Network News

X My Profile
View More Activity

Maine Firm Sues Bank After $588,000 Cyber Heist

A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist.


On Friday, Sanford, Maine based Patco Construction Co. filed suit in York County Superior Court against Ocean Bank, a division of Bridgeport, Conn. based People's United Bank. The lawsuit alleges that Ocean Bank did not do enough to prevent cyber crooks from transferring approximately $588,000 to dozens of co-conspirators throughout the United States over an eight-day period in May.

People's United Bank spokeswoman Valerie Carlson declined to comment for this story, saying the company is aware of the lawsuit but does not discuss pending litigation.

According to the complaint, the fraudulent transfers began on Thursday, May 7, when thieves who had hijacked the company's online banking credentials initiated a series of transfers totaling $56,594 to several individuals that had no prior businesses with Patco. The company alleges that this pattern of fraud continued each day of the following business week, during which time the thieves made additional batches of fraudulent transfers totaling $532,257.

The complaint says the fraud was discovered on May 13, when one of Patco's co-owners went home for the day and found a notice in his mailbox sent from Ocean Bank, stating that several recent transfers had been rejected. The company later determined that the notices were sent only because some of the account numbers to which the perpetrators tried to transfer money turned out to be invalid.

Patco claims that on the morning of May 14, it notified Ocean Bank that the transfers in question were improper, even as another set of fraudulent transfers were going out the door.

"Also that morning, the unknown third parties had initiated a sixth withdrawal of $111,963, and despite Patco's 11:45 a.m. notice of fraudulent activity, the bank did not check the outgoing [transfers] already initiated until it was too late," the complaint alleges.

The complaint says the company has recovered or blocked $243,406 of the fraudulent transfers, but that it is still missing at least $345,000 in stolen funds. In addition, because Patco's available funds in its account were less than the total fraudulent withdrawals, the bank drew $223,237.83 on Patco's line of credit to cover the bogus transfers. Patco claims it has been paying interest on that amount in order to avoid being declared in default on its loans, and as a result, it is seeking recovery of interest paid to date on that line of credit.

Businesses do not have the same legal protections against online banking fraud that consumers enjoy. Consumers generally have 60 days from receiving a bank statement to dispute any fraudulent charges, and in nearly all cases those charges will be reversed. But organizations that experience fraud with their online banking accounts usually lose any money from unauthorized transactions that aren't immediately reported to the bank, and even then there is no guarantee that all or any of the fraudulent transfers will be reversed or halted.

Indeed, Ocean Bank's ebanking and bill payment agreement states that customers who choose to allow these so-called automated clearinghouse (ACH) transactions on their commercial accounts "assume all liability and responsibility to monitor those commercial accounts on a daily basis. In the event that you object to any ACH debit, you agree to notify us of your objection on the same day the debit occurs."

Patco's attorney, Daniel J. Mitchell said the contract his client signed with its bank does not absolve the financial institution of its responsibility to protect customers from fraud.

"The bank says that under the law, it's all our problem, and we disagree," Mitchell said.

Mitchell said commercial banks are governed under the Uniform Commercial Code, which holds that institutions must take "commercially reasonable" steps to protect customers against fraud. For most banks, the bar for what is considered reasonable for online banking authentication was set by a 2005 document issued by the Federal Financial Institutions Examination Council, which concluded that simply requiring customers to enter just a user name and password was inadequate.

Rather, the FFIEC said, banks should employ what's called "multi-factor authentication," which involves requiring the customer to log in with a user name and password in combination with some other form of authentication, such as a single-use password or code generated by a token the customer has in his or her possession, or a special code sent via text message to the customer's mobile phone.

Patco's lawsuit claims the bank failed to offer any form of token-based authentication, and that its multi-factor approach amounted to little more than requiring the entry of yet another password. The company said that for any transfer of more than $1,000, Ocean Bank commercial customers initiating ACH transfers are required to answer two "challenge" questions.

"Because almost every transfer Patco made exceeded the $1,000 threshold, Patco employees had to answer the challenge questions practically every time they initiated a direct deposit payroll via ACH transfer," the company charged in its complaint. "Because the low thresholds meant the challenge questions were used so often, the questions provided little to no additional security and were effectively no more than extensions of the employee's passwords."

In addition, the suit alleges that while the bank represents to clients that it monitors customer online accounts for signs of unauthorized access, all of the fraudulent transfers were initiated from Internet addresses that Patco had never before used to conduct online banking.

"The statute we deal with in Maine is very specific and mentions a whole host of factors that the bank needs to have in place, and in this case we don't think the bank had in place commercially reasonable security procedures," Mitchell said.

This type of online banking fraud once again highlights the critical role of "money mules," willing or unwitting accomplices that are hired via e-mail to help launder the stolen funds. In the attack on Patco's account, Mitchell said the perpetrators sent the fraudulent payments to more than 30 mules around the country.

Potential mules typically are approached via e-mail by would-be employers who claim to have found the recipient's resume on job search Web sites. Recruits usually are told they can make hundreds or thousands of dollars a month working from home helping companies move money.

Mitchell said one of the mules hired to receive money on behalf of the perpetrators was actually another business, called LRS Reyes Inc., in North Carolina. According to the North Carolina Secretary of State database, Cary, N.C. based LRS Reyes operated as a Medicaid reimbursement company until its business license was suspended in 2007.

Security Fix spoke with the owner of that company, Lourdes Reyes, who said her son, Arnold, got involved after he responded to an e-mail from a company in New York that claimed it had found his resume on

"A lady in New York told him he was going to be some project manager of computer people based in Eastern Europe, and that he needed to open up a checking account so that he could expedite some money to those consultants," Mrs. Reyes said. She confirmed that the thieves deposited two payments of just under $13,000 each, into LRS Reyes' business account with a local bank, and that Arnold withdrew the cash and wired it to his employers, as instructed.

"It was all a scam," Lourdes Reyes said. "Please write about this to let other people know about these scams."

A signed copy of the complaint filed by Patco is available
here (PDF).

Further reading:

Data Breach Highlights Role of Money Mules

Cyber Crooks Target Public and Private Schools

Cyber Thieves Steal $447,000 from Wrecking Firm

More Business Banking Victims Speak Out

Clamping Down on the Clampi Trojan

PC Invader Costs Ky. County $415,000

The Growing Threat to Business Banking Online

Tighter Security Urged for Business Banking Online

European Cyber-Gangs Target Small U.S. Firms, Group Says

Clampi Trojan: The Rise of Matryoshka Malware

Just Say No to Work-at-Home Money Mule Scams

By Brian Krebs  |  September 23, 2009; 2:10 PM ET
Categories:  Cyber Justice , Fraud , Small Business Victims  | Tags: $588000 heist, ocean bank, patco  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Issues Stopgap Fix for Windows Flaw
Next: 'Money Mule' Recruitment Network Exposed


That stinks for Patco.

I'll be surprised if they win though. There's the waiver to begin with. Then their argument w/ the UCC is that the bank didn't take extra steps b/c they took the extra step too often by requiring added authentication of $1k transfers?

Plus who should the court be putting the burden on? Should banks be expected to keep track of business's customers? Or should the Patco's CFO take 10 minutes every other day to glance over the checking account activity?

Posted by: Booyah5000 | September 23, 2009 3:32 PM | Report abuse

Ocean Bank's management has absolutely no clue. Given the off-the-shelf tools available today, those goofballs were criminally negligent with Patco's money.

Ocean Bank will end up having to, not only pay Patco back, but explain why they are so incredibly stupid.

It is likely that a person who knew absolutely NOTHING about running a bank, could have done a much better job than Ocean Bank did and not have gotten swindled repeatedly.

Posted by: Heerman532 | September 23, 2009 4:38 PM | Report abuse

Small and Medium sized Banks are often very much behind the times when it comes to security. Also the more cumbersome the log in the higher the likelihood that the customer will go to another bank. The Bank security department and IT department should have known that their log in was ineffective and should have forced some sort of process that made the customer change passwords or provide a token.

Also, the concept of cross checking transfers to accounts that have never been transferred to in the past and flagging them if an abnormal number of transfers to new accounts are made that are in excess of X dollars is not rocket science.

The failure is on the bank because obvious measures could have been taken at a reasonable cost with common IT Security and Systems knowledge.

Last but not least it is very bad branding for a bank to tell customers that they need to check their account every day to make sure that they have not been victims of theft. And if someone does steal money from your commercial account, well... Your up a creek.

Posted by: rcc_2000 | September 23, 2009 5:03 PM | Report abuse

1. Patco has a real case here. Although they signed a waiver, my understanding is that Ocean Bank can not exempt itself from legal obligations via contractual agreements. Caveat: IANAL.

2. "LRS Reyes operated as a Medicaid reimbursement company." So basically, these folks were scammed into operating one kind of late-night infommercial useless business idea, and when that collapsed, they allowed themselves to get suckered into an even more disreputable operation. Word to the Reyes family: Flipping burgers or mopping floors may not pay well or be glamorous, but at least you can say you have do honest work and get a steady paycheck.

Posted by: conspirator5 | September 23, 2009 10:24 PM | Report abuse

It strikes me as being odd that a bank has no fraud detection department that would block suspicious fund transfers based on a company's transaction history.

A few years ago, I received a call on my cell phone from MBNA about a suspicious transaction taking place on line at Best Buy for about $3500. I notified the CS representative that it was not me making that purchase and it was concluded that my account information had be compromised, the transaction canceled, and the account was promptly closed and a new card was reissued.

How hard would it be for a bank to upgrade its security measures?

Posted by: cobollives | September 24, 2009 9:37 AM | Report abuse

Patco Construction Co needs to institute some controls in their accounting dept. First order of business is to find a reputable bank and set up controls on all electronic money transfers with bank notification set for amounts over a certain minimum. Second order of business is to settle previous day financial activity, identifying every transaction, on a daily basis. This fraud started May 7th and wasn't discovered until May 13th. Ridiculous!

Posted by: featherstep1 | September 24, 2009 10:09 AM | Report abuse

Bruce Schneier has written extensively about security. His position is that the responsibility for security properly belongs to the party which has control over security.

Patco may have been able to take some steps to make their account more secure, but Ocean Bank had a lot more control, including the ability to implement the sort of validation procedures that keep online credit card transactions secure.

Posted by: charles_lembke | September 24, 2009 10:34 AM | Report abuse

Me thinks that Ocean bank is up to its neck in salt water in this case.

This is perhaps the 'flip side' of doing business with a local bank of excellent reputation [that is presumed here] and perhaps more secure lending practices than National banks.

While a precedent here would be helpful as to what minimal security efforts are required by ALL BANKS, be they large or small, there appears to be at least one instance of clear negligence set forth regarding the final transactions.

NOW IF THIS CASE GETS SETTLED, no precedent will result.

Posted by: | September 24, 2009 2:23 PM | Report abuse

Brian - Great thanks to you for exposing the extent of the cybercrime problem.

Ocean Bank is not the first bank that I've seen mistake two-layers of single-factor authentication with multifactor authentication. Like the protest song from the '60s: "When will they ever learn."

Even when banks are following commercially reasonable practices [like true multifactor authentication] that may not be sufficient. An attorney colleague and I wrote about this way back in 2005 in an article entitled "An Emerging Information Security Minimum Standard of Due Care." In that paper we discuss a well-known 1932 case - T. J. Hooper v. Northern Barge - in which Judge Learned Hand wrote: "in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure ... there are precautions so imperative that even their universal disregard will not excuse their omission." (The paper is available from our website or our blog

Keep up your good work.

Cheers - Stan Stahl

Posted by: stan-at-citadel-information | September 25, 2009 2:37 PM | Report abuse

All banks should be offering a hardware authentication method whereby a device generates a code based on an algorithm that is synced with the bank's computer systems. The algorithm generates a code that changes every 30-60 seconds. This guarantees that any keyboard logging device is ineffective. It is not full proof against attacks- for that you have to stop using Microsoft Windows- and other Microsoft products. If it can be shown that the business owners computers were compromised I think it absolves the bank of responsibility for the fraud. However- the bank should still be held responsible for inadequate security. The amount of money the bank should have to forfeit should be just significant enough to force change. It should not be so small that the bank would write it off as a cost of doing business.

Posted by: joeyweed | September 27, 2009 6:07 PM | Report abuse

For anybody wondering what alternatives to Microsoft Windows exist you can look at Apple's Mac platform or GNU/Linux. Dell sells Ubuntu computers as well as a number of other companies. Ubuntu is a version of GNU/Linux. Some of the other companies that sell GNU/Linux systems are: System76, ThinkPenguin, and LinuxCertified. Pretty much everybody who is anybody supports GNU/Linux and Ubuntu in some capacity. HP, Sun, Dell, Adobe, IBM, amongst others. GNU/Linux is pretty much the only real solution to the problem that is practical. Apple uses many of the same tactics as Microsoft- so relying on that one company in the long term is a really dumb move.

Posted by: joeyweed | September 27, 2009 6:13 PM | Report abuse

While I agree there should be some balancing of customer and business responsibilities that are often skewed by regulation, lets agree on some facts.
First, in this article, the author contends that the FFIEC guidance of 2005 requires the use of (sic) "multi-factor authentication". This is inaccurate if someone cares to read it (see pg. 2 of the FFIEC guidance memo). The guidance only offers multifactor as a possible risk mitigating alternative.
Secondly, there are those clamoring for hardware solutions in the posts. Not only is this extremely costly, but most of those individuals would be up in arms if they couldn't access their accounts due to misplaced/broken devices. Many don't even appreciate that one time passwords and similar solutions don't make keylogging ineffective as they can be stolen and used before the customer in automated attacks.
Understandably, banks need to have fraud prevention and other control measures in place (e.g. holds on new ACH instructions), but they also understand that in most situations convenience trumps security in the minds of consumers. In those circumstances where businesses including banks optionally offer higher levels of authentication such as tokens, the adoption rate by customers is ridiculously low. This results in businesses not wanting to "security" themselves out of the market.

Posted by: my-two-cents | September 28, 2009 8:56 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company