Hillary, a PlainsCapital customer since 2005, had $801 000 pilfered from its account via what it says was an unauthorized wire transfer in November. The company sent a letter to the bank in December arguing that the bank had failed to employ security measures, and that the bank should be responsible for the amount lost in the wire transfer.
PlainsCapital had recovered almost $600 000 of the transfers, and declined Hillary's demand for a refund.
"PlainsCapital is entitled to enforce the wire transfer orders to the extent monies transferred or not otherwise recoverable from the beneficiaries of the orders," said the bank in a court complaint. "It is entitled to a statutory judgment that its security procedures are commercially reasonable, that it is entitled to enforce the wire transfer orders and that it has not breached its obligations under the terms of either Commercial Account Agreement or the Wire Transfer Authorization Agreement," the bank said, also claiming legal costs.
Needless to say, Hillary took a different view. "Cyber robbers exploited vulnerabilities in PlainsCapital Bank's Internet banking system and initiated fraudulent wire transfers and automated clearing house transactions and transferred money from one of Hillary Machinery Inc's commercial business accounts to multiple financial institutions and individuals in the US and overseas," the company said.
Hillary cites the guidelines issued by the Federal Financial Institutions Examination Council, which in 2005 updated its 2001 guidance on internet banking security, advising financial institutions to deploy multifactor authentication.
"When the bank gets hit by a cyber robbery through one of its customers' accounts, they quickly transfer the blame to the customer and begin a strategy of plausible deniability, essentially hiding behind a fake interpretation of what the FFIEC actually recommended," Hillary concluded.
"It is evident that the loss incurred by Hillary Machinery, Inc, although regrettable, was not the result of a cyber attack on PlainsCapital Bank," countered the bank's president, Jerry Schaffner.
A spokesperson for the bank told Infosecurity that it did use multi-factor authentication for its online transactions.