In December, I wrote about how a Louisiana electronics testing firm was suing its bank, Capital One, to recover the losses after cyber thieves broke in and stole nearly $100,000. It looks like another small firm in that state that was similarly victimized by organized crooks also is suing Capital One to recover their losses.
Joseph Mier and Associates Inc., a real estate appraisal company based in Hammond, La., lost more than $27,000 last year when four unauthorized automated clearing house (ACH) withdrawals were made from its accounts and sent to individuals around the United States.
“I immediately contacted the bank, and for about a week dealt with them to correct the error,” owner Joseph Mier said. “Finally, they said, ‘From what we can see, whoever did this used your credentials, but nobody breached our system and we’re not responsible.’ I told them maybe they should change their slogan to, ‘Who’s in your wallet?’”
A spokesperson for Capital One said the company does not comment on pending litigation.
Mier said a computer forensics firm that he hired to scour his systems found no indication that any of them were infected with malicious software.
“They came in and pulled my hard drives and did thorough scan to see if they can indicate if anyone hacked into my system,” Mier said.
It’s been slightly more than a year since he filed the lawsuit, but Capital One is still asking for more time for the discovery process, Mier said. He said even though his local region of Louisiana has been somewhat insulated from the housing market implosion, he’s had to lay off two employees due to low cash flow.
“Twenty-seven thousand may not seem like a lot next to some of these six-figure losses we keep reading about at different companies that have been hit like me, but that’s still working capital, and if you ain’t got money to fall back on you’ve sometimes got to let people go.”
The original complaint for Joseph Mier & Associates Inc. vs. Capital One is available here (.pdf).
Quote: ” …. lost more than $27,000 last year when five unauthorized automated clearing house withdrawals were made from its accounts and sent to individuals around the United States ….”
Page 1 of the court filing states four (4) withdrawals for $27,620. However the attached exhibits show that originally there were four withdrawals totaling $36,495. However, it appears according to an exhibit dated 03/10/2009 that the fourth withdrawal for $8,875 was subsequently reversed, leaving the actual loss at three withdrawals totaling $27,620, as follows:
ELAINE LEE SHELBY WELLS FARGO MN. 02/25/2009 $9,200
KERRY ALYSSA DIXON JPM CHASE MO. 02/26/2009 $9,720
ZERRIN KARAGOZ JPM CHASE FL. 02/26/2009 $8,700
Brian, since there is no record of a ZEUS / zbot infection, have you attempted to contact any of the recipients and confirm that the funds were sent via Money Gram / Western Union to the usual eastern European places? At least one of them appears easy to locate. One anomaly in the exhibits is that the last transfer for $8,700 lists an invalid account number, it is a duplicate of the bank id code.
Also surprising from a security standpoint, the account is listed as a Payroll account, is that these are large unusual amounts for a small business payroll account, and are being sent to accounts over a thousand miles away in other states. If one were to write fraud detection algorithms, those are two criteria flags for a SB payroll account.
The Capital One web page for matching to the small business account services on the exhibits has in its meta data:
“With TowerNET from Capital One, your small business is in control of its finances anytime from anywhere from a single point of access.”
In the current cyber environment that statement almost sounds like a security flaw!
This case, and many of the other suits may hinge on whether statements made by banks regarding their security procedures, such as this from Capital, are really true:
“* We build information security right into our systems and networks using internationally recognized security standards, regulations, and industry-based best practices.
* We employ strong authentication controls following guidance provided to us by the Federal Government’s banking regulators”
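The two payroll-account flags suggested in the comment above (unusually large amounts, destinations in distant states) and the account-number-equals-bank-id anomaly it notes, written as rule checks. This is an added example, not part of the original post or its comments; the payroll history, routing and account numbers, thresholds and field names are constructed assumptions, while the three amounts, dates and states are those listed above.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class AchEntry:
    date: str
    amount: float
    routing: str   # receiving bank's routing number (bank id)
    account: str   # receiving account number
    state: str     # state of the receiving bank

def flags(entry, history, amount_factor=3.0):
    """Return the names of the rules an outbound ACH entry trips."""
    hits = []
    # Rule 1: amount far above what this payroll account normally sends.
    if entry.amount > amount_factor * median(h.amount for h in history):
        hits.append("amount_unusual")
    # Rule 2: destination state never seen in the account's payroll history.
    if entry.state not in {h.state for h in history}:
        hits.append("new_destination_state")
    # Rule 3: account number duplicates the bank id, so it cannot be valid.
    if entry.account == entry.routing:
        hits.append("account_equals_routing")
    return hits

def hold_for_review(entries, history, min_flags=2):
    """Entries tripping at least min_flags rules, paired with their flags."""
    scored = [(e, flags(e, history)) for e in entries]
    return [(e, f) for e, f in scored if len(f) >= min_flags]

# Constructed payroll history for a small Louisiana firm (assumption).
HISTORY = [AchEntry("01/15/2009", amt, "111111111", "5550001", "LA")
           for amt in (1850, 2100, 1925, 2040, 1980, 2200)]

# Amounts, dates and states from the exhibits listed above; routing and
# account numbers are constructed placeholders. The last row is a
# constructed ordinary payroll entry for contrast.
ENTRIES = [
    AchEntry("02/25/2009", 9200, "222222222", "7770001", "MN"),
    AchEntry("02/26/2009", 9720, "333333333", "7770002", "MO"),
    AchEntry("02/26/2009", 8700, "444444444", "444444444", "FL"),
    AchEntry("02/27/2009", 2050, "111111111", "5550002", "LA"),
]

if __name__ == "__main__":
    for entry, hits in hold_for_review(ENTRIES, HISTORY):
        print(entry.date, entry.amount, entry.state, hits)
```

With these assumptions all three withdrawals are held before settlement, and the constructed in-state payroll entry passes untouched.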
Not finding Zeus doesn’t mean anything when forensic tests show Zeus can only be detected 23% of the time.
CC companies employ extraordinary measures to prophylactically prevent crime and yet people get ripped off all the time. It might be interesting to compare stats for CCs with online banking.
FYI From CERT:
Energizer DUO USB Battery Charger Software Allows Remote System Access
added March 8, 2010 at 10:26 am
US-CERT is aware of a backdoor in the software for the Energizer DUO USB battery charger. This backdoor may allow a remote attacker to list directories, send and receive files, and execute programs on an affected system. The software, which has been discontinued, was available for both Windows and Apple Mac OS X versions. Only the Windows version is affected by this vulnerability.
US-CERT encourages users and administrators to review Vulnerability Note VU#154421 and apply the recommended solutions.
On the one hand: most of these businesses are hopelessly locked into Windows and hopelessly infected with a cocktail of malware, most often Zeus, even if they say otherwise and even if they have supposed ‘experts’ supporting the claim. We all know they are/were infected at one point or another.
On the other hand: the banks lose nothing. The contracts state the businesses must absorb the losses.
There are two solutions. Either legislation makes the banks liable – and that’s never going to happen because the banks know how bad security is out there in the field – or the businesses have to stop using Windows. There’s either the one or the other. There’s no ‘in between’.
Thing is, these transactions originated from the ACH (automated check clearinghouse) system — which has nothing to do with Zeus on his own systems, nothing originated on his own systems. The authorization tokens for the ACH system are the bank account number and the bank routing number. In other words, EVERY SINGLE PERSON HE HAS EVER MAILED A CHECK TO could be the culprit here. That’s just how weak the ACH system’s “authentication” really is.
The banks set it up that way on purpose, for their own convenience, back when the original ACH system was set up by the Federal Reserve because they didn’t want to have to authenticate that each transaction was authorized by the person who’d issued the check. But that was back when only Federal Reserve banks had ACH terminals and you could at least validate that an actual physical check was involved. Nowadays, a friggin’ *health club* can make an unauthorized withdrawal from your account just using the routing number and account number off a check you once mailed them. Yes, I know this for a fact — it happened to me.
In short: the ACH system has clear authorization issues that the banks are *not* in any hurry to fix since they’re not on the hook. Any talk of “Zeus” or whatnot is ridiculous here — no amount of Zeus on his own system would create a transaction that originated from the ACH system. Zeus could have stolen his account number, but the same is true of anybody else that this guy has ever mailed a check to since the day he opened the account. The banks chose convenience over security when they created the ACH system, and now they’re making the small businesses pay once scammers exploit the very security hole that the banks themselves put into their system? Yeah, that sounds about right…
This seems to be true… My bank, BB&T told me that they cannot prevent unauthorized ACH debits on my business account. I have had it happen. They told me to go back to the initiator and fight them for refund. They told me the best defense was to close the account and open a new one. Bottom line… guard your account number and don’t send checks unless absolutely necessary.