Account Takeover: Bank Faces Two Suits
How Should Banks React When Suspicious Activity Occurs?
Two lawsuits filed against a California bank in the aftermath of account takeover incidents dating back to 2012 and 2013 raise questions about how banking institutions should respond when suspicious account activity occurs.
One suit filed on behalf of a now-defunct California-based escrow company, Efficient Services Escrow Group, revolves around three suspicious wire transactions approved by Irvine-based First Foundation Bank and sent to Russia and China (see A $1.5MM Fraud Mystery).
Not only were the transactions big - totaling $1.5 million in allegedly fraudulent wires - but in the aftermath, Efficient Services Escrow Group closed after the California Department of Corporations stepped in and froze its activity.
Since then, there has been debate over how and why the bank approved these transactions, and whether insider collusion at the former escrow company could have been to blame.
The other lawsuit, filed by California-based firm Capobianco Law Offices and the firm's owner, Anthony Capobianco, alleges First Foundation should not have approved an $18,000 wire transfer to a Ukrainian account in December 2012.
Attorneys representing the former escrow company say they believe other California businesses banking with First Foundation Bank have suffered similar account takeover losses, and they want them to come forward.
Online banking glitches brought on by First Foundation's transition to a new Internet-banking platform are to blame for the takeovers, attorneys involved in both lawsuits contend. And they allege the bank put customers at risk by not performing due diligence when it came to vendor management.
First Foundation Bank declined to comment about the litigation.
Allegations Against Bank
Derek Wallen, a California attorney who's representing Capobianco and Capobianco's firm in the suit against First Foundation, contends the bank has not acted in good faith, as it's defined by the California Uniform Commercial Code.
"The bank just told him the money was gone and would not be credited back," Wallen says. And the problem was compounded by the fact that the allegedly fraudulent transactions went to a woman in Ukraine who appeared to be affiliated with a mail-order-bride service, he adds.
In the Efficient Escrow Services case, attorneys Julie Rogers and Kim Dincel argue that not only were the bank's security procedures insufficient, but the bank failed to address suspicious activity in a timely manner.
"With other, more diligent banks, their protocol is to shut down their online banking if they get a report that something may have been impacted by a fraudulent transaction," Dincel says. "Banks typically immediately investigate what happened, and that usually happens within 24 hours. But in this case, they never did that."
Ultimately, Efficient Escrow Services had to close its business because of the losses, they argue.
In December 2013, Peter Davidson, a receiver appointed by the California Department of Corporations, sued First Foundation Bank on behalf of Efficient Services Escrow, alleging that the bank had insufficient security procedures in place when cybercriminals hacked the escrow company's bank account.
In February 2014, Rogers and Dincel filed an amended complaint against First Foundation on behalf of Davidson and Efficient Services Escrow.
Dincel says the fact that two suspicious wire transactions going to Russia hit Efficient Escrow's account within a week of each other should have garnered the bank's attention. Efficient Escrow had never sent wires to overseas accounts, he contends.
The Efficient Services Escrow and Capobianco cases against First Foundation Bank raise a number of questions about how to define reasonable security and how banking institutions are expected to react when suspicious account activity occurs, says data security attorney Dan Mitchell, who represented Maine-based PATCO Construction in its high-profile account-takeover dispute with People's United Bank, formerly Ocean Bank (see PATCO Fraud Dispute Settled).
"You have two customers of this bank that allegedly had account takeover problems at the same time," Mitchell says. "It's not normal to have two lawsuits filed against the same bank for account takeover occurring around the same time."
A Complex Turn of Events
In the Efficient Escrow incident, three separate wire transfers conducted between Dec. 17, 2012, and Jan. 30, 2013, were sent to accounts in Russia and China. Yet none of those payments raised a flag until Feb. 22, 2013, when the California Department of Corporations was notified of the losses by a fidelity insurer that was servicing Efficient Escrow at the time.
According to public records, Efficient Services Escrow on Feb. 22, 2013, reported to its fidelity insurer that its trust accounts reflected shortages.
Wallen argues that the bank's transition of its online-banking platform to a new provider is to blame for the losses.
"In the summer of 2012, the bank undertook an extensive conversion of its online banking systems," he says. "After the conversion took place, the online banking system was just fraught with banking technology glitches."
Rogers says the platform conversion was implemented in September 2012, just three months before Efficient Escrow Services' account was drained. And she alleges problems with online-banking performance were evident and reported to the bank then, but the bank failed to sufficiently address those concerns.
"There were a series of issues and complaints after the new online banking platform was in place," she says. "Customers would have to call the bank several times to conduct an online transaction, and there is actual documentation that the bank said it could not deal with the issue right then."
In fact, Rogers claims tokenization used for transaction authentication was even turned off in some cases, sometimes for several months at a time.
But Mitchell warns that in cases such as this, it's too early to jump to any conclusions.
"People can allege a lot in a complaint," he says. "Whether it plays out to be true will be decided by the court."