Yet Another Bank Sued By A Small Business For Fraudulent Hacker Transfers

Published : 22/11/2024   Category : security




Village View says Professional Business Bank is responsible for $465K loss to hackers, plus fees and damages suffered in online account breach



A new court case brought to bear against Professional Business Bank by Village View Escrow Inc. continues the battle waged over who's to blame for hacking attacks that leave small-business accounts drained following online password theft. Filed in late June in the California Superior Court in Los Angeles, the case is the latest in a string of lawsuits filed in U.S. courts by small businesses that believe their banks are to blame for failing to properly protect their accounts from predatory hackers.
Village View's lawyers say (PDF) the bank should be on the hook for $465,000 siphoned off by hackers in March 2010, plus bank fees and damages incurred by the loss. Village View told the court that Professional Business Bank led it to believe that the institution employed safe online banking practices when it signed with the bank in 2008.
"Prior to entering into a banking relationship and contract with Professional Business Bank, Village View Escrow was not informed of any unsafe and unsound business practices employed by the bank," the complaint read, claiming that the fraudulent account transfers incurred by hackers were caused by the bank's failure to employ a commercially reasonable security system and to accept funds transfers orders in good faith and in compliance with the security procedures selected by Village View Escrow.
It's a scenario that has played itself out many times during the past several years, says George Tubin, analyst for Tower Group. He estimates that small businesses have lost $250 million due to similar attacks, and says the banks in charge of securing those accounts are skirting legal responsibility due to the inadequacies of the "Authentication in an Internet Banking Environment" guidance released by the Federal Financial Institutions Examination Council (FFIEC) in 2005.
Though best practices in these times of increasingly sophisticated attacks would dictate that a bank acting in good faith apply fraud detection and anomaly detection software, the old FFIEC guidance only recommends outdated two-factor authentication technologies that can easily be gamed by hackers today. Many financial institutions have been skating by on the letter of the law, and very often they get away with it because small-business owners don't know how to ask their banks about Internet security practices.
"I've always believed it's incumbent upon those banks to put those protections in place, [but] they can do a bare minimum and get by," Tubin says. "Ideally, a small business would be able to go in and ask their bank what kind of security procedures they have, knowing that if fraud does occur, it's probably going to be contentious as to who's liable. Because of that, you should know what's in place. Unfortunately, most small businesses aren't very conversant in Internet technology and fraud detection technology -- and they shouldn't be. They're in business to run their business."
Nevertheless, Tubin reports that in most instances where bank practices left SMB accounts open to fraud, the small business is only able to settle out of court for pennies on the dollar for money that was stolen. In other cases, lawsuit complaints never even go to trial.
Take the suit lodged by PATCO Construction against Oceans Bank, which was thrown out of court before going to trial. PATCO lost $500,000 from its Oceans Bank commercial account in 2009 after a malware attack made off with its authentication credentials, but the judge ruled that Oceans was following FFIEC protocol.
"The bank can claim that they relied on the FFIEC guidance, and a large percentage of the market can claim the same thing: that they looked at the guidance and followed it," says Terry Austin, CEO of fraud detection company Guardian Analytics. "And they're right. The 2005 guidance was not nearly specific enough, and it's woefully out of date."
For its part, though, the FFIEC guidance defense might not hold water for long. The banking authority recently announced tightened regulations, effective Jan. 1, 2012, that will require banks to use anomaly detection software and risk management best practices.
For those hit by fraudsters before then, though, the tide of legal precedence could be changing in favor of SMBs -- if a recent case between Experi-Metal Inc. and Comerica Bank is any indication. Experi-Metal sued Comerica for more than $550,000 in fraudulent wire transfers that it says the bank should have disallowed had it been scrupulous about looking for anomalous behavior on the account.
"The latest case, Experi-Metal versus Comerica, was the first time we've seen that an SMB has won against their bank. If you read the bench opinion, essentially they are saying that there are two aspects of this: Did you have commercially reasonable security in place, and did you act in good faith?" Tubin says. "They were fine on the reasonable security, but [the court] felt they didn't act in good faith because they weren't looking for anomalies. The bank didn't spot that Experi-Metal was doing things [with the account] that they typically never do."
If the judge in Village View's case takes the argument of good faith seriously, then the escrow company could have a good chance of winning -- especially if Village View's claims that its bank didn't even live up to the FFIEC's outdated requirement for two-factor authentication stand up in court. What's more, Village View says that the bank also failed to tell it that the institution had suffered a third-party hacking attack a month before the fraudulent transfers; had the escrow company known about the attack, it would have taken additional protective measures.