In an unexpected turn of events, a Missouri court has ruled against the plaintiff in a cyberheist case. The plaintiff, a local escrow firm, argued that its bank should be held liable for the theft of $440,000 from its account in a 2009 cyberheist.
According to the court, the company carried more responsibility for the crime. It ruled that the company had refused to use the security measures the bank had put in place and recommended. The bank recommended that two employees be required to transact a single wire transfer.
In this case, Choice Escrow & Land Title LLC, which is based in Springfield, sued BancorpSouth Inc., which is based in Tupelo, Mississippi. Criminals obtained the escrow firm's online banking password and ID and used these credentials to make one illegal wire transfer of $440,000. The funds ended up in a corporate bank account in Cyprus.
According to Choice Escrow, BancorpSouth’s security procedures could not pass the commercial reasonableness test. It argued that the best online authentication option that the bank had offered was a dual-controls process which was optional. This system requires that two people from the company have two different IDs and passwords. One person is to initiate while the other is to release the transfer.
BancorpSouth Inc. offered its customers two security authentication options. Both of the options were based on the use of a password. The plaintiff’s lawyers argued that, according to the Federal Financial Institutions Examination Council’s (FFIEC) banking security procedure guidance released in 2005, the bank’s security was inadequate. The FFIEC advised that using only single-factor authentication was inadequate and risky, especially when transacting with other parties online.
On 18th March 2013, a judge with the U.S. District Court for the Western District of Missouri ruled based on the fact that Choice Escrow had been deliberately offered the dual controls by the bank but declined them in writing. Thieves were, therefore, able to steal from its account using a single password and ID. Moreover, the court observed that the company refused to set a daily outgoing limit on transfers from its account, which the bank had also pointed out. The court also observed that since the escrow company was used to sending huge amounts, it wasn’t unusual in the eyes of the bank when the thieves ‘transferred’ the large sum.
Missouri, like a majority of the states in the U.S., has adopted the Uniform Commercial Code (UCC). The UCC states that a bank should process a payment order from a customer whether it is authorized or not. The conditions are that the bank should have in place commercially reasonable security authentication procedures to prevent thieves from stealing from customers’ accounts. The bank should also have received the payment order in good faith and in compliance with the security procedures, while bearing in mind any payment order instructions given by the customer.
According to Dan Mitchell, an attorney from Maine, judgments and arguments will start following the precedent of the Choice Escrow judgment. If under Article 4A of the UCC a client refuses to adopt the dual controls, a bank might later argue that its security procedures were commercially viable.
Mitchell adds that judgments of this sort will definitely follow, given that the court never wasted its time determining whether the bank’s security procedures were commercially reasonable or not. He adds that the court spent its time and money on analyzing whether the bank had dual controls and whether the customer declined them when offered by the bank. Mitchell recently successfully represented the Maine-based Patco Construction firm in a similar case, which saw the company recover $588,000 stolen in a 2009 cyberheist.
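The two controls the court focused on, dual control (one ID initiates, a different ID releases) and a daily outgoing limit, can be sketched as follows. This is an added example, not code from the bank or the case record; the class names, user names, the date and the $100,000 limit are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

class ControlError(Exception):
    """Raised when a wire is blocked by a control."""

@dataclass
class Wire:
    amount: int                        # whole dollars
    initiator: str
    released_by: Optional[str] = None

@dataclass
class WireDesk:                        # hypothetical model of the bank's wire service
    dual_control: bool                 # customer opted in to the initiate/release split
    daily_limit: Optional[int] = None  # None = customer declined a daily limit
    sent_today: dict = field(default_factory=dict)

    def initiate(self, user: str, amount: int) -> Wire:
        if amount <= 0:
            raise ControlError("amount must be positive")
        return Wire(amount, user)

    def release(self, wire: Wire, user: str, day: date) -> Wire:
        if wire.released_by is not None:
            raise ControlError("wire already released")
        # Dual control: the releasing ID must differ from the initiating ID,
        # so one stolen ID and password cannot complete a transfer alone.
        if self.dual_control and user == wire.initiator:
            raise ControlError("release requires a second user")
        total = self.sent_today.get(day, 0) + wire.amount
        if self.daily_limit is not None and total > self.daily_limit:
            raise ControlError("daily outgoing limit exceeded")
        self.sent_today[day] = total
        wire.released_by = user
        return wire

def attempt_with_one_credential(desk: WireDesk, amount: int) -> str:
    """Replay a transfer where a single login is used for both steps."""
    try:
        wire = desk.initiate("user_a", amount)
        desk.release(wire, "user_a", date(2009, 1, 1))  # constructed date
        return "released"
    except ControlError as exc:
        return f"blocked: {exc}"
```

With both controls declined, `attempt_with_one_credential(WireDesk(dual_control=False), 440_000)` returns `"released"`; enabling either control blocks the same request.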
However, the current banking security guidelines were introduced well after the Choice Escrow incident happened. According to Charisse Castagnoli, an independent security and bank fraud expert, banks should take the reasonable step of protecting their customers. Banks should educate their customers about the many sophisticated threats that the current online world poses.
While BancorpSouth Inc.’s controls might fall short of today’s security requirements, it nevertheless took the significant initiative of offering the customer an additional security measure, which unfortunately got declined. Castagnoli adds that every bank should advise its customers on the need to employ additional security measures. The fact that the bank was actively advising its customers on the need to employ a dual-controls security procedure in 2009 shows that it was committed to protecting its customers.
Great progress has been made in modifying and implementing dual controls. It seems certain the current dual controls would have stopped the cyberheist.