Friday, January 22, 2010

PlainsCapital vs Hillary Machinery

tx_plow_boy asked what I though about "my bank" after the revelations by Hillary Machinery. Hillary is alleging that negligence on the part of PlainsCapital led to the theft of over $800,000 from Hillary Machinery's account. $600,000 was recovered, but Hillary Machinery wants PlainsCapital to admit that they are responsible and pay up.

I've read Walt Nett's article,  "Company, bank blame each other," in the Avalanche-Journal. I've read what Hillary Machinery says in the news section on their website, and I've read the two stories about similar breaches they link to directly from their site. I'm going to take a closer look at the info we have on the Hillary Machinery breach and see what I can come up with. Most of the information I'm using will be straight from their website. As we look at this the circumstances of this theft, keep in mind that I am not a lawyer, and I have only the information I've read (and linked to for you) to go by.

Looking at the info provided by Hillary Machinery on their website, here is what we have. To shorten this a little, I'll take it point by point.

1. In November 2009 PlainsCapital became the target of cybercriminals. They used vulnerabilities in PlainsCapitals internet banking system and initiated fraudulent wire and automated clearinghouse transfers.

Since I can find no mention of similar data breaches at PlainsCapital, I would probably classify the bank as a victim. It appears that the target was actually Hillary Machinery. For the same reason, I would say that the bank was not where the vulnerabilities were exploited. The normal scenario when an institution gets breached is to grab as much information as possible, or in the case of banks, grab money in small amounts from as many accounts as possible. Grabbing a large amount of money from one account points to the exploited vulnerability being at Hillary Machinery.

2. Even though the transactions were not authorized by a representative of Hillary Machinery Inc and inconsistent with Hillary's the bank still allowed them to occur.

The "not authorized by a representative of Hillary Machinery" is a bit of a red herring. If the perp stole the needed information from Hillary Machinery, the bank woudln't know that it wasn't someone from Hillary until the transaction was set in motion, and even then maybe not until two or three had been made. At that point the bank should have contacted the company to make sure the transactions were legit.

3. To make matters worse, PlainsCapital Bank has yet to take responsibility for the stolen funds claiming that their Internet banking systems are "reasonably secure."

Face it. The bank can't admit any culpability. The second they admit any kind of fault they will be sued out of business. If this case ends the way these things usually do it will be settled out of court with PlainsCapital paying some undisclosed amount without admitting any fault.

I don't think the lions share of blame goes to PlainsCapital on this one. It looks like Hillary was breached, whether by a virus, a trojan, or social engineering. Any share of the blame that goes to PlainsCapital goes after Hillary recognizes their own part in this very expensive fiasco.

I hope that answers your question, tx_plow_boy.