Sunday, April 25, 2010

Hackers Steal $50,000, be careful!

Some years ago, Fan Bao opened a checking account at Bank of America to facilitate his small import-export business called ZICO USA. When he needed to transfer money, he or his wife, Cathy Huang, would walk a few blocks to Bank of America’s Highland Park, Calif., branch and execute the wire in person.

But some time ago, a BofA branch official urged Bao to do his transfers online, assuring him that it was every bit as safe as banking in person. Only wires sent from Zico’s computer, accompanied by a downloaded security certificate, would be honored, he was told. Bao followed the bank’s security directions to the letter, and accepted the bank’s assurances that his money was safe.

But after one year, two fraudulent drafts were sent through Bao’s account–one for $50,000 and another for $99,100. Both drafts were going to a bank in Croatia that Bao had never done business with. In fact, Bao had never before sent a wire transfer to anyone outside of Hong Kong or China.

The bank recognized that the transfers were improbable, but didn’t stop them. A bank official called Bao to report “unusual activity” on his account, but refused to tell him what it was because Huang was the company’s only “authorized agent” and she was on a business trip in Hong Kong, according to court filings. When Huang was able to reach BofA later that day, the couple discovered that nearly $150,000 in unauthorized wires had been charged to their business.

Huang immediately denounced the charges as unauthorized and fraudulent. The bank was subsequently able to stop payment on the second draft for $99,100, but the other $50,000 already had been paid to the Croatian bank and the money had been withdrawn. When Bao asked for the money back, Bank of America told him the missing $50,000 wasn’t their problem.

Why? Bao had accepted the bank’s “terms and conditions” when opening the business checking account, which said that the bank did not have to make any special effort to “detect errors” in wire transfer requests. Wire transfer rules only require the bank to follow standard security protocol, which includes encrypting accounts. In a five-page response that Nada Alnajafi, Bao’s attorney, calls a “form letter,” the bank cites wire transfer rules that say that for Bao to recover the fraud loss from the bank, he has to prove that it was the bank–not Bao–that had the security breach.

Bao has seen no other indication of hacking on his own computers, Alnajafi said. Aside from these two wires, neither this nor any of his other financial accounts has been hit. Nonetheless, the bank says in its letter that it suspects that, given the amount of “malware” in the online community, Zico’s computer was infected with some type of “keylogging virus” that captured his user credentials. Thus, he’s stuck. If Bao contends otherwise, it’s incumbent on the small business owner to file suit against one of the nation’s biggest banks to prove it.

He’s done just that. Bao says in the suit, filed in Los Angeles Superior Court, that the fraud occurred only weeks before the bank was set to initiate tightened security procedures that included a “SafePass token.” The bank informed him they were adding this level of security in late May and Bao immediately signed up. But the bank didn’t “activate” Bao’s safe pass until July 13th. The fraud occurred on June 22.

Bao’s suit indicates that he suspects that bank employees are in on the scam. He is alleging negligence and breach of good faith and fair dealing, among other things. He asks for his money back.

Bank spokeswoman Shirley Norton said the bank has not been served with the suit, so it cannot comment on the allegations. Citing client confidentiality, the bank also would not comment on any specific client matter. But Norton said that the bank takes safeguarding client information very seriously.

“BA Direct includes an advanced security mechanism with layered security controls for authenticating wire transfers,” she said in an email. “Those controls include personal digital certificates, encryption, customized authorization and entitlement, separation of duties, automatic log-offs and password expiration.”

“Our security procedure is consistent with those used by other major banks to authenticate wire transfers.”

The only thing Norton said that could give some comfort on the “could it happen to you” front is that business accounts present more risk than personal accounts.
