Network News

X My Profile
View More Activity

La. firm sues Capital One after losing thousands in online bank fraud

An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year.

In August, Security Fix wrote about the plight of Baton Rouge-based JM Test Systems, an electronics testing firm that in February lost more than $97,000 from two separate unauthorized bank transfers a week apart.

According to JM Test, Capital One has denied any responsibility for the losses. On Friday, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches.

"Capital One was not willing to make good on our losses or attempt any type of settlement," said Happy McKnight, JM Test's controller. "The banks are clearly taking a 'Hey, don't look at me!' stance. It is so sad to wonder how many business failures this type of fraud has caused."

Capital One declined to comment for this story.

The lawsuit is the latest to challenge whether banks are doing enough to help customers prevent losses when a virus infection, phishing attack or hacker break-in jeopardizes a company's online banking credentials, said David Johnson, a digital media lawyer with the Los Angeles law firm Jeffer Mangels Butler & Marmaro LLP.

Johnson said that under the Uniform Commercial Code, banks generally are required to maintain "commercially reasonable" methods of providing security against unauthorized payment orders." But he said just what constitutes "commercially reasonable" security practices has only recently been challenged, citing a recent court case in Illinois expected to go to trial soon in which a couple is suing their bank over $26,500 lost when cyber thieves stole the user name and password needed to access their home equity line of credit.

"The banks try to limit their responsibility by saying that customers have to monitor their accounts and notify the bank immediately if there is some kind of suspicious transfer," Johnson said. "And it's very rare that businesses are going to be that diligent in reviewing their online accounts."

For its part, JM Test maintains that it alerted Capital One to the fraud on the same day as the fraudulent activity, and that the bank still failed to stop the fraud. The plaintiffs charge that Capital One violated its own online banking terms and conditions, which it said provide that once a Capitol One customer calls to report fraudulent activity, Capital One will close the affected customer's existing account to prevent further unauthorized charges.

According to court documents, on Feb. 20, 2009 JM Test discovered that an unauthorized $45,640 wire transfer had been made against its account to an account at Alpha-Bank in Moscow. JM Test claims that it alerted Capital One by telephone of the fraudulent wire transfer that same day, and that the bank said it would investigate.

JM Test alleges that five days later, Capital One issued it a new user name and password. But then on March 2, the company found that thieves had broken into its online bank account yet again, this time initiating a batch of unauthorized payroll payments totaling $51,556.44. The money was sent to at least five different money mules, individuals who the attackers had apparently hired via online job Web sites to receive the transfers and then wire them out of the country.

The lawsuit further states that neither of the fraudulent transfers was initiated from an Internet address that JM Test had used previously to conduct online banking. In addition, court documents state that Capitol One advised JM Test on March 3 that it had blocked JM Test's account, and that March 4 was the first day that it was contacted by a fraud investigator for the bank.

Businesses do not have the same legal protections against online banking fraud that consumers enjoy. Consumers generally have 60 days from receiving a bank statement to dispute any fraudulent charges, and typically those charges will be reversed. But organizations that experience fraud with their online banking accounts usually lose any money from unauthorized transactions that aren't immediately reported to the bank, and even then there is no guarantee that all or any of the fraudulent transfers will be reversed or halted.

Cases such as JM Test's may become more common. Many of the more than six dozen companies that I have interviewed over the past six months, and who have been vicitims of similiar fraud, said they are weighing whether to sue their banks. In September, Security Fix publicized the case of Patco Construction, a firm in Maine that sued its bank after thieves stole the company's online banking credentials and used them to transfer at least $588,000 to dozens of money mules throughout the United States.

"The banks cannot let this situation go on or people will start to lose confidence in them." Johnson said. "If people start thinking they can lose real money when they deposit their money into the bank...that becomes a real business issue. If they're going to survive, the banks are going to have to crack down on this type of fraud and stop it, and I think they know this."

A copy of the petition filed with the Louisiana court is available here.

I should note that I finally got around to creating a separate category -- Small Business Victims -- that tracks this series of stories I've been writing about small businesses hit by cyber fraud. This piece marks the 25th story in that series.

By Brian Krebs  |  December 7, 2009; 4:15 PM ET
Categories:  Small Business Victims  | Tags: ach fraud, jm test  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Phishers angling for Web site administrators
Next: Security Fix author named 'cybercrime hero'


It seems like someone could intentionally infect a machine, and then feed special blocked bank accounts to it - sort of like a honeypot, I guess. The objective is that ultimately the authorities could identify many of the money mules, and they could be warned about the true nature of their activities..

Posted by: jackrussell252521 | December 7, 2009 7:41 PM | Report abuse

It's time to give small businesses the same rights as individuals when dealing with banks.
I am the sole proprietor of a small firm, and I am forced to watch my business checking daily... even when I'm on vacation or celebrating a holiday. I deserve the same rights as any individual account holder.

Posted by: williehorton | December 7, 2009 7:49 PM | Report abuse

Bank Robbery is bank robbery, even if it's one account at a time. Dig out some old statutes (circa 1850) and explain to Capitol One that they are self-insured. They delay and the interest mounts.

If an Airline sells all the planes, and still sells tickets, they are guilty of fraud. If the vault is just for show and the bank still moves money ...

Posted by: gannon_dick | December 7, 2009 8:24 PM | Report abuse

I have advised all of my business customers to only use a dedicated machine for online banking. Unfortunately, the need to monitor the accounts every single day make it difficult to keep the banking sequestered to a single unipurpose machine. From now on, I will also advise that they not bank with Capital One.

Posted by: lostinthemiddle | December 8, 2009 7:43 AM | Report abuse

...and the motral of the story is...

"Don't bank with Capital One".

Posted by: citigreg | December 8, 2009 8:40 AM | Report abuse

It's time for commercial customers to have the same rights as individuals when dealing with banks.

Posted by: fchaffin | December 8, 2009 8:41 AM | Report abuse

Interesting that almost nobody is talking about moving to a more secure operating system. It's a good bet that those cracked machines were all running Windows.

Another thing banks could do is provide accounts with Read Only access. That would make monitoring easier, and allow only a few people with authority to conduct transactions.

Posted by: chrisviking | December 8, 2009 10:48 AM | Report abuse

No terrorist will go broke as long as the American banks fail to secure these bank accounts and fail to improve the credit card system to finally stop fraud.

Posted by: john65001 | December 8, 2009 11:43 AM | Report abuse

This kind of thing is EASILY preventable using two-factor authentication.

RSA Security and plenty of other companies make hardware tokens that rotate numeric codes in sync with the bank's servers.

This, combined with the old username+password requirement prevents bad guys from accessing your account with information stolen from your PC via hostile code, etc.

Without the constantly changing code number (you have to enter the currently displayed number, in addition to your username+password) the bad guys are kept at bay.

Posted by: jsmith021961 | December 8, 2009 12:59 PM | Report abuse

Welcome to America! It'a about time businesses got a taste of what consumers have been talking about for several years now.

Are you unaware that, with the blessing of our Congress, our banking and credit reporting agencies conspire to leave ALL our financial info open to fraud?

Why, you may ask? So those same institutions can then charge consumers for "safeguarding" their personal financial information which THEY gather on us and resell to outside interests. Consumers, pay attention and learn.

The banking industry and credit reporting agencies don't give a hoot what the fallout may be to consumers of all kinds because all they're focused on is making more money. They don't care how consumers are hurt, disadvantaged, and otherwise abused by their business practices.

Consumers everywhere are now paying good money to credit reporting agencies to "safeguard" the very same information those reporting agencies gather on consumers and resell.

Get a clue, stop being ignorant, contact your elected officials and let them know what you think of these perfectly legal scams.

Posted by: Jubileedoo1 | December 8, 2009 1:14 PM | Report abuse

Also, when is American industry going to take on the Captain of Computers, Bill Gates, for his terribly flawed operating system?

Posted by: Jubileedoo1 | December 8, 2009 1:19 PM | Report abuse

Jubileedoo1 wrote:

"Also, when is American industry going to take on the Captain of Computers, Bill Gates, for his terribly flawed operating system?"

Ummm, Bill Gates retired several years ago.

Steve Ballmer is the guy you want to talk to.

Posted by: frantaylor | December 8, 2009 3:10 PM | Report abuse

@Jsmith -- Lots of people like to tout RSA tokens and other two-factor token-based approaches as the answer. They raise the hurdle, but not by much. If you really want real-world, actual, recent examples of bad guys defeating tokens, see the following stories from this series:

Posted by: BTKrebs | December 8, 2009 3:37 PM | Report abuse

Bruce Schneier has said it again and again - authenticate the transaction not the account !

Posted by: jaarbokczel | December 8, 2009 4:26 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company