Posts Tagged: Uniform Commercial Code


3
Mar 15

Hospital Sues Bank of America Over Million-Dollar Cyberheist

A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.

cascadeIn April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1 , one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added to the hospital’s payroll account almost 100 “money mules,” unwitting accomplices who’d been hired to receive and forward money to the perpetrators.

On Thursday, April 19, and then again on April 20, the thieves put through a total of three unauthorized payroll payments (known as automated clearing house or ACH payments), siphoning approximately $1 million from the hospital.

Bank of America was ultimately able to claw back roughly $400,000 of the fraudulent payroll payments. But in a complaint (PDF) filed against the bank, the hospital alleges that an employee on the Chelan County  Treasurer’s staff noticed something amiss the following Monday — April 22, 2013 — and alerted the bank to the suspicious activity.

“Craig Scott, a Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” the complaint reads. “No funds had been transferred at the time of the phone call.  Theresa Pinneo, an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.” Continue reading →


19
Apr 13

Bank Sues Cyberheist Victim to Recover Funds

A bank that gave a business customer a short term loan to cover $336,000 stolen in a 2012 cyberheist is now suing that customer to recover the fronted funds, after the victim company refused to repay or even acknowledge the loan.

robotrobkbOn May 9, 2012, cyber crooks hit Wallace & Pittman PLLC, a Charlotte, N.C. based law firm that specializes in handling escrow and other real-estate legal services. The firm had just finished a real estate closing that morning, initiating a wire of $386,600.61 to a bank in Virginia Beach, Virginia. Hours later, the thieves put through their own fraudulent wire transfer, for exactly $50,000 less.

At around 3 p.m. that day, the firm’s bank — Charlotte, N.C. based Park Sterling Bank (PSB)– received a wire transfer order from the law firm for $336,600.61. According to the bank, the request was sent using the firm’s legitimate user name, password, PIN code, and challenge/response questions. PSB processed the wire transfer, which was sent to an intermediary bank — JP Morgan Chase in New York City — before being forwarded on to a bank in Moscow.

Later that day, after the law firm received an electronic confirmation of the wire transfer, the firm called the bank to say the wire transfer was unauthorized, and that there had been an electronic intrusion into the  firm’s computers that resulted in the installation of an unspecified strain of keystroke-logging malware. The law firm believes the malware was embedded in a phishing email made to look like it was sent by the National Automated Clearing House Association (NACHA), a legitimate network for a wide variety of financial transactions in the United States.

As some banks do in such cases, Park Sterling provided a provisional credit to the firm for the amount of the fraudulent transfer so that it would avoid an overdraft of its trust account (money that it was holding for a real estate client)  and to allow a period of time for the possible return of the wire transfer funds. PSB said it informed Wallace & Pittman that the credit would need to be repaid by the end of that month.

But on May 30, 2012 — the day before the bank was set to debit the loan amount against the firm’s trust account — Wallace & Pittman filed a complaint against the bank in court, and obtained a temporary restraining order that prevented the bank from debiting any money from its accounts. The next month, the law firm drained all funds from all three of its accounts at the bank, and the complaint against the bank was dismissed.

Park Sterling Bank is now suing its former client, seeking repayment of the loan, plus interest. Wallace & Pittman declined to comment on the ongoing litigation, but in their response to PSB’s claims, the defendants claim that at no time prior to the return of the funds did the bank specify that it was providing a provisional credit in the amount of the fraudulent transfer. Wallace & Pittman said the bank didn’t start calling it a provisional credit until nearly 10 days after it credited the law firm’s account; to backstop its claim, the firm produced an online ledger transaction that purports to show that the return of $336,600.61 to the firm’s accounts was initially classified as a “reverse previous wire entry.”

Continue reading →


26
Mar 13

Missouri Court Rules Against $440,000 Cyberheist Victim

A Missouri court last week handed a legal defeat to a local escrow firm that sued its financial institution to recover $440,000 stolen in a 2009 cyberheist. The court ruled that the company assumed greater responsibility for the incident because it declined to use a basic security precaution recommended by the bank: requiring two employees to sign off on all transfers.

courthouseSpringfield, Mo. based Choice Escrow and Land Title LLC sued Tupelo, Miss. based BancorpSouth Inc., after hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer of $440,000 to a corporate bank account in Cyprus.

Choice Escrow alleged that BancorpSouth’s security procedures were not commercially reasonable. Choice pointed out that the bank’s most secure option for Internet-based authentication relied principally on so-called “dual controls,” or requiring business customers to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

But in a decision handed down on March 18, 2013, a judge with the U.S. District Court for the Western District of Missouri focused on the fact that Choice Escrow was offered and explicitly declined in writing the use of dual controls, thereby allowing the thieves to move money directly out their account using nothing more than a stolen username and password.  The court noted that Choice also declined to set a limit on the amount or number of wire transfers allowed each day (another precaution urged by the bank), and that the transfer amount initiated by the thieves was not unusual for Choice, a company that routinely moved large sums of money.

Continue reading →


26
Jun 12

Bank Settles With Calif. Cyberheist Victim

A California escrow firm that sued its bank last year after losing nearly $400,000 in a 2010 cyberheist has secured a settlement that covers the loss and the company’s attorneys fees. The settlement is notable because such cases typically favor the banks, and litigating them is often prohibitively expensive for small- to mid-sized businesses victimized by these crimes.

In March 2010, organized computer crooks stole $465,000 from Redondo Beach, Calif. based Village View Escrow Inc., sending 26 consecutive wire transfers from Village View’s accounts to 20 individuals around the world who had no legitimate or previous business with the firm. The escrow firm clawed back some of the stolen funds — $72,000 — but that still left Village View with a $393,000 loss, forcing the company’s owner to take out a personal loan at 12 percent interest to cover the loss of customer funds).

In June 2011, Village View sued its financial institutionProfessional Business Bank — arguing that the bank was negligent because it protected customer accounts solely with usernames and passwords. Last week, Village View announced that it had reached a settlement with its bank to recover more than just the full amount of the funds taken from the account plus interest for Village View Escrow.

Kim Dincel, a shareholder at Silicon Valley Law Group, which represented the plaintiffs, said the Uniform Commercial Code and its corresponding California Commercial Code limits the damages resulting from wire transfer fraud to only the actual amount of money lost plus interest – nothing more.  Common law claims such as negligence, breach of contract and fraud, and the damages that attached to them, are generally precluded from being asserted by a victim of wire transfer fraud in a lawsuit involving wire transfer fraud, he added.

“Banks typically deny liability for the cyber-theft which forces small businesses to spend money they do not have on legal fees and regulatory expenses in order to recover a limited and defined set of damages under the Uniform Commercial Code (UCC),” Dincel said in a prepared statement released Monday.

The Bank of Manhattan, which acquired Professional Business Bank last month, did not return calls seeking comment.

Continue reading →


19
Jan 11

Experi-Metal vs. Comerica Case Heads to Trial

A lawsuit headed to court this week over the 2009 cyber theft of more than a half-million dollars from a small metals shop in Michigan could help draw brighter lines on how far banks need to go to protect their business customers from account takeovers and fraud.

The case is being closely watched by a number of small to mid-sized organizations that have lost millions to cyber thieves and have been waiting for some sign that courts might be willing to force banks to assume at least some of those losses.

Nearly two years ago, cyber crooks stole more than $560,000 from Sterling Heights, Mich. based Experi-Metal Inc. (EMI), sending the money to co-conspirators in a half-dozen countries.

Continue reading →