A California real estate escrow company that lost more than $465,000 in an online banking heist last year is suing its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.
The plight of Redondo Beach, Calif.-based Village View Escrow, first publicized by KrebsOnSecurity last summer, began in March 2010. That’s when organized crooks broke into the firm’s computers and bank accounts, and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.
Village View’s bank, Professional Business Bank of Pasadena, Calif., relied on third-party service provider NetTeller, which allowed commercial customers to authenticate to the bank’s site with little more than a username and password. Village View’s contract with Professional Bank stated that electronic transfers would only be allowed if they were authorized by two Village View employees, and confirmed by a call from specific Village View phone numbers.
The attack on Village View demonstrates the sophistication of malicious software like the ZeuS Trojan. The thieves disguised a banking Trojan as a UPS shipping receipt, and the company’s owner acknowledged opening the attachment and forwarding it to another employee who also viewed the malware-laced file. Once inside Village View’s systems, the attackers apparently disabled email notifications from the bank.
Nevertheless, Village View’s lawsuit challenges Professional Bank’s claims that it used “multi-factor” and “state-of-the-art” ebanking systems, and accuses the bank of negligence for not having procedures to help the company recover the fraudulent transfers.
This lawsuit comes just weeks after a decision in a similar case brought by another victim of ebanking fraud. In June, a U.S. district court in Michigan ruled that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 unauthorized wire transfers from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered in that case amounted to $560,000.
Julie Bonnel-Rogers, an attorney for Village View Escrow, said the Experi-Metal decision “cracked the door open” for her client’s lawsuit against the bank, because there is limited case law on the subject, and because claims against banks for wire transfer fraud have traditionally been very narrowly defined.
Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said the Village View lawsuit relies on similar claims made by Experi-Metal, arguing that its financial institution failed to act in good faith and that its online banking security procedures were not commercially reasonable.
“If the bank didn’t even follow their own written procedure for funds transfer verification as alleged in the pleadings, I’d be surprised if the bank didn’t lose just on breach of contract,” Castagnoli said. Still, she noted that the Experi-Metal decision was not binding on any other court, and that the court could review the issues of good faith and reasonable security, or decide that those issues don’t need to be addressed at all.
A copy of Village View Escrow’s complaint is available here (PDF).