Settlement Reached in ACH Fraud Case California Escrow Company and Bank Agree to Terms

A lingering legal dispute over a corporate account takeover incident at an escrow company in California has finally come to a close.

See Also: Cyber Weapons of 2015: Know Your Enemy (Because They Know You)

Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers, has reached a settlement with the bank for an undisclosed amount, says Michelle Marsico, Village View's owner and president.

As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from the account, plus interest, the company says in a statement.

More details about the settlement are expected to be issued in coming weeks.

"While we remain confident in the strength of our legal position, we entered into the settlement agreement to bring this matter to a conclusion and to focus all our energy on our business," Marsico says in the statement. "With this settlement, we can now put the litigation behind us and move forward with a clear conscience that we did everything we could to correct this situation."

The case dates back to 2011, when Village View sued the bank for reimbursement of direct financial losses suffered from the attack as well as damages. In the complaint, Village View also requested reimbursement of maintenance and service fees it paid to the bank between 2008 and 2010.

Investigations conducted by the California Department of Corporations, the Federal Deposit Insurance Corp. and the Redondo, Calif., Police Department, determined that Village View Escrow played no role in the cybertheft it suffered and took all necessary precautions to avoid the losses, according to the statement.

The Case Premise

At its core, Village View's suit raised questions about "good faith," reasonable security and Professional Business Bank's compliance with existing FFIEC authentication guidelines.

The complaint alleged that Professional Business Bank failed to have procedures in place for the recovery of stolen funds, in essence ignoring "numerous warnings from the FFIEC and the FDIC of the prevalence of" online attacks and incidents of corporate account takeover.

Hackers broke into Village View's network, but Village view now says it was never determined whether that access led to the theft of Village View's bank credentials. However the hackers gained access to the network, once in, they successfully scheduled and sent 26 consecutive wire transfers out of the country. Dual controls were not used by the business, but an e-mail verification service offered by Professional Business Bank was successfully disabled by the criminals. Village View says the bank only offered single-factor authentication.

When the hackers disabled the bank's e-mail notification service, an alert should have automatically been generated and sent to the bank's department responsible for applications and systems maintenance, Village View contended.

Two similar cases, PATCO Construction Inc. vs. Ocean Bank and Experi-Metal Inc. vs. Comerica Bank, raised questions about liability and reasonable security, yet each resulted in a different verdict.

In 2010, PATCO sued Ocean Bank for the more than $500,000 it lost in May 2009, after its commercial bank account with Ocean Bank was taken over. PATCO argued that Ocean Bank was not complying with existing FFIEC requirements for multifactor authentication when it relied solely on log-in and password credentials to verify transactions.

Last year, a District Court magistrate found the bank met legal requirements for multifactor authentication and dismissed the suit.

In December 2009, EMI sued Comerica after more than $550,000 in fraudulent wire transfers left EMI's account.

In the EMI ruling, the court found that Comerica should have identified and disallowed the fraudulent transactions, based on EMI's history, which had been limited to transactions with a select group of domestic entities. The court also noted that Comerica's knowledge of phishing attempts aimed at its clients should have caused the bank to be more cautious.

In the ruling, the court required Comerica to reimburse EMI for the more than $560,000 it lost after the bank approved the fraudulent wire transfers.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.





Around the Network