US insurance firm sues after $207k cyberheist

According to Brian Krebs of the Krebs on Security newswire, a title insurance firm in Virginia is suing its bank after an eight-day cyberheist involving more than $2 million in thefts and more than $200,000 in losses that took place last year.

The case is unusual in involving an insurance firm, and the researcher says that some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.

"Sometime before June 2010, crooks infected computers of Vienna, Va. based Global Title Services with the Zeus trojan, giving them direct access to the company's network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas", says Krebs in his latest security posting.

Global Title is suing Capital One, alleging that the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients.

Krebs reports that the lawsuit notes that - at the time of the breach - Capital One's online banking system used single-factor authentication and "allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password."

And here's where it gets interesting, Infosecurity notes, as Krebs points out that US banks are supposed to abide by online banking authentication guidance issued in 2005 by regulators at the Federal Financial Institutions Examination Council (FFIEC), although he notes that many institutions have been slow to comply with the guidelines.

"Several victims of corporate account takeovers have sued their banks, claiming similar negligence, but with mixed results. In June 2011, a Michigan court held Comerica Bank liable for more than half a million dollars stolen in a 2009 cyber heist. Two months later, a district court judge in Maine ruled that banks which protect accounts with little more than passwords and secret questions are in compliance with the FFIEC's security guidance", he says.

The FFIEC, he adds, recently updated its guidance, which calls for "layered security programs" to deal with riskier commercial banking transactions, including methods for detecting transaction anomalies, the use of out-of-band verification, and enhanced customer awareness campaigns.

Those requirements, he says, which will inform the activities of bank security examiners, are set to take effect at the start of next year.
