Yet Another Bank Sued By A Small Business For Fraudulent Hacker Transfers
According to Village View, Professional Business Bank says bank responsible for $465K loss to hackers, plus fees and damages suffered in online account breach
Jul 19, 2011 | 10:34 PM | 1 Comments
By Ericka Chickowski, Contributing Writer
A new court case brought to bear against Professional Business Bank by Village View Escrow Inc. continued the battle waged over who's to blame for hacking attacks that leave small business accounts drained following online password theft. Filed in late June in the California Superior Court in Los Angeles, the case is the latest in a string of suits filed in U.S courts by small businesses who believe their banks are to blame for failing to properly protect their accounts from predatory hackers.
Village View's lawyers say the bank should be on the hook for $465,000 siphoned off by hackers in March 2010, plus bank fees and damages incurred by the loss. Village View told the court that Professional Business Bank led it to believe that the institution employed safe online banking practices when signed with the bank in 2008.
"Prior to entering into a banking relationship and contract with Professional Business Bank, Village View Escrow was not informed of any unsafe and unsound business practices employed by the bank," the complain read, claiming that the fraudulent account transfers incurred by hackers were caused by the bank's failure to "employ a commercially reasonable security system" and to "accept funds transfers orders in good faith and in compliance with the security procedures selected by Village View Escrow."
It's a scenario that's played itself out many times over the last several years, says George Tubin, analyst for Tower Group. He estimates that small businesses have lost $250 million due to similar attacks over the last few years and says the banks in charge of securing those accounts are skirting legal responsibility due to the inadequacies of the “Authentication in an Internet Banking Environment" guidance released by the Federal Financial Institutions Examination Council (FFIEC) in 2005.
Though best practices in these times of increasingly sophisticated attacks would dictate that a bank acting in good faith apply fraud detection and anomaly detection software, the old FFIEC guidance only recommends outdated two-factor authentication technologies that can easily be gamed by hackers today. Many financial institutions have been skating by on the letter of the law and very often they get away with it because small business owners don't know how to ask their banks about Internet security practices.
"I've always believed it's incumbent upon those banks to put those protections in place, [but] they can do a bare minimum and get by," Tubin says. "Ideally, a small business would be able to go in and ask their bank what kind of security procedures they have. Knowing that if fraud does occur, it's probably going to be contentious as to who's liable. Because of that, you should know what's in place. Unfortunately, most small businesses aren't very conversant in Internet technology and fraud detection technology -- and they shouldn't be. They're in business to run their business."
Nevertheless, Tubin reports that in most instances where bank practices left SMB accounts open to fraud, the small business are only able to settle out of court for pennies on the dollar for money that was stolen. In other cases lawsuit complaints never even go to trial.
Take the suit lodged by PATCO Construction company against Oceans Bank, which was thrown out of court before going to trial. PATCO lost $500,000 from its Oceans Bank commercial account in 2009 after a malware attack made away with its authentication credentials, but the judge ruled that Oceans was following FFIEC protocol.
"The bank can claim that they relied on the FFIEC guidance and a large percentage of the market can claim the same thing:that they looked at the guidance and followed it," says Terry Austin, CEO of fraud detection company Guardian Analytics. "And they're right; the 2005 guidance was not nearly specific enough and it's woefully out of date."
For its part, though, the FFIEC guidance defense may not hold water for long. The banking authority recently announced tightened regulations, effective January 1, 2012, that will require banks to use anomaly detection software and risk management best practices.
For those hit by fraudsters before then, though, the tide of legal precedence may be changing in favor of SMBs, if a recent case between Experi-Metal Inc. and Comerica Bank is any indication. Experi-Metal sued Comerica for over $550,000 in fraudulent wire transfers that it says the bank should have disallowed if it had been scrupulous about looking for anomalous behavior on the account.
"The latest case, the Experi-Metal versus Comerica was the first time we've seen that a SMB has won against their bank. If you read the bench opinion, essentially they are saying that there are two aspects of this: did you have commercially reasonably security in place and did you act in good faith?" Tubin says. "They were fine on the reasonable security, but [the court] felt they didn't act in good faith because they weren't looking for anomalies. The bank didn't spot that Experi-Metal was doing things [with the account] that they typically never do."
If the judge in Village View's case takes the argument of good faith seriously, the escrow company could have a good chance of winning--especially if Village View's claims that its bank didn't even live up to the FFIEC's outdated requirement for two-factor authentication stand up in court. What's more, Village View says that the bank also failed to tell it that the institution had suffered a third-party hacking attack a month before the fraudulent transfers, and had the escrow company known about the attack, it would have taken additional protective measures.
AI
