BankInfoSecurity.com - Information Security News, Regulations, & Education


ACH Fraud Sparks Another Suit

Maine Business Sues Bank After Fraudsters Steal $500,000+
June 1, 2010 - Linda McGlasson, Managing Editor

In another round of bank vs. customer, a Maine business has sued its bank, alleging that the institution failed to prevent fraudulent ACH transactions totaling more than $500,000.

Patco, a Sanford, Maine-based construction company, had its corporate bank account raided over a six-day period last May by cyber thieves who were able to move over $588,000 to dozens of money mules throughout the country.

The business was able to recover only $230,000 of the stolen funds and has sued its bank, Ocean Bank of Portsmouth, NH, for failing to detect and prevent the bogus transfers.

"I told them 'We don't want to sue you; can you at least make up part of the loss?'" says Mark Patterson, co-owner of the business. But he describes the bank's response as "This is your problem. It wasn't our firewall that was penetrated."

When contacted for comment, Ocean Bank spokesperson David Reid declined, citing confidentiality concerns.

This is but the latest example of banks and business customers battling over responsibility for losses resulting from ACH fraud, or corporate account takeover. Most recently, PlainsCapital Bank and Hillary Machinery of Texas settled their lawsuits over a similar dispute.

Bank: 'It's Your Problem'
Patco's complaint, filed in York County, Maine, Superior Court, alleges that Ocean Bank didn't do enough to prevent cyber thieves from moving about $100,000 each day over a period from May 7 to May 13, 2009.


Ocean Bank has 37 branches in New Hampshire and Maine. It is a division of People's United Bank ($20 billion in assets) of Bridgeport, CT.

According to the complaint, cyber thieves were able to take over Patco's online banking credentials and began sending money to people who had never done business with the construction company. This pattern continued every day for a week, with a total of more than $532,000 sent in fraudulent transfers.

Patterson says the company did not discover these transfers until he received notices in his home mail on May 13, 2009, that several of the recent transfers had been rejected. Patterson says the company uses only ACH transactions for payroll and positive pay of certain vendors the company does business with, so he was puzzled. Patco officials say they contacted the bank on the morning of May 14, telling them that the transfers in question were improper, at the same time the cyber thieves were transferring another set of withdrawals totaling $111,963.

Patco's suit is rooted in the Uniform Commercial Code, which requires commercial banks to offer "commercially reasonable" security to protect online customers from fraud. A set of strong authentication guidelines issued by the FFIEC in 2005 sets the bar for banks: a user name and password alone is not enough protection. Instead, the FFIEC recommends that banks use multi-factor authentication to check a customer's credentials. Examples of multi-factor authentication include a user name and password coupled with some other form of authentication, such as a single-use password or code generated by a token held by the customer, or a special code sent via text message to the user's cell phone.

Patco alleges Ocean Bank did not offer any form of token-based authentication, and that its multi-factor approach only asked for the user to enter a second password. For any transfer of more than $1,000, Patco says, Ocean Bank commercial customers initiating ACH transfers are required to answer two "challenge" questions. The complaint states that "because almost every transfer Patco made exceeded the $1,000 threshold, Patco employees had to answer the challenge questions practically every time they initiated a direct deposit payroll via ACH transfer." The company says because the low thresholds meant the challenge questions were used so often, the questions provided little to no additional security and "were effectively no more than extensions of the employee's passwords."

The company also points out in its complaint that even though the bank says it monitors customer online accounts for signs of unauthorized access, all of the fraudulent transfers were initiated from Internet addresses that Patco had never before used to conduct online banking. "Someone at the bank should have seen something was out of the ordinary, even to the extreme opposite of what we'd been doing with ACH transactions," says Patterson. "Security procedures at the bank weren't where they should be."
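As an added illustration (not code from the article or from either bank), here is a minimal customer-profile screen of the kind the complaint describes: it holds ACH transfers that come from a source IP the customer has never used, go to a payee never paid before, or push a known payee far above its historic amount, and flags a batch whose total to never-seen payees exceeds a daily limit. The history, IP addresses, payees, amounts and the limit are all constructed for the example.

```python
from collections import defaultdict
# Constructed sample data (not from the article): a business customer's
# legitimate ACH history and one day's new batch to screen. IPs are from
# the RFC 5737 documentation ranges; payees and amounts are invented.
HISTORY = [
    {"src_ip": "203.0.113.10", "payee": "PAYROLL-BATCH", "amount": 42000.0},
    {"src_ip": "203.0.113.10", "payee": "VENDOR-ACME", "amount": 8500.0},
    {"src_ip": "203.0.113.12", "payee": "PAYROLL-BATCH", "amount": 41500.0},
]
NEW_BATCH = [
    {"src_ip": "203.0.113.10", "payee": "PAYROLL-BATCH", "amount": 42500.0},
    {"src_ip": "198.51.100.77", "payee": "J-SMITH-9921", "amount": 9800.0},
    {"src_ip": "198.51.100.77", "payee": "K-JONES-0412", "amount": 9700.0},
]

def build_profile(history):
    """Summarise what 'normal' looks like for this customer from past transfers."""
    profile = {"ips": set(), "payees": set(), "max_amount": defaultdict(float)}
    for t in history:
        profile["ips"].add(t["src_ip"])
        profile["payees"].add(t["payee"])
        profile["max_amount"][t["payee"]] = max(profile["max_amount"][t["payee"]], t["amount"])
    return profile

def score_transfer(t, profile):
    """List the reasons a single transfer deviates from the customer's pattern."""
    reasons = []
    if t["src_ip"] not in profile["ips"]:
        reasons.append("unseen source IP")
    if t["payee"] not in profile["payees"]:
        reasons.append("payee never paid before")
    elif t["amount"] > 1.5 * profile["max_amount"][t["payee"]]:
        reasons.append("amount far above historic maximum for this payee")
    return reasons

def screen_batch(batch, profile, new_payee_daily_limit):
    """Per-transfer ('release'|'hold', reasons) plus a batch-level flag; 'hold' means confirm out of band."""
    decisions, new_payee_total = [], 0.0
    for t in batch:
        reasons = score_transfer(t, profile)
        if "payee never paid before" in reasons:
            new_payee_total += t["amount"]
        decisions.append(("hold" if reasons else "release", reasons))
    return decisions, new_payee_total > new_payee_daily_limit

if __name__ == "__main__":
    decisions, flagged = screen_batch(NEW_BATCH, build_profile(HISTORY), 15000.0)
    for t, (verdict, why) in zip(NEW_BATCH, decisions):
        print(verdict, t["src_ip"], t["payee"], t["amount"], "; ".join(why))
    print("batch exceeds new-payee daily limit:", flagged)
```

In the constructed batch the routine payroll run is released while the two transfers from a never-seen address to never-seen payees are held, which is exactly the signal the complaint says went unnoticed.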
