A US title insurance firm that lost more than $200,000 after cybercrooks using the Zeus Trojan accessed its online account is suing its bank, accusing it of lax security.
In a case picked up by security blogger Brian Krebs, Virginia-based Global Title Services had its computers infected with Zeus sometime before June last year.
This gave crooks access to the firm's passwords for their online accounts with Chevy Chase Bank (since rebranded by owner Capital One).
On the first of June the criminals began an eight-day process of wiring money from the company's account to money mules. A total of 18 transfers, worth more than $2 million, were made.
The bank managed to reverse all but the first three transfers, meaning that Global Title Services suffered actual losses of around $200,000.
The company is suing Capital One, accusing it of failing to act in good faith and arguing that by not employing two-factor authentication it "failed to implement commercially reasonable security procedures for its online banking clients," says Krebs.
According to the complaint: "By operating a single factor identification online banking system, Capital One left its customers open to identity theft and failed to take sufficient safeguards to prevent unauthorized access to its client's online banking accounts, including the ability to send wire transfers."
Global Title is asking for a $500,000 judgment, plus pre- and post-judgment interest and attorney's fees, with the case slated for trial in April.
Some of the crooks involved have already been convicted and imprisoned for their roles in the cyberheist.
The question of whether a bank is responsible for ACH wire fraud committed against customers has been in the spotlight in recent months thanks to several court cases, the outcomes of which have been mixed.
In August Comerica Bank ditched plans to appeal the ruling of a Michigan court and reimbursed a small business customer that was hit by wire fraud scammers. However, previously a presiding magistrate in Maine ruled that Ocean Bank was not responsible for the loss of around $345,000 from a business customer account following a similar cyber-attack.