Patco Construction Sues Bank over Security
A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist.
On Friday, Sanford, Maine based Patco Construction Co. filed suit in York County Superior Court against Ocean Bank, a division of Bridgeport, Conn. based People's United Bank. The lawsuit alleges that Ocean Bank did not do enough to prevent cyber crooks from transferring approximately $588,000 to dozens of co-conspirators throughout the United States over an eight-day period in May.
People's United Bank spokeswoman Valerie Carlson declined to comment for this story, saying the company is aware of the lawsuit but does not discuss pending litigation.
According to the complaint, the fraudulent transfers began on Thursday, May 7, when thieves who had hijacked the company's online banking credentials initiated a series of transfers totaling $56,594 to several individuals who had no prior business with Patco. The company alleges that this pattern of fraud continued each day of the following business week, during which time the thieves made additional batches of fraudulent transfers totaling $532,257.
The complaint says the fraud was discovered on May 13, when one of Patco's co-owners went home for the day and found a notice in his mailbox sent from Ocean Bank, stating that several recent transfers had been rejected. The company later determined that the notices were sent only because some of the account numbers to which the perpetrators tried to transfer money turned out to be invalid.
Patco claims that on the morning of May 14, it notified Ocean Bank that the transfers in question were improper, even as another set of fraudulent transfers was going out the door.
"Also that morning, the unknown third parties had initiated a sixth withdrawal of $111,963, and despite Patco's 11:45 a.m. notice of fraudulent activity, the bank did not check the outgoing [transfers] already initiated until it was too late," the complaint alleges.
The complaint says the company has recovered or blocked $243,406 of the fraudulent transfers, but that it is still missing at least $345,000 in stolen funds. In addition, because Patco's available funds in its account were less than the total fraudulent withdrawals, the bank drew $223,237.83 on Patco's line of credit to cover the bogus transfers. Patco claims it has been paying interest on that amount in order to avoid being declared in default on its loans, and as a result, it is seeking recovery of interest paid to date on that line of credit.
Businesses do not have the same legal protections against online banking fraud that consumers enjoy. Consumers generally have 60 days from receiving a bank statement to dispute any fraudulent charges, and in nearly all cases those charges will be reversed. But organizations that experience fraud with their online banking accounts usually lose any money from unauthorized transactions that aren't immediately reported to the bank, and even then there is no guarantee that all or any of the fraudulent transfers will be reversed or halted.
Indeed, Ocean Bank's ebanking and bill payment agreement states that customers who choose to allow these so-called automated clearinghouse (ACH) transactions on their commercial accounts "assume all liability and responsibility to monitor those commercial accounts on a daily basis. In the event that you object to any ACH debit, you agree to notify us of your objection on the same day the debit occurs."
Patco's attorney, Daniel J. Mitchell, said the contract his client signed with its bank does not absolve the financial institution of its responsibility to protect customers from fraud.
"The bank says that under the law, it's all our problem, and we disagree," Mitchell said.
Mitchell said commercial banks are governed under the Uniform Commercial Code, which holds that institutions must take "commercially reasonable" steps to protect customers against fraud.
For most banks, the bar for what is considered reasonable for online banking authentication was set by a 2005 document issued by the Federal Financial Institutions Examination Council, which concluded that requiring customers to enter only a user name and password was inadequate.
Rather, the FFIEC said, banks should employ what's called "multi-factor authentication," which involves requiring the customer to log in with a user name and password in combination with some other form of authentication, such as a single-use password or code generated by a token the customer has in his or her possession, or a special code sent via text message to the customer's mobile phone.
Patco's lawsuit claims the bank failed to offer any form of token-based authentication, and that its multi-factor approach amounted to little more than requiring the entry of yet another password. The company said that for any transfer of more than $1,000, Ocean Bank commercial customers initiating ACH transfers are required to answer two "challenge" questions.
"Because almost every transfer Patco made exceeded the $1,000 threshold, Patco employees had to answer the challenge questions practically every time they initiated a direct deposit payroll via ACH transfer," the company charged in its complaint. "Because the low thresholds meant the challenge questions were used so often, the questions provided little to no additional security and were effectively no more than extensions of the employee's passwords."
In addition, the suit alleges that while the bank represents to clients that it monitors customer online accounts for signs of unauthorized access, all of the fraudulent transfers were initiated from Internet addresses that Patco had never before used to conduct online banking.
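The allegation above describes exactly the kind of signal a bank-side transaction monitor can act on: a source address the customer has never used before, paying a recipient the customer has never paid before. The following is an added illustration of that check, written for this article and not code from the bank, Patco, or the complaint; the log format, the customer name, the IP addresses (from documentation ranges) and the payee labels are all constructed. It builds a per-customer baseline of source IPs and payees from transfers before a cutoff date, then flags later transfers that depart from it and totals the flagged amounts per day.

```python
"""Added example: flag outbound ACH transfers that come from a source IP the
customer has never used, or go to a payee the customer has never paid.
All log lines, names and addresses below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transfer:
    day: date
    customer: str
    src_ip: str
    payee: str
    amount: float


# Constructed sample log, one transfer per line:
# "YYYY-MM-DD customer source_ip payee amount"
SAMPLE_LOG = """\
2009-04-30 patco 203.0.113.10 payroll-employee-01 1850.00
2009-04-30 patco 203.0.113.10 payroll-employee-02 2100.00
2009-05-01 patco 203.0.113.10 payroll-employee-01 1850.00
2009-05-07 patco 198.51.100.44 unknown-payee-a 9200.00
2009-05-07 patco 198.51.100.44 unknown-payee-b 8700.00
2009-05-08 patco 198.51.100.45 unknown-payee-c 12950.00
2009-05-08 patco 203.0.113.10 payroll-employee-02 2100.00
"""


def parse_log(text):
    """Parse the constructed whitespace-separated log into Transfer records."""
    transfers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, customer, src_ip, payee, amount = line.split()
        transfers.append(Transfer(date.fromisoformat(day), customer,
                                  src_ip, payee, float(amount)))
    return transfers


def build_baseline(transfers, cutoff):
    """Per-customer sets of source IPs and payees seen strictly before cutoff."""
    known_ips = defaultdict(set)
    known_payees = defaultdict(set)
    for t in transfers:
        if t.day < cutoff:
            known_ips[t.customer].add(t.src_ip)
            known_payees[t.customer].add(t.payee)
    return known_ips, known_payees


def flag_transfers(transfers, cutoff):
    """Return [(transfer, [reasons])] for transfers on/after cutoff that use a
    never-seen source IP and/or pay a never-seen payee for that customer."""
    known_ips, known_payees = build_baseline(transfers, cutoff)
    alerts = []
    for t in transfers:
        if t.day < cutoff:
            continue
        reasons = []
        if t.src_ip not in known_ips[t.customer]:
            reasons.append("new-source-ip")
        if t.payee not in known_payees[t.customer]:
            reasons.append("new-payee")
        if reasons:
            alerts.append((t, reasons))
    return alerts


def daily_alert_totals(alerts):
    """Sum flagged amounts per ISO date, so a reviewer sees the day's exposure."""
    totals = defaultdict(float)
    for t, _reasons in alerts:
        totals[t.day.isoformat()] += t.amount
    return dict(totals)


if __name__ == "__main__":
    flagged = flag_transfers(parse_log(SAMPLE_LOG), date(2009, 5, 7))
    for t, reasons in flagged:
        print(f"{t.day} {t.customer} {t.src_ip} -> {t.payee} "
              f"${t.amount:,.2f}  [{', '.join(reasons)}]")
    print(daily_alert_totals(flagged))
```

Run as-is, the three transfers to unfamiliar payees from unfamiliar addresses are flagged with both reasons, while the May 8 payroll transfer from the customer's usual address to a known payee passes. A real deployment would hold flagged ACH batches for out-of-band confirmation rather than merely logging them.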
"The statute we deal with in Maine is very specific and mentions a whole host of factors that the bank needs to have in place, and in this case we don't think the bank had in place commercially reasonable security procedures," Mitchell said.
This type of online banking fraud once again highlights the critical role of "money mules," willing or unwitting accomplices who are hired via e-mail to help launder the stolen funds. In the attack on Patco's account, Mitchell said the perpetrators sent the fraudulent payments to more than 30 mules around the country.
Potential mules typically are approached via e-mail by would-be employers who claim to have found the recipient's resume on job search Web sites. Recruits usually are told they can make hundreds or thousands of dollars a month working from home helping companies move money.
Mitchell said one of the mules hired to receive money on behalf of the perpetrators was actually another business, called LRS Reyes Inc., in North Carolina. According to the North Carolina Secretary of State database, Cary, N.C. based LRS Reyes operated as a Medicaid reimbursement company until its business license was suspended in 2007.
Security Fix spoke with the owner of that company, Lourdes Reyes, who said her son, Arnold, got involved after he responded to an e-mail from a company in New York that claimed it had found his resume on Careerbuilder.com.
"A lady in New York told him he was going to be some project manager of computer people based in Eastern Europe, and that he needed to open up a checking account so that he could expedite some money to those consultants," Mrs. Reyes said. She confirmed that the thieves deposited two payments of just under $13,000 each into LRS Reyes' business account with a local bank, and that Arnold withdrew the cash and wired it to his employers, as instructed.
"It was all a scam," Lourdes Reyes said. "Please write about this to let other people know about these scams."
Credits: Washington Post, Brian Krebs, Security Fix column.
