Posts Tagged: Choice Escrow

Aug 14

Tenn. Firm Sues Bank Over $327K Cyberheist

An industrial maintenance and construction firm in Tennessee that was hit by a $327,000 cyberheist is suing its financial institution to recover the stolen funds, charging the bank with negligence and breach of contract. Court-watchers say the lawsuit — if it proceeds to trial — could make it easier and cheaper for cyberheist victims to recover losses.

teciIn May, 2012, Kingsport, Tenn.-based Tennessee Electric Company Inc. (now TEC Industrial) was the target of a corporate account takeover that saw cyber thieves use a network of more than four dozen money mules to siphon $327,804 out of the company’s accounts at TriSummit Bank.

TriSummit was able to claw back roughly $135,000 of those unauthorized transfers, leaving Tennessee Electric with a loss of $192,656. Earlier this month, the company sued TriSummit in state court, alleging negligence, breach of contract, gross negligence and fraudulent concealment.

Both companies declined to comment for this story. But as Tennessee Electric’s complaint (PDF) notes (albeit by misspelling my name), I called Tennessee Electric on May 10, 2012 to alert the company about a possible cyberheist targeting its accounts. I’d contacted the company after speaking with a money mule who’d acknowledged receiving thousands of dollars pulled from the firm’s accounts at TriSummit.

According to the complaint, the attackers first struck on May 8, after Tennessee Electric’s controller tried, unsuccessfully, to log into the bank’s site and upload that week’s payroll batch (typically from $200,000 to $240,000 per week). When the controller called TriSummit to inquire about the site problems, the bank said the site was probably undergoing maintenance and that the controller was welcome to visit the local bank branch and upload the file there. The controller did just that, uploading four payroll batches worth $202,664.47.

[SIDE NOTE: When I spoke with Tennessee Electric’s controller back in 2012, the controller for the company told me she was asked for and supplied the output of a one-time token upon login. This would make sense given the controller’s apparent problems accessing the bank’s Web site. Cyber thieves involved in these heists typically use password-stealing malware to control what the victim sees in his or her browser; when a victim logs in at a bank that requires a one-time token, the malware will intercept that token and then redirect the victim’s browser to an error page or a “down for maintenance” message — all the while allowing the thieves to use the one-time token and the victim’s credentials to log in as the legitimate user.]

On May 9, Tennessee Electric alleges, TriSummit Bank called to confirm the $202,664.47 payroll batch — as per an agreement the bank and the utility had which called for the bank to verbally verify all payment orders by phone. But according to Tennessee Electric, the bank for some reason had already approved a payroll draft of $327,804 to be sent to 55 different accounts across the United States — even though the bank allegedly never called to get verification of that payment order.

Tennessee Electric alleges that the bank only called to seek approval for the fraudulent batch on May 10, more than a day after having approved it and after I contacted Tennessee Electric to let them know they’d been robbed by the Russian cyber mob.


This lawsuit, if it heads to trial, could help set a more certain and even standard for figuring out who’s at fault when businesses are hit by cyberheists (for better or worse, most such legal challenges are overwhelmingly weighted toward banks and quietly settled for a fraction of the loss).

Consumers who bank online are protected by Regulation E, which dramatically limits the liability for consumers who lose money from unauthorized account activity online (provided the victim notifies their financial institution of the fraudulent activity within 60 days of receiving a disputed account statement).

Businesses, however, do not enjoy such protections. States across the country have adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

Under state interpretations of the UCC, the most that a business hit with a cyberheist can hope to recover is the amount that was stolen. That means that it’s generally not in the business’s best interests to sue their bank unless the amount of theft was quite high, because the litigation fees required to win a court battle can quickly equal or surpass the amount stolen. Continue reading →

Jun 14

Ruling Raises Stakes for Cyberheist Victims

A Missouri firm that unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist may now be on the hook to cover the financial institution’s legal fees, an appeals court has ruled. Legal experts say the decision is likely to discourage future victims from pursuing such cases.

Choice Escrow and Land Title LLC sued Tupelo, Miss. based BancorpSouth Inc., after hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.

BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use choose dual control — required one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

A trial court was unconvinced, and last week The 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.

“It’s a good opinion for banks [and] it’s definitely more pro-bank than pro-consumer,” said Dan Mitchell, a lawyer who chairs the data security practice at Bernstein Shur in Portland, Maine. “The appellate court found the same thing as the basic court. The customer was offered dual controls — that two people should be required to sign off on all transactions — and they were informed that it was important for them to take advantage of this. So, when [Choice Escrow] made an informed decision in writing not to use dual controls, the bank was careful to document that.”

Perhaps most significantly, Mitchell said, the decision could be a blow to companies trying to recover cyberheist losses from their banks. Bancorp South had asserted at the trial court level that its contract with Choice Escrow indemnified it against paying legal fees in such a dispute. The trial court dismissed that claim, but the appeals court said in its decision that the bank could recover the costs from the escrow firm. Continue reading →

Apr 13

Bank Sues Cyberheist Victim to Recover Funds

A bank that gave a business customer a short term loan to cover $336,000 stolen in a 2012 cyberheist is now suing that customer to recover the fronted funds, after the victim company refused to repay or even acknowledge the loan.

robotrobkbOn May 9, 2012, cyber crooks hit Wallace & Pittman PLLC, a Charlotte, N.C. based law firm that specializes in handling escrow and other real-estate legal services. The firm had just finished a real estate closing that morning, initiating a wire of $386,600.61 to a bank in Virginia Beach, Virginia. Hours later, the thieves put through their own fraudulent wire transfer, for exactly $50,000 less.

At around 3 p.m. that day, the firm’s bank — Charlotte, N.C. based Park Sterling Bank (PSB)– received a wire transfer order from the law firm for $336,600.61. According to the bank, the request was sent using the firm’s legitimate user name, password, PIN code, and challenge/response questions. PSB processed the wire transfer, which was sent to an intermediary bank — JP Morgan Chase in New York City — before being forwarded on to a bank in Moscow.

Later that day, after the law firm received an electronic confirmation of the wire transfer, the firm called the bank to say the wire transfer was unauthorized, and that there had been an electronic intrusion into the  firm’s computers that resulted in the installation of an unspecified strain of keystroke-logging malware. The law firm believes the malware was embedded in a phishing email made to look like it was sent by the National Automated Clearing House Association (NACHA), a legitimate network for a wide variety of financial transactions in the United States.

As some banks do in such cases, Park Sterling provided a provisional credit to the firm for the amount of the fraudulent transfer so that it would avoid an overdraft of its trust account (money that it was holding for a real estate client)  and to allow a period of time for the possible return of the wire transfer funds. PSB said it informed Wallace & Pittman that the credit would need to be repaid by the end of that month.

But on May 30, 2012 — the day before the bank was set to debit the loan amount against the firm’s trust account — Wallace & Pittman filed a complaint against the bank in court, and obtained a temporary restraining order that prevented the bank from debiting any money from its accounts. The next month, the law firm drained all funds from all three of its accounts at the bank, and the complaint against the bank was dismissed.

Park Sterling Bank is now suing its former client, seeking repayment of the loan, plus interest. Wallace & Pittman declined to comment on the ongoing litigation, but in their response to PSB’s claims, the defendants claim that at no time prior to the return of the funds did the bank specify that it was providing a provisional credit in the amount of the fraudulent transfer. Wallace & Pittman said the bank didn’t start calling it a provisional credit until nearly 10 days after it credited the law firm’s account; to backstop its claim, the firm produced an online ledger transaction that purports to show that the return of $336,600.61 to the firm’s accounts was initially classified as a “reverse previous wire entry.”

Continue reading →