An Oregon agricultural products company is suing its bank to recover nearly a quarter-million dollars stolen in a 2010 cyberheist. The lawsuit is the latest in a series of legal challenges seeking to hold financial institutions more accountable for costly corporate account takeovers tied to cybercrime.
On Sept. 1, 2010, unidentified computer crooks began making unauthorized wire transfers out of the bank accounts belonging to Oregon Hay Products Inc., a hay compressing facility in Boardman, Oregon. In all, the thieves stole $223,500 in three wire transfers of just under $75,000 over a three day period.
According to a complaint filed in Umatilla County Circuit Court, the transfers were sent from Oregon Hay’s checking account at Joseph, Ore. based Community Bank to JSC Astra Bank in Ukraine. Oregon Hay’s lawyers say the company had set a $75,000 daily limit on outgoing wires, so the thieves initiated transfers of $74,800, $74,500 and $74,200 on three consecutive days.
Unfortunately for both parties in this dispute, neither Oregon Hay nor Community Bank detected anything amiss until almost two weeks after the fraud began; on Sept. 14, the victim firm found it was unable to access its accounts online. But by that time, the money was long gone.
Both Oregon Hay and Community Bank declined to be interviewed for this story.
Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations can be held responsible for any losses due to phishing or account takeovers. But as cyberheists have ramped up dramatically over the past several years, a number of victim companies have opted to sue their financial institutions in the hopes of recovering the losses.
Oregon, like most states, has adopted the Uniform Commercial Code, which means that a payment order received by the bank is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer.
In its complaint, Oregon Hay targets Article 4A of the UCC, alleging that Community Bank’s online account security procedures were not commercially reasonable given the sophistication of today’s threats, and that the bank did not accept the fraudulent payment orders in good faith.
The plaintiffs claim that the bank’s security systems did not rise to the level of recommendations issued by banking regulators at the U.S. Federal Financial Institutions Examination Council (FFIEC), which urged the use of multi-factor authentication to verify the identity of users attempting to log in to a financial institution’s online banking software. Multi-factor authentication requires the presentation of two or more of the three authentication factors: something the user knows, such as a password or PIN; something the user has, such as a smart card or one-time token; and something the user is, such as a fingerprint or iris scan.
According to the lawsuit, at the time of the theft Community Bank relied on a Jack Henry product called “Multifactor Premium with Watermark,” which relied on a combination of “device IDs” — a software “cookie” that identifies the user’s computer — and “challenge/response” questions, which attempt to verify a user’s identity by asking him for answers to questions about his personal or financial history.
Lance James, chief scientist at Jersey City, NJ based security firm Vigilant, said Community Bank’s use of secret images and challenge questions did not constitute multi-factor authentication because these approaches are simply multiple solutions from the same authentication category.
James noted that all three fraudulent wires were sent from Internet addresses that the victim firm had never before used. In addition, James said, records show that in the course of their robbery, the thieves made 37 unsuccessful login attempts from five different IP addresses over a six-day period.
“If the ‘IP restriction’ and ‘RSA Blocked Access Setting’ features had been turned on, the individuals using other IP addresses would not have been able to log in to Oregon Hay’s online account with Community Bank, their log in efforts would have been automatically blocked, and Community Bank alerts to such deviations, including the use of different IP addresses,” James wrote in a declaration in support of the plaintiffs filed with the circuit court.
Mark Hargrave, a partner with the law firm Stinson Morrison Heckler in Kansas City, said given the number of these cyberheist cases being brought and the media attention paid to them, the odds of a commercial customer bringing some kind of claim against a financial institution in the wake of a cyberheist are a lot higher than they were just two- to three years ago.
“It’s now much more likely that a business that’s been victimized is going to consider legal action,” Hargrave said.
Hargrave said that judges will look at all relevant cases, whether or not the decision is binding in their jurisdiction.
“Even if it’s not mandatory precedent, these decisions are persuasive because by and large article 4A of the UCC is uniform across the states, and so a court in Georgia looking at one of these cases, for example, is likely to look what other states are doing,” he said. “The definition of what constitutes ‘good faith’ definitely is squishy, it gives the court wide discretion to determine that an action was or was not carried out in good faith. It used to be in the UCC that ‘good faith’ meant you were acting honestly. Now, the courts are asking, ‘In the totality of the circumstances, was the bank treating the customer unfairly or trying to take advantage?’”
A copy of the complaint in this case is available here (PDF).
If you run a small business and manage your company’s accounts online, please take a moment to read my list of recommendations here: Online Banking Best Practices for Businesses.