Bank Of America Hit With Lawsuit Over Electronic Transaction
Incident raises questions about online banking systems' vulnerability to hacking incidents.
A Miami businessman is suing Bank of America to recover $90,000 that he claims was stolen and diverted to a bank in Latvia after his computer was infected by a "Trojan horse" computer virus.
Although consumers are routinely hit with "phishing" E-mails carrying bank logos intended to dupe them into revealing IDs and passwords, this is the first known case of a business customer of a U.S. bank claiming to have suffered a loss as a result of a hacking incident.
In a complaint filed earlier this month, Joe Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract in not alerting him to the existence of a virus called "coreflood" prior to April 6, 2004, the date the alleged theft took place. In July, the bank sent a letter to users of Bank of America Direct, its online business banking portal, alerting them to a new "dual administration" feature requiring the approval of at least two individuals to execute a funds transfer. The letter also recommended that clients install antivirus software.
The $90,000 was transferred from Lopez's account to Parex Bank in Latvia, according to the complaint. Shortly afterwards, $20,000 was withdrawn from Parex by unknown individuals; the other $70,000 has been frozen by Latvian banking authorities.
A letter from the U.S. Secret Service to Lopez in November stated that Lopez's PC was found to be infected by coreflood, which logs victims' keystrokes through a backdoor installed on their computers. The Secret Service had been called in to investigate by Bank of America, says Lopez's attorney, Ralph Patino. "The Secret Service took my client's hard drive and came up with the fact that it was infected," he says.
Bank of America says in a statement that an internal review turned up nothing unusual about the way the transaction had been handled and that the bank had followed all required security procedures.
Bank of America is on fairly solid ground legally, experts say. "A bank can't be expected to be responsible for safeguarding its customer's computer environment against all forms of attack," says Maggie Scarborough, research manager at Financial Insights.
At the same time, the possibility that its online banking system is vulnerable to attack is troubling. "Bank of America has invested millions in security," Scarborough says. "Yet users still don't understand all the risks inherent in online banking, and banks can't depend on users to protect themselves."