It's every technophobe's nightmare, but this time it's true. Some $50,000 was stolen from Fan Bao's online bank account by Croatian computer hackers, and the bank told him that the loss is not its problem.
Could it happen to you? Here's the back story to help fill in who is at risk.
Seven years ago, Fan Bao opened a checking account at Bank of America to facilitate his small import-export business called ZICO USA. When he needed to wire money, he or his wife, Cathy Huang, would walk a few blocks to Bank of America's Highland Park, Calif., branch and execute the transfer in person.
But two summers ago, a BofA branch official urged Bao to do his banking online, assuring him that it was every bit as safe as banking in person. Only wires sent from Zico's computer, accompanied by a downloaded security certificate, would be honored, he was told. Bao followed the bank's security instructions to the letter, and accepted the bank's assurances that his money was safe.
But last summer, two fraudulent drafts were sent through Bao's account--one for $50,000 and another for $99,100. Both drafts were going to a bank in Croatia that Bao had never done business with. In fact, Bao had never before sent a wire transfer to anyone outside of Hong Kong or China.
The bank recognized that the transfers were improbable, but didn't stop them. A bank official called Bao to report "unusual activity" on his account, but refused to tell him what it was because Huang was the company's only "authorized agent" and she was on a business trip in Hong Kong, according to court filings. When Huang was able to reach BofA later that day, the couple discovered that nearly $150,000 in unauthorized wires had been charged to their business.
Huang immediately denounced the charges as unauthorized and fraudulent. The bank was subsequently able to stop payment on the second draft for $99,100, but the other $50,000 already had been paid to the Croatian bank and the money had been withdrawn. When Bao asked for the money back, Bank of America told him the missing $50,000 wasn't their problem.
Why? Bao had agreed to the bank's "terms and conditions" when opening the business checking account, which said that the bank did not have to make any special effort to "detect errors" in wire transfer requests. Wire transfer rules only require the bank to follow standard security protocol, which includes encrypting accounts. In a five-page response that Nada Alnajafi, Bao's attorney, calls a "form letter," the bank cites wire transfer rules that say that for Bao to recover the fraud loss from the bank, he has to prove that it was the bank--not Bao--that had the security breach.
Bao has seen no other indication of hacking on his own computers, Alnajafi said. Aside from these two wires, neither this nor any of his other financial accounts have been hit. Nonetheless, the bank says in its letter that it suspects that, given the amount of "malware" in the online community, Zico's computer was infected with some type of "keylogging virus" that captured his user credentials. Thus, he's stuck. If Bao contends otherwise, it's incumbent on the small business owner to file suit against one of the nation's biggest banks to prove it.
He's done just that. Bao says in the suit, filed in Los Angeles Superior Court, that the fraud occurred only weeks before the bank was set to initiate tightened security procedures that included a "SafePass token." The bank informed him it was adding this level of security in late May, and Bao immediately signed up. But the bank didn't "activate" Bao's SafePass until July 13th. The fraud occurred on June 22.
Bao's suit indicates that he suspects that bank employees are in on the scam. He is alleging negligence and breach of good faith and fair dealing, among other things. He asks for his money back.
Bank spokeswoman Shirley Norton said the bank has not been served with the suit, so it cannot comment on the allegations. Citing client confidentiality, the bank also would not comment on any specific client matter. But Norton said that the bank takes safeguarding client information very seriously.
"BA Direct includes an advanced security mechanism with layered security controls for authenticating wire transfers," she said in an email. "Those controls include personal digital certificates, encryption, customized authorization and entitlement, separation of duties, automatic log-offs and password expiration."
"Our security procedure is consistent with those used by other major banks to authenticate wire transfers."
The only thing Norton said that could give some comfort on the "could it happen to you" front is that business accounts present more risk than personal accounts.
Business accounts are regulated by the commercial code. The commercial code puts the onus on the customer, not the bank, in some disputes. Personal online banking accounts (and debit card transactions) are covered by Regulation E, which implements the Electronic Fund Transfer Act.
My summary would be this: With a personal account, you're only liable for $50 in unauthorized charges, unless you fail to report the charges promptly. Your losses can be as high as $500 if you fail to report the fraud within two days of learning about it, and can be unlimited if you don't report the fraud within 60 days of getting a statement (unless you've been out of the country or in the hospital).
Before the suit was filed, Bank of America attorneys wrote a letter to Bao (provided to CBS MoneyWatch) that said: "Neither the Bank nor any other major wire transfer bank is or can be in the position of manually vetting each incoming payment order to make an independent assessment whether it appears to be 'normal' for a particular customer. Such a process would be commercially infeasible and would delay or halt billions of dollars of wire transfers each day and would constitute an unacceptable substitution of the bank's judgment for that of its customers."
Alnajafi skeptically replied that banks, of course, do just this with millions of credit card transactions each day.
"If you try to use your credit card out of state to buy a cup of coffee, they'll freeze your account," she said. But wiring $150,000 to Croatia, when you've never sent a dime there before? That's not going to set off any alarms.
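The kind of screen Alnajafi describes for card transactions translates directly to outbound wires. The following is an added example, not code from the article or from any bank: a rule-based check that scores each outgoing wire against the customer's own history (first wire to a country, new beneficiary, amount far outside the usual range, amount above a review limit) and holds it for out-of-band confirmation when the score is high. The account history, beneficiary names, thresholds and scoring weights are all constructed for illustration.

```python
"""Rule-based anomaly screen for outbound wire transfers (added example).

Every transfer, name and threshold here is constructed for illustration;
none of it comes from the article or from any real bank's controls.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Wire:
    when: date
    amount: float
    country: str      # ISO 3166 alpha-2 code of the beneficiary bank
    beneficiary: str  # beneficiary name as entered on the payment order


# Constructed history for a hypothetical importer whose wires always go to
# a handful of suppliers in Hong Kong and mainland China.
HISTORY = [
    Wire(date(2010, 1, 12), 8_200.00, "HK", "Kowloon Textiles Ltd"),
    Wire(date(2010, 2, 3), 11_500.00, "CN", "Shenzhen Goods Co"),
    Wire(date(2010, 3, 15), 9_750.00, "HK", "Kowloon Textiles Ltd"),
    Wire(date(2010, 4, 20), 12_300.00, "CN", "Guangzhou Trading Co"),
    Wire(date(2010, 5, 9), 10_100.00, "HK", "Kowloon Textiles Ltd"),
]


def screen_wire(history, candidate, z_threshold=3.0, hold_above=25_000.0,
                hold_score=3):
    """Score one outgoing wire against the customer's prior wires.

    Returns (decision, score, reasons). 'hold' means the wire is queued for
    confirmation through a channel other than the online session that
    submitted it; 'release' means it proceeds. Weights are illustrative.
    """
    reasons, score = [], 0

    # Rule 1: destination country the customer has never wired to before.
    if candidate.country not in {w.country for w in history}:
        reasons.append(f"first wire to country {candidate.country}")
        score += 2

    # Rule 2: beneficiary the customer has never paid before.
    if candidate.beneficiary not in {w.beneficiary for w in history}:
        reasons.append(f"new beneficiary {candidate.beneficiary!r}")
        score += 1

    # Rule 3: amount far outside the customer's own historical range
    # (z-score against the population mean/std dev of prior amounts).
    amounts = [w.amount for w in history]
    if len(amounts) >= 3 and pstdev(amounts) > 0:
        z = (candidate.amount - mean(amounts)) / pstdev(amounts)
        if z > z_threshold:
            reasons.append(
                f"amount is {z:.1f} standard deviations above the mean")
            score += 2

    # Rule 4: absolute review limit, regardless of history.
    if candidate.amount >= hold_above:
        reasons.append(f"amount at or above {hold_above:,.0f} review limit")
        score += 1

    decision = "hold" if score >= hold_score else "release"
    return decision, score, reasons


def screen_day(history, wires):
    """Screen a day's wires in order; released wires join the history so a
    second wire to the same new destination is judged against it too."""
    history, results = list(history), []
    for w in wires:
        decision, score, reasons = screen_wire(history, w)
        results.append((w, decision, score, reasons))
        if decision == "release":
            history.append(w)
    return results


if __name__ == "__main__":
    # Constructed test day: one routine wire and two to a never-used country.
    day = [
        Wire(date(2010, 6, 22), 10_800.00, "HK", "Kowloon Textiles Ltd"),
        Wire(date(2010, 6, 22), 50_000.00, "HR", "Example Beneficiary d.o.o."),
        Wire(date(2010, 6, 22), 99_100.00, "HR", "Example Beneficiary d.o.o."),
    ]
    for w, decision, score, reasons in screen_day(HISTORY, day):
        print(f"{w.amount:>10,.2f} {w.country} -> {decision} (score {score})")
        for r in reasons:
            print(f"    - {r}")
```

The point of the scoring is that no single rule fires on an ordinary customer: a routine wire to a known supplier scores zero, and a first payment to a new supplier in a familiar country scores one and is released. The two constructed Croatian wires trip every rule at once and are held, which is exactly the "never sent a dime there before" signal the attorney describes.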