|
By Cara Garretson
A construction company based in Maine has filed suit against its bank, claiming that its funds were not adequately protected from cybercriminals.
In a Sept. 18 complaint posted on the Washington Post's Web site, Patco Construction Co. says it is seeking a refund, damages, attorneys' fees, related costs and interest from People's United Bank -- also known as Ocean Bank -- after cybercriminals moved $580,000 dollars out of Patco's account without authorization and without the bank flagging the unusual activity.
"This action arises out of Ocean Bank's failure to fulfill one of its most basic obligations, namely to protect its customers' funds against theft," reads the complaint.
From May 8 to May 15, cybercriminals made a series of transfers out of Patco's account using the Automated Clearing House system, according to the complaint. That happened despite the bank's assurances that customer accounts are monitored by "behind the scenes" security systems, which Patco says were not correctly applied to its account, leaving it vulnerable.
Despite any lapses in its security system, Patco maintains that the transfers should have raised eyebrows at the bank, since they were "far larger" than any Patco has made throughout its history with the bank, and were transferred to accounts that Patco had never dealt with before.
"Ocean Bank either never suspected or turned a blind eye to the possibility that these transactions might be fraudulent," reads the complaint.
Making matters worse, Ocean Bank drew on Patco's credit line in order to cover the transactions that more than drained the construction company's account. Ocean Bank asked Patco to repay the credit line with interest.
Patco's claim says that unauthorized persons on May 7 leveraged the user ID and password of an authorized employee to gain access to the Patco account. The standard two challenge questions were asked by Ocean Bank's security system, and were answered correctly, resulting in a $57,000 transfer. A similar process was used on May 11 when $116,000 was transferred from Patco's account.
In both cases, portions of the money were returned to the bank because some of the many accounts that the cybercriminals provided had invalid account numbers. Neither time did the bank investigate, and it sent a standard notice via mail telling Patco that some of its funds had been returned. These transfers were followed by three additional ones of similar dollar amounts.
On May 14, Patco notified Ocean Bank that it hadn't authorized the transfers, stating that they must have been fraudulent. But that notification either didn't reach Ocean Bank in time, or the bank didn't act upon it, as another unauthorized transfer was made the next day.
Ocean Bank was able to block or recover a portion of the funds transferred, leaving Patco's loss at $345,000 plus interest.
Patco's complaint that the bank failed to protect its funds stems from the fact that the bank does not use multi-factor authentication to protect its account; that the trigger for challenge-question authentication is unreasonably low; the bank offered no IP blocking to protect against unauthorized IP addresses making transfers; and the bank didn't detect or prevent the fraudulent activity.
An Ocean Bank spokeswoman told the Washington Post that her firm was aware of the lawsuit but would not discuss it further.
Only registered users can write comments.
Please login or register. |
