ACH Fraud Sparks Another Suit

Maine Business Sues Bank After Fraudsters Steal $500,000+
ACH Fraud Sparks Another Suit
In another round of bank vs. customer, a Maine business has sued its bank, alleging that the institution failed to prevent fraudulent ACH transactions totaling more than $500,000.

Patco, a Sanford, Maine-based construction company, had its corporate bank account raided over a six-day period last May by cyber thieves who were able to move over $588,000 to dozens of money mules throughout the country.

The business was able to recover only $230,000 of the stolen funds and has sued its bank, Ocean Bank of Portsmouth, NH, for failing to detect and prevent the bogus transfers.

"I told them 'We don't want to sue you; can you at least make up part of the loss?'" says Mark Patterson, co-owner of the business. But he describes the bank's response as "This is your problem. It wasn't our firewall that was penetrated."

When contacted for comment, Ocean Bank spokesperson David Reid declined, citing confidentiality concerns.

This is but the latest example of banks and business customers battling over responsibility for losses resulting from ACH fraud, or corporate account takeover. Most recently, PlainsCapital Bank and Hillary Machinery of Texas settled their lawsuits over a similar dispute.

Bank: 'It's Your Problem'
Patco's complaint, filed in York County, Maine, Superior Court, alleges that Ocean Bank didn't do enough to prevent cyber thieves from moving about $100,000 each day over a period from May 7 to May 13, 2009.

Ocean Bank has 37 branches in New Hampshire and Maine. It is a division of People's United Bank, ($20 billion in assets) of Bridgeport, CT.

According to the complaint, cyber thieves were able take over Patco's online banking credentials and began sending money to people who had never done business with the construction company. This pattern continued every day for a week, with a total of more than $532,000 sent in fraudulent transfers.

Patterson says the company did not discover these transfers until he received notices in his home mail on May 13, 2009, that several of the recent transfers had been rejected. Patterson says the company uses only ACH transactions for payroll and positive pay of certain vendors the company does business with, so he was puzzled. Patco officials say they contacted the bank on the morning of May 14, telling them that the transfers in question were improper, at the same time the cyber thieves were transferring another set of withdrawals totaling $111,963.

Patco's suit is rooted in the Uniform Commercial Code for commercial banks that says institutions must offer "commercially reasonable" security to protect online customers from fraud. A set of strong authentication guidelines issued by the FFIEC in 2005 sets the bar for banks. Offering a user name and password is not enough protection. Instead, the FFIEC recommends banks use multi-factor authentication methods to check a customer's credentials. Examples of multi-factor authentication include a user name and password coupled with some other form of authentication; a single-use password or code generated by a token held by the customer; or a special code sent via text message to the user's cell phone.

Patco alleges Ocean Bank did not offer any form of token-based authentication, and that its multi-factor approach only asked for the user to enter a second password. For any transfer of more than $1,000, Patco says, Ocean Bank commercial customers initiating ACH transfers are required to answer two "challenge" questions. The complaint states that "because almost every transfer Patco made exceeded the $1,000 threshold, Patco employees had to answer the challenge questions practically every time they initiated a direct deposit payroll via ACH transfer." The company says because the low thresholds meant the challenge questions were used so often, the questions provided little to no additional security and "were effectively no more than extensions of the employee's passwords."

The company also points out in its complaint that even though the bank says it monitors customer online accounts for signs of unauthorized access, all of the fraudulent transfers were initiated from Internet addresses that Patco had never before used to conduct online banking. "Someone at the bank should have seen something was out of the ordinary, even to the extreme opposite of what we'd been doing with ACH transactions," says Patterson. "Security procedures at the bank weren't where they should be."

Days after the company's suit was filed, Patterson says, Ocean Bank told Patco's owners they needed to find another bank to handle their business. "We found another local bank who took our accounts and gave us a line of credit," Patterson says. "The other local banks we talked with during time we were looking for a new bank, all of them had stronger security measures than what Ocean Bank offered."

All online banking transactions done with the company's new bank are authenticated with a six-digit numeric token on top of a username and password.

The judge has not yet set a trial date, but depositions are being taken from Patco and Ocean Bank, says Patterson. Patco's legal team sees the case going to trial in late August, early September.

Trend Escalates
The number of businesses that have reported to law enforcement that they've been hit with this type of criminal attack number more than 205 since 2004, according to the FBI, with a total of $40 million in losses reported.

David Navetta, an attorney specializing in security and privacy law, sees no abatement of the criminals attacking businesses in this method. "These crimes are low risk/high reward," he says. "It often appears that the money is transferred to foreign countries, and there has been little reporting indicating that law enforcement is actually catching anybody."

Navetta sees that these crimes are attractive because of the relatively straight line from A to B for the criminals. "If the thief can access an online banking account with legitimate access, he or she in many cases simply needs to directly transfer money to their accounts (often large sums of money)," he notes. This is in contrast to a crime like identity theft where there are often many more steps to get to the final payout.

Finally, Navetta says it appears that the bad guys have found weaknesses and found a way to exploit them. "They will likely do so until those weaknesses are addressed (either on the bank side and/or the customer side). In fact, more and more bad guys will be trying to get into the game if they perceive these weaknesses to still exist."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network