Don’t blame the hackers; don’t blame the bank; apparently it’s the victim’s fault that a Missouri escrow firm was robbed of $440,000 in a cybercrime, says a report on
The attack occurred in 2010, but the appeals court’s March 2013 ruling declared that the firm, Choice Escrow and Title LLC, can’t hold its bank accountable. The victimized firm might even have to pay the bank’s attorney fees. The court says that the firm
failed to abide by the bank’s recommended security procedures.
BancorpSouth Bank was sued by Choice Escrow following a cyber assault in which the password and username to the firm’s online bank account was stolen.
The victim asserted that the bank failed to implement sufficient security measures, allowing the attack to take place. The firm also insisted that the bank should have detected that the wire transfer of the money to Cyprus was fraudulent because it was initiated
outside the U.S.—an unprecedented type of transaction.
BancorpSouth’s defense was that Choice Escrow failed to instill the security precautions for wire transfers that the bank recommended.
At first it seems like the bank here is bucking culpability, but according to the bank:
- It had controls in place for Choice Escrow to use.
- The bank requested that the firm use a dual-control process for wire transfer requests that would require two people to sign.
- The bank asked the firm to enforce an upper limit on wire transfers.
- Choice failed to follow these two recommendations.
The bank also points out that the wire transfer was started by someone who used the firm’s legitimate banking credentials, along with a computer that seemed to belong to the company. Had the company followed the bank’s recommendations, the crime may not
Stealing legitimate banking credentials and using them to initiate criminal wire transfers to overseas accounts is nothing new to cyber criminals. This crime causes disputes between banks and their customers and heightens awareness over how much responsibility
each entity should carry.