A bank that gave a business customer a short term loan to cover $336,000 stolen in a 2012 cyberheist is now suing that customer to recover the fronted funds, after the victim company refused to repay or even acknowledge the loan.
On May 9, 2012, cyber crooks hit Wallace & Pittman PLLC, a Charlotte, N.C. based law firm that specializes in handling escrow and other real-estate legal services. The firm had just finished a real estate closing that morning, initiating a wire of $386,600.61 to a bank in Virginia Beach, Virginia. Hours later, the thieves put through their own fraudulent wire transfer, for exactly $50,000 less.
At around 3 p.m. that day, the firm’s bank — Charlotte, N.C. based Park Sterling Bank (PSB)– received a wire transfer order from the law firm for $336,600.61. According to the bank, the request was sent using the firm’s legitimate user name, password, PIN code, and challenge/response questions. PSB processed the wire transfer, which was sent to an intermediary bank — JP Morgan Chase in New York City — before being forwarded on to a bank in Moscow.
Later that day, after the law firm received an electronic confirmation of the wire transfer, the firm called the bank to say the wire transfer was unauthorized, and that there had been an electronic intrusion into the firm’s computers that resulted in the installation of an unspecified strain of keystroke-logging malware. The law firm believes the malware was embedded in a phishing email made to look like it was sent by the National Automated Clearing House Association (NACHA), a legitimate network for a wide variety of financial transactions in the United States.
As some banks do in such cases, Park Sterling provided a provisional credit to the firm for the amount of the fraudulent transfer so that it would avoid an overdraft of its trust account (money that it was holding for a real estate client) and to allow a period of time for the possible return of the wire transfer funds. PSB said it informed Wallace & Pittman that the credit would need to be repaid by the end of that month.
But on May 30, 2012 — the day before the bank was set to debit the loan amount against the firm’s trust account — Wallace & Pittman filed a complaint against the bank in court, and obtained a temporary restraining order that prevented the bank from debiting any money from its accounts. The next month, the law firm drained all funds from all three of its accounts at the bank, and the complaint against the bank was dismissed.
Park Sterling Bank is now suing its former client, seeking repayment of the loan, plus interest. Wallace & Pittman declined to comment on the ongoing litigation, but in their response to PSB’s claims, the defendants claim that at no time prior to the return of the funds did the bank specify that it was providing a provisional credit in the amount of the fraudulent transfer. Wallace & Pittman said the bank didn’t start calling it a provisional credit until nearly 10 days after it credited the law firm’s account; to backstop its claim, the firm produced an online ledger transaction that purports to show that the return of $336,600.61 to the firm’s accounts was initially classified as a “reverse previous wire entry.”
But beyond that, Wallace & Pittman argues that the bank’s claims are barred by its failure to maintain commercially reasonable security measures for its online banking services. The law firm says the fraudulent wire did not come from an IP address associated with the firm, and that it had never before initiated a wire transfer to Russia or to any other location outside the United States.
“The bank was aware or should have questioned the legitimacy of an international wire transfer,” and “was aware or should have been aware of various schemes involving fraudulent funds transfers, particularly those involving parties located in Russia,” the firm argued.
Wallace & Pittman claim that the bank’s authentication procedures amount to little more than a series of passwords. According to the law firm, the process of authenticating its account PSB involved merely entering an account username and password. To move money via wire transfer, FSB customers must enter an online banking ID and static 4-digit “wire code.” After the wire transfer request is submitted, the system generates two “challenge questions.” Wallace & Pittman said these two challenge questions never changed, and that the answers to both questions were pre-programmed by the bank to the same common and intuitive four-letter word.
Dan Mitchell, an attorney with the law firm of Bernstein Shur in Portland, Me., said that if PSB indeed relied on just user IDs, static passwords and static challenge questions, it may be hard for them to argue that these were commercially reasonable security procedures at of the time of the theft in 2012. On the other hand, if as the bank alleges — that the law firm declined the bank’s suggestion of using “dual controls,” or requiring two people to verify and sign off on all money transfers — the bank may have a defense under the Uniform Commercial Code (UCC), Section 202(c) of Article 4A.
“This allows a bank to shift the risk of loss back to a customer if the customer was offered, but declined, a security procedure that would have been commercially reasonable (this presupposes that dual-control is a commercially reasonable procedure,” said Mitchell, an attorney who represented Maine construction firm Patco in its successful lawsuit against its bank following a $588,000 cyberheist in May 2009.
This scenario is the very one that played out in the Choice Escrow case that was decided by a federal district court in Missouri back on March 18th of this year. In its response to the bank’s lawsuit, however, Wallace & Sterling denies that it was offered and rejected the dual-control option.
Mitchell said the other interesting variable in this case is the account at issue was a trust account – in other words, it was not the customer’s money, but was being held and managed by the customer for others – in real estate transactions.
“The bank apparently knew this, yet it still planned to debit the customer’s account and leave the customer on the hook,” Mitchell said. “That was a pretty aggressive move by the bank, probably too aggressive given the facts.”
Unfortunately, cyberheists hit new businesses every week. These attacks are imminently preventable, but blocking the bad guys responsible for these attacks takes awareness, vigilance and forethought. If you run a small business and manage your company’s accounts online, please take a moment to read my list of best practices here: Online Banking Best Practices for Businesses.