A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.
Sometime before June 2010, crooks infected computers of Vienna, Va.-based Global Title Services with the ZeuS Trojan, giving them direct access to the company’s network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.
The first three wires totaled more than $200,000. When Global Title’s owner Priya Aurora went to log in to her company’s accounts 15 minutes before the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.
When Aurora visited a local Chase branch to get assistance, she was told she needed to deal with the bank’s back-office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1.
Capital One declined to comment for this story, citing the ongoing litigation.
Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One’s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.
“By operating a single factor identification online banking system, Capital One left its customers open to identity theft and failed to take sufficient safeguards to prevent unauthorized access to its client’s online banking accounts, including the ability to send wire transfers,” the company charged in its complaint.
Global Title also alleges that Capital One should have known that the transfers were fraudulent and unauthorized.
“Capital One was put on notice through Ms. Aurora’s phone call at 2:09 on June 1, 2010, and on subsequent calls that same day, that Global Title had no access to its online banking system,” the complaint states. “Accordingly, Capital One knew or should have known that any wire transfer that afternoon would be unauthorized.”
BUSY, BUSY MULES
Some of the fraudulent activity was tied to money mule activity that was busted up by federal prosecutors last year. Two wires totaling more than $234,000 were sent to Key Marius Import LLC, a company flagged by federal investigators as a fraudulent front for organized cyber thieves. In November 2010, Wisconsin police arrested two men who were wanted as part of a crackdown in late Sept. 2010 on so-called “J1” money mules who were in the United States on work/travel visas. According to an FBI press release from last fall, Key Marius and the commercial bank account attached to it were set up by one of those men, Dorin Codreanu, a Moldovan who pleaded guilty to conspiracy charges earlier this year.
Codreanu was sentenced to three years in prison, and ordered to pay restitution of more than $110,000 to his victims. The court judgment against him (PDF) states that the company Codreanu was ordered to pay restitution to was not Global Title but a Dinkels Bakery; the remainder of the $110,000 restitution was to be paid to court services, Level One Bank and JP Morgan Chase.
Other companies that received large wire transfers may also have been fronts set up in advance of the attack. Key Marius Import LLC was established in April 2010, as were Alvarez Here and Now, Inc. of Ontario, Calif., which received a fraudulent wire of $39,560 on June 2, and Sharp and Bright Designs Inc. of Simi Valley, Calif., which was sent a bogus wire of $19,583 from Global Title on June 2. PWD Properties, incorporated in late January 2010 in Wilmington, Del., was sent a fraudulent wire of $28,582 on June 2.
Capital One was able to reverse all but the first three fraudulent wires ($119,500 to Key Marius, $39,560 to Alvarez Here and Now, and $48,698 to a Dwaine Peterson), leaving Global Title with a $207,758 loss. As a result, it was forced to take out a loan to make the required cash distributions from the firm’s escrow account.
UNCERTAIN LEGAL GROUND
Banks in the United States are supposed to adhere to online banking authentication guidance issued in 2005 by regulators at the Federal Financial Institutions Examination Council (FFIEC), but many institutions have been slow to comply with the guidelines.
Several victims of corporate account takeovers have sued their banks, claiming similar negligence, but with mixed results. In June 2011, a Michigan court held Comerica Bank liable for more than half a million dollars stolen in a 2009 cyber heist. Two months later, a district court judge in Maine ruled that banks which protect accounts with little more than passwords and secret questions are in compliance with the FFIEC’s security guidance.
Faced with an explosion of corporate account takeovers in the past two years, the FFIEC recently updated its guidance, which calls for “layered security programs” to deal with riskier commercial banking transactions, including methods for detecting transaction anomalies, the use of out-of-band verification, and enhanced customer awareness campaigns. Those requirements, which will inform the activities of bank security examiners, are set to take effect on Jan. 1, 2012.
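As an added illustration, not from the article or from any bank’s actual system, of what the “layered security” and transaction-anomaly controls described above could look like in practice: a small Python review that attaches anomaly reasons to each outgoing wire using the signals visible in this case (a wire sent after the customer reported being locked out, a first-ever payee, a payee entity incorporated shortly before the wire, and a daily total above the customer’s normal volume) and holds the wire for out-of-band confirmation when they pile up. The amounts and payee names come from the article; the timestamps, incorporation dates, the $100,000 daily baseline and the 90-day threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Time the customer reported being locked out of online banking
# (the article: a phone call at 2:09 p.m. on June 1, 2010).
LOCKOUT_REPORTED = datetime(2010, 6, 1, 14, 9)

@dataclass
class Wire:
    sent: datetime
    amount: float
    payee: str
    payee_incorporated: Optional[datetime]  # None for an individual or unknown entity
    paid_before: bool                       # customer has wired this payee previously

def wire_reasons(w: Wire, day_total_before: float, daily_baseline: float,
                 lockout_reported: Optional[datetime] = None) -> list:
    """Anomaly reasons a layered-security review would attach to one wire."""
    reasons = []
    if lockout_reported and w.sent >= lockout_reported:
        reasons.append("sent after customer reported loss of online access")
    if not w.paid_before:
        reasons.append("first-ever payment to this payee")
    if w.payee_incorporated and w.sent - w.payee_incorporated < timedelta(days=90):
        reasons.append("payee incorporated less than 90 days before the wire")
    if day_total_before + w.amount > daily_baseline:
        reasons.append("daily outgoing total exceeds customer baseline")
    return reasons

def review(wires: list, daily_baseline: float,
           lockout_reported: Optional[datetime] = None) -> dict:
    """Map each payee to 'release' or 'hold' (hold = out-of-band confirmation first)."""
    decisions, day_totals = {}, {}
    for w in sorted(wires, key=lambda x: x.sent):
        day = w.sent.date()
        reasons = wire_reasons(w, day_totals.get(day, 0.0), daily_baseline, lockout_reported)
        day_totals[day] = day_totals.get(day, 0.0) + w.amount
        hold = any(r.startswith("sent after") for r in reasons) or len(reasons) >= 2
        decisions[w.payee] = "hold" if hold else "release"
    return decisions

# Constructed sample: three wires from the article's timeline plus one routine pre-attack wire.
SAMPLE = [
    Wire(datetime(2010, 5, 28, 10, 0), 15_000, "routine counterparty (constructed)", datetime(2001, 3, 1), True),
    Wire(datetime(2010, 6, 1, 14, 30), 119_500, "Key Marius Import LLC", datetime(2010, 4, 15), False),
    Wire(datetime(2010, 6, 1, 15, 10), 48_698, "Dwaine Peterson", None, False),
    Wire(datetime(2010, 6, 2, 9, 45), 39_560, "Alvarez Here and Now, Inc.", datetime(2010, 4, 20), False),
]
```

Run `review(SAMPLE, 100_000, LOCKOUT_REPORTED)` to see the routine wire released and all three June wires held; the same Dwaine Peterson wire reviewed without the lockout report carries only one reason and would be released, which is the point of feeding the customer’s call into the transaction review.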
Avivah Litan, a fraud analyst with Gartner Inc., said many banks are still out of compliance with the FFIEC’s older guidance.
“The new guidance isn’t that radical, and it basically re-affirms the previous guidelines and clarifies some points,” Litan said. “This case sounds like a clear violation of the FFIEC guidance, which says put controls in place that are commensurate with the risk, and many banks still aren’t doing that.”
Global Title is asking the court for a $500,000 judgment, plus pre- and post-judgment interest and attorney’s fees. Its legal challenge has cleared its first major set of procedural hurdles, and unless both parties settle before then, the case is scheduled to go to trial on April 10, 2012.
A copy of the company’s complaint is available here (PDF).
Update, 12:36 p.m. ET: Fixed the link to Global Title’s complaint filing.
Update, Nov. 15, 4:53 p.m. ET: Capital One provided the following statement in response to this article:
“Capital One’s authentication controls protecting our commercial platforms are compliant with the federal multifactor authentication guidance. These controls are the subject of annual risk assessments to ensure they remain appropriate in light of the threat environment. In the funds transfer realm, among the controls utilized are hard tokens and out-of-band confirmation of payment instructions.
As part of our broader security measures, Capital One provides security – and safe computing – related ‘best practice’ tips and recommendations to let our small business and commercial clients know what they can do to protect themselves and reduce their fraud risk.”