A California real estate escrow company that lost more than $465,000 in an online banking heist last year is suing its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.

The plight of Redondo Beach, Calif. based Village View Escrow, first publicized by KrebsOnSecurity last summer, began in March 2010. That’s when organized crooks broke into the firm’s computers and bank accounts, and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

Village View’s bank, Professional Business Bank of Pasadena, Calif., relied on third-party service provider NetTeller, which allowed commercial customers to authenticate to the bank’s site with little more than a username and password. Village View’s contract with Professional Bank stated that electronic transfers would only be allowed if they were authorized by two Village View employees, and confirmed by a call from specific Village View phone numbers.

The attack on Village View demonstrates the sophistication of malicious software like the ZeuS Trojan. The thieves disguised a banking Trojan as a UPS shipping receipt, and the company’s owner acknowledged opening the attachment and forwarding it to another employee who also viewed the malware-laced file. Once inside Village View’s systems, the attackers apparently disabled email notifications from the bank.

Nevertheless, Village View’s lawsuit challenges Professional Bank’s claims that its systems used “multi-factor,” and “state-0f-the-art” ebanking systems, and accuses the bank of negligence for not having procedures to help the company recover the fraudulent transfers.

This lawsuit comes just weeks after a decision in a similar case brought by another victim of ebanking fraud. In June, a U.S. district court in Michigan ruled that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 unauthorized wire transfers from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered in that case amounted to $560,000.

Julie Bonnel-Rogers, an attorney for Village View Escrow, said the Experi-Metal decision “cracked the door open” for her client’s lawsuit against the bank, because there is limited case law on the subject, and because claims against banks for wire transfer fraud have traditionally been very narrowly defined.

Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said the Village View lawsuit relies on similar claims made by Experi-Metal, arguing that its financial institution failed to act in good faith and that its online banking security procedures were not commercially reasonable.

“If the bank didn’t even follow their own written procedure for funds transfer verification as alleged in the pleadings, I’d be surprised if the bank didn’t lose just on breach of contact,” Castagnoli said. Still, she noted that the Experi-Metal decision was not binding on any other court, and that the court could review the issues of good faith and reasonable security, or decide that those issues don’t need to be addressed at all.

A copy of Village View Escrow’s complaint is available here (PDF).

Comerica Bank is liable for more than a half a million dollars stolen in a 2009 cyber heist against a small business, a Michigan court ruled. Experts say the decision is likely to spur additional lawsuits from other victims that have been closely watching the case.

Judge Patrick J. Duggan found that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 wire transfers within a few hours from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered amounted to $560,000.

“A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier,” Duggan wrote. Judge Duggan has yet to decide how much Comerica will have to pay.

The problems for Experi-Metal started when company controller Keith Maslowski responded to an e-mail that appeared to be from its bank, Comerica. The message said the bank needed to carry out scheduled maintenance on its banking software, and instructed the EMI employee to log in at a Web site that appeared to be Comerica’s online banking site. Maslowski said the email resembled the annual e-mails Comerica used to send, prompting customers to renew EMI’s digital certificates.

The year before the cyber theft, Comerica had switched from using digital certificates to requiring commercial customers to enter a one-time passcode from a security token. The site linked to in the e-mail asked for that code, and Maslowski complied. Within the span of a few hours, the attackers made 97 wire transfers from EMI’s account to bank accounts in China, Estonia, Finland, Russia and Scotland.

Comerica became aware of the fraudulent transfers four hours after the attack began. Although it took steps to isolate Experi-Metal’s account, the bank also failed to stop more than a dozen additional fraudulent transfers from the company’s account after the bank’s initial response. Experi-Metal sued the bank after it refused to cover any of the losses.

Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations can be held responsible for any losses due to phishing or account takeovers.

Michigan’s adoption of the Uniform Commercial Code means that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association’s Information Security Committee, said the court signaled early on that it would not consider whether Comerica’s security was commercially reasonable.

“The real focus here was the good faith requirement, [and] the burden to establish good faith was on Comerica according to the court,” Navetta said. “While the court did not find any evidence of intentional wrongdoing, it did focus on whether Comerica observed ‘reasonable commercial standards of fair dealing.’  It found that such commercial standards had not been met by the bank.”

But Navetta said the reasoning behind the court’s opinion was “a little confused,” noting that the court indicated that the bank had established commercially reasonable security, but that the court based its decision in part on the lack of fraud detection mechanisms employed by Comerica.

“In the Court’s view there should have been fraud detection mechanisms to detect and analyze various ‘risk factors,’ including: Prior wire transfer activity;  the length of EMI’s prior online banking sessions;  the pace at which payment orders were entered;  the destinations of the payment orders;  and the identity of the wire transfer beneficiaries,” Navetta said. “In my view, fraud detection mechanisms are a form of security, so this contradicts on some level the findings around commercially reasonable security, and I think makes the analysis confusing; where do the security measures end and the ‘good faith’ measures begin?”

The Comerica decision comes less than two weeks after a tentative decision in another widely watched cyber heist case — this one involving a $345,000 loss that stemmed from a similar attack on Sanford, Maine-based Patco Construction. Experts said the Patco decision, if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

But Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said she thinks the decision in the Comerica case could be a boon for victim organizations that have been hesitant about suing banks to recoup their losses.

“I think you’re going to see litigators more willing to take on these cases,” Castagnoli said.

Comerica’s lawyers say they are planning to appeal the decision. Comerica spokeswoman Kathleen A. Pitton said the bank’s security procedures were in compliance with those suggested by federal banking regulators.

“While we respect the judge’s opinion, Comerica believes it acted in good faith and plans to appeal,” Pitton said. “We presented evidence that disputes the allegations made against us and believe that, following a review of the evidence, the appellate court will agree and reverse this decision.”

The decisions in this case and the Patco case are being made at the trial level in different federal districts. They are not “case law.” Case law requires a published decision at the appellate level, and is only binding on the courts in the district where it is made. Other district courts may consider and quote trial and appellate rulings, but they are not bound to follow them. Establishing a uniform national standard for judging all cases involving cyber theft would require a decision by the U.S. Supreme Court. Banks and organizations may not be willing to carry their appeals to this level, fearing that a national standard may not be in their best economic interests.

KrebsonSecurity will continue to follow and report on these and other cases. If cyber theft remains out of control and legislators are unwilling to deal with the problem, then litigation and case law will be the only way to resolve the liability issues.

A copy of the court’s opinion is available here (PDF).

A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.

Experi-Metal sells metal stampings, trim moldings and specialty items.

The lawsuit, filed by Experi-Metal Inc. (EMI), in Sterling Heights, Mich., charges that Dallas-based Comerica Bank effectively groomed its customers to become phishing victims by routinely sending them e-mail messages that asked recipients to click a link to update the bank’s security technology. The company also alleges that Comerica’s security protections for customers are not commercially reasonable, because the phishing scam routed around the bank’s 2-factor authentication system.

According to a complaint EMI filed in December with a Michigan circuit court, for many years Comerica used “digital certificates” for authenticating online banking customers. Digital certificates are the browser-based counterparts to ATM cards, and many banks require customers to include the bank’s cryptographically signed digital certificate in their browser before the bank’s online system will allow users access.

Once a year from 2000 to 2008, Comerica sent emails to EMI and other customers directing them to click on a link in the email, and then log in at the resulting Web site in order to renew the digital certificate that Comerica required.

The trouble with relying on digital certs, of course, is that phishers have been using the e-mail ruse of “Hey, this is your bank, please update your digital certificate” for several years now in a bid to fool people into giving away their credentials or installing malicious software. Also, several families of malware will steal digital certs from victim PCs.

An RSA token used for multi-factor authentication

Perhaps in response to these fraud trends, Comerica in 2008 began urging customers to adopt a different security solution that supplemented user names and passwords with a security token. These small devices periodically generate a new, random numeric code, which must be entered along with the customer’s user name and password in order to access online banking at many commercial banks.

On Jan. 22, 2009, an EMI employee fell for a phishing e-mail that spoofed Comerica, and claimed the bank needed to carry out scheduled maintenance on its banking software. The e-mail instructed the EMI employee to log in at a linked Web site that mimicked Comerica’s online banking site. The EMI employee provided the site with the company’s online banking credentials, as well as the the code generated by the security token.

Thieves almost immediately began wiring money out of EMI’s account. Between 7:30 a.m. and 10:50 a.m., the attackers initiated 47 wire transfers — to China, Estonia, Finland, Russia and Scotland.

EMI claims Comerica inquired about the transfers at 10:50 a.m., and that EMI asked the banks not to honor any requested wire transfers until future notice. But over the next three hours, thieves would initiate another 38 wires from EMI’s account. EMI also noted that, prior to this burst of fraudulent wires, the company had requested a total of two wire transfers in as many years. EMI says it lost more than $560,000 from the fraud.

In an answer to EMI’s complaint, Comerica denied that the bogus Web sites that lured the EMI employee would appear to be Comerica’s real Web site “to any reasonably alert person who was responsible for safeguarding EMI’s financial records and digital credentials.” The bank also argued that its banking security technologies were commercially reasonable “because they were in general use by other similarly situated customers of other banks.”

As I noted in a first-of-its-kind story back in 2006 about a phishing scam that attacked Citibank business customers, the use of security tokens adds very little — if any — additional protection. For one thing, as in the Citi example and now this case, we can see that tokens work great provided the phishers don’t also ask for the token code as well as the visitor’s banking credentials.

Also, thieves are routinely defeating security tokens through the use of malicious software like the ZeuS Trojan, which can re-write the bank’s actual Web site as displayed in the victim’s browser, so as to inject code asking the victim’s user name, password and security token number. The victim is usually then redirected to a fake maintenance page telling them to try again in a few minutes, while the thieves are submitting that intercepted information on behalf of the victim, and then initiating unauthorized money transfers.

EMI’s complaint is here (.pdf). Comerica’s line-by-line response is available here (.pdf).