Inside the Comerica/Experi-Metal Case

Court Filings Offer New Details on Customer vs. Bank Lawsuit

By Linda McGlasson, July 19, 2010.

In just a matter of hours on Jan. 22, 2009, Experi-Metal Inc., a Michigan manufacturer, saw $1,901,269 pilfered from its Comerica Bank commercial account by fraudsters who systematically transferred the funds to accounts in Russia, Estonia and elsewhere. In response to this fraudulent activity, Dallas-based Comerica was able to freeze the account, recall some of the wire transfers and recover all but $560,000 of Experi-Metal's money.

These are the facts that nobody disputes in the Experi-Metal vs. Comerica legal battle over responsibility for the fraud losses.

But beyond those basic facts, there is little agreement in this case, which now seems headed for a courtroom showdown over who is responsible for the remaining fraud losses. A close examination of court documents, in fact, sheds new light on the events of this case and where the bank and its customer differ most on the question of "What is reasonable security?"

Timeline: What Happened

Judge Patrick Duggan of Michigan's Eastern District Court in Detroit recently rejected Comerica's motion for summary judgment in this case. In reviewing Duggan's 16-page opinion, this timeline emerges:

Experi-Metal, or EMI, began banking with Comerica upon incorporating in September 2000. It entered into agreements with Comerica to permit the business to access its bank accounts via the Internet using Comerica's online banking system.

In November 2003, EMI's President, Valiena Allison, signed an agreement with Comerica to send payment orders or receive incoming funds transfers using Comerica's NetVision Wire Transfer Service. The business did not sign up for the dual control feature that Comerica offered on wire transfers.

From 2001 until May 2008, Comerica employed a security process known as digital certificates for its wire transfer service. Users had to routinely renew these digital certificates in order to initiate monetary transfers for their accounts. To do this, Comerica sent emails to users and made them click on a link in the email. Once on the linked website, users were required to log in and enter certain information to obtain the renewal of the digital certificate.

In April 2008, Comerica notified the administrators for all online banking accounts that, though it still would be providing online banking services through TM Connect Web, it was switching its security process from digital certificates to secure token technology. Comerica then sent account administrators a list of the users for their accounts who had been active for the last six months, user IDs, and a secure token for each user. Comerica asked account administrators to notify Comerica if the registration for any user should be removed. EMI received this information from Comerica on April 25, 2008.

On January 22, 2009, Keith Maslowski, EMI's controller, received an email purporting to be from Comerica. Maslowski says the email was similar to previous emails that he got from Comerica, prompting him to renew EMI's digital certificates. As in previous emails sent by Comerica, he was directed to click on a link specified in the email. After clicking on the link, he was diverted to a website that appeared to be a Comerica website. He was then prompted to log in and enter his confidential customer ID number and password and EMI's confidential customer ID number and password. When he did this, he unknowingly gave an unauthorized third party access to EMI's account through Comerica's wire transfer service. This third party then began transferring funds out of EMI's account to various accounts in Russia, Estonia, Scotland, Finland, and China, as well as to U.S.-based accounts.

A total of 47 wire transfers were initiated from EMI's account between 7:30 a.m. and 10:50 a.m. on January 22, 2009. Sometime between 11:39 a.m. and 12:04 p.m., Comerica's wire transfer room called its Treasury Management Relationship Center regarding the activity in EMI's account. A representative of Comerica's Treasury Management Services reviewed the activity, and then called EMI at approximately 12:05 p.m. EMI's president informed Comerica that EMI had not made any wire transfers that day and instructed the bank that it should not honor any requested wire transfers or other transfers until further notice.

After speaking with EMI, Comerica immediately notified its wire transfer room and asked that all wires out of EMI's account be recalled and future wires stopped.
