Customer Sues Bank After Phishing Attack

Thursday, February 11, 2010

Linda McClasson reports:

A Michigan-based metal supply company is suing Comerica Bank, claiming that the bank exposed its customers to phishing attacks.

A lawsuit filed by Experi-Metal Inc. (EMI) in Sterling Heights, MI alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank’s security software. EMI says even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures.

EMI contends that Comerica’s actions opened its online bank account to a successful phishing attack where more than $550,000 was stolen from the company’s bank accounts and sent overseas.

News of this suit comes days after news of another Dallas-based bank, PlainsCapital Bank, suing one of its customers in a dispute over a similar hack.

EMI is but one of many companies across the U.S. being targeted by hackers in this fashion.

Read more on BankInfoSecurity.

Anthony M. Freed:

With the entire purpose of the PCI Security Standards Council seeming to be that of shielding the CC companies from liability, I don't think we have to worry about them shouldering any responsibility even if it is deserved.

As it stands with this self-policing and self-regulating PCI industry, the ultimate responsibility lies with the corporate leadership.

I examined CEO Robert Carr's stock trades in relation to the Heartland Payment Systems data breach time line. I wrote the article a week after they revealed the breach, and questioned whether Carr made insider trades.

The next day I received an email from Heartland's outside legal counsel denying any impropriety or material knowledge of the breach prior to the week of the disclosure. I published the email and a few more articles. One month later, the SEC opened an investigation.

Subsequently, the investors filed a class action in U.S. District Court alleging the withholding of material information per SEC reporting compliance, and my article was cited in the lawsuit as scienter evidence - or who knew what and when.

Seems Carr had made statements to Wired Magazine in August that they knew of a breach on corporate systems as early as December 2007, but did not think the processing network was in any jeopardy - that did not jibe with the email sent to me.

See items 117-119: http://scas.issproxy.com/pdf/30981cmp.pdf

Responsibility should come from and extend to the very top - and the board room - else we can expect short cuts and short term profit to trump security and integrity every time.

Fred Williams:

The basis for the lawsuit alleges that Comerica's standard operation was to send emails to its customers asking them to follow the links. The PDF mentions that EMI had followed links like this for nearly 8 years.

That seemed to set EMI up for the purported phishing attack since they were used to receiving emails and following the links.

Even though EMI had technology that was vulnerable to MITM, how can a business be held responsible for the actions of its customer base? Comerica didn't send out the phishing email; they didn't instruct the employee to go to the phishing site. Even if Comerica didn't change its authentication and was still using certificates, how would that ensure the customers wouldn't recognize a bad certificate?

I don't concur that Comerica should be held liable; however, I'll be watching for the outcome of this trial.

Fred Williams:

Oops, I meant "Even though Comerica had technology that was vulnerable to MITM...."