web application security lab

Banks, Businesses, Viruses and the UCC

There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?

There is a little-known code called the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers, you are to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers - but even if your business consists of just one person, you are still treated as a bank. As such, if your company has money wired out of its account, the bank isn’t to be held liable - or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well, that leads me to the worst part of this story.

The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they lose the case, it sets a precedent and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice, which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome for the bank than letting it get litigated. So yes, those poor companies are getting the run around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.

So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you - I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.

9 Responses to “Banks, Businesses, Viruses and the UCC”

  1. Angel One Says:

    The other takeaway is that if you’re a 1-person company, you should keep your business and personal accounts completely separate and the personal accounts have less liability.

  2. Wornstrom Says:

    What all does “wire transfers” cover? Do companies have any recourse short of catching the thief themselves?

    BTW: “If they loose the case” - typo.

  3. niku Says:

    How is it wrong? The person’s computer was infested with a Trojan. It is the ‘poor company’s’ fault, not the bank’s.

  4. Jawdy Says:

    Keeping an attempted level of NDA’ness as yourself - but some people I know tell me horror stories of UK banks and their practices in matters similar to this.
    Many have a pool of funds, I’ve heard numbers in the region of 20 million, allocated to fraud of customer accounts. Although I’m not sure if this counts for business accounts.

  5. RSnake Says:

    @Wornstrom - perhaps this will help: Thanks for the typo, fixed.

    @niku - It doesn’t matter whose fault it is, it’s the responsibility of the bank to insure against losses. Otherwise what is the point of a bank? I’ve been speaking with a banker for the last day or so about this. Maybe I’ll write up more thoughts about why you can’t treat consumers as if it’s their responsibility, regardless of fault. Either way that will be overturned in the future because the UCC makes no sense.

    @Jawdy - I don’t know anything about UK or EU laws in general, but I’d love to know more. Wire fraud is certainly a global problem.

  6. SAS Says:

    UCC is the highest law, i.e. maritime admiralty law under which courts keep their gold fringed flag, sitting on the bench controlling the flow of currency. Court will rule in favor of the UCC, because they are the debt collectors for the UCC. ;)

  7. LonerVamp Says:

    I wouldn’t mind if banks were at fault and gave me my money back after being hacked. I and a friend can do that all day long…”hacking” me, that is. It’ll be like money grows on trees! Hey, hey, it’s my turn, hack me and empty my account and I’ll complain to the bank and get it refunded! Of course, how is that different for companies than for individuals? That I don’t know…I guess one can be dissolved into the ether (corp) while the other persists (person), in theory?

    Seriously, though, unless we know all the details in each specific case, it is hard to begin to lay blame. Sure, the company may have been infected with a trojan. But should a trojan alone be able to circumvent shoddy protections on the bank’s side? That includes complacent customer support or poor “security” questions. Who picked them and who badly answered them? Who watched their statements or didn’t watch their statements? Can whatever protections you provide scale from a 2-man shop up to one with 500 accountants?

    To me, that is why this is so difficult. In the past, just like music/movie piracy, the efficiency in fraud was low enough to be relatively tolerable. With these digital times, fraud efficiency is incredibly high and can happen in minutes. And with zero physical presence.

  8. Axu Says:

    Just one point - what is the bank’s responsibility to mitigate fraud risks by implementing strong authentication, background checks and real-time monitoring, and building their web-based apps so well and securely that client-side malware can’t do frauds?

    Is it too expensive to build secure applications and then accept the risk of fraud?

  9. Steve Fox Says:

    Sounds exactly right. I’m now pentesting full time in support of bank auditors, and doing a bit of incident response. We’re seeing this all of the time–banks claiming that the customer was loose with their login credentials, and so it’s not the bank’s fault. The perfect storm is, with AV only catching ~25% of variants, together w/drive-by download attacks infecting users, many more PCs are infected than we realize. Zeus and other sophisticated bots have killed the effectiveness of any two-factor authentication on infected machines through man-in-the-middle capabilities.

    After speaking with all of my financial institutions about this, I have decided to buy a bigger mattress for my business accounts–none of them will accept responsibility for the integrity of my funds.