Michigan firm sues bank over theft of $560,000
Experi-Metal says Comerica Bank's online security practices resulted in theft
Computerworld - A Michigan-based manufacturing firm is suing its bank after online crooks depleted the company's account by $560,000 via a series of unauthorized wire transfers last year.
In a lawsuit filed in December, Experi-Metal Inc. (EMI) of Sterling Heights blamed the loss on its financial institution Comerica Bank's security practices, and on the bank's alleged failure to heed signs that should have alerted it to the fraudulent activity.
The complaint, filed in Macomb County Circuit Court, demanded that Comerica reimburse EMI for the loss, along with interest, attorney's fees and any other damages the court saw fit to impose. News of the lawsuit was reported by Bankinfosecurity.com earlier this week.
The lawsuit is one of several that have been filed over the past few months involving banks and customers victimized by online theft. In this case, the theft occurred after an employee at EMI supplied the crooks with the company's online banking credentials in response to a phishing e-mail that purported to come from the bank.
The credentials were then used to initiate wire transfers totaling $560,000 from EMI's account to numerous accounts in Russia, Estonia, Scotland, Finland, China, and the U.S. Once deposited, the funds were quickly withdrawn.
In its lawsuit, EMI alleged that the phishing scam had worked only because of Comerica's routine practice of sending e-mails to customers asking them to click on a link to update their security information.
EMI said that between 2000 and 2008, Comerica had used digital certificates to authenticate users to its online banking system. During this time, the bank would send e-mails asking customers to click on a link and submit specific information in order to renew their digital certificates, EMI claimed in its suit.
The complaint also alleged that the token-based authentication system that replaced Comerica's digital certificates was not adequate enough to protect against the kind of attack that resulted in the theft.
"Comerica knew or should have known that the technology of the two-factor authentication procedure which it instituted in 2008 was known to be lacking in any reasonable fortification against 'man in the middle' phishing attacks," EMI said.
"[It was in] reality a downgrade as a security measure from the digital certificate technology that was previously used by Comerica," the company said.
The complaint also faulted Comerica for ignoring signs of fraudulent activity on EMI's account. The company said that it had initiated just two wire transfers in total before the unauthorized withdrawals began.
Then, over a three-hour period, 47 wire transfers and 12 transfer-of-fund requests were initiated from EMI's account. The bank did not check with EMI about the unusual activity for several hours, and even after it was asked not to honor any transfers, the bank did not take action until another 38 wire transfers had taken place, the complaint alleged.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
- Protecting Point of Sale Systems from Targeted Attack
- If you are responsible for protecting retail systems, download this case study to learn how this retailer eliminated the threat of malware on...
- From the Frontline - Preventing APT
- Is your company's network secure? Are your endpoints and servers secured? Before you answer, read this case study on a US Military Command...
- Stop Hackers Before They Attack
- Hacktivism, Identify Theft, Financial Gain, Cyber War - regardless of motivation, stopping today's hackers requires a new proactive approach to protecting endpoints. Learn...
- The four rules of complete web protection
- As an IT manager you've always known the web is a dangerous place. But with infections growing and the demands on your time... All Cybercrime and Hacking White Papers
- WikiLeaks: How am I Affected?
- The latest WikiLeaks episode has raised questions about how organizations and governments protect their sensitive information. While this incident was isolated, it has...
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn... All Cybercrime and Hacking Webcasts