PlainsCapital Bank, a $4.4 billion bank headquartered in Dallas, has filed suit against Texas-based Hillary Machinery Inc., following a series of incidents that began last November, when cyber thieves made a series of ACH transactions that totaled $801,495 from Hillary Machinery Inc.'s bank account.
The bank was able to retrieve about $600,000 of the money, but when Hillary subsequently sent a letter requesting that the bank refund the remaining $200,000, PlainsCapital responded by filing the lawsuit in U.S. District Court for the Eastern District of Texas. The lawsuit requests that the court certify that PlainsCapital's security was in fact reasonable, and that it processed the wire transfers in good faith. Documents filed with the court allege that the fraudulent transactions were initiated using the defendant's valid online banking credentials.
'Scratching Our Heads'
Hillary Machinery joins a growing list of businesses that have been hit by similar attacks from hackers using the ACH channel to fraudulently move money out of bank accounts.
Troy Owen, Hillary's vice president of sales and marketing, says the company was "hoping to solve this reasonably." Owen says the bank has not produced proof that its network was not breached, and questions the bank's claim that it has two-factor authentication processes in place for online banking.
According to a copy of a Nov. 12 memo between two PlainsCapital employees that was given to Owen, the institution's commercial banking platform requires that each customer not only enter a user name and password, but also register their computer's Internet address by entering a secure access code sent to the e-mail address on file for the customer.
On Nov. 8, according to the memo, secure access code e-mails were sent to a Hillary email address, but that the request came from a computer with an Internet address in Italy. The memo then says the actual wire transfer requests were made from IP addresses in Romania.
Owen says when Hillary Machinery people saw this, "We were all scratching our heads. Because we don't even do international business, let alone have anyone working in Italy or Romania." Owen says no one at Hillary received any of the secure access request emails.
The company is also using a website alert to warn other small businesses about this kind of fraud. "In the cyber world, bank robbers carry keyboards; not guns," the alert says. "And, you will be surprised to learn that not only have banks been alerted by many regulatory agencies, many are still ill-prepared to prevent it, and may not return your money if it's stolen from your account."
Whatever the outcome of this lawsuit, security experts say that institutions and customers alike must increase their vigilance and strength when securing and authorizing online transactions. "There is a need for transaction verification," says Vatsal Sonecha, vice president at TriCipher, a security vendor. "By making an effort to contact the customer before a transaction occurs, banks are protecting themselves from a faulty transaction. There is a need for communicating the details of each transaction, so that customers have the ability to stop a non-authorized fund transfer,"
Fund transfers have the potential for terrible consequences, Vatsal warns. He suggests institutions employ multi-factor authentication and transaction verification, a single-use password sent to a smart phone or mobile device acts as an additional layer of security that customers need.
"As we can see from this case, wire and funds transfers are transactions that can cause quick and devastating results for banks and online bankers," Vatsal says. "Banks need to think about safeguarding the channels that hackers traditionally take to steal sensitive log-in information with strong multi-factor authentication."
Phil Neray, vice president of security strategy for Guardium, an IBM Company, sees the fraudsters winning the battle, as they seem to be targeting the regional banks and community bank commercial customers. "It's a game of catch-up for those institutions that don't have the layered protections and checks and balances across their network," Neray says.