Michigan firm sues bank over theft of $560,000

12.02.2010

EMI said that between 2000 and 2008, Comerica had used digital certificates to authenticate users to its online banking system. During this time, the bank would send e-mails asking customers to click on a link and submit specific information in order to renew their digital certificates, EMI claimed in its suit.

The complaint also alleged that the token-based authentication system that replaced Comerica's digital certificates was not adequate to protect against the kind of attack that resulted in the theft.

"Comerica knew or should have known that the technology of the two-factor authentication procedure which it instituted in 2008 was known to be lacking in any reasonable fortification against 'man in the middle' phishing attacks," EMI said.

"[It was in] reality a downgrade as a security measure from the digital certificate technology that was previously used by Comerica," the company said.

The complaint also faulted Comerica for ignoring signs of fraudulent activity on EMI's account. The company said that it had initiated just two wire transfers in total before the unauthorized withdrawals began.