Victim of $440K wire fraud can’t blame bank for loss, judge rules
Jaikumar Vijayan March 26, 2013 (Computerworld)
A federal court in Missouri has rejected an escrow firm’s attempt to blame its bank for a $440,000 cyberheist in March 2010.
In a ruling last week, the U.S. District Court for the Western District of Missouri held that Choice Escrow and Title LLC had essentially failed to follow its bank’s recommended security procedures and therefore had only itself to blame for the loss.
Choice filed a lawsuit against BancorpSouth in November 2010 after unknown attackers stole the username and password to the company’s online bank account and used the credentials to transfer $440,000 to an account in Cyprus.
Choice alleged that the theft occurred only because the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the Uniform Commercial Code (UCC). Choice Escrow maintained that BancorpSouth should have known the wire transfer request was fraudulent because it was initiated from outside the U.S — something that had never happened before with its account.
In a countersuit, BancorpSouth noted that the wire transfer had been initiated by someone using Choice Escrow’s legitimate login in credentials and from an IP address associated with the escrow firm’s bank account.
Importantly, the bank said it had specifically asked Choice to adopt a dual-control process where two individuals would be needed to sign off on all wire transfer requests. Choice officials had declined the control, despite being warned about the risk of fraudulent wire transfers, the bank noted in a motion seeking a summary dismissal of the lawsuit.
U.S. District Court Judge John Maughmer held that BancorpSouth had indeed implemented commercially reasonable security measures and acted in good faith in handling the wire transfer request.
The judge noted that Choice had been informed about the importance of the dual-control process, but declined to use it. The escrow firm also declined to place a daily transfer limit on wire transfers, despite being informed about the risk of fraud.
“The court finds that the ‘Dual Control’ option offered by [Bancorpsouth] and refused by Choice did indeed meet the prevailing standards for good banking practices,” Maughmer wrote in a 16-page ruling.
This is the second time that BancorpSouth has tried to dismiss the case against it. Last year, the bank claimed that it should not have been sued over the incident because Choice Escrow had signed a contract that included an agreement not to hold BancorpSuth responsible for losses stemming from a failure to use the online services in a secure manner. Maughmer however < href=" http://www.computerworld.com/s/article/9230730/Judge_dismisses_BancorpSouth_ defense_in_online_theft_suit”>threw out that motion.
The decision is the latest involving disputes between banks and commercial customers over losses stemming from fraudulent wire transfers. Over the past few years, cybercriminals have looted tens of millions of dollars from numerous small businesses, municipalities, school districts, and other entities using the same technique.
In almost all cases, the attackers first managed to steal their victims’ banking credentials, then used those credentials to gain access to their accounts to initiate the illegal wire transfers.
Banks have insisted that the thefts occurred only because the victims allowed attackers to gain access to their bank login credentials. Victims like Choice, meanwhile, have blamed the banks for failing to prevent the illegal wire transfers despite what they say should have been obvious red flags.
In a similar dispute last July between Ocean Bank and Patco Construction Company of Maine, a federal appeals court held that the bank had not implemented commercially viable measures to detect and protect against fraudulent wire transfers. A Michigan federal court ruled the same way in 2011 in a case involving Comerica Bank and Experi-Metal, a maker of automobiles parts that was robbed of $560,000 through fraudulent wire transfers.
Maughmer’s ruling in the case was first reported by security blogger Brian Krebs.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar’s RSS feed . His e-mail address is jvijayan@computerworld.com.
.