A Miami businessman is suing his bank after $90,000 was lifted from his firm's online banking account following a computer virus attack. Joe Lopez, 42, filed suit against the Bank of America in Miami Circuit Court last week alleging that the bank was negligent in failing to protect his account from compromise through known risks, the South Florida Sun-Sentinel reports.
The case is thought to be the first time a customer has sued a bank over cybercrime losses in the US. It will test the balance of responsibilities between banks and their users over ensuring the security of online banking transactions.
Lopez runs a small printer ink and toner business in Miami. He regularly uses wire transfers both to send and receive money from business contacts in the US and Latin America.
But on 6 April he discovered an unauthorised wire transfer of $90,348 to the Parex Bank in Riga, Latvia. Around $20,000 was withdrawn before the account involved was frozen. The remaining $70,000 remains at Parex Bank. Lopez reported the unauthorised transfer to the police. The US Secret Service became involved in the investigation, which featured a forensic examination of PCs used by Lopez and his businesss, Ahlo Inc, that uncovered infection by a Trojan called Coreflood.
Coreflood is primarily designed to conduct Denial of Service (DoS) attacks, but the theory is that the backdoor access it enabled criminals to extract banking passwords and account details entered into Lopez's PC. This remains unproven.
Lopez's legal case is that Bank of America knew of the risk posed by the Coreflood Trojan but failed to inform customers. There's also the question of whether Bank of America was diligent in so easily allowing the transfer of a large sum to a known centre of cybercrime. Lopez alleges breach of contract, negligence and intentional misrepresentation by Bank of America in a suit aiming to recover his money, plus interest and legal fees. Bank of America has ruled out any breach of its e-banking systems. It denies any responsibility over its customer's losses.
Lopez has taken a second mortgage of his home to keep his business afloat. His attempt to recover his funds from Riga is caught in a tangle of legal and bureaucratic red tape. Lopez's lawyer, Ralph Patino, hopes the suit will attain class action status, allowing more fraud victims to sue their banks over cybercrime losses.
Lopez has stopped using wire transfers. ®
Trojan targets UK online bank accounts
UK banks launch anti-phishing website
SA police arrest man in Absa Net bank fraud case
Fraudsters recruit phishing middlemen
Phishing losses overestimated - survey