Firm Sues Bank over Cyberheist

Suit Claims Lax Security to Blame for Wire Fraud
Firm Sues Bank over Cyberheist

The receiver for the now-defunct California-based Efficient Services Escrow Group is suing its former bank over a $1.5 million account takeover fraud incident that between December 2012 and January 2013 drained the escrow company's account.

See Also: Simplifying Microsoft Azure Deployments with Cloud-Friendly Security

Peter Davidson of the California law firm Ervin, Cohen & Jessup LLP, the appointed receiver for Efficient Services Escrow, alleges First Foundation Bank of California had insufficient security procedures in place when cybercriminals hacked Efficient Services Escrow Group's bank account.

Ultimately, he argues, the bank failed to act in good faith when it approved the fraudulent transactions on Efficient Services Escrow's behalf, according to the lawsuit.

The lawsuit is asking the court to award Efficient Services Escrow $1.1 million that was never recovered.

Davidson and the bank did not immediately reply to requests for comment. The lawsuit was first reported by security blogger Brian Krebs.

Analyzing the Claims

Dan Mitchell, the attorney who represented fraud victim PATCO Construction Inc. in its federal appeal of an account-takeover ruling, says the claims made about the bank's security practices in this case are fuzzy at best.

"It's hard to fathom exactly what is going on here," Mitchell says. "It seems like what they're saying [in the claim] is that the bank said they were going to investigate this in a couple of days and somehow that was fraud and resulted in harm."

But in an addendum to the claim provided by First Foundation, the bank suggests that employees within Efficient Services Escrow were receiving e-mail notifications about all wire transfers that left the escrow company's account. Mitchell says if that was the case, then the escrow company should have alerted the bank about the suspicious activity sooner.

"It still is very odd to me when you look at the dates here," he says. "You have the first transaction Dec. 17 and then two more transactions in January. But it's not until Feb. 22 that the escrow company contacts the bank. It's over a couple of months. Why didn't they see it?"

And the claim's assertion that tokens used to authenticate wire transfers were somehow overridden by the bank is never really explained, Mitchell adds.

"To me, this one, frankly, looks like it doesn't fall into the categories of cases where the bank really fell down on security," he says. "That's just my initial read of it, however."

Mitchell does note that if this case is claiming that tokens used for transactional authentication are not commercially reasonable, that could be "a big deal" in the realm of account takeover.

Three Transactions: $1.5 Million

Three separate wire transfers to accounts in Russia and China totaling $1.5 million drained Efficient Services Escrow's account. Yet none of those payments raised a flag until Feb. 22, 2013, when it was too late for the bank to recover most of the funds, the lawsuit alleges (see A $1.5MM Fraud Mystery).

On Feb. 28, 2013, the California Department of Corporations stepped in and froze the escrow company's activity. Because the company was unable to sufficiently cover the losses, its business closed.

The first fraudulent transfer, sent Dec. 17, 2012, for more than $432,000 was eventually recovered. On Jan. 24 and Jan. 30, 2013, two more fraudulent transfers, each totaling about $563,000, were approved by the bank and completed. Those funds were not recovered.

The Department of Corporations was notified of the losses by Escrow Agents' Fidelity Corp., the fidelity insurer for the independent escrow industry. According to public records, Efficient Services Escrow reported to the EAFC on Feb. 22, 2013, that its trust accounts reflected shortages totaling more than $1.5 million.

At that point, the department launched an investigation and determined that a "cybertheft" was to blame. On Feb. 28, 2013, the department froze the company's escrow activity. In March, it appointed Davidson to be the company's conservator.

In a complaint filed March 7, 2013, by the department against Efficient Services Escrow, it noted that the escrow had previously been cited for lax bookkeeping and record-keeping practices.

The department says the escrow company, at the time the unauthorized wires were sent in January, was not in compliance with state regulations regarding monthly trust account reconciliation.

A regulatory examination conducted in September 2012 also noted that Efficient Services Escrow was not maintaining books and records in accordance with the Escrow Law, according to the complaint.

(Tracy Kitten, executive editor, contributed to this story.)

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network