An Oregon agricultural products company is suing its bank to recover
nearly a quarter-million dollars stolen in a 2010 cyberheist.
The lawsuit is the latest in a series of legal challenges seeking to
hold financial institutions more accountable for costly corporate
account takeovers tied to cybercrime.
On Sept. 1, 2010, unidentified computer crooks began making unauthorized
wire transfers out of the bank accounts belonging to Oregon Hay Products
Inc., a hay compressing facility in Boardman, Oregon. In all, the
thieves stole $223,500 in three wire transfers of just under $75,000
over a three-day period.
According to a complaint filed in
Umatilla County Circuit Court, the transfers were sent from Oregon Hay's
checking account at Joseph, Ore.-based Community Bank to JSC Astra Bank
in Ukraine. Oregon Hay's lawyers say the company had set a $75,000 daily
limit on outgoing wires, so the thieves initiated transfers of $74,800,
$74,500 and $74,200 on three consecutive days.
Unfortunately for
both parties in this dispute, neither Oregon Hay nor Community Bank
detected anything amiss until almost two weeks after the fraud began; on
Sept. 14, the victim firm found it was unable to access its accounts
online. But by that time, the money was long gone.
Businesses do
not enjoy the same legal protections afforded to consumer banking
customers hit by cyber thieves, and most organizations can be held
responsible for any losses due to phishing or account takeovers. But as
cyberheists have ramped up dramatically over the past several years, a
number of victim companies have opted to sue their financial
institutions in the hopes of recovering the losses.
Oregon, like
most states, has adopted the Uniform Commercial Code, which means that a
payment order received by the bank is effective as the order of the
customer, whether or not authorized,
if the security procedure is a commercially reasonable method of
providing security against unauthorized payment orders, and the bank
proves that it accepted the payment order in good faith and in
compliance with the security procedure and any written agreement or
instruction of the customer.
In its complaint, Oregon Hay
targets Article 4A of the UCC, alleging that Community Bank's online
account security procedures were not commercially reasonable given the
sophistication of today's threats, and that the bank did not accept the
fraudulent payment orders in good faith.
The plaintiffs claim
that the bank's security systems did not rise to the level of
recommendations issued by banking regulators at the U.S. Federal
Financial Institutions Examination Council (FFIEC), which urged the use
of multi-factor authentication to verify the identity of users
attempting to log in to a financial institution's online banking
software. Multi-factor authentication requires the presentation of two
or more of the three authentication factors: something the user knows,
such as a password or PIN; something the user has, such as a smart card
or one-time token; and something the user is, such as a fingerprint or
iris scan.
According to the lawsuit, at the time of the theft
Community Bank relied on a Jack Henry product called Multifactor Premium
with Watermark, which relied on a combination of device IDs (a software
cookie that identifies the user's computer) and challenge/response
questions, which attempt to verify a user's identity by asking him for
answers to questions about his personal or financial history.
Lance
James, chief scientist at Jersey City, NJ-based security firm Vigilant,
said Community Bank's use of secret images and challenge questions did
not constitute multi-factor authentication because these approaches are
simply multiple solutions from the same authentication category.
James
noted that all three fraudulent wires were sent from Internet addresses
that the victim firm had never before used. In addition, James said,
records show that in the course of their robbery, the thieves made 37
unsuccessful login attempts from five different IP addresses over a
six-day period.
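The signals described above (wires sent from never-before-used addresses, repeated failed logins from several IP addresses, and transfers sized just under the $75,000 daily limit) can be combined into a hold-for-review rule. The following Python is an added example, not part of the original article or of any bank's or vendor's system; the thresholds, IP addresses, timestamps and log records are constructed assumptions.

```python
from datetime import datetime, timedelta

DAILY_WIRE_LIMIT = 75_000        # daily outgoing-wire limit reported in the article
NEAR_LIMIT_RATIO = 0.95          # assumed cutoff for "just under the limit"
FAILED_LOGIN_THRESHOLD = 5       # assumed minimum failures that count as a burst
LOOKBACK = timedelta(days=6)     # assumed window for counting failed logins

# Constructed sample data; IP addresses come from documentation ranges.
KNOWN_IPS = {"192.0.2.10"}       # addresses the customer has used before
FAILED_LOGINS = [(datetime(2010, 9, 1, 8, m), f"198.51.100.{m % 5 + 1}")
                 for m in range(12)]
WIRES = [
    (datetime(2010, 9, 1, 9, 0), "203.0.113.7", 74_800),
    (datetime(2010, 9, 2, 9, 0), "203.0.113.7", 74_500),
    (datetime(2010, 9, 3, 9, 0), "203.0.113.8", 74_200),
    (datetime(2010, 9, 3, 15, 0), "192.0.2.10", 12_000),  # routine payment
]

def score_wire(when, src_ip, amount, known_ips, failed_logins):
    """Return the list of risk signals that apply to one outgoing wire."""
    signals = []
    if NEAR_LIMIT_RATIO * DAILY_WIRE_LIMIT <= amount <= DAILY_WIRE_LIMIT:
        signals.append("amount_just_under_limit")
    if src_ip not in known_ips:
        signals.append("new_source_ip")
    recent = [ip for ts, ip in failed_logins if when - LOOKBACK <= ts <= when]
    if len(recent) >= FAILED_LOGIN_THRESHOLD and len(set(recent)) > 1:
        signals.append("failed_login_burst_multiple_ips")
    return signals

def review_queue(wires, known_ips, failed_logins, min_signals=2):
    """Wires to hold for out-of-band confirmation with the customer."""
    held = []
    for when, ip, amount in wires:
        signals = score_wire(when, ip, amount, known_ips, failed_logins)
        if len(signals) >= min_signals:
            held.append((when.date().isoformat(), amount, signals))
    return held

if __name__ == "__main__":
    for row in review_queue(WIRES, KNOWN_IPS, FAILED_LOGINS):
        print(row)
```

Requiring at least two signals keeps the routine payment from a known address out of the queue even though it follows the same failed-login burst.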
Hargrave said that judges will look at all relevant cases, whether or not the decision is binding in their jurisdiction.
"Even if it's not mandatory precedent, these decisions are persuasive because
by and large Article 4A of the UCC is uniform across the states, and so a
court in Georgia looking at one of these cases, for example, is likely to look at what
other states are doing," he said. "The definition of what constitutes
good faith definitely is squishy, it gives the court wide discretion to
determine that an action was or was not carried out in good faith. It
used to be in the UCC that good faith meant you were acting
honestly.
Now, the courts are asking, 'In the totality of the circumstances, was
the bank treating the customer unfairly or trying to take advantage?'"