Construction firm sues after $588,000 online theft
IDG News Service - A construction company in Maine is suing its bank after about $588,000 disappeared from its accounts, alleging the bank failed to spot suspicious account activity before it was too late.
Over a week-long period in May, fraudsters made six transfers from the online bank accounts of Patco Construction Company, a family-owned developer in Sanford, Maine, according a copy of the lawsuit on the Washington Post's Web site.
The money went to so-called "mules," or people who have agreed to receive the funds and then further transfer it to the fraudsters. The hefty withdrawals exceeded the amount of money Patco had in its account, which was used solely for payroll.
To make matters worse for Patco, its bank -- People's United Bank, or Ocean Bank of Delaware -- drew $223,237 on the company's line of credit to cover the withdrawals. Ocean Bank now wants Patco to pay that money back with interest, the lawsuit said.
After the bad transfer came to light, Ocean Bank did recover or block $243,406, but Patco is still on the hook for $345,444.
The fraudsters had a lot of key information needed to do the transfers, conducted through the ACH (Automated Clearing House) Network, used by institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.
The ACH system has proved vulnerable to fraud as of late, due to its age and a lack of controls in the underlying transfer system, investigators have said.
Several Patco employees were authorized to use the account. They logged in with a company ID and password and also their own ID and password, the suit said. For transfers over $1,000, the employees then had to answer two challenge questions. Since most of their transfers exceeded that amount, the challenge questions were used often.
Apparently the fraudsters were able to collect that security information. They could have done that by infecting computers used to perform transfers with spyware, often installed through social engineering techniques or by exploiting vulnerabilities in out-of-date software.
Patco argues that Ocean Bank did not offer two-factor authentication, which often involves the use of a token that displays a one-time password or a verification telephone call.
Patco also said the transfers were initiated from IP (Internet Protocol) addresses that had never been used by Patco, the transfers far exceeded what the company normally performed and were on days other than Friday, when the company paid its employees by direct deposit.
"None of these transactions triggered any suspicious activity alerts on the part of Ocean Bank," the lawsuit alleges.
One of Patco's owners, Mark Patterson, did received a notification on May 13 that one of the ACH transfers was rejected due to an invalid account number supplied by the scammers.
Patco notified the bank the next morning, but the bank already started the day's ACH transfers and $111,963 floated away. Some of that amount was recovered.
- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
- Slideshow: 5 ways to lock down your mobile device
- Slideshow: 10 mistakes companies make after a data breach
- How to rob a bank: A social engineering walk through
- Which smartphone is the most secure?
If you think getting it right from day one is always what matters, you probably haven't been following technology too closely.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Mitigating DDoS Attacks with F5 Technology
- This document examines various DDoS attack methods and the application of specific ADC technologies to block attacks in the DDoS threat spectrum while...
- The DDoS Threat Spectrum
- Bolstered by favorable economics, today's global botnets are using distributed denial-of-service (DDoS) attacks to target firewalls, web services, and applications, often simultaneously.
- Defending Against Denial of Service Attacks
- By utilizing end-user interviews, this whitepaper explores a deeper understanding of DDoS defense plans and reveals the knowledge gaps around the Denial of...
- Strategic Solutions for Government IT
- This paper outlines why F5 is the optimum partner to help achieve the levels of security, performance and availability that are vital to...
Top Considerations for Moving to a Cloud Delivery Model for ITSM
Find out whether SaaS-based ITSM is right for you
- Software-as-a-service is more than just a cloud-based delivery model-it's a new approach to service that lets companies optimize utilization of in-house IT resources... All Government IT White Papers
- Modernizing SAP environments with minimum risk - a path to Big Data Hear from top IDC analyst, Richard Villars, about the path you can start taking now to enable your organization to get the benefits...
- Fighting Fraud Videos: IBM Intelligent Investigation Manager Short videos about IBM Intelligent Investigation Manager (IIM) for Fraud. IIM optimizes the investigation of fraud for customers across many industries in both...
- IBM Intelligent Investigation Manager: Online Product Demo Intelligent Investigation Manager optimizes fraud investigation and analysis and it dynamically coordinates and reports on cases, provides analysis and visualization, and enables more...
- Webinar: IBM IIM for Fraud, Abuse and Waste in Government View this IBM webinar to learn about the challenges and opportunities in fraud reduction, waste, and abuse in government programs and agencies. You...
- Pre-Engineered solutions from VCE Simplify Core Infrastructure Implementation In this video, the CTO of Purdue Pharma, a privately held pharmaceutical company explains how Purdue transformed their data center infrastructure with VCE.
- All Government IT Webcasts
Does your organization offer extensive benefits, cool perks, competitive salaries, opportunities for training and advancement? Then get it recognized!
Nominate your company or another deserving organization for Computerworld's 2014 Best Places to Work in IT list now through Dec. 12, 2013.