By Dickinson Mackaman Tyler & Hagen PC
The losses keep coming

Friday, May 27, 2016 10:44

(Before It's News)

This blog has previously covered instances of corporate account takeover that have resulted in litigation between account holders and banks. Chelan County, Wash. v. Bank of America Corp., a 2015 case from Washington, provides yet another example of the risk that banks and account holders have from cyberattacks and corporate account takeover.

The case follows what is becoming a familiar pattern. A county hospital in Washington state held several bank accounts at Bank of America. Bank of America offered the hospital the ability to initiate ACH transfers online through an internet banking module.

Over the course of two days, hackers accessed the hospital’s bank accounts through malware installed on a hospital employee’s computer. The hackers used that access to transfer over $1,000,000 out of the hospital’s accounts. When the hospital identified the fraud, it asked Bank of America to reverse the transactions, but only a portion of the funds could be recovered.

According to the court, before an ACH transfer from the hospital’s accounts could occur the following steps had to be completed:

1. The module created a digital fingerprint of each computer that accessed the online module. If the system did not recognize the computer then it would issue a challenge question for the user to answer.
2. A digital certificate was installed on approved computers. Computers without the digital certificate would be denied access.
3. The system would generate a fraud score based on login patterns and would identify high-risk logins for further review.

The parties disputed whether the following security procedures were also required:

1. The system denied transfers if there was a $0 balance in the account.
2. A call-back procedure that required the bank to call the account holder before approving transactions.
3. Transfers could be reversed within 24 hours of authorization if the account holder requested reversal.

Bank of America and the hospital disputed the efficacy of the security procedures outlined above, and which parts of the procedures the parties had actually agreed to implement.
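The controls listed above are worth seeing side by side, because the attack in this case came from malware running on an enrolled hospital computer. What follows is an added example, not code from the original post or from Bank of America's system: a toy Python model of the three undisputed controls (device fingerprint, client certificate, pattern-based fraud score) plus the two disputed pre-transfer controls (zero-balance check and call-back). Every device attribute, scoring weight, threshold and dollar amount below is constructed for illustration. The example shows that a transfer issued by malware on the enrolled workstation satisfies the fingerprint, certificate and fraud-score layers, and is stopped only by a control that cannot be completed from the compromised host, such as the call-back.

```python
"""Added example (not part of the original post): a toy model of the layered
ACH authorization controls described in Chelan County v. Bank of America.
Device attributes, scoring weights, thresholds and amounts are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    user_agent: str
    screen: str
    timezone: str
    has_certificate: bool  # bank-issued client certificate installed (layer 2)

    def fingerprint(self) -> str:
        # Layer 1: stable hash over attributes the online module can observe.
        raw = "|".join([self.user_agent, self.screen, self.timezone])
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


@dataclass
class TransferRequest:
    device: Device
    login_hour: int          # 0-23, local hour of the login
    amount: float
    account_balance: float
    callback_confirmed: bool = False  # set only after an out-of-band call


@dataclass
class Policy:
    enrolled_fingerprints: set
    usual_hours: range        # hours the account holder normally logs in
    fraud_threshold: int = 50
    zero_balance_check: bool = False   # disputed control 1
    callback_required: bool = False    # disputed control 2


def fraud_score(req: TransferRequest, policy: Policy) -> int:
    """Layer 3: crude login-pattern score (hypothetical weights; real scoring
    engines are proprietary). Higher means more suspicious."""
    score = 0
    if req.device.fingerprint() not in policy.enrolled_fingerprints:
        score += 40  # unknown machine
    if req.login_hour not in policy.usual_hours:
        score += 30  # off-hours login
    if req.amount > 0.5 * req.account_balance:
        score += 30  # unusually large share of the balance
    return score


def evaluate(req: TransferRequest, policy: Policy) -> dict:
    """Run every enabled control and report each outcome; the transfer is
    approved only if all of them pass."""
    results = {
        "fingerprint_recognized": req.device.fingerprint() in policy.enrolled_fingerprints,
        "certificate_present": req.device.has_certificate,
        "fraud_score_ok": fraud_score(req, policy) < policy.fraud_threshold,
    }
    if policy.zero_balance_check:
        results["balance_nonzero"] = req.account_balance > 0
    if policy.callback_required:
        results["callback_confirmed"] = req.callback_confirmed
    results["approved"] = all(results.values())
    return results


# Constructed scenario: one enrolled hospital workstation.
WORKSTATION = Device("Mozilla/5.0 (Windows NT 6.1)", "1280x1024", "America/Los_Angeles", True)
UNDISPUTED = Policy({WORKSTATION.fingerprint()}, range(8, 18))
WITH_CALLBACK = Policy({WORKSTATION.fingerprint()}, range(8, 18), callback_required=True)

# Malware on the enrolled workstation submits a transfer during business hours.
MALWARE_REQUEST = TransferRequest(WORKSTATION, login_hour=10,
                                  amount=200_000.0, account_balance=1_500_000.0)

# The same transfer attempted from an unknown machine with no certificate.
FOREIGN_DEVICE = Device("curl/7.0", "0x0", "UTC", False)
FOREIGN_REQUEST = TransferRequest(FOREIGN_DEVICE, login_hour=3,
                                  amount=200_000.0, account_balance=1_500_000.0)

if __name__ == "__main__":
    for label, req in [("malware on enrolled host", MALWARE_REQUEST),
                       ("foreign device", FOREIGN_REQUEST)]:
        print(label, "undisputed controls:", evaluate(req, UNDISPUTED))
        print(label, "with call-back:", evaluate(req, WITH_CALLBACK))
```

The foreign device trips every layer, which is exactly what fingerprinting and certificates are designed for. The request from the enrolled host inherits that host's fingerprint, certificate and normal login pattern, so the three undisputed controls all pass; only a control that is completed outside the compromised machine changes the outcome. That is why the question of which controls the parties had actually agreed to mattered so much in the litigation.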

The dispute in the case centered on whether the hospital and Bank of America had agreed to use a commercially reasonable security procedure to verify the authenticity of ACH transactions submitted through the online system. If the two had agreed to a commercially reasonable procedure, and the bank had followed it in good faith, then the loss fell on the hospital. The hospital vigorously disputed that it had agreed to any procedure that was commercially reasonable.

The court did not decide whether the procedures above were commercially reasonable or not. The court instead required the parties to proceed to trial where the court would resolve the factual disputes, and then rule on the commercial reasonableness of the procedure. After the court’s ruling requiring the case to go to trial the parties settled, so we won’t know whether a court would find the security procedures outlined above commercially reasonable.

Banks have the potential to shift liability for certain fraudulent wire and ACH transfers to account holders. To do so the bank must (1) develop a commercially reasonable security procedure, (2) agree with its account holders to implement it, (3) comply with the procedure for every ACH and wire transfer, and (4) act in good faith when accepting ACH and wire transfer orders from account holders. This blog has covered the recent increase in email ghosting attacks, malvertising, and email phishing attacks. These threats mean attacks like the one in Washington will continue. Banks should review their online money transfer systems and account holder agreements to determine whether they have the option to shift liability to account holders. Otherwise, banks may be forced to reimburse account holders for losses of hundreds of thousands of dollars.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.



Source: http://www.dickinsonlaw.com/2016/05/losses-coming/
