Experi-Metal Inc. (EMI) of Sterling Heights, MI, is suing Comerica Bank to recover $550,000 that was stolen from the company’s online banking account. EMI alleges that Dallas-based Comerica exposed its customers to phishing attacks by sending emails asking them to click on a link to update the bank’s security software. EMI says that even though the bank had two-factor authentication using One Time Password (OTP) devices for its online banking portal, the scam was able to circumvent these measures.
EMI complains that the bank’s historical practice of emailing corporate customers and asking them to update security tools (in this case, digital certificates) effectively “trained” customers to fall for phishing scams. In 2008 Comerica switched from digital certificates to One Time Password devices for authenticating customers. OTPs offer a lower level of security than digital certificates, since a one-time code that is phished can be relayed to the real site by a man-in-the-middle attacker and replayed within its short validity window.
In early 2009 an EMI employee opened a fake email purporting to be from Comerica Bank, instructing the recipient to click on a link and update their security software. The employee did so and was taken to a phishing site, which requested the username, password and the One Time Password number from the token. The employee entered this information, and the phishers used it to log into the actual account immediately and begin making funds transfers. Over a period of a few hours, 47 wire transfers totalling $550,000 were made from EMI’s account to the bank accounts of criminals in other countries and in the US.
