercials on TV all advertise their effectiveness, and awesomeness in general. Your paying 75$ a year per computer for your business, but given five minutes I can pull out around 15-20 malware samples in the wild that have a 10% detection rate across the board.

    Looking at the incident in its timeline, the anti-virus product is the first failure. The second failure is poorly configured controls whether on the banks part or the customers. I just don’t buy the argument that customers aren’t responsible for the security quality of their machines. I agree 100% that banks are responsible for making the assumption that a customer’s PC is infected, and there is plenty of driving force that way. Its extremely strange to me though how unbalanced this equation is.

    1. Terry Ritter

      “So a question that arises in my mind, is why do these victim companies not go after their anti-virus vendors as well?”

      Another question is why they do not go after Microsoft for selling a product which often fails to function securely even when used as expected. In what way is that product suitable for online banking?

      Anti-virus scanning technology flat out cannot be trusted to prevent, or even detect, malware infection:

      First, essentially the same malware can be released with a slightly different form (thus having a different signature) every few hours. Each new form cannot be prevented until that signature is in the user’s anti-vi list. The malware must first be detected somewhere, put into the anti-vi signature list, and delivered to the user, all before protection starts. By that time, a new form of that same malware (with yet another signature) may have been released.

      Next, the malware install process often will “encrypt” the malware with a key unique to that particular computer. That encrypted file never will occur anywhere else, and so never will appear in the virus signature list. In general, anti-vi will not detect a “polymorphic” malware infection.

      Last but not least, modern malware designs include “rootkit” functionality which modifies the OS. On such an infected machine, the OS may not report malware files as even present, although they are. Anti-vi scanning may be automatically diverted from an infected file to the original uninfected file. Scanning for malware from within a potentially-infected OS is thus likely to be ineffective at finding all malware.

      “I just don’t buy the argument that customers aren’t responsible for the security quality of their machines.”

      And I don’t buy that a customer should be held responsible for something they cannot even detect: Anti-vi simply cannot be depended upon to detect malware. And Microsoft certainly provides no tool which can certify their product as clean.

      Exactly what does a customer have to do to be responsible in your eyes? There is NO WAY to guarantee that a normal system has no malware, other than a full OS re-install (or recovery of an uninfected image). Do you really insist that every customer should have to re-install their OS from scratch before every online banking session? Because that is what it would take.

      1. Leper

        The licensing agreements for OS and AV software likely contain the same generic clauses in all software licenses; the developers are not liable for any damages due to the use of their software in any manner.

        Suing Microsoft for the security flaws that led to the trojan will quickly eat up more cash than was lost to the criminals. Going after the AV developers has a slim chance of succeeding, despite their tendency to over-promise and under-deliver on security.

        1. Terry Ritter

          “The licensing agreements for OS and AV software likely contain the same generic clauses in all software licenses; the developers are not liable for any damages due to the use of their software in any manner.”

          Sure, but is that legal? From Wikipedia.org under “Implied warranty”:

          “An implied warranty is one that arises from the nature of the transaction, and the inherent understanding by the buyer, rather than from the express representations of the seller.”

          “An implied warranty of fitness for a particular purpose is a warranty implied by law that if a seller knows or has reason to know of a particular purpose for which some item is being purchased by the buyer, the seller is guaranteeing that the item is fit for that particular purpose.”

          “In the United States, the obligation is in Article 2, Section 315 of the Uniform Commercial Code.”

          “Some jurisdictions, however, limit the ability of sellers or manufacturers to disclaim the implied warranty of merchantability or fitness, such as Massachusetts. (Massachusetts General Laws, Chapter 106: Section 2-316A).”

          1. JBV

            Sorry, Terry, but trusting Wikipedia to be a source of comprehensive legal information is equivalent to trusting an AV program to catch every strain of malware.

            1. Terry Ritter

              “Sorry, Terry, but trusting Wikipedia to be a source of comprehensive legal information is equivalent to trusting an AV program to catch every strain of malware.”

              Sorry JBV, but complaining about Wikipedia as a source for content would seem to require first showing a problem in the content. Since the quoted content supports my long-time understanding, I guess it to be close to correct, but also specifically included the reference to the actual law, plus sections of their text with various searchable keywords. This is a start of research, not an end; a short blog comment, not a refereed treatise.

              Microsoft is selling a system to ordinary nontechnical consumers for use on the Web. Although that system has a software firewall, a free anti-virus and frequent free patches, it nevertheless almost cannot be used securely by ordinary consumers. By experience we know that many installations do in fact become invisibly infected with malware, some of which can expose online banking operations. The consumer is given no way to certify their system as clean before an online banking session. As a result, the product inherently supports dangerous infection which is exposed only *after* economic damage occurs. If no consumer protection law or rule applies to hold Microsoft responsible for damages, there needs to be one.

      2. Helly

        I agree entirely with your points about AV and its ineffectiveness. But ultimately your point seems to be there is nothing the customer should be responsible for in regard to the security of their devices?

        Its an approach like this that allows groups like Anonymous and LulzSec to so easily compromise PCs and sites. They aren’t sophisticated attackers, or even using sophisticated malware. They are taking advantage of the fact the security is perpetually somebody else’s problem. Its trivially easy for me to find thousands of sites completely open to compromise because security isn’t a concern.

        Don’t get me wrong plenty of banks aren’t doing things properly, but letting the victim here off the hook because “hey they can’t be expected to not get infected” isn’t the right approach either. In these situations the breached companies should be responsible for a portion of the loss. A valid defense can’t and shouldn’t be “I shouldn’t have to try and secure my computer….”

        1. Terry Ritter

          @Helly: “…ultimately your point seems to be there is nothing the customer should be responsible for in regard to the security of their devices?”

          How can anyone possibly be “responsible” for something they cannot prevent and cannot detect? What could that sort of “responsibility” possibly mean?

          Until the equipment and system software are designed properly, it simply is not possible for an ordinary customer to prevent malware infection, or detect a hiding bot. The “responsibility” thus lies in the design, and so mostly in Microsoft. The continued production and sale of a known-vulnerable and thus known-dangerous design could and should have legal consequences for the manufacturer, just like it would with an automobile design known to cause costly accidents.

          1. george

            I disagree with you on this particular one, Terry.
            The customers can significantly reduce the risks (to almost zero!) associated with their online banking sessions by using (for instance) a Linux LiveCD or at least a non-Windows machine. Few banks, if any, nowadays will say is not supported to use their banking website from at least one alternative OS. The point is: there should be incentives at both ends to keep fraud out, if the security compromise involved the customer in any way they should support a part of the loss. I don’t think they should support the whole loss either, as it happens now, especially when I read in Brian’s column how some banks understand now they should provide multi-factor authentication, methods which would not stand even to an attack with 2006 generation malware.

            1. Terry Ritter

              Hi george: “The customers can significantly reduce the risks (to almost zero!) associated with their online banking sessions by using (for instance) a Linux LiveCD or at least a non-Windows machine.”

              I use Puppy Linux booted from DVD online all day, every day (I am using it now). I also have a couple of older Puppy install articles on my site. So, yes, customers obviously can be more secure online by learning to use a Live DVD.

              But for those who do not, most are running Microsoft Windows, and some even “need” Windows for their point-of-sale apps and so on. Those people need equipment and software which does not support infection. If they are hurt as a result, I think they have a case against the manufacturer.

              Now, any design can be found to have flaws, and not all fixes will be perfect. But when flaws are found that damage the customer, the appropriate response is to fix the design. People with older equipment may have to buy something, but a Windows DVD version for online banking and buying would be a big help.

              We have had an obvious bot problem for years, and still get new product with the old flaws. The software manufacturer obviously knows about the problem, obviously knows they cannot prevent it by scanning or patching, and obviously knows customers are getting hurt, yet continues to sell the same unfixed flaws. Something is wrong with this picture.

      3. BGC

        As the owner of a computer repair shop, I’ve been amazed that the AV companies have no interest in gathering samples from shops like mine. After all, every machine I work on is infected with a virus that was not detected by the AV.

        If they were really interested in improving their detection rate, wouldn’t they want samples of malware that has escaped their honeypots and signature-based detection?

        1. george

          @BGC,
          I think the main reason here would be customer privacy. I don’t think the mainstream computer technician would be able to “lift” a modern virus or trojan and upload to an antivirus vendor’ website without risking to go through much of the private information, after all, this malware is good at hiding, it goes into Alternate Data Streams, in hidden partitions, injected into legitimate files, and so on. I would guess the antivirus vendors would need a complete disk image for proper viral analysis, which is, you would agree, unacceptable for most customers.

        2. AlphaCentauri

          The primary concern of AV products is stopping the malware before it installs. At that point, it’s in a much different form that it will be by the time it has been unzipped and unencrypted, has inactivated the antivirus, has called home, and has downloaded and installed the real payload. I believe that many infections even delete the malicious file that was initially downloaded and delete the browser history to remove evidence of what was downloaded and where it came from.

          They do accept submissions of false negative files from their users, get feeds from sites like VirusTotal, and run test machines in their labs to see what happens when they get infected. There’s no shortage of samples to check out, unfortunately.

        3. JCitizen

          @BGC;

          Probably because they actually know that signature detection is obsolete, but can’t be bothered with the cost of developing better technologies. It really is up to the user to find better solutions.

          However, the bank is not completely off the hook in all situations either.

      4. c.cobb

        “Do you really insist that every customer should have to re-install their OS from scratch before every online banking session? Because that is what it would take.”

        Actually, yes. That’s exactly what running Linux from a Live USB / CD does. It takes less time to “install and boot” Linux into a RAM-based session then it does to simply boot Windows.

        I boot a Live USB with a custom remix of Ubuntu on a 10-year old Dell Inspiron that has no hard disk and 1.25GB of RAM — it takes less than two minutes. I use it nearly every day, because it’s so quick, easy, and fully-featured.

  8. Andy

    Emails with attachments slipping past the anti-virus -why not just block all attachments or at least have them quarantined and examined on a standalone workstation or even in a VM running on Linux? I guess blocking all attachments is the easiest method. Incoming and outgoing.

    Whatever happens, the banks need to assume that the customers computers may be compromised and the customer may not know enough about computer security. The bank should then take appropriate measures. One of those should be educating the customer on computer security, trojans and viruses, epsecially ones like Zeus.

    Customers should take precautions as well, but if they don’t know about the threat how will they know what to do? There is a requirement for documentation to be available to everyone, that is updated regularly, say once a month or as frequently as necessary, on threats and solutions. it shouild be sent to any and all businesses that use the Internet for anything including banking. Perhaps ISPs could have a hand in this.

    1. AlphaCentauri

      You can’t block attachments if you have to do business with people who think their messages are too important to be sent without being formatted in .doc or .pdf. I think some people have never learned how to type into an email window. 😉

      But not all attachment types are a risk and not all links within normal emails are benign. My strategy: My email client is set to not execute scripts or load images without my specifically enabling it. My email filters include two for potentially malicious email attachments or links that look for the RegEx string: \.pif”|\.vbs”|\.cpl”|\.zip”|\.exe”|\.bat”|\.cmd”|\.scr” One of the filters overrides whitelisting and the other doesn’t. The result is that emails from people I don’t know with potentially executable attachments or links are marked as spam. Emails from people I do know are marked for more careful analysis. There will be false positives, and isn’t practical for identifying .com when it’s a file extension rather than a TLD, but it catches lots more than an antivirus ever could. I’d rather be warned to be careful in the few cases where a good email is going to have an executable attachment.

      1. JCitizen

        Sounds like my hotmail account. Nothing from a new source is open on unknown emails. Known emails are simply not clicked on.

  9. Andy

    That may work as long as the email address hasn’t been spoofed to look like it has come from someone you know. I had several emails from a friend last night. At least they appeared to come from this friend and all that was in the body was a link, ending in google.php. There were about 4 or 5 different sites in different emails but the file listed at the end of the link was was google.php Needless to say I didn’t click on the links and I did tell her what had happened. Her account has not been hijacked, just the emails sent out with a spoofed senders address

    Examples :

    http://.snookergear.com/google.php
    http://supadjpascha.com/google.php
    http://rossitersofbath.com/google.php
    http://www.indiadancewales.com/google.php

    It also happened last year with a friend at work. The emails looked very good, but the subject was just not something he wouild send an email about. His account had been hijacked and his email provider got it all back for him, including emails that had been deleted. he had turned his antivirus off for a short while while downloading something and forgot to turn it back on. He had to rebuild his PC.

    1. Andy

      I didn’t know how to stop the links being links instead of plain text that is why they appear as links. Perhaps Brian can change them?

      1. JCitizen

        Just google how to change the default reader pane to plain text in Outlook or whatever email client you are using. I believe even the popular big three web-based email services have the same setting. That way you can at least preview.

        In hotmail, if it is not actually from your friend and is spoofed; it will treat it as some new source, as hotmail is never fooled by fake header information. So it will be blocked anyway. I got a fake partially blocked phishing email that looked totally legit from supposedly Paypal. I didn’t touch the thing – I just forwarded it to the abuse address at Paypal – they affirmed it was a phishing email.

        Usually the header tells the tail.

  10. emv x man

    Given that there isn’t much differentiation between the services, and level of service, offered by most banks it’s time one or two of them took the lead and invested in security to stand out from the crowd.
    In many companies only one or two people process payments – how much would it cost the bank to develop/provide a tablet with a single banking use for their customers?
    Turn on the tablet and it’s only got that bank’s app on it; download/access anything else is blocked/reported and disables the app.
    The banks could even make a profit selling the single use tablets to their customers…

  11. John Thompson

    “Village View’s contract with Professional Bank stated that electronic transfers would only be allowed if they were authorized by two Village View employees, and confirmed by a call from specific Village View phone numbers.”

    It seems pretty cut and dry. If the bank did not follow the contract to the letter then they are in breach and should be held responsible for the loss.

  12. Mike R

    So why is all the discussion around AV? The case is going to hinge upon the phone calls which were (presumably) not made in accordance with the contract.

    The new FFIEC guidance is very specific that a username and password are not adequate to authorize transfers out of a business account. Auditors have also been hitting this under the current guidance, so it’s not new.

    Based on information in the post, I would find for the plaintiff. But I’m just an infosec guy, not a lawyer.

  13. mybankwashacked

    My recommendation to any victim of a cyber bank heist would be to tell the world about it; companies hate negative publicity regardless of who the courts ultimately decide is to blame. Simply telling the story to the world on Facebook, Twitter, various websites, creating a website, doing radio and TV interviews, etc is the best way to recover your losses. Simply telling the story about what happened without laying blame is provocative enough to create concern among the FI’s customer base and target market. Remember, it’s only defamatory if you unjustly point the finger. Keeping it simple like, “We banked at [bank name] and we had our money taken without our consent, and [bank name] did not cover the losses as they would had it been a personal checking account or consumer credit card.” Soon enough, many people will realize that banks are not created equal. Some banks, particularly the larger world banks have the resources to implement much better security than their smaller competitors. Even many of the large domestic banks that were getting hacked are starting to implement tighter security than what the government requires; not because of the threat from actual thieves, but from the trials taking place in the court of public opinion that ends of costing them more than if they would have simply refunded the banking customer and tightened up to begin with.

Comments are closed.