A Michigan-based metal supply company is suing Comerica Bank, claiming that the bank exposed its customers to phishing attacks.
A lawsuit filed by Experi-Metal Inc. (EMI) in Sterling Heights, MI alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank's security software. EMI says even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures.
EMI contends that Comerica's actions opened its online bank account to a successful phishing attack where more than $550,000 was stolen from the company's bank accounts and sent overseas.
News of this suit comes days after news of another Dallas-based bank, PlainsCapital Bank, suing one of its customers in a dispute over a similar hack.
EMI is but one of many companies across the U.S. being targeted by hackers in this fashion. The crimes have become so numerous that federal banking regulator FDIC issued a warning about this form of fraud.
EMI vs. Comerica
The complaint filed by EMI in December in a Michigan circuit court states that for many years Comerica used digital certificates for authenticating online banking. Once a year from 2000 to 2008, the suit alleges, Comerica sent emails to EMI and other bank customers instructing them to click on a link in the email, and then log in at the resulting website in order to renew the Comerica digital certificate.
Then, in 2008, Comerica began telling its customers to adopt a different security solution -- a security token to use along with user names and passwords. The tokens would generate a random set of numbers to be entered with the customer's user name and password to access the online bank account.
The suit claims that on January 22, 2009, an EMI employee opened and clicked on links within a phishing email that said it was from Comerica. The email duped the employee into believing the bank needed to update its banking software. It gave instructions to the EMI employee to log in at a linked website that mimicked Comerica's online banking site. The EMI employee provided the site with the company's online banking credentials, as well as the code generated by the bank's security token.
The phishers began to quickly move money out of EMI's account. Between 7:30 a.m. and 10:50 a.m. the same day, the phishers made 47 wire transfers to various accounts in Russia, Estonia, Scotland, Finland, China, as well as domestic accounts from which funds were quickly disbursed or withdrawn.
The bank's response says that the EMI credentials were used to initiate the wire transfers and were valid, and the phishing website the employee went to would have been discovered as fake, "to any reasonably alert person who was responsible for safeguarding EMI's financial records and digital credentials."
The bank also says its online security approach was reasonable "because they were in general used by other similarly situated customers of other banks."
There should be a loss share between the bank and the customer. The customer should be held responsible for being phished. The bank's security best practices were weak at best, sending links for security updates and allowing 47 wires in 3 hours??

I agree that this should have been halted in the wire department!

The banks will ultimately come to be held responsible if they keep acting as Comerica is reported to be acting. This clearly is a case of the blind leading the blind. There are very few true MFA applications for online banking out there. Just because they (and other banks) use poor MFA and other weak information security procedures does not make it reasonable or secure.

The leading legal text on privacy & security is "Proskauer on Privacy". A reasonably thorough read will indicate there are many more of these suits to come. I agree with the final poster -- lack of stewardship on the part of both parties facilitated the incident.
It won't be long before some of these suits specifically name executive management, consultants and vended relationships, as their outsourced business arrangements have created an environment of shirked responsibilities and have enabled the rapid adoption of xml-based technologies on unfounded measures of security, productivity and reliability.
By and large, institutions are paying way too much for unneeded application complexity. I keep waiting to see improvements in the contract/purchase process where price is less the subject and what/how comprises more of the agreements.

This is the huge dilemma that we have created with technology. Who takes the hit when it goes bad? While I agree that banks bear a responsibility to make things as secure as they can, I also think that each individual user of this technology bears an equal amount of responsibility. Everyone wants the convenience that technology offers, but no one wants to take the risks. Doesn't that seem to be the problem, charge full speed ahead, and if I have a problem it surely must be someone else's responsibility to bail me out?
We can go ahead and tighten security on this stuff to the point that there is no risk to anyone. The problem is that it will no longer be functional. So, what do you want: convenience or absolute security and no responsibility for failure?

The banks. They are acting with such indifference as far as customers being hurt by ID theft. I was and am a victim and I was told by a fraud investigator that they deny 9 out of 10 fraud affidavits. The reason, she said, is that 9 out of 10 people just don't want to pay their bill. I feel so strongly that my money would have been safer under my bed!!!

I am curious - what is the precedent, or is there one yet for this? Both parties hold various types of responsibility here, but the legal responsibility and thus the decision in this case, I'd assume, will be set by precedent.

Transferring $550,000 via 47 wire transfers to various accounts in Russia, Estonia, Scotland, Finland, China, as well as domestic accounts in a little over 3 hours... This should have easily been flagged as aberrant behavior to the staff at Comerica that allowed the transfers. Large wire transfers should be validated, especially if not in the customer's history. Multiple wire transfers in one day should be validated. Wire transfers offshore to new locations not in the member's history.
Should have been discovered as fake, to any reasonably alert person, who was responsible for safeguarding Comerica's financial accounts. The wire transfer department was asleep at the wheel.

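The wire-transfer checks the commenter above describes (many wires in a short window, offshore destinations not in the customer's history) run over a burst shaped like the one the article reports, as an added Python example that is not part of the original article or any comment. The log format, the customer's baseline countries and every threshold are constructed assumptions, not Comerica's actual controls.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed customer baseline and policy thresholds (constructed for this example).
KNOWN_COUNTRIES = {"US", "CA"}        # destinations seen in the customer's wire history
MAX_WIRES_PER_WINDOW = 5              # more wires than this inside one window is anomalous
MAX_WINDOW_AMOUNT = 100_000.00        # cumulative dollars allowed inside one window
WINDOW = timedelta(hours=3)

def parse_wire(line):
    """Parse one constructed log line: 'ISO-timestamp,amount,dest_country'."""
    ts, amount, country = line.strip().split(",")
    return datetime.fromisoformat(ts), float(amount), country

def evaluate(lines, known=KNOWN_COUNTRIES, max_per_window=MAX_WIRES_PER_WINDOW,
             max_window_amount=MAX_WINDOW_AMOUNT, window=WINDOW):
    """Return one record per wire: (index, timestamp, list of reasons it was flagged)."""
    wires = sorted((parse_wire(l) for l in lines), key=lambda w: w[0])
    recent, out = [], []                      # recent: (timestamp, amount) inside the window
    for i, (ts, amount, country) in enumerate(wires):
        reasons = []
        if country not in known:
            reasons.append("new_destination_country")   # offshore / never-used destination
        recent = [(t, a) for t, a in recent if ts - t <= window] + [(ts, amount)]
        if len(recent) > max_per_window:
            reasons.append("velocity")                   # too many wires in the window
        if sum(a for _, a in recent) > max_window_amount:
            reasons.append("window_amount")              # too many dollars in the window
        out.append((i, ts, reasons))
    return out

def sample_burst():
    """Constructed burst modelled on the suit: 47 wires spread over 07:30 to 10:50
    on 2009-01-22, to the countries named in the article plus domestic accounts."""
    countries = ["RU", "EE", "GB", "FI", "CN", "US"]
    start = datetime(2009, 1, 22, 7, 30)
    step = timedelta(minutes=200) / 46        # 47 wires across 3h20m
    return [f"{(start + step * i).isoformat()},11700.00,{countries[i % 6]}" for i in range(47)]

def summarize(records):
    """Count flags by reason and find the first wire that tripped the velocity rule."""
    counts = Counter(r for _, _, rs in records for r in rs)
    first_velocity = next((i for i, _, rs in records if "velocity" in rs), None)
    return counts, first_velocity

if __name__ == "__main__":
    counts, first = summarize(evaluate(sample_burst()))
    print(dict(counts), "first velocity flag at wire index", first)
```

Under these assumed thresholds the velocity rule trips on the sixth wire, roughly twenty minutes into the burst, long before the 47th transfer leaves.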
Email contact containing links to bank websites is just a non-starter. If Comerica has used this method of contacting customers in the past it bears at least partial responsibility for the loss.

You cannot hold the bank at fault for this--they provided reasonable security measures (tokens) and are meeting their regulatory responsibility. If the customer chooses to leap before they look and provide information that was not needed, that is their fault. This is similar to a person getting into a car accident and blaming the manufacturer because the driver chose to drive recklessly without their seat belt. I would bet that the bank likely sent out notices to its customers that they would never ask for that information.

I would question the bank's fraud detection mechanisms on this one. Was this a normal set of transactions for EMI? If not, then the fraud detection processes should have alerted the customer and frozen the transfers.
I strongly suspect sloppiness on the part of both EMI and Comerica. EMI may not have a strong awareness program. Comerica should not rely on 'other banks are doing it' as an excuse for poor security practices in the past. Legitimate online transactions should have required EMI's 2FA to complete; if it did not, then as far as I am concerned the bank is liable for not requiring stronger authentication.
Don't even get me started on the 'cute little picture and passphrase' slop that is being pawned off as 2FA. It isn't.