19 Apr 13

Bank Sues Cyberheist Victim to Recover Funds


A bank that gave a business customer a short term loan to cover $336,000 stolen in a 2012 cyberheist is now suing that customer to recover the fronted funds, after the victim company refused to repay or even acknowledge the loan.

On May 9, 2012, cyber crooks hit Wallace & Pittman PLLC, a Charlotte, N.C.-based law firm that specializes in handling escrow and other real-estate legal services. The firm had just finished a real estate closing that morning, initiating a wire of $386,600.61 to a bank in Virginia Beach, Virginia. Hours later, the thieves put through their own fraudulent wire transfer, for exactly $50,000 less.

At around 3 p.m. that day, the firm’s bank, Charlotte, N.C.-based Park Sterling Bank (PSB), received a wire transfer order from the law firm for $336,600.61. According to the bank, the request was sent using the firm’s legitimate user name, password, PIN code, and challenge/response questions. PSB processed the wire transfer, which was sent to an intermediary bank — JP Morgan Chase in New York City — before being forwarded on to a bank in Moscow.

Later that day, after the law firm received an electronic confirmation of the wire transfer, the firm called the bank to say the wire transfer was unauthorized, and that there had been an electronic intrusion into the firm’s computers that resulted in the installation of an unspecified strain of keystroke-logging malware. The law firm believes the malware was embedded in a phishing email made to look like it was sent by the National Automated Clearing House Association (NACHA), a legitimate network for a wide variety of financial transactions in the United States.

As some banks do in such cases, Park Sterling provided a provisional credit to the firm for the amount of the fraudulent transfer so that it would avoid an overdraft of its trust account (money that it was holding for a real estate client) and to allow a period of time for the possible return of the wire transfer funds. PSB said it informed Wallace & Pittman that the credit would need to be repaid by the end of that month.

But on May 30, 2012 — the day before the bank was set to debit the loan amount against the firm’s trust account — Wallace & Pittman filed a complaint against the bank in court, and obtained a temporary restraining order that prevented the bank from debiting any money from its accounts. The next month, the law firm drained all funds from all three of its accounts at the bank, and the complaint against the bank was dismissed.

Park Sterling Bank is now suing its former client, seeking repayment of the loan, plus interest. Wallace & Pittman declined to comment on the ongoing litigation, but in their response to PSB’s claims, the defendants claim that at no time prior to the return of the funds did the bank specify that it was providing a provisional credit in the amount of the fraudulent transfer. Wallace & Pittman said the bank didn’t start calling it a provisional credit until nearly 10 days after it credited the law firm’s account; to backstop its claim, the firm produced an online ledger transaction that purports to show that the return of $336,600.61 to the firm’s accounts was initially classified as a “reverse previous wire entry.”

But beyond that, Wallace & Pittman argues that the bank’s claims are barred by its failure to maintain commercially reasonable security measures for its online banking services. The law firm says the fraudulent wire did not come from an IP address associated with the firm, and that it had never before initiated a wire transfer to Russia or to any other location outside the United States.

“The bank was aware or should have questioned the legitimacy of an international wire transfer,” and “was aware or should have been aware of various schemes involving fraudulent funds transfers, particularly those involving parties located in Russia,” the firm argued.

Wallace & Pittman claim that the bank’s authentication procedures amount to little more than a series of passwords. According to the law firm, the process of authenticating its account at PSB involved merely entering an account username and password. To move money via wire transfer, PSB customers must enter an online banking ID and a static 4-digit “wire code.” After the wire transfer request is submitted, the system generates two “challenge questions.” Wallace & Pittman said these two challenge questions never changed, and that the answers to both questions were pre-programmed by the bank to the same common and intuitive four-letter word.

Dan Mitchell, an attorney with the law firm of Bernstein Shur in Portland, Me., said that if PSB indeed relied on just user IDs, static passwords and static challenge questions, it may be hard for the bank to argue that these were commercially reasonable security procedures at the time of the theft in 2012. On the other hand, if, as the bank alleges, the law firm declined the bank’s suggestion of using “dual controls” (requiring two people to verify and sign off on all money transfers), the bank may have a defense under the Uniform Commercial Code (UCC), Section 202(c) of Article 4A.

“This allows a bank to shift the risk of loss back to a customer if the customer was offered, but declined, a security procedure that would have been commercially reasonable (this presupposes that dual-control is a commercially reasonable procedure),” said Mitchell, an attorney who represented Maine construction firm Patco in its successful lawsuit against its bank following a $588,000 cyberheist in May 2009.

This scenario is the very one that played out in the Choice Escrow case that was decided by a federal district court in Missouri back on March 18th of this year. In its response to the bank’s lawsuit, however, Wallace & Pittman denies that it was offered and rejected the dual-control option.
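To make the contrast between the two procedures concrete, here is an added example (written for this page, not code from Park Sterling Bank, the law firm or the article) that models a wire request under both regimes. The “static only” profile mirrors what the law firm describes: a username, password, fixed 4-digit wire code and two challenge questions whose answers never change, all of which a keystroke logger can capture and replay. The “hardened” profile keeps the same secrets but adds the dual-control and out-of-pattern checks discussed above: a second, distinct authorized user must approve each wire, and a request from an IP address the customer has never used, or to a country the customer has never wired to, is held for an out-of-band callback instead of being released. Every name, IP address, amount, answer and threshold is constructed sample data.

```python
"""Added example: toy wire-authorisation engine contrasting a static-secret
scheme with dual control plus risk checks.  All data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class CustomerProfile:
    username: str
    password: str
    wire_code: str                  # static 4-digit code
    challenge_answers: dict         # question -> fixed answer (never rotates)
    known_ips: set                  # IPs the customer has banked from
    prior_dest_countries: set       # countries the customer has wired to
    dual_control: bool = False      # second person must approve
    risk_checks: bool = False       # hold out-of-pattern wires for callback
    approvers: set = field(default_factory=set)


@dataclass
class WireRequest:
    submitted_by: str
    amount: float
    dest_country: str
    source_ip: str
    secrets: dict                   # whatever the submitter typed


def static_secrets_match(req: WireRequest, p: CustomerProfile) -> bool:
    """All a static-secret scheme checks: string equality on replayable values."""
    s = req.secrets
    return (s.get("username") == p.username
            and s.get("password") == p.password
            and s.get("wire_code") == p.wire_code
            and all(s.get(q) == a for q, a in p.challenge_answers.items()))


def risk_flags(req: WireRequest, p: CustomerProfile) -> list:
    """Out-of-pattern signals that hold even when every secret is correct."""
    flags = []
    if req.source_ip not in p.known_ips:
        flags.append("unknown_source_ip")
    if req.dest_country not in p.prior_dest_countries:
        flags.append("new_destination_country")
    return flags


def decide(req: WireRequest, p: CustomerProfile, approver: str = None) -> str:
    """Return 'rejected', 'approved', 'held_for_approval' or 'held_for_callback'."""
    if not static_secrets_match(req, p):
        return "rejected"
    if p.risk_checks and risk_flags(req, p):
        return "held_for_callback"      # release only after an out-of-band call
    if p.dual_control and (approver is None
                           or approver == req.submitted_by
                           or approver not in p.approvers):
        return "held_for_approval"      # a second authorised person must sign off
    return "approved"


def demo() -> dict:
    """Run both profiles over a legitimate wire and a replayed fraudulent one."""
    secrets = {"username": "firm", "password": "Pa55word", "wire_code": "1234",
               "q1": "demo", "q2": "demo"}          # constructed, as is everything here
    base = dict(username="firm", password="Pa55word", wire_code="1234",
                challenge_answers={"q1": "demo", "q2": "demo"},
                known_ips={"198.51.100.7"}, prior_dest_countries={"US"})
    static_only = CustomerProfile(**base)
    hardened = CustomerProfile(**base, dual_control=True, risk_checks=True,
                               approvers={"alice", "bob"})

    # Morning closing: known office IP, domestic destination.
    legit = WireRequest("alice", 386600.61, "US", "198.51.100.7", secrets)
    # Afternoon fraud: the same secrets replayed from an unknown IP to a
    # never-before-used country, for exactly $50,000 less.
    fraud = WireRequest("alice", 336600.61, "RU", "203.0.113.9", secrets)
    bad_pw = WireRequest("alice", 100.0, "US", "198.51.100.7",
                         {**secrets, "password": "guess"})

    return {
        "static_legit": decide(legit, static_only),
        "static_fraud": decide(fraud, static_only),          # replay succeeds
        "hardened_legit_no_approver": decide(legit, hardened),
        "hardened_legit_self_approved": decide(legit, hardened, approver="alice"),
        "hardened_legit_second_person": decide(legit, hardened, approver="bob"),
        "hardened_fraud": decide(fraud, hardened),           # held for callback
        "wrong_password": decide(bad_pw, static_only),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30} -> {outcome}")
```

The point of the model is that the static-only profile cannot distinguish the legitimate morning wire from the afternoon replay, because both carry identical secrets; only signals that a keylogger cannot supply (a second person, the customer’s usual IP addresses and destinations) separate the two.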

Mitchell said the other interesting variable in this case is that the account at issue was a trust account: in other words, it was not the customer’s money, but money being held and managed by the customer for others in real estate transactions.

“The bank apparently knew this, yet it still planned to debit the customer’s account and leave the customer on the hook,” Mitchell said. “That was a pretty aggressive move by the bank, probably too aggressive given the facts.”

Unfortunately, cyberheists hit new businesses every week. These attacks are eminently preventable, but blocking the bad guys responsible for these attacks takes awareness, vigilance and forethought. If you run a small business and manage your company’s accounts online, please take a moment to read my list of best practices here: Online Banking Best Practices for Businesses.

The complaint filed by Park Sterling Bank is here (PDF). A copy of Wallace & Pittman’s response is at this link (PDF).


21 comments

  1. Are we missing something here? You wrote:

    “PSB processed the wire transfer, which was sent to an intermediary bank — JP Morgan Chase in New York City — before being forwarded on to a bank in Moscow.”

    Doesn’t that imply that PSB was unaware of the final destination of the wire transfer since they just sent it to JPM? How would they know it was going to Moscow?

  2. PSB would have known where the wire was ultimately headed, but these international wires generally route through a correspondent bank before heading to their destination, and JPM is one of the more common correspondent banks for int’l wires.

  3. It looks to me like PSB needs to go after the bank in Moscow where the money transfer ended up, to find out whose name(s) were on the account.

  4. Every time I read about one of these instances, I always wonder if there is a way to flag your account so no foreign transfers are allowed, and if it isn’t available, why isn’t it available.

    • I imagine anyone proactive enough to put limits on foreign deposits is savvy enough to have other protection mechanisms in place.

  5. This type of bank fraud is becoming more common. And it always appears that the ultimate destination of the funds is somewhere in the Eastern Bloc of countries. That seems true whether it’s a transferring bank such as JPM or a network of money mules; the money always goes east.
    This type of robbery is far safer and more lucrative for the bank robbers than the old-fashioned “Bonnie & Clyde” style strong-arm bank robbery.
    Unlike conventional bank robberies, the FBI does not release annual statistics on cyberheists. But the amount of money taken each year through digital fraud dwarfs the amount stolen the old-fashioned way.

    The banking/finance industry has taken steps to fortify infrastructure on the back end, but I do not see regulatory agencies or Payment Card agencies enforcing those same stringent safeguards upon individual banks and/or their clients. I suspect that imposing such strict security standards at the retail end would be too expensive and/or severely impact the retail side of the business.

    But until they do, we will see more of these in the future. Eventually the finance industry as a whole will be forced to respond.

  6. So who’s responsible, the bank (an intermediary) or the victim (the compromised law firm)? Collectively, the banking industry has made strides to raise the bar for “reasonable security measures” taken to reduce risk for these kinds of attacks, but unless they control the endpoint on each side of the transaction, what can they do? Even with two-factor, someone has to enter the passcode from the token on a terminal, which can then be intercepted by malware residing on the system. Is it the bank’s responsibility to know where the money/data is going? Do ISPs have that responsibility too? A bank is a bank, not an ISP/MSSP.

    It seems expedient that every single law firm that doesn’t have stringent requirements for securing their systems can simply blame the bank for not doing enough to control things beyond their scope.

    I have to sympathize with the banks on this one.

    • Can’t say I agree. Banks live in this world, it’s their bread and butter. They should be able to build in much more secure controls for those clients that want to take advantage of them. Most banks don’t. Case in point – a bank I know about forbids customers from using more than 8 characters in their password. They do allow customers to add a security token, but that token is not required for all operations. They allow customers to limit the amount of transfers, but that goes both ways – they don’t allow a customer to limit (or stop) outgoing transfers, but not incoming.
      All my suggestions to improve have fallen on deaf ears. So I’m all in favor of lawsuits that might make banks rethink the economics of their current horrible security measures.

      • Bruce,

        Could you elaborate on what it means that “banks live in this world”; don’t law firms live in it too; don’t we all live in it and have a responsibility to follow up and perform due diligence? The bread and butter of banks is to store money and transfer it to other parties at the behest of their clients. Again, it is not their responsibility to act as an ISP, MSSP, and ensure the security posture of their client systems is sufficient. You’re insinuating that banks should go further than they are now. At what point does anyone else take responsibility for doing business with them and taking risks associated with not performing due diligence? Again, the bank didn’t get hacked, nor did exposing data or loose password requirements on their end result in the incident. Could they have prevented it? Sure, as could any other institution that faces millions in potential cost overruns implementing a 2-factor/OOB/biometric solution (ah, but wait, they offered it and the client refused).

        Look at banking systems over the past decade in light of Hannaford, Heartland, etc. and GLBA/SOX/PCI. They *have* been baking in more controls, to the point where it is prohibitively expensive for smaller institutions to get a foothold in the industry because of economies of scale. Assuming the law firm chose this bank because of ease of use and did opt out of additional controls as the article suggests, whose fault is that? If they decide to go to another bank and the same thing occurs (per the definition of insanity), is it the other institution’s responsibility too for not mandating more stringent controls? Are banks permitted to send inspectors out to assure that the clients they do business with are not infected? There is no FDIC for law firms.

        My understanding is that in security we treat each system in a transaction as a chain link where a consistent baseline of protection is needed to ensure integrity and authenticity. The bank may have met that baseline (or at least offered it), but the client did not. This is why I find the client’s behavior expedient.

        • Josh,

          Why do you presume that the bank offered the dual controls to the customer? The response from the defendant denies that this occurred, and I couldn’t see anywhere in the agreement that documented where security controls had been specifically declined – or even offered.

          I am just hesitant to believe that the bank has any interest in security when they can’t even get personal information redacted in a document properly.

          • Bruce,

            I’ve worked with law firms that do closings and title transfers for real estate in a market of the country that is rife with these deals. In most cases, banks are fairly proactive in offering additional controls that assure authenticity of both parties during a wire transfer. Unfortunately, the people who are initially entrusted with client funds (the law firms) aren’t obligated to follow best practices and therefore, in many cases, eschew them. The sum of money in this particular case was $350,000. On a routine basis, a boutique firm will do 3-4 closings a day, performing wire transfers ranging from hundreds of thousands to millions. Think about this the next time you hire an outfit to represent you when you purchase your next home.

            You state that I’m making a presumption, and yet your original argument is a presumption of the general state of the banking industry (not enacting adequate controls, poor password policy) based on a few cases of observation, insinuating that they are solely responsible for these types of occurrences. Banks, as you say, exist in this world (particularly one of fines and increased regulations), and they acknowledge that these risks exist. Law firms, however, don’t have to abide by the same rules, and therefore don’t, even if they easily have the funds to re-invest in better security hygiene.

            Again, regardless of whether the client was explicitly offered the control, the firm was compromised. Whether the bank, Amazon, or some other intermediary institution processed their order is irrelevant. To put it short, s**t is on them.

            • I’m not Bruce, btw. Just jumping in with my two cents. :)

              My background – I have been a GLBA IT auditor for banks, and currently work at one, so I am familiar with their security offerings.

              Where most banks fail epically, is that they don’t explain the risks involved to the customer. Asking them if they want dual control is not enough. Sure, they should do their own research, but the vast majority emphasize only the convenience their products provide, instead of educating customers on the risks involved in those services.

              To oversimplify my position: if I go skydiving, I sign a waiver saying the skydiving company is in no way responsible should something go wrong. But if the plane crashes because they forgot to gas it up, then they are (or should be) found negligent and liable. In no way do I blame the bank solely for this, but nor do I feel that the firm was entirely at fault. Yes, they were compromised. But according to the documents, bank personnel manually entered the wire transfers, and common sense alone should have noticed that one amount was for exactly 50k less than the previous, and headed to Russia. It’s not like bank personnel have never heard of wire fraud.

              I didn’t mean to put words in your mouth regarding presumptions; I was merely pointing out that it is pretty much he said/she said regarding the additional controls. The bank hasn’t produced anything that says the firm declined the additional controls, which is why I feel they are somewhat on the hook.

              Actually one of the easiest solutions for this would be to have the bank require dual control, not have it optional.

              • Sorry for the confusion MC.

                And I agree that banks can do more to educate consumers about the risks of doing business online. However, for their failure to do so, there exist multiple avenues of dissemination (conferences/seminars, newsletters, headlines, Brian Krebs) that have repeatedly and mind-numbingly articulated the dangers of malware and doing wire transfers without verifying authenticity. You don’t have to be a specialist to seek this information out, especially if you’re working in the fields affected. A better analogy than the skydiver would be going to Egypt to visit the Pyramids without watching current events. The client knows about the landscape, they *accept* the risk, and they got burnt. The bank is not responsible for simply issuing them a ticket without a travel advisory.

                The problem, MC, isn’t that these firms aren’t aware (as they should be if they deal with large sums of money like banks). It’s that they just. don’t. care. As you mentioned, convenience is a large factor, and for some firms, processing more closings and getting clients out the door matters more than deploying AV on their desktops. As this case shows, they’ll even go so far as to absolve themselves of any responsibility for securing their systems and attribute any failure to their bank, as if it’s their MSSP (who’s to say that isn’t why they chose this bank)!

                The problem with your solution is that it proposes a singular control to address an issue that is endemic to a clientele that is negligent in their fiduciary responsibility to handle their clients’ money responsibly and therefore exposes their funding (and most likely other personal information) to hackers. I agree that dual control would be effective, but I don’t believe the bank itself should be culpable for not mandating it, particularly when it does little to mitigate the exposure that already exists by virtue of the client not performing their own due diligence.

  7. Thanks for keeping up the good work Brian. I would love to see you add in a suggestion to your online banking best practices article that commercial customers who use online banking for ACH and Wire transfers choose a bank that offers phone based out of band authentication for all outgoing payments.

    http://krebsonsecurity.com/2013/04/bank-sues-cyberheist-victim-to-recover-funds/

  8. It would seem as though a law firm holding funds in their own accounts in trust for clients should be subject to more stringent standards than an ordinary business. They are acting as a financial institution in this case, not as a depositor.

  9. This looks like the legal firm got scammed, so they turned around and scammed the bank. It is a (less frequent) courtesy by this bank that they gave a temporary credit to the legal firm, and usually there are very well-written caveats attached to these temporary credits. In return, the legal firm turned around and scammed the bank. Because the legal firm got ‘ripped off’ does not give the legal firm the right to turn around and ‘rip off’ the bank, no? That was obviously scammy timing.

    Brian, I have a question: In cases like this, why isn’t a firm acting as a real estate intermediary required to have some sort of insurance or bond through a third party if they are holding money in escrow? Especially considering that as a corporation they do not even generally have “FDIC Insurance” (at least if one assumes that the property the money was originally for was owned by an individual that would have qualified partially for federal insurance coverage)?

    • For all we know the Law Firm may be the source of the scam in the first place and the unspecified strain of keystroke-logging malware was an office employee. Where is the police report?

  10. In the last article Brian wrote about this topic, I thought the bank should be at fault (37 failed logins and they didn’t shut down access to the account!)

    But in the case, I would most definitely side with the bank, particularly if the customer did indeed decline additional security measures.

    The way the company went about the entire thing was extremely shady. Temporary injunction to prevent the bank from recovering the “credit” they gave to the company? Only to then empty all of the accounts, and then drop the complaint afterwards? That’s just not right on a number of levels.

  11. What I found interesting was that the complaint filed by the bank says in paragraph #9 that it has redacted confidential information and account numbers in Exhibit A, then leaves them wholly intact in the document. A NC Driver’s License number and SSN for a defendant are clearly visible.

    I will give them 1/10 credit for identifying the confidential information at least (they put boxes around what should have been redacted, but just failed to actually do so).

    I can’t think of a poorer reflection on the bank in regards to their attitude and actions protecting customer’s information and money, than publishing a fraud victim’s personal information in a public record.

    CW: The way I understood the complaint/response, they didn’t have much of a choice regarding moving the accounts – since the funds were held in trust, there could be severe professional penalties if they could not cover the account. Given that the bank intended to debit the account for the whole amount 2 days after notifying P&W, I can’t really blame them for bailing for an institution that couldn’t leave them holding the bag.

    I think the bank will get the short end of the stick. Just depends on whose version is true, specifically with the way the wire was processed manually by the bank.

    • That is very strange, MC.

      In U.S. federal courts by law anything filed with PACER must have all PII redacted. This looks to be a local case. Maybe the local court or state court record filing system does not have the same rule? Although I am somewhat sure that it must.

  12. In addition to following Brian Krebs’s Best Practices, sole proprietors, not-for-profits, and small businesses may apply for CyberHeist insurance at http://www.cdiaus.com for as little as $100 per year.

    Your choices:
    1) Beg your banker for your money back
    2) Sue your banker for your money back
    3) Get your money back from CDIA