A California escrow firm that was forced out of business last year after a $1.5 million cyberheist is now suing its former bank to recoup the lost funds.
A state-appointed receiver for the now defunct Huntington Beach, Calif. based Efficient Services Escrow has filed suit against First Foundation Bank, alleging that the bank’s security procedures were not up to snuff, and that it failed to act in good faith when it processed three fraudulent international wire transfers totaling $1,558,439 between December 2012 and February 2013.
The lawsuit, filed in the Superior Court for Orange County, is the latest in a series of legal battles over whether banks can and should be held more accountable for losses stemming from account takeovers. In the United States, consumers have little to no liability if a computer infection from a banking Trojan leads to the emptying of their bank accounts — provided that victims alert their bank in a timely manner. Businesses of all sizes, however, enjoy no such protection, with many small business owners shockingly unaware of the risks of banking online.
As I wrote in an August 2013 story, the heist began in December 2012 with a $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.
This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.
Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.
Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut the company down. As a result, Efficient was forced to lay off its entire staff of nine employees.
On Dec. 6, the lawyer appointed to be Efficient’s receiver sued First Foundation in a bid to recover the outstanding $1.1 million on behalf of the firm’s former customers. The suit alleges that the bank’s security procedures were not “commercially reasonable,” and that the bank failed to act in “good faith” when it processed international wire transfers on behalf of the escrow firm.
Like most U.S. states, California has adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”
As evidenced by the dozens of stories in my series, Target: Small Businesses, companies do not enjoy the same protections as consumers when banking online. If a banking Trojan infection results in cyber thieves emptying the bank accounts of a small business, that organization is essentially at the mercy of their financial institution, which very often in these situations disavows any responsibility for the breach, and may in fact stonewall the victim company as a result. That can leave victim organizations in a quandary: They can swallow their pride and chalk it up to a learning experience, or opt to sue the bank to recover their losses. Of course, suing your bank can be cost-prohibitive unless the loss is significantly larger than the amount the victim might expect to spend hiring lawyers to pursue the case on the often long road to settlement or trial.
The plaintiffs in this case allege that part of the reason the bank’s security procedures were not commercially reasonable was that one component of the bank’s core security protection — the requirement that customers enter a code generated by a customer-supplied security token that changes every 32 seconds — had failed in the days leading up to the fraudulent transfers. I would argue that security tokens are a mere security speed bump whose effectiveness is easily bypassed by today’s cyber thieves. But in any case, this lawsuit claims that rather than address that failure, the bank simply chose to disable this feature for Efficient Services.
First Foundation did not return calls seeking comment. But the bank did produce an incident report that is now public record, thanks to this lawsuit (see the “Exhibit J” section of this PDF case document). The document states that the company had previously performed international wire transfers, and so it saw nothing unusual about half-million-dollar transfers to China. According to the plaintiffs, however, Efficient escrow had merely inquired about the possibility of international wires, yet had not actually performed wire transfers outside of the United States previously.
First Foundation’s incident report also appears to suggest that bank very quickly reached the conclusion that the fraud was the result of misdeeds by Efficient’s controller — Julie Gardner — and not the result of a cyberheist.
“The transaction and session history of Ms. Gardner suggests the possibility of internal fraud,” reads the bank’s report. “Ms. Gardner’s employment with ESE ended with reasons unknown to FFB. Her access from Business Online was removed on Feb. 20, 2013.”
Julie Rogers is an attorney with the Dincel Law Group, which is working with the plaintiffs in this case. In an interview with KrebsOnSecurity, Rogers said that if the bank looked at its processes honestly, it would have asked the customer before processing the international wire. Rogers noted that the bank’s incident report also brought repercussions that spilled out beyond the errant processing of several fraudulent international wire transfers.
“To name a specific employee and say, ‘We don’t think this was cyber hacking at all,’ that’s pretty egregious, and you can’t un-ring that bell,” Rogers said, citing the difficulty that some former employees of ESE have had trying to find new work in the industry.
“When you suggest that, it does some damage, not only to that individual but also to the people associated with that individual,” Rogers said. “That conduct spills out beyond just the processing of a wire transfer. It spills out into an area that isn’t covered by the UCC. Some of the individual escrow agents [formerly employed by ESE] have tried to obtain work at other companies, but the two operators and owners of the company have been subjected to license revocation and suspension that precludes them from running a similar business for five years before they can reapply.”
Rogers said there’s a larger point to these lawsuits: “These banking institutions are saying, ‘We’ll give you 24/7 protection for banking online, which is safe, efficient, and affordable.’ But meanwhile, their budgets are getting cut. The people in charge of fraud are getting laid off. And yet the public is getting more and more drawn into cyber banking.”
There is no question that Efficient Escrow should have detected these fraudulent wires a lot sooner than they did. The point of my focus on these cases is to raise awareness about the need for companies to take steps to avoid becoming victims in the first place. If you run a small business and you bank online, please consider adopting some safeguards to prevent your company from being the next victim of a cyberheist. Banking from a Live CD or from an isolated (preferably non-Windows) computer is the surest way to avoid ebanking heists. However, this approach only works if it is consistently observed.
The average small business usually has one person in charge of the books, and they’re lucky if they have one person in charge of security; very often, it’s the CEO who serves as the CTO, CFO, CSO and E-I-E-I-O. These attacks launched by today’s cyber thieves against small businesses are any thing but a fair fight: It’s basically one blue-haired lady against an entire squadron of seasoned criminals.
I’ve been writing about this problem for more than five years now, and for good reason: There are millions of small business owners who have absolutely no clue how vulnerable they are and who they’re up against. I travel quite a bit to speak to audiences around the world about cybercrime, and I frequently find myself seated next to small business owners. I always ask the same thing, and I always get the same response. Do you bank online with your business? Why, sure. Did you know that if you have a virus infection that cleans out your bank account, your bank is under no obligation to do anything on your behalf?
I’ll continue to write about this subject, mainly because awareness remains low and there will continue to be new victims every week losing hundreds of thousands of dollars as a result of these cyberheists. Meanwhile, the crooks responsible are upping their game. According to Gary Warner, co-founder and chief technologist at threat intelligence firm Malcovery (full disclosure: Malcovery is an advertiser on this blog), the latest cyberheist malware deployed by the Asprox botnet (PDF) uses geo-IP location to include the name of the would-be victim’s hometown in the malicious file that gets pushed down when the user clicks on a link.
“It geo-codes you and puts your city name into the filename, and antivirus detection of these variants continues to be very low,” Warner said. “We’ve seen this with Asprox malware spam disguised as court documents, airline tickets, and [spoofed emails made to look like they came] from Wal-Mart, Costco and BestBuy.”
I guess you could say it’s also become a bit personal. One of the most recent versions of Asprox pushes malware that includes the URL of this blog, as well as file descriptor that says “Krebs Systems.”
A copy of the complaint filed by the receiver for Efficient Services is available here (PDF).