It started out as an ordinary workday for Michelle Marsico, who runs a business based in Redondo Breach, Calif., handling escrow funds for clients in real estate. But when she went online to check the funds-transfer activity in her commercial bank account, she found to her horror that it had been cleaned out by cybercrooks to the tune of almost half a million dollars.
Two dozen fraudulent electronic-funds transfers had whisked about $450,000 out of her account to bank accounts elsewhere for roughly 20 recipients whose names and addresses she didn't recognize. "I was in shock for a few minutes," says Marsico, president of Village View Escrow. "I thought, there must be a mistake."
It was all an online cyberheist against her and Professional Business Bank, where she had the Village View escrow account, and it turned her life upside down. The next shock was when she realized her bank, which called the FBI, wasn't going to be able to speedily recover the funds that had been sent to these 20 or so "money mules," the individuals recruited to help the organized cybercrime gang.
And since her bank wasn't going to quickly go after the money mules, Marsico decided to do it herself.
"I finally received a copy of the wire transfers, with the names and addresses of the recipients," she says. She frantically set out to find as many as she could through online searches.
Strangely, one of the recipients had actually called the company, angrily demanding that it "stop harassing him."
"They thought we were harassing him to send out the money after he had his bank call him about it. He thought the money legitimately came from us, and the criminals were trying to hurry him up," she says.
Some of the money mules that had been recruited to transfer stolen funds on to the crooks were indeed unaware they were part of a cybercrime, often having been recruited by means of fake job advertisements at online job sites like CareerBuilder.com. One older man in Hawaii thought the funds transfers were part of a textile-buying operation.
But "some did know what it was," says Marsico.
One man in New York that had received about $29,000 "was frank with me and said, 'I feel bad about it.' I said if you return the money, I'll let the Secret Service know that." She managed to get about a dozen of the recipients to cough up $72,000 of the stolen funds. But that left her out $373,000.
That left Marsico and her bank to square off over how this had happened, whether someone had broken into a Village View Escrow computer or something else. The focus of the dispute came to center around the nature of the authentication and funds-transfer validation process.
Village View Escrow ended up suing Professional Business Bank. Basically, the company contended that the authentication and funds-transfer authorization and validation process was insufficient, and the bank should be held responsible for the loss that Village View suffered.
Marsico does not represent herself as a security expert, but her painful experience has also been a learning experience. Basically, Professional Business Bank -- later acquired by Bank of Manhattan -- at the time claimed to use "two-factor authentication," says Marsico, but the process was only two people from the company who had to log in to release the wire transfer. "One of input, one to release," she says. "Only using a user name and password." The process was also supposed to entail the company getting an email or callback response, but "nothing was consistent. Sometimes it happened, sometimes it didn't."
She switched to another bank where token-based variable passwords are part of the security in online banking.
The lawsuit took two years to settle. Marsico was represented by Silicon Valley Law Group, whose lead attorney, Kim Dincel, had been a friend since she was 14. One filing from the suit almost mockingly recites the advertising Professional Business Bank used to attract clients:
"Now you can do all your banking from home or office! ProBizBank offers NetTeller -- advanced and secure financial online banking services that's available 24 hours a day 7 days a week. All you need is a computer, a ProBizBank account and your personalized user ID and password. It's simple, safe and so convenient, you'll wonder how you lived without it."
Law enforcement wasn't much help to Marsico.
"Every department I talked with, it was out of their jurisdiction. The Secret Service agent -- he was very kind -- but he said you need to do what it takes to survive." Marsico had to go get a loan to cover the stolen funds and the situation also put her in jeopardy of losing the license she needed to operate her business.
But after a two-year fight, Professional Business Bank, which had by that time become part of Bank of Manhattan, finally agreed to pay Village View Escrow $600,000 in late June. The settlement basically covered Marsico's losses, plus interest and expenses.
Julie Rogers, attorney at Silicon Valley Law Group, points out that businesses that end up in disputes with their banks over cybercrime-related theft actually find they have less legal protection than consumers. When in a dispute with their commercial customers, "banks typically deny liability," says Rogers, adding small to midsize businesses are often more on the defensive than larger corporations that may have more resources.
Not only that, business owners will find themselves under investigation as law-enforcement authorities or others question whether the business actually committed the fraud. And in these circumstances, the person being investigated may also have to pay for this investigation under the law. In Marsico's case, competitors in her business even took advantage of the situation by sending out fliers alluding to her plight, trying to impact her reputation, Rogers adds.
As to where all those stolen funds from the money mules were being transferred, Rogers says it appeared they were destined for the Middle East and Russia.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
Read more about wide area network in Network World's Wide Area Network section.