BreachExchange mailing list archives

Bank Sues Cyberheist Victim to Recover Funds


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 19 Apr 2013 11:02:51 -0400

http://krebsonsecurity.com/2013/04/bank-sues-cyberheist-victim-to-recover-funds/

A bank that gave a business customer a short term loan to cover
$336,000 stolen in a 2012 cyberheist is now suing that customer to
recover the fronted funds, after the victim company refused to repay
or even acknowledge the loan.

On May 9, 2012, cyber crooks hit Wallace & Pittman PLLC, a Charlotte,
N.C. based law firm that specializes in handling escrow and other
real-estate legal services. The firm had just finished a real estate
closing that morning, initiating a wire of $386,600.61 to a bank in
Virginia Beach, Virginia. Hours later, the thieves put through their
own fraudulent wire transfer, for exactly $50,000 less.

At around 3 p.m. that day, the firm’s bank — Charlotte, N.C. based
Park Sterling Bank (PSB) — received a wire transfer order from the law
firm for $336,600.61. According to the bank, the request was sent
using the firm’s legitimate user name, password, PIN code, and
challenge/response questions. PSB processed the wire transfer, which
was sent to an intermediary bank — JP Morgan Chase in New York City —
before being forwarded on to a bank in Moscow.

Later that day, after the law firm received an electronic confirmation
of the wire transfer, the firm called the bank to say the wire
transfer was unauthorized, and that there had been an electronic
intrusion into the firm’s computers that resulted in the installation
of an unspecified strain of keystroke-logging malware. The law firm
believes the malware was embedded in a phishing email made to look
like it was sent by the National Automated Clearing House Association
(NACHA), a legitimate network for a wide variety of financial
transactions in the United States.

As some banks do in such cases, Park Sterling provided a provisional
credit to the firm for the amount of the fraudulent transfer so that
it would avoid an overdraft of its trust account (money that it was
holding for a real estate client) and to allow a period of time for
the possible return of the wire transfer funds. PSB said it informed
Wallace & Pittman that the credit would need to be repaid by the end
of that month.

But on May 30, 2012 — the day before the bank was set to debit the
loan amount against the firm’s trust account — Wallace & Pittman filed
a complaint against the bank in court, and obtained a temporary
restraining order that prevented the bank from debiting any money from
its accounts. The next month, the law firm drained all funds from all
three of its accounts at the bank, and the complaint against the bank
was dismissed.

Park Sterling Bank is now suing its former client, seeking repayment
of the loan, plus interest. Wallace & Pittman declined to comment on
the ongoing litigation, but in their response to PSB’s claims, the
defendants claim that at no time prior to the return of the funds did
the bank specify that it was providing a provisional credit in the
amount of the fraudulent transfer. Wallace & Pittman said the bank
didn’t start calling it a provisional credit until nearly 10 days
after it credited the law firm’s account; to backstop its claim, the
firm produced an online ledger transaction that purports to show that
the return of $336,600.61 to the firm’s accounts was initially
classified as a “reverse previous wire entry.”

But beyond that, Wallace & Pittman argues that the bank’s claims are
barred by its failure to maintain commercially reasonable security
measures for its online banking services. The law firm says the
fraudulent wire did not come from an IP address associated with the
firm, and that it had never before initiated a wire transfer to Russia
or to any other location outside the United States.

“The bank was aware or should have questioned the legitimacy of an
international wire transfer,” and “was aware or should have been aware
of various schemes involving fraudulent funds transfers, particularly
those involving parties located in Russia,” the firm argued.

Wallace & Pittman claim that the bank’s authentication procedures
amount to little more than a series of passwords. According to the law
firm, the process of authenticating its account at PSB involved merely
entering an account username and password. To move money via wire
transfer, PSB customers must enter an online banking ID and static
4-digit “wire code.” After the wire transfer request is submitted, the
system generates two “challenge questions.” Wallace & Pittman said
these two challenge questions never changed, and that the answers to
both questions were pre-programmed by the bank to the same common and
intuitive four-letter word.

Dan Mitchell, an attorney with the law firm of Bernstein Shur in
Portland, Me., said that if PSB indeed relied on just user IDs, static
passwords and static challenge questions, it may be hard for them to
argue that these were commercially reasonable security procedures as
of the time of the theft in 2012. On the other hand, if, as the bank
alleges, the law firm declined the bank’s suggestion of using
“dual controls,” or requiring two people to verify and sign off on all
money transfers, the bank may have a defense under the Uniform
Commercial Code (UCC), Section 202(c) of Article 4A.

“This allows a bank to shift the risk of loss back to a customer if
the customer was offered, but declined, a security procedure that
would have been commercially reasonable (this presupposes that
dual-control is a commercially reasonable procedure),” said Mitchell,
an attorney who represented Maine construction firm Patco in its
successful lawsuit against its bank following a $588,000 cyberheist in
May 2009.

This scenario is the very one that played out in the Choice Escrow
case that was decided by a federal district court in Missouri back on
March 18th of this year. In its response to the bank’s lawsuit,
however, Wallace & Pittman denies that it was offered and rejected
the dual-control option.

Mitchell said the other interesting variable in this case is the
account at issue was a trust account – in other words, it was not the
customer’s money, but was being held and managed by the customer for
others – in real estate transactions.

“The bank apparently knew this, yet it still planned to debit the
customer’s account and leave the customer on the hook,” Mitchell said.
“That was a pretty aggressive move by the bank, probably too
aggressive given the facts.”

Unfortunately, cyberheists hit new businesses every week. These
attacks are eminently preventable, but blocking the bad guys
responsible for these attacks takes awareness, vigilance and
forethought. If you run a small business and manage your company’s
accounts online, please take a moment to read my list of best
practices here: Online Banking Best Practices for Businesses.

The complaint filed by Park Sterling Bank is here (PDF). A copy of
Wallace & Pittman’s response is at this link (PDF).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 
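The signals the two sides argue over in the article above (a wire submitted from an IP address not associated with the customer, the customer's first-ever international wire, and the dual-control option the bank says it offered) map directly onto checks a wire-release pipeline can apply before money leaves the account. What follows is an added example written for this archive post; it is not code from the article, from Park Sterling Bank, or from any banking product. The customer profile, IP addresses, approver names and threshold logic are constructed for illustration, and the amounts are only borrowed from the article to make the sample realistic.

```python
"""Out-of-pattern wire detection with a dual-control gate.

Added example, not code from the article or from any bank. The account
profile, IP addresses, approver IDs and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Wire:
    amount: float
    dest_country: str        # ISO country code of the beneficiary bank
    source_ip: str           # address the online-banking session came from
    approvers: tuple = ()    # user IDs that signed off on this request


@dataclass(frozen=True)
class AccountProfile:
    known_networks: tuple          # networks the customer has banked from before
    prior_dest_countries: frozenset  # countries the customer has wired to before
    max_prior_amount: float        # largest prior wire, a rough size baseline


def risk_flags(wire: Wire, profile: AccountProfile) -> list:
    """Return the list of out-of-pattern indicators for one wire request."""
    flags = []
    ip = ip_address(wire.source_ip)
    # Session origin: the article's defendant argued the fraudulent wire
    # did not come from an IP address associated with the firm.
    if not any(ip in ip_network(net) for net in profile.known_networks):
        flags.append("source_ip_unknown")
    # Destination: first wire ever leaving the US is the strongest signal;
    # a merely new country is weaker but still worth recording.
    if wire.dest_country != "US" and all(c == "US" for c in profile.prior_dest_countries):
        flags.append("first_international_wire")
    if wire.dest_country not in profile.prior_dest_countries:
        flags.append("new_destination_country")
    # Size: larger than anything the customer has sent before.
    if wire.amount > profile.max_prior_amount:
        flags.append("exceeds_prior_max")
    return flags


def decide(wire: Wire, profile: AccountProfile, dual_control: bool = True) -> tuple:
    """Release, release only after two distinct approvers, or hold for a callback.

    Dual control (two people signing off) only helps when the second
    approver is a separate person; a lone credential-stealing attacker
    cannot satisfy it. Holding the wire for an out-of-band callback is the
    fallback when the customer has not enrolled in dual control.
    """
    flags = risk_flags(wire, profile)
    if not flags:
        return ("release", flags)
    if dual_control and len(set(wire.approvers)) >= 2:
        return ("release_after_dual_approval", flags)
    return ("hold_for_callback", flags)


# Constructed profile: the firm has only ever banked from one office
# network (documentation range) and only ever wired inside the US.
FIRM = AccountProfile(
    known_networks=("203.0.113.0/24",),
    prior_dest_countries=frozenset({"US"}),
    max_prior_amount=386600.61,
)

# Constructed requests modelled on the article's two wires that day.
LEGIT_WIRE = Wire(amount=386600.61, dest_country="US", source_ip="203.0.113.10")
FRAUD_WIRE = Wire(amount=336600.61, dest_country="RU", source_ip="198.51.100.77")
FRAUD_WIRE_TWO_APPROVERS = Wire(amount=336600.61, dest_country="RU",
                                source_ip="198.51.100.77",
                                approvers=("partner", "bookkeeper"))

if __name__ == "__main__":
    for label, w in (("legit", LEGIT_WIRE), ("fraud", FRAUD_WIRE),
                     ("fraud, dual approved", FRAUD_WIRE_TWO_APPROVERS)):
        print(label, "->", decide(w, FIRM))
```

The point of keeping the flags separate from the decision is that a bank can show, per wire, which commercially reasonable signals fired and what it did about them; the static challenge questions described in the article contribute nothing here, because a keylogger captures them along with the password.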

