TRENDING:

Account Takeover: Bank Faces Two Suits

How Should Banks React When Suspicious Activity Occurs? Tracy Kitten (FraudBlogger) • March 31, 2014    
Account Takeover: Bank Faces Two Suits

Two lawsuits filed against a California bank in the aftermath of account takeover incidents dating back to 2012 and 2013 raise questions about how banking institutions should respond when suspicious account activity occurs.

See Also: Forward Facing Fraud Prevention

One suit filed on behalf of a now-defunct California-based escrow company, Efficient Services Escrow Group, revolves around three suspicious wire transactions approved by Irvine-based First Foundation Bank and sent to Russia and China (see A $1.5MM Fraud Mystery).

Not only were the transactions big - totaling $1.5 million in allegedly fraudulent wires - but in the aftermath, Efficient Services Escrow Group closed after the California Department of Corporations stepped in and froze its activity.

Since then, debate has circulated around how and why these transactions were approved by the bank, and whether insider collusion at the former escrow company possibly could have been to blame.

The other lawsuit, filed by California-based firm Capobianco Law Offices and the firm's owner, Anthony Capobianco, alleges First Foundation should not have approved an $18,000 wire transfer to a Ukrainian account in December 2012.

Attorneys representing the former escrow company say they believe other California businesses banking with First Foundation Bank have suffered similar account takeover losses, and they want them to come forward.

Online banking glitches brought on by First Foundation's transition to a new Internet-banking platform are to blame for the takeovers, attorneys involved in both lawsuits contend. And they allege the bank put customers at risk by not performing due diligence when it came to vendor management.

First Foundation Bank declined to comment about the litigation.

Allegations Against Bank

Derek Wallen, a California attorney who's representing Capobianco and Capobianco's firm in the suit against First Foundation, contends the bank has not acted in good faith, as it's defined by the California Uniform Commercial Code.

"The bank just told him the money was gone and would not be credited back," Wallen says. And the problem was compounded by the fact that the allegedly fraudulent transactions went to a woman in Ukraine who appeared to be affiliated with a mail-order-bride service, he adds.

In the Efficient Escrow Services case, attorneys Julie Rogers and Kim Dincel argue that not only were the bank's security procedures insufficient, but the bank failed to address suspicious activity in a timely manner.

"With other, more diligent banks, their protocol is to shut down their online banking if they get a report that something may have been impacted by a fraudulent transaction," Dincel says. "Banks typically immediately investigate what happened, and that usually happens within 24 hours. But in this case, they never did that."

Ultimately, Efficient Escrow Services had to close its business because of the losses, they argue.

Unique Circumstances

In December 2013, Peter Davidson, a receiver appointed by the California Department of Corporations, sued First Foundation Bank on behalf of Efficient Services Escrow, alleging that the bank had insufficient security procedures in place when cybercriminals hacked the escrow company's bank account.

In February 2014, Rogers and Dincel filed an amended complaint against First Foundation on behalf of Davidson and Efficient Services Escrow.

Dincel says the fact that two suspicious wire transactions going to Russia hit Efficient Escrow's account within a week of each other should have garnered the bank's attention. Efficient Escrow had never sent wires to overseas accounts, he contends.

Questions Raised

The Efficient Services Escrow and Capobianco cases against First Foundation Bank raise a number of questions about how to define reasonable security and how banking institutions are expected to react when suspicious account activity occurs, says data security attorney Dan Mitchell, who represented Maine-based PATCO Construction in its high-profile account-takeover dispute with People's United Bank, formerly Ocean Bank (see PATCO Fraud Dispute Settled).

"You have two customers of this bank that allegedly had account takeover problems at the same time," Mitchell says. "It's not normal to have two lawsuits filed against the same bank for account takeover occurring around the same time."

A Complex Turn of Events

In the Efficient Escrow incident, three separate wire transfers conducted between Dec. 17, 2012, and Jan. 30, 2013, were sent to accounts in Russia and China. Yet none of those payments raised a flag until Feb. 22, 2013, when the California Department of Corporations was notified of the losses by a fidelity insurer that was servicing Efficient Escrow at the time.

According to public records, Efficient Services Escrow on Feb. 22, 2013, reported to its fidelity insurer that its trust accounts reflected shortages.

Wallen argues that the bank's transition of its online-banking platform to a new provider is to blame for the losses.

"In the summer of 2012, the bank undertook an extensive conversion of its online banking systems," he says. "After the conversion took place, the online banking system was just fraught with banking technology glitches."

Rogers says platform conversion was implemented in September 2012, just three months before Efficient Escrow Services' account was drained. And he alleges problems with online-banking performance were evident and reported to the bank then, but the bank failed to sufficiently address those concerns.

"There were a series of issues and complaints after the new online banking platform was in place," she says. "Customers would have to call the bank several times to conduct an online transaction, and there is actual documentation that the bank said it could not deal with the issue right then."

In fact, Rogers claims tokenization used for transaction authentication was even turned off in some cases, sometimes for several months at a time.

But Mitchell warns that in cases such as this, it's too early to jump to any conclusions.

"People can allege a lot in a complaint," he says. "Whether it plays out to be true, will be decided by the court."

Previous
Prepaid Cards' Role in Fraud
Next
Sally Beauty: Breach Is Bigger

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



Around the Network

Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.