A California escrow firm that sued its bank last year after losing nearly $400,000 in a 2010 cyberheist has secured a settlement that covers the loss and the company’s attorneys fees. The settlement is notable because such cases typically favor the banks, and litigating them is often prohibitively expensive for small- to mid-sized businesses victimized by these crimes.
In March 2010, organized computer crooks stole $465,000 from Redondo Beach, Calif.-based Village View Escrow Inc., sending 26 consecutive wire transfers from Village View’s accounts to 20 individuals around the world who had no legitimate or previous business with the firm. The escrow firm clawed back some of the stolen funds — $72,000 — but that still left Village View with a $393,000 loss, forcing the company’s owner to take out a personal loan at 12 percent interest to cover the loss of customer funds.
In June 2011, Village View sued its financial institution — Professional Business Bank — arguing that the bank was negligent because it protected customer accounts solely with usernames and passwords. Last week, Village View announced that it had reached a settlement with its bank that recovers more than the full amount of the funds taken from its account plus interest.
Kim Dincel, a shareholder at Silicon Valley Law Group, which represented the plaintiffs, said the Uniform Commercial Code and its corresponding California Commercial Code limits the damages resulting from wire transfer fraud to only the actual amount of money lost plus interest – nothing more. Common law claims such as negligence, breach of contract and fraud, and the damages that attached to them, are generally precluded from being asserted by a victim of wire transfer fraud in a lawsuit involving wire transfer fraud, he added.
“Banks typically deny liability for the cyber-theft which forces small businesses to spend money they do not have on legal fees and regulatory expenses in order to recover a limited and defined set of damages under the Uniform Commercial Code (UCC),” Dincel said in a prepared statement released Monday.
The Bank of Manhattan, which acquired Professional Business Bank last month, did not return calls seeking comment.
I’ve written dozens of stories about cyberheist victims, yet few of those cases have bubbled up into full-fledged lawsuits. Those that did have produced mixed or inconclusive results. In the case of Experi-Metal vs. Comerica, the judge ruled that the bank failed to act “in good faith” when it processed almost 100 consecutive wire transfers initiated by the perpetrators of the break-in. The case of Patco vs. Ocean Bank, however, did not end so well for the plaintiffs, and produced a ruling that passwords and secret questions (which many experts consider indistinguishable from passwords) are reasonable security procedures for a bank to offer its commercial customers. In that case, the bank reportedly spent nearly twice the amount that Patco lost, just to avoid setting a precedent. Patco is appealing that ruling.
Escrow and title firms remain an attractive target for cyber thieves, probably because fraudulent transfers can be hidden in the daily banking activities of these firms, which frequently move large amounts of money around on any given day. At least two other cases brought by title and escrow firms remain outstanding.
Springfield, Mo.-based Choice Escrow and Land Title LLC sued its bank — Tupelo, Miss.-based BancorpSouth Inc. — after a $440,000 ebanking robbery that occurred just one day before the attack on Village View. Jim Payne, Choice Escrow’s director of business development, said the company hopes to begin depositions in their case next month.
“It’s fairly typical for these banks to try to wear you out and confuse you,” Payne said. “They don’t take you seriously unless you let them know you’re willing to go all the way to trial with it.”
Sophisticated cyber attacks on small- to mid-sized businesses — and title and escrow firms in particular — have not subsided. In the past three months, I’ve spoken with two other title companies that suffered significant losses from cyber heists, including one in Maryland that saw nearly $1.7 million worth of attempted fraudulent transfers (that firm ended up losing a little more than $500,000, and is currently in negotiations with its bank).
Experts say smaller financial institutions traditionally have outsourced security for their commercial banking platforms to third party firms, many of which are only now starting to offer more robust security solutions.
“We are seeing more out-of-band security solutions being made available to banks, such as device identification, browser application encapsulation (Trusteer, Quarri), and realtime HTML parsing [products] such as Silvertail,” said Charisse Castagnoli, a bank fraud expert and independent security consultant.
Castagnoli said that while she’s encouraged by the Village View settlement, it may have little, if any, effect on other outstanding cases nationwide.
“From a legal perspective, other cases don’t gain much from a settlement,” she said. “But it is encouraging that law firms are finally building expertise in this type of litigation.”
The FS-ISAC, a banking industry consortium, released a report earlier this month stating that although cyber attacks against banks and their customers are increasing, the losses from individual attacks have decreased. Even so, recent surveys indicate that many banks and credit unions still don’t understand how to comply with new banking industry security regulations, and question whether the new guidelines really address the right fraud-prevention needs.
It’s difficult to say whether the FS-ISAC’s findings are indeed indicative of decreased losses on the part of ebanking heist victims. But Castagnoli said that unless and until U.S. banks are required to report fraud losses to regulators in a form that is aggregated and published on a regular basis, the true scope of the losses from cyber fraud will remain a giant question mark.
“Until we get true disclosure, we’re not going to have good statistics to judge what the real risk is,” she said.
Just seen this a half hour ago on UK television
The story says it was published in August of 2010.
Oh dear wrong link (old) sorry try this one
Perhaps this was the link you were looking for: http://news.sky.com/story/952931/fraud-ring-in-hacking-attack-on-60-banks
Yep, not one of my better days; I must drink less red wine.
Good news, BancorpSouth customers: you’re all going to help pay the settlement.
Now we need to see more cases where small merchants fight back against Visa and Mastercard! I’ve seen small merchants, despite being PCI, fall victim to a breach. They end up getting fines upward of $150K. This is enough to shutter most small businesses. They were not negligent. They were protecting card data, following PCI standards, etc.
Don’t you all think it should ALSO be the responsibility of Visa and Mastercard to protect their card holders? They have the technology to detect these common point of purchases pretty quickly from what I’ve seen. They don’t tell the small business about the red flags until SEVERAL MONTHS after the incident. By then it’s too late.
Is it actually profitable for Visa to have a breach? I know it sounds like a crazy question, but I’m guessing that they are insured, and on top of that they are getting paid back in fines on top of that. Not to mention all the fees they can charge for PCI (5K/year to be listed on their site, kickbacks from forensics, QSAs, etc).
I’d like to see something done about this.
We all know that no matter how safe you are, a hacker is always trying to get one step ahead of you. Even the best of us are vulnerable in some way, whether it’s social engineering or otherwise.
How about Visa detects a Common Point of Purchase, and then mandates that merchant immediately stops their website until you find the breach or hire a QSA to do so?
Let’s hold Visa and Mastercard accountable too!
In the Patco vs. Ocean Bank case, it’s possible that the defense was willing to spend much more than the case was worth on lawyer’s fees because the loss was covered by insurance. One bank might not be much affected, but a company providing insurance to banks would have a lot at stake. Conversely, an insurance company that fears an adverse precedent is about to be set will often settle for more than the case is worth, as apparently happened in the Village View Escrow case.
Should that first link be ..
It seems to be “unclickable” here.
Oops. It’s working now.
I’m not sure if it’s ignorance, or simply feeling helpless. Most of the “solutions” to this problem are also exorbitantly expensive. Small businesses probably think they have no choice but to play the lottery of not getting burned. It also doesn’t help that all the incumbent security vendors say “me too” when new defenses against new attacks are brought out by new vendors, even though the existing solutions (like anti-virus and content filtering) don’t really work against these threats.
The WSJ has a blog about this issue today as well. I blogged about it on the ThreatSTOP blog:
We must differentiate among the solutions between expensive big vendor solutions & other solutions that just work, with costs varying from free to reasonable. Brian himself has mentioned a number of inexpensive strategies to avoid malware that would have stopped these losses from happening.
The dedicated PC strategy is one of my favorites due to simplicity, low cost, and compatibility with most banking/ACH offerings. The technical expertise is low. The business can buy a cheap used (potential risks, but low) or new PC ($199+). They can apply patches, remove all unnecessary software, apply step-by-step hardening guides online & use that PC ONLY FOR banking, ACH, etc. Additional measures can be had such as using no USB sticks, periodically restoring to clean state, etc.
The Schneier blog discussion I linked to below took it further. The main three competing solutions were my high assurance transaction appliance, tommy’s better-than-usual LiveCD scheme, and Mark Currie’s $10 USB device proposal that protects logins & sessions with minimal site modification. Looking at how court stuff was going, I decided an interim solution that’s dirt cheap is appropriate & the contest was between LiveCD & Mark’s device. They can actually be combined, but let me focus on the LiveCD idea & build on it.
A number of banks could work together on a LiveCD to keep support & dev costs low. The LiveCD could connect via a browser or include a client app designed for security. The LiveCD would have a burned-in copy of the bank’s public key. The main application would be programmed to only connect to the bank upon load & to ensure a good SSL connection. At this point, unless one is under targeted attack, the system is likely to be clean enough for anything happening during the session to be safe for important info both ways.
This idea can be expanded into a cheap, dedicated appliance I designed. Each appliance is registered to a specific user account upon issuance. The user does the first part of the wire transfers on their untrusted GUI. Once everything is ready, the details are sent to the appliance in a simple text format & displayed on the trusted appliance. The user can do a side-by-side visual on transfer details to be sure, optionally comparing to a paper copy of account numbers. Once approved, the information is signed by a protected private key on the device, the signed data is sent to the untrusted PC, untrusted PC sends to bank, bank verifies signature, & bank executes transfers if the signature is valid.
(Note: I retain copyright on that design, whatever the patent trolls can’t sue over. 😉
The cool parts about the appliance are usability, assurability & versatility. It’s very easy to use: setup, plug it in, get transfer going, visual comparison, authorize (maybe with appliance password), & you’re done. It’s assurable b/c the trusted components of it are tiny/simple, allowing us to use high assurance software components & engineering techniques to build it. It’s versatile b/c the application it’s running can be changed with an update to use the device in other ways. All of this could technically be done on a $199 NetTop or one of these sub-$100 PC’s. (Original concept was an electronic organizer style hardware with big LCD screen, keypad, & connector.)
My favorite temporary solution is the dedicated cheap PC that’s locked down to call only the bank. It might be a LiveCD. It might just have minimal software & be suitably locked down. The important thing is it’s hard to infect, cheap, easy to use, has a trusted path for the user, & provides a good way to authenticate the transaction.
I’ve got two questions about online banking security, especially for consumers:
1) Given the increasing incidence of “post-transaction fraud” where your online balances are fiddled with to cover up the fraudulent transfer, do you think it is best practice to return to paper statements, or is “post-transaction fraud” risk outweighed by the risks associated with paper statements (e.g. ID theft through the mail)?
2) Has anyone had any luck with asking their banks and brokers to “lock down” their account to make outgoing transfers more difficult (except perhaps for a whitelist)? It seems that banks could throw up more non-IT barriers.
Our bank (Chase) allows us to specify that certain transactions and sizes need to be done in person. So, we disabled ACH on the website, and require in-person verification for any cashing of a check.
I’ll repeat what I’ve pointed out in the past in case newcomers are reading. There are quite a few solutions to this problem, ranging from LiveCD’s to trusted appliances. Just verification on a separate, cheap, dedicated device with a private signing key onboard and a display can beat spoofing, forgery and a number of other issues. I did such a design on another blog (link below). There’s also many competing options from other parties that get rid of low hanging fruit malware authors are using. It’s not that it can’t be done cheaply or much better: the courts just aren’t forcing them to do it yet.
My basic scheme & discussion with others presented
(Note: My transaction appliance was designed to be retargeted for many different use cases to keep development & hardware costs down. Others include digital signatures and acting as security-critical part for legacy systems.)
Your approach works, but unfortunately, only the most tech-savvy can use it. It only takes one (typical for accountants) login from something other than the appliance for this to fail.
Anything that relies on non-techies being tech savvy and following policies set by techies is doomed.
Thanks for the reply. That issue was implicitly considered. So, strategies that security guys commonly push like generic LiveCD’s and using Mac’s will suffer from the problem you mentioned. The cool thing about my transaction appliance is that it MUST be used for the transaction to succeed. A bank trip is required otherwise.
The improved LiveCD, dedicated box, etc. idea can also do the same. The thing can have an onboard key or identifier that the bank recognizes, mutual TLS/SSL authentication at least, to keep the transactions from being done on an unauthorized device.
There’s one more issue with it. The banks can make it optional. They can say, “You can follow our malware avoidance advice & take on full liability.” or “You can buy this thing, follow these procedures, & absolve yourself of liability.” They can give many examples from Krebs’ articles about six figure theft for motivation.
So, our designs prevent the incompetent user from failing to use the technology. It also solves the remote, invisible attack issue. What’s left is some sort of social engineering attack to get people to sabotage their device’s functioning or an innocent failure to do a proper visual comparison. Good procedures/policies can reduce risk on both. Employees can be reminded that failing to do this can result in their loss of a job or paycheck, simply because the money won’t be there anymore.
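The appliance flow described in the earlier comment (transfer details prepared on the untrusted PC, shown on the trusted device, authenticated with an onboard key, relayed back through the PC and verified by the bank) together with the device-to-account binding mentioned above, worked through as an added example. This is not code from the thread or from any commenter's design. It assumes a per-device shared secret with HMAC-SHA256 in place of the asymmetric signature the commenter describes (that substitution loses non-repudiation toward the bank but keeps the property at issue here: malware on the PC cannot alter or resubmit an approved transfer), and it adds a per-device sequence counter that the comments do not mention. All account, device and transfer values are constructed.

```python
import hmac
import hashlib
import secrets
from copy import deepcopy

# Constructed demo values. A real appliance has its key provisioned at
# issuance and never exposes it; the bank holds the matching verification key.
ACCOUNT = "escrow-demo-account"        # constructed account label
DEVICE_ID = "appliance-0001"           # constructed device identifier
DEVICE_SECRET = secrets.token_bytes(32)

# Fixed field order: the display string and the authenticated string are identical.
FIELDS = ("seq", "dest_account", "dest_name", "amount_cents", "memo")


def canonical_form(transfer: dict) -> str:
    """Exact text the appliance displays and authenticates ("what you see is what you sign").

    The bank re-derives this byte for byte, so any field the untrusted PC
    changes after approval changes the string and therefore the tag.
    """
    return "|".join(f"{name}={transfer[name]}" for name in FIELDS)


class TrustedAppliance:
    """Minimal trusted device: display, user confirmation, onboard secret."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id = device_id
        self._secret = secret
        self.next_seq = 1          # monotonic counter; one value per approved transfer

    def display(self, transfer: dict) -> str:
        # What the user compares side by side with the paper copy of account numbers.
        return canonical_form(transfer)

    def approve(self, transfer: dict, user_confirms: bool):
        """Return an authenticated message for the bank, or None if not approved."""
        if not user_confirms:
            return None
        if transfer["seq"] != self.next_seq:
            return None            # stale or duplicated request from the PC
        tag = hmac.new(self._secret, canonical_form(transfer).encode(), hashlib.sha256).hexdigest()
        self.next_seq += 1
        # This message goes back through the untrusted PC; it need not be secret, only intact.
        return {"device_id": self.device_id, "transfer": deepcopy(transfer), "tag": tag}


class Bank:
    """Bank side: account-to-device registry, tag verification, replay check."""

    def __init__(self):
        self._devices = {}         # account -> (device_id, secret)
        self._last_seq = {}        # account -> highest sequence number executed
        self.executed = []

    def register_device(self, account: str, device_id: str, secret: bytes) -> None:
        # Registration at issuance binds the account to exactly one appliance.
        self._devices[account] = (device_id, secret)
        self._last_seq[account] = 0

    def execute(self, account: str, message) -> bool:
        if message is None or account not in self._devices:
            return False
        device_id, secret = self._devices[account]
        if message.get("device_id") != device_id:
            return False           # unregistered device for this account
        transfer = message["transfer"]
        expected = hmac.new(secret, canonical_form(transfer).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("tag", "")):
            return False           # details altered after the user approved them
        if transfer["seq"] <= self._last_seq[account]:
            return False           # resubmission of an already executed approval
        self._last_seq[account] = transfer["seq"]
        self.executed.append(transfer)
        return True


def run_demo() -> dict:
    """Honest flow, then three things PC-resident malware could try against it."""
    bank = Bank()
    bank.register_device(ACCOUNT, DEVICE_ID, DEVICE_SECRET)
    device = TrustedAppliance(DEVICE_ID, DEVICE_SECRET)

    # 1. Untrusted PC prepares the transfer; the user checks the appliance display.
    transfer = {"seq": 1, "dest_account": "123456789", "dest_name": "Title Co.",
                "amount_cents": 250_000_00, "memo": "closing 42"}
    device.display(transfer)                       # user compares with paper copy
    message = device.approve(transfer, user_confirms=True)
    honest = bank.execute(ACCOUNT, message)

    # 2. Malware swaps the destination after approval; the tag no longer matches.
    tampered = deepcopy(message)
    tampered["transfer"]["dest_account"] = "999999999"
    altered = bank.execute(ACCOUNT, tampered)

    # 3. Malware resubmits the genuine approved message; the sequence check refuses it.
    replayed = bank.execute(ACCOUNT, message)

    # 4. A transfer that never touched the appliance, with a made-up tag.
    unsigned = {"device_id": DEVICE_ID, "transfer": {**transfer, "seq": 2}, "tag": "00" * 32}
    forged = bank.execute(ACCOUNT, unsigned)

    return {"honest": honest, "altered": altered, "replayed": replayed,
            "forged": forged, "executed": len(bank.executed)}


if __name__ == "__main__":
    print(run_demo())
```

Only the one approved transfer executes; the altered, replayed and unauthenticated submissions are all refused without the bank needing to know anything about the state of the PC. What the construction does not cover is the residual case the comment names: a user who confirms without actually comparing the displayed details, which no amount of cryptography on the device can fix.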
@ Brian Krebs & regulars
There’s been plenty of discussion about methods to beat the hackers & also how courts are ruling on usernames/passwords as reasonable security. Speculating, I’m thinking the judges haven’t been suitably informed by expert 3rd parties of what alternatives banks might have used & how reasonable the cost might have been to the banks. So, here’s an idea for you readers.
Perhaps, security experts should collectively contribute to a reference of the various technologies and [realistic] strategies banks can use to stop today’s threats, maybe the next likely targets too. The various options should have a lay person readable description, mention implementation difficulty, cost, etc. Then, we can encourage affected parties to sue & present the alternatives (esp. cheap ones) as evidence in court. This might create precedents that we can use to force more banks into real malware prevention.
What do the rest of you think of this proposal?
Nick P: RE: forcing more banks to take measures to ward off malware-based attacks on online banking, any bank that is paying attention will have already seen the writing on the cyber-wall on this matter. I predicted in my June 1, 2012 testimony
in the hearing on “Cyber Threats to Capital Markets and Corporate Accounts”
that the bank’s legal doctrine that they are not responsible for keeping their commercial-account depositors’ money from being stolen via attacks on online banking would not hold up in the courts. That is, no extension of Regulation E is needed–the banks are responsible for these losses under *current* law. In less than six weeks, the Court of Appeals for the First Circuit agreed:
However, the settlement between Professional Business Bank and Village View Escrow reported in this blog entry may prove to be more significant to getting the banks to take responsibility for stopping malware-based commercial-account online banking funds transfer fraud than even the 1st Circuit’s scathing reversal of PATCO Construction vs. People’s United Bank.
The reason is simple. Silicon Valley Law Group is signaling that it is seeking to take cases like Village View Escrow vs. Professional Business Bank on contingency. And note that SVLG did so *before* the First Circuit handed down its decision. The only reason the banks have only had to defend 12 lawsuits so far rather than 1,200 is that UCC-4A *apparently* limits recovery in cases like Village View Escrow’s to the amount stolen plus interest. Being able to bring suit on a contingency basis makes the courts available to essentially all victims.
Let me take this opportunity to opine that the notion that *customers* should have to take actions to protect themselves online is ridiculous from a technical point of view and insane from a business point of view. If every commercial customer of Professional Business Bank knew what Michelle Marsico knows–that the bank does not consider itself responsible for the safety of their funds–PBB would *have* no business customers. How, then, could such a policy be legally viable long-term?
There is also the matter of political viability. The 112th Congress has held something like 35 hearings on “cyber” so far, and no one, not McAfee, not Symantec, not Microsoft, *nobody* has stated that they have a means of even being sure that a given PC is not *currently* under enemy control, much less keeping it from becoming infected. In the June 1 hearing, when Rep. Dan Manzullo (R, IL-16) described how his Yahoo Email account had been taken over and asked my panel’s members how he could keep his Windows PC from being taken over, my fellow panel members replied, “You can’t”. And note some of these panel members were from banks who are officially supporters of “Shared Responsibility”, and they did not appreciate my quoting the testimony they had just given as technical experts in support of my position that their employers’ positions on this issue are risible.
For those on this forum who disagree with my assertion, I offer the following thought experiment. Suppose you are the CEO of People’s United Bank, who, along with your predecessor (Philip Sherringham, who was forced out by his board of directors in April of 2010), has decided to spend over $1 million in legal fees to avoid reimbursing PATCO Construction for a loss less than half that size. The First Circuit has just emphatically told you that you should be spending money on cybersecurity, rather than lawyers. A month earlier, Congress had taken sufficient notice of this issue that they have just held the hearing with the title I mention above. You have the FFIEC’s 2005 and 2011 Guidances sitting on your desk. A small charity that has its account at your bank is robbed via ZeuS of $500,000, a sum that will bankrupt it. Would you still tell them that, since it was not your IT that was breached (an inherently unprovable assertion, by the way), they are stuck with the loss?
If so, let’s continue my thought experiment. After you give the charity that fatal bad news, you learn (because you get angry phone calls from them) that said small charity’s board of directors includes Linda Bachus and Barbara Johnson. Still willing to hold fast to “Shared Responsibility”? Even though the two ladies mentioned above are wives, respectively, of the chairman of the House Committee on Financial Services and the Senate Committee on Banking, Housing, and Urban Affairs?
Anyone who would say “yes” would lie about other things too. I actually enjoyed testifying before one of Bachus’ subcommittees, but I really doubt your appearance would be as much fun. Also, I enjoyed speaking with Silicon Valley Law Group’s Julie Rogers, but do you think you would enjoy a conversation with her as much? Her firm is signaling in articles like this one that they sure would like to talk with you!
As reported in
European Network and Information Security Agency (ENISA) has just issued the “Krebs Rule” as an advisory–all banking-related business processes must be secured by means that work even when the user’s PC is under the total control of the enemy. Reading the FFIEC’s 2005 and 2011 Guidances, this has really become the “standard of care” in online banking security.
PATCO lost its money at Ocean Bank, which is now a part of a much larger institution, People’s United Bank. I don’t know if People’s United runs its own online banking information technology or outsources it, but whoever is running it needs to take responsibility for securing the business processes it expresses, regardless of how they are attacked. Or at least have the courtesy to tell your customers that you don’t so they can move their accounts to a bank that does.
America’s small- and medium-sized enterprises are not going to buy new PCs just for the privilege of doing online banking at *your* bank, much less run Live-CD versions of Linux so they have a shot at hanging onto their money (which could still be stolen via a true man-in-the-middle attack out in the Internet infrastructure). If they hear they are at risk, they will either turn off online payments, or move to a bank whose Internet banking security procedures are Krebs-Rule-Compliant.
It is not in the national interest for either America’s small- and medium-sized enterprises or its small- and medium-sized banks to be charged with a task as complex as cybersecurity for online banking. Neither can do it technically and neither can bear the financial risks of even trying. At the end of the written version of my testimony I argue for a “Third Way”.
First off, thanks for replying & nice prediction. The Congressional testimony was well-presented. I give you bonus points for the idea of only putting tax dollars in banks that reimburse losses. I doubt it will happen, but I had to smile at the thought. The overall gist of your strategy seems to be pushing the issue to payment processors, who will solve the problem. You cite the larger banks as evidence. Those banks are still hit with plenty of fraud, although the losses are MUCH smaller than these incidents. So, I see it as risk reduction. Mitigation is possible. Brings me to this.
“Let me take this opportunity to opine that the notion that *customers* should have to take actions to protect themselves online is ridiculous from a technical point of view and insane from a business point of view.”
I disagree. I’ve posted technical solutions that are very usable, inexpensive, a bit resistant to social engineering, & can be provably resistant to malware. That’s risk mitigation: they pay for the solution, use it, & don’t worry from there. So, it technically can be done: it’s just not being done. (A key difference that often shows up in the “security” industry.) I blame the banks for that, though, not the customers.
As for business, I think it’s far from insane: it’s worked so far for the majority of these banks, hasn’t it? Seems like one of those issues where they figure they can squeeze more profit out of dodging the issue for a while, then worry about it in the future when the courts or law force them to. That future has arrived. Now, they must worry. NOW, it might not make business sense to force things on customers. If banks can be reliably forced to cover losses, then my technical proposals might not be needed. That also assumes the bank is forced to make an immediate loan in the event of a loss so that the business doesn’t crash waiting for the reimbursement. (A benefit of using mitigation right now is that neither issue is likely. Some business owners might prefer that.)
“European Network and Information Security Agency (ENISA) has just issued the “Krebs Rule” as an advisory–all banking-related business processes must be secured by means that work even when the user’s PC is under the total control of the enemy.”
“asked my panel’s members how he could keep his Windows PC from being taken over, my fellow panel members replied, “You can’t”. And note some of these panel members were from banks who are officially supporters of “Shared Responsibility”, and they did not appreciate my quoting the testimony they had just give as technical experts in support of my position that their employers’ positions on this issue are risible.”
I appreciate the irony of their reply. Good you called them on it. However, there is a difference between “can you stop attackers from remotely initiating fraudulent transfers?” and “can you stop them from subverting a PC & apps on it?” My original technical solution was a simple device (or dedicated, cheap PC) that ran limited software, employed a Trusted Path, allowed visual verification of transfers to be performed, digitally signed approved transfers & could use a malware-infected PC for user & bank interaction without violating security (only DOS was possible). It’s all about design choices & special-purpose systems are inherently easier to protect.
That’s just one idea. There are many others. So, they CAN stop this kind of thing from happening with pretty good confidence, even though they can’t protect a malware bait PC. Solve a simple problem rather than an impossible one. See how that works?
“America’s small- and medium-sized enterprises are not going to buy new PCs just for the privilege of doing online banking at *your* bank”
It’s certainly a touchy issue. I’d have to see field attempts to really be sure of outcome of various approaches. If I were them, I’d inform customers of the risks of online banking & offer the extra stuff as a differentiator. Would have to sell them on the worthwhile benefits, obviously. I’d cite the issues other banks are creating, like bankruptcy, & offer to reimburse total losses for anyone using our mitigation technology. The image to promote is that many banks offer benefits of the online banking, but this bank protects that service so well they’re willing to bet their own money on it. Would it work? I don’t know, but I see success on the issue being a perception management task.
“For those on this forum who disagree with my assertion, I offer the following thought experiment.”
The first paragraph of this thought experiment essentially says a bank wasn’t doing things right, court called them on it, a bunch of money was lost, I was CEO of the bank, I played the evil/greedy role of throwing lawyers at the problem, & now what do I do? That is so different from how I approach asset protection, which is MY function, that I can’t say I’m qualified to respond. My bank would take precautions to reduce risk of large losses, for its sake.
“After you give the charity that fatal bad news, you learn (because you get angry phone calls from them) that said small charity’s board of directors includes Linda Bachus and Barbara Johnson. Still willing to hold fast to “Shared Responsibility”?”
Which happens all the time in these cases, right? Initially, I feel you’re using an uncommon situation as evidence for the rule that applies to very different majority. That said, and without expertise in those situations, I would say the bank might make an exception, do a settlement, apologize, donate to the charity, etc. You know… the “diplomatic” ways that companies sometimes treat elites/regulators vs the rest of their clients. I’d love to see such a scenario play out & it result in legislation. Did it happen or is it one of those fun, hypothetical scenarios? So far, I only see a court or two laying the groundwork for solving the problem.
“Anyone who would say “yes” would lie about other things too. I actually enjoyed testifying before one of Bachus’ subcommittees, but I really doubt your appearance would be as much fun. ”
I agree. I’m a technical- and business-oriented thinker and doer. They’re politicians. The two types rarely mix well. 😉 Also, I’m quick to call out an ineffective solution rather than compromise so the proposer can save face (resulting in problems for others later, sometimes death). However, if I WANT to, I can work with those types of people… fairly well. This issue, for instance, would be worth taking a careful, humble & diplomatic approach to discussion and conversation if I was in the presence of people with influence. I’d probably imitate the presentation style of someone like yourself.
“Also, I enjoyed speaking with Silicon Valley Law Group’s Julie Rogers, but do you think you would enjoy a conversation with her as much? Her firm is signaling in articles like this one that they sure would like to talk with you!”
If you’re being serious, then I might be willing to in the future. Up to my neck in things to handle right now, but I’d seriously like to discuss with one the depths of the issue (solutions, their costs, feasibility, etc.). Might also be able to draw on some banker sources of mine to help figure out ways that they can implement your strategy or mine with minimal fuss. (Increases likelihood of their taking action)
Good luck to your organization on influencing legislation. You’re off to a good start. Payment processors should certainly be the first line of defense & aren’t doing enough. Only liability on banks or processors will change this. Until then, we have Krebs/NickP-style risk reduction & mitigation solutions that are cheap & work. We have people getting word out to the customers. What more can be done? (Meant half-rhetorically, half-seriously.)