Utility Sues Bank When Cybercriminals Raid Utility’s Bank Account
If something sounds oddly familiar about this story, it’s because you’ve likely heard it before. However, the last chapter comes out differently with each telling. The epilogue? That may end up being written by the U.S. Supreme Court. But, we’re getting ahead of ourselves.
In July, TEC Industrial Maintenance & Construction, a utility, sued TriSummit Bank, alleging the bank was to blame for a series of fraudulent payroll drafts sent from TEC’s account in 2012. TEC said the bank failed to have its ACH transactions approved by the utility before they were transmitted. The result was the utility lost $327,804 to cybercriminals, of which $135,148 was recovered by the bank. Now the utility wants the bank to pay the $192,656 the cybercrooks got away with.
In her piece on bankinfosecurity.com Tracy Kitten recounts this latest battle in “who’s on the hook” when cybercriminals raid a company’s account. The following has been edited to fit our format. You may find Kitten’s full article by clicking on this link.
This is but the latest in a series of high-profile account takeover cases, and experts say it is going to put the onus on the bank to prove it took every possible measure to protect its customer from fraud.
Onus is on the institution
In the wake of the 2011 FFIEC authentication guidance update, Doug Johnson, senior vice president of risk management policy for the American Bankers Association, says banking regulators have made it clear that it is [the] banking institutions’ responsibility to ensure they are providing layers of security to protect their customers’ accounts.
And George Tubin, a banking fraud expert …says even if a commercial customer’s account is taken over because of a phishing attack and subsequent malware infection that resulted because of the customer’s negligence, the onus is on the banking institution to detect and stop suspicious transactions.
“A lot of banks think out-of-band, one-time passwords protect them from malware-based fraud – they don’t,” Tubin says. In fact, unless a commercial customer explicitly declines to accept a certain security procedure offered by its bank, as was the case in the Choice Escrow and Land Title LLC account takeover incident, banks have struggled to prove their security measures were reasonable if fraud results….
“Based on the information presented, this case does not have a situation where the customer failed to use…or refused a security procedure….The fact that the customer was infected by malware, which enabled this fraud, will not be viewed as something the customer did wrong. Anybody can get infected with malware, unless they’re utilizing commercial-grade anti-malware software, which is usually only provided via the financial institution.”
Julie Conroy, a financial fraud and security analyst…says TEC has a compelling case, but she sees nothing here that will help banking institutions better understand what constitutes “reasonable security” in the eyes of the courts.
“The confusion and mixed messages that we’ve received from the courts is around what levels of security qualify as ‘commercially reasonable.’ I don’t see anything in this case that would help set a clear precedent in that regard.”
According to the complaint, on May 10, 2012, 55 separate payroll orders totaling $327,804 were sent by TriSummit Bank to different accounts located throughout the U.S. The bank, however, failed to verify those orders with TEC….
Not only did the funds go to accounts that had not previously been paid by TEC, but the amounts, which ranged from $550 to $11,000, were not customary for the utility, the suit alleges.
TEC says its agreement with the bank also required that the bank call the utility before any payroll transactions were authorized. All of those calls, per the agreement between TEC and TriSummit, should have been recorded.
TEC argues that the 55 separate transactions approved in May 2012 were not authorized via a telephone call.
TEC also alleges it alerted the bank to suspicious activity just days before the fraudulent transactions were approved. On May 8, TEC’s controller had trouble accessing the bank’s online-banking site. After contacting the bank, the controller was advised to visit the branch and load the payroll files there. The following day, the controller received a phone call from someone claiming to be from the bank, asking that the employee try once more to access the online banking site to see if it was now working properly.
TEC claims its controller mentioned this suspicious phone call to numerous bank employees the next day, May 9, during a separate authorization call. The bank told TEC it would look into the matter, TEC says. Allegedly, just hours before that call is when the bank approved the fraudulent transactions.
Going to trial?
If the calls between the bank and utility were recorded, then the bank should have a record of the authorization history, [says Tubin]. He [adds] that if the claims made by [the utility] are true, the bank would be wise to settle.
[How the courts viewed other cases]
In the Experi-Metal Inc. and PATCO Construction Inc. cases, the courts ultimately favored the commercial customers. But an appellate court in June upheld a lower court’s ruling in the Choice Escrow case that favored the bank.
The court found that Choice Escrow’s refusal to use a dual-person authorization service for wire-transfer approval offered by the bank shielded the bank from liability. Choice Escrow is considering an appeal of its case before the U.S. Supreme Court.
[Tubin says] in TEC’s case, the bank now must prove its security measures were ‘commercially reasonable.’
“Based on the information in the complaint, the bank should have detected this fraud….A ‘commercially reasonable’ security approach would have either detected and/or prevented the malware from stealing the user’s credentials, and an anomaly detection system would have picked up the double ACH transactions for double the typical weekly amount.”
Further, if the bank did not follow through on its voice confirmation of the fraudulent ACH transaction, as alleged, Tubin says, “The bank would clearly be at fault for not adhering to the security practice used every week to confirm the ACH transaction.”
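As an added illustration (not code from the article, TriSummit Bank or TEC), the Python below shows a bank-side review of an outbound payroll batch built around the warning signs the complaint describes: a batch total far above the weekly baseline, payees that have never been paid before, per-item amounts outside the customary band, and the absence of the agreed call-back confirmation. Every payee id, amount and baseline figure in it is constructed sample data.

```python
"""Rule-based review of an ACH payroll batch, modelled on the indicators
in the TEC complaint. All ids, amounts and baselines are constructed."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class AchEntry:
    beneficiary: str  # receiving account identifier (constructed)
    amount: float     # USD


# Constructed history: totals of the last four approved weekly payroll batches
WEEKLY_TOTALS = [163_500.0, 164_200.0, 163_900.0, 164_000.0]
# Constructed set of accounts that have received payroll from this customer before
KNOWN_PAYEES = {f"emp-{i:03d}" for i in range(1, 41)}
# Constructed band for a single routine payroll item
TYPICAL_ITEM = (1_200.0, 6_000.0)


def review_batch(entries, known_payees=KNOWN_PAYEES, weekly_totals=WEEKLY_TOTALS,
                 typical_item=TYPICAL_ITEM, voice_confirmed=False):
    """Return a list of findings; an empty list means the batch looks routine.
    Any finding should hold the batch until the agreed call-back is on record."""
    findings = []
    baseline = mean(weekly_totals)
    total = sum(e.amount for e in entries)
    if total >= 1.5 * baseline:  # roughly double the usual weekly payroll
        findings.append(f"batch total {total:,.0f} is {total / baseline:.1f}x the weekly baseline")
    new_payees = [e.beneficiary for e in entries if e.beneficiary not in known_payees]
    if new_payees:
        findings.append(f"{len(new_payees)} of {len(entries)} entries go to never-paid accounts")
    lo, hi = typical_item
    odd = [e.amount for e in entries if not lo <= e.amount <= hi]
    if odd:
        findings.append(f"{len(odd)} entries fall outside the typical item range {lo:,.0f}-{hi:,.0f}")
    if not voice_confirmed:  # the agreement required a recorded call before release
        findings.append("no recorded voice confirmation for this batch")
    return findings


def constructed_routine_batch():
    # 40 known employees, equal items, total equal to the weekly baseline
    return [AchEntry(f"emp-{i:03d}", 4_097.5) for i in range(1, 41)]


def constructed_suspect_batch():
    # 55 items to unknown accounts, amounts spread from $550 up past $10,000
    return [AchEntry(f"unk-{i:03d}", 550.0 + 190.0 * i) for i in range(55)]
```

Run on the routine batch with the call-back recorded, the review returns no findings; on the suspect batch it returns four, any one of which should hold the file pending verification with the customer.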
ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.