Experi-Metal v. Comerica

Experi-Metal v. Comerica Bank
Court: United States District Court for the Eastern District of Michigan
Full case name: Experi-Metal, Inc., v. Comerica Bank
Decided: June 13, 2011
Citation(s): Docket Number: 2:2009cv14890
Judge(s) sitting: Hon. Patrick J. Duggan
Case opinions: "Good faith" in accepting orders for online bank transfers requires a bank to meet reasonable commercial standards of fair dealing. Failure to meet those standards may render the transactions void.
Keywords: Online banking attacks, phishing and internet bank fraud, wire transfer fraud, Zeus Trojan

Experi-Metal, Inc., v. Comerica Bank (docket number: 2:2009cv14890) is a decision by the United States District Court for the Eastern District of Michigan in a case of a phishing attack that resulted in unauthorized wire transfers of US$1.9 million through Experi-Metal's online banking accounts. The court held Comerica liable for losses of US$560,000 that could not be recovered from the phishing attack, on the ground that the bank had not acted in good faith when it failed to recognize the transfers as fraudulent.

Background

Experi-Metal, a Macomb, Michigan-based company, held accounts with Comerica, headquartered in Dallas, Texas. Experi-Metal had signed up for a NetVision Wire Transfer service allowing it to send and receive payments and incoming fund transfers through the Internet. [1]

Phishing attack

At approximately 7:35 am on January 22, 2009, an Experi-Metal employee opened a phishing email containing a link to a web page purporting to be a "Comerica Business Connect Customer Form". Following the email's link, the employee then proceeded to provide his security token identification, WebID and login information to a phony site. As a result, the fraudulent third parties gained access to Experi-Metal's accounts held with Comerica. [1]

In a six-and-a-half-hour period between 7:30 am and 2:02 pm, 93 fraudulent transfers were made from Experi-Metal's accounts totaling US$1,901,269.00. The majority of the transfers were directed to bank accounts in Russia, Estonia and China. [1]

Between 7:40 am and 1:59 pm, transfers totaling US$5.6 million were executed among accounts using the information obtained from the phishing attack. In one account, the transfers resulted in an overdraft of US$5 million. [1]

At 11:30 am, Comerica was alerted to the potential fraud by a telephone call from a JP Morgan Chase employee who had noticed suspicious wire transfers sent from an Experi-Metal account to a bank in Moscow, Russia. Sometime between 11:47 am and 11:59 am, Comerica alerted Experi-Metal to the transfers and confirmed that the legitimate account holder had not made any transactions during the course of the day. By 12:25 pm, Comerica put a hold on Experi-Metal's online banking transactions and began to "kill" its user session in an attempt to forcefully remove the people making the transfers from the Comerica online service. [1]

Comerica was successful in recovering a portion of the transfers. In total, US$561,399 was lost in the fraudulent transfers arising out of the phishing scheme. [1]

Opinion of the US District Court in Michigan

The court considered two main issues in its decision. The first issue was whether the Experi-Metal employee whose confidential information was used to initiate the fraudulent transfers was authorized to initiate transfers on behalf of the company, and in turn, whether Comerica complied with its own security procedures in accepting the orders. The second issue was whether Comerica acted in "good faith" in accepting the orders on Experi-Metal's account. [1]

User information initiating fraudulent transfers

There was some question as to whether the Experi-Metal employee who fell victim to the phishing incident was authorized to make wire transfers on behalf of the company. The issue was raised in the context of whether Comerica was complying with its security procedures when it accepted the wire transfers that were made using his account user information on January 22, 2009.

After considering several contextual factors, the court concluded that the employee who had provided his account user information was authorized to initiate transfers with Comerica on behalf of Experi-Metal. As a result, Comerica was found to be in compliance with its own security protocols when it accepted the orders.

Good faith

The second issue in the case was whether Comerica acted in 'good faith' when it accepted the wire transfers initiated by the fraudulent third parties.

Under Michigan law, wire transfer orders are effective as orders of the customer even if they are not actually ordered by the customer, provided certain criteria are met. [2] The issue in this case was whether the orders were accepted in good faith and in compliance with the security procedures, written agreements or instructions of the customer. If the orders made to Comerica on Experi-Metal's account were not received in "good faith", they would not be effective.

While the court found that Comerica's security procedures were commercially reasonable, it found that the bank had failed to prove it accepted the orders for the fraudulent transfers in good faith. Under Michigan law, good faith requires "honesty in fact and the observance of reasonable commercial standards for fair dealing." [3]

Because there was no suggestion that Comerica's employees acted dishonestly in accepting the fraudulent orders, the court moved to the element of the good faith test dealing with reasonable commercial standards for fair dealing. Here, the court found Comerica failed to meet the burden of proving that its employees met reasonable commercial standards of fair dealing in the context of the fraudulent transfers, and in particular with respect to the unusual overdrafts to the Experi-Metal accounts. On this last point, the court made specific reference to the overdrafts of US$5 million on an Experi-Metal account that usually had a $0 balance.
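The signals the court pointed to are what automated transaction monitoring exists to catch: dozens of outbound orders within a few hours, beneficiary banks in countries the customer had never paid before, and a running balance driven far below zero on an account that normally sat at $0. As an added illustration that is not part of the original article and not Comerica's system, the Python below runs three such rules over constructed sample transfers modelled loosely on the timeline above; the account name, baseline profile, thresholds and transfer amounts are assumptions.

```python
# Added example: illustrative transaction-monitoring rules, not Comerica's system.
# Account name, baseline profile, thresholds and transfers are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    when: datetime
    account: str
    amount: float       # outbound amount in USD
    dest_country: str   # ISO 3166 alpha-2 code of the beneficiary bank's country

# Constructed customer baseline: usual balance and countries paid before.
PROFILES = {"EM-OPS": {"typical_balance": 0.0, "usual_countries": {"US"}}}

# Constructed sample: 15 outbound orders, one every four minutes from 07:40,
# to beneficiary banks in Russia, Estonia and China.
START = datetime(2009, 1, 22, 7, 40)
SAMPLE = [Transfer(START + timedelta(minutes=4 * i), "EM-OPS",
                   20_000.0 + 500 * i, ("RU", "EE", "CN")[i % 3])
          for i in range(15)]


def velocity_alerts(transfers, window=timedelta(hours=1), max_count=10):
    """Alert on each order that lifts the count inside the sliding window above max_count."""
    ordered = sorted(transfers, key=lambda t: t.when)
    alerts = []
    for i, t in enumerate(ordered):
        in_window = sum(1 for u in ordered[: i + 1] if t.when - u.when <= window)
        if in_window > max_count:
            alerts.append(("velocity", t.when, f"{in_window} orders in {window}"))
    return alerts


def destination_alerts(transfers, profiles):
    """Alert on each order to a country the account has never paid before."""
    return [("new_destination", t.when, t.dest_country)
            for t in transfers
            if t.dest_country not in profiles[t.account]["usual_countries"]]


def overdraft_alerts(transfers, profiles):
    """One alert per account driven below zero, timed at its lowest running balance."""
    balance = {acct: p["typical_balance"] for acct, p in profiles.items()}
    lowest = {}  # account -> (balance, when); only negative balances are recorded
    for t in sorted(transfers, key=lambda t: t.when):
        balance[t.account] -= t.amount
        if balance[t.account] < lowest.get(t.account, (0.0, None))[0]:
            lowest[t.account] = (balance[t.account], t.when)
    return [("overdraft", when, f"{acct} at {bal:,.2f} USD")
            for acct, (bal, when) in lowest.items()]


def run_monitor(transfers, profiles):
    """All alerts from the three rules, ordered by the time the bank could have acted."""
    alerts = (velocity_alerts(transfers) + destination_alerts(transfers, profiles)
              + overdraft_alerts(transfers, profiles))
    return sorted(alerts, key=lambda a: a[1])


def first_alert_time(transfers, profiles):
    """When the earliest alert fires; compare with the 11:30 am external call in the case."""
    alerts = run_monitor(transfers, profiles)
    return alerts[0][1] if alerts else None
```

On the constructed sample the destination rule fires on the very first order at 07:40, and the velocity rule fires on the eleventh, so a bank running even these rules would have had internal signals hours before a third party telephoned.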

Result

Primarily on the basis that Experi-Metal's online wire transfer orders were not received in good faith, the court ordered Comerica to compensate Experi-Metal for its losses. Comerica reportedly reached an out-of-court settlement [4] with Experi-Metal soon after the court's decision.

Significance

Experi-Metal v. Comerica represents a relatively early decision in an emerging area of case law relating to online banking fraud in the US.

Similar US online banking fraud cases

In Patco Construction v. People's United Bank [5] a US District Court in Maine held that the defendant bank was not liable for US$588,000 in fraudulent transfers that were believed to result from Zeus keylogger malware attacks.

Patco was an online banking customer and account holder at People's Bank at the time of the malware attacks. Between May 7 and May 16, 2009, unknown third parties made multiple online transfers totaling US$588,851 out of Patco's account. Ultimately, the bank was able to block US$243,406 of the fraudulent transfers.

Patco alleged that its losses were related to People's Bank's deficient online security. The court found that People's Bank did suffer from some security weaknesses, but that on the whole, its security procedures were commercially reasonable. Accordingly, it found that the bank was not liable for the losses resulting from the fraudulent transfers. Although the facts of this case differ from those in Experi-Metal v. Comerica, it may be a challenge to reconcile the contrast between the two decisions. However, in July 2012, this decision was reversed by an appellate court. The parties later settled out of court, with People's United Bank paying the remainder of what was stolen from Patco's account, as well as $45,000 in interest.

"In a landmark decision, the 1st Circuit Court of Appeals held in "Patco Construction Company, Inc. v. People's United Bank", No. 11-2031 (1st Cir. July 3, 2012) that People's United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 that had been stolen from PATCO'S bank account. In so doing, the court reversed the decision of the U.S. District Court for the District of Maine that had granted summary judgment in the bank's favor." [6]

In Village View v. Professional Business Bank [7] a similar claim was filed in the Superior Court of California in June 2011. Village View sued for losses incurred as a result of unauthorized and fraudulent wire transfers made from its account with Professional Business Bank on March 16–17, 2010, totaling US$195,874.

The attacks began with a banking Trojan disguised as a UPS shipping receipt, which was accepted and opened into the Village View network by unsuspecting employees. The file was later found to contain malware that did several things including disabling of email notifications normally sent by the bank each time a transfer was made from Village View's account. [8] The fraudulent transfers were made to international accounts, including banks in Latvia. [9]

Village View Escrow alleges in its claim that the unauthorized transfers were a result of Professional Business Bank's inadequate security system. Specifically, Village View alleges a failure on the part of Professional Business Bank to provide 'commercially reasonable security' procedures in accordance with California law [10] and an accompanying failure to accept the orders for wire transfers in 'good faith.' [11]

The attack on Experi-Metal combined two sub-types of bank fraud: phishing, to obtain the credentials, and wire transfer fraud, to move the money.

Among US banking institutions, December 2011 saw US national banks targeted most frequently by phishing at 85%, followed by regional US banks at 9% and US credit unions at 6%. [12] In terms of overall volume of phishing worldwide during the same period, the UK was a target 50% of the time, followed by the US at 28%, Brazil at 5%, South Africa at 4% and Canada at 2%. [13]

Malware such as the Zeus Trojan has been used extensively by criminals to steal personal banking information which can then be used to make fraudulent transfers out of the victims' bank accounts. In some cases, the perpetrators of the attacks have been caught and prosecuted, both within the US, [14] as well as in other countries. [15]

Challenge of prosecuting online banking fraud

While the types of activities in Experi-Metal v. Comerica might fall under the Computer Fraud and Abuse Act as an offense, the challenges of determining jurisdiction in an online environment, identifying perpetrators and collecting evidence remain as potentially significant obstacles in any attempts to enforce such legislation. [16]


References

  1. "Experi-Metal, Inc., v. Comerica Bank (Docket Number: 2:2009cv14890)". U.S. District Court, Eastern District of Michigan. June 13, 2011.
  2. "UNIFORM COMMERCIAL CODE (EXCERPT) Act 174 of 1962 s. 440.4702". Michigan State Legislature.
  3. "UNIFORM COMMERCIAL CODE (EXCERPT) Act 174 of 1962 s. 440.4605(1)(f)". Michigan State Legislature.
  4. "Comerica Settles After Updated Security Rules Weaken Its Case". American Banker. August 3, 2011. Retrieved February 25, 2012.
  5. "Patco Construction Company, Inc., v. People's United Bank d/b/a Ocean Bank, No. 2:09-cv-503-DBH (D.Me. May 27, 2011)" (PDF). U.S. Dist. Ct. Maine, and upheld at "Civil No. 09-503-P-H (D.Me. August 4, 2011) PATCO CONSTRUCTION COMPANY INC v. PEOPLES UNITED BANK". Justia.com.
  6. "First Circuit Court Of Appeals Holds Bank's Online Security Measures "Commercially Unreasonable" In Landmark Decision - Insurance - United States". Mondaq.com. Retrieved November 3, 2013.
  7. "Village View, Inc., vs. Professional Business Bank, Case No. YC064405 (Cal Sup Ct) - Plaintiff's First Amended Complaint Against Professional Business Bank (June 27, 2011)". November 27, 2006. ismgcorp.com.
  8. "Information Security Media Group - ISMG". ISMGCorp.com. Retrieved February 14, 2017.
  9. "Company in Debt from Thousands of Dollars lost as Cybercrooks Use Trojan to hack Firm – SpywareRemove.com". SpywareRemove.com. June 29, 2010. Retrieved February 14, 2017.
  10. "Alleged failure to provide commercially reasonable security" in accordance with California commercial Code Section 11202(b)(i)-(ii) and (c).
  11. "Alleged failure to accept the orders in good faith" under California Commercial code section 11202.
  12. RSA. "RSA Monthly Online Fraud Report -- January 2012 -- The Year In Phishing" (PDF). RSA.com. p. 3. Archived from the original (PDF) on May 12, 2012.
  13. RSA, p. 4.
  14. "Nikolay Garifulin Pleads Guilty in Manhattan Federal Court to Involvement in Global Bank Fraud Scheme that Used "Zeus Trojan" to Steal Millions of Dollars from U.S. Bank Accounts". FBI.gov. September 23, 2011. Retrieved February 14, 2017.
  15. Kovacs, Eduard (October 5, 2011). "ZeuS Trojan Bank Robbers Finally Convicted". Softpedia.com. Retrieved February 14, 2017.
  16. "What makes cybercrime laws so difficult to enforce - TechRepublic". TechRepublic.com. January 26, 2011. Retrieved February 14, 2017.