The unabated plundering of online bank accounts belonging to small and midsize businesses is raising significant questions about the authentication and fraud-detection mechanisms now used by financial institutions.
Such cyberthefts have led multiple businesses to file lawsuits against their banks and prompted government regulators to call on financial institutions to improve their security systems.
The FDIC recently disclosed that during the fourth quarter of 2009 alone, cyberthieves stole more than $150 million from small and midsize business accounts.
In most of those cases, the FDIC said, the thieves first obtained a business's valid online-banking log-in credentials by illegal means, then used those credentials to move money out of the accounts to overseas bank accounts via wire transfers.
Banks, by and large, have contended that the thefts occurred because the victims failed to adequately protect their banking credentials.
Because banks are not required to reimburse commercial account holders for losses from such thefts (the consumer protections that cover personal accounts do not extend to business accounts), the impact on the banks themselves has been mostly reputational.
On the other hand, the thefts have led to tens and even hundreds of thousands of dollars in losses for numerous small businesses, which now have little hope of recovering the money. Some have filed lawsuits against banks, charging that they failed to detect and stop transactions that were patently fraudulent.
Earlier this month, for example, Hillary Machinery Inc. filed a lawsuit against its bank, PlainsCapital, after online crooks used stolen credentials to transfer more than $800,000 from its account last year.
The bank later recovered about $600,000 of the stolen funds but has so far refused to compensate the Plano, Texas-based manufacturing firm for the remainder.
In its lawsuit, Hillary charged that PlainsCapital did not stop wire transfers that went to foreign bank accounts and were for dollar amounts completely out of the norm for Hillary. The company claimed that it had a reasonable expectation that its money would be properly protected by the bank. It also argued that a small business cannot be expected to hold significant expertise in data security.
In a similar case, a Sterling Heights, Mich.-based manufacturing firm is suing its bank after online thieves stole some $560,000 from the company's online bank account via a series of unauthorized wire transfers last year. The lawsuit that Experi-Metal Inc. filed late last year blamed the theft on Comerica Bank's alleged failure to heed signs that should have alerted it to the fraudulent activity.
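The two lawsuits above turn on the same claim: the transfers were to destinations the customer had never paid, for amounts far outside its history, and came in a rapid series. The following is an added illustration of what a simple customer-baseline screen of that kind looks like; it is not code from any bank, court filing or the article, the transaction records are constructed, and the thresholds (5x the customer's median wire, three wires in an hour) are assumptions chosen for the example:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Wire:
    when: datetime
    amount: float
    dest_country: str  # ISO 3166 alpha-2 code; "US" treated as domestic


# Constructed history for a hypothetical manufacturer: one domestic wire a
# week for 40 weeks, amounts cycling between $4,000 and $5,200.
HISTORY = [
    Wire(datetime(2009, 1, 5) + timedelta(days=7 * i), 4000 + 300 * (i % 5), "US")
    for i in range(40)
]

# Constructed burst of the kind described in the article: large wires to
# previously unseen foreign destinations, minutes apart.
SUSPECT = [
    Wire(datetime(2009, 11, 9, 9, 2), 95000, "UA"),
    Wire(datetime(2009, 11, 9, 9, 5), 88000, "RU"),
    Wire(datetime(2009, 11, 9, 9, 7), 91500, "LV"),
]


def baseline(history):
    """Per-customer profile: median wire amount and set of countries paid before."""
    return median(w.amount for w in history), {w.dest_country for w in history}


def screen(wire, history, recent, amount_factor=5.0,
           burst_window=timedelta(hours=1), burst_limit=2):
    """Return the list of reasons to hold this wire (empty list = release).

    `recent` holds wires already seen in this session/batch, so a rapid
    series is caught even when each individual wire looks plausible.
    Thresholds are illustrative assumptions, not a published standard.
    """
    reasons = []
    med, countries = baseline(history)
    if wire.dest_country not in countries:
        reasons.append(f"new destination country {wire.dest_country}")
    if wire.amount > amount_factor * med:
        reasons.append(f"amount {wire.amount:.0f} exceeds {amount_factor:g}x "
                       f"customer median {med:.0f}")
    in_window = [r for r in recent if wire.when - r.when <= burst_window]
    if len(in_window) >= burst_limit:
        reasons.append(f"{len(in_window) + 1} wires within {burst_window}")
    return reasons


def review_batch(batch, history):
    """Screen each wire in order; returns [(decision, reasons), ...]."""
    decisions, recent = [], []
    for w in batch:
        reasons = screen(w, history, recent)
        decisions.append(("HOLD" if reasons else "RELEASE", reasons))
        recent.append(w)
    return decisions


if __name__ == "__main__":
    for w, (decision, reasons) in zip(SUSPECT, review_batch(SUSPECT, HISTORY)):
        print(w.when, w.dest_country, w.amount, decision, "; ".join(reasons))
```

A rule this crude fires on all three constructed wires (new country and amount on every one, plus the burst on the third) while releasing a routine $4,500 domestic payment, which is roughly the argument the plaintiffs make. Production fraud engines add session and device signals, beneficiary-account history and peer-group comparisons, and route a hold to an out-of-band confirmation with the customer rather than silently blocking.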
Though it's unclear yet how courts are going to rule on such lawsuits, the attacks have prompted many questions about the authentication and fraud-detection mechanisms used by many banks.
As far back as 2005, the Federal Financial Institutions Examination Council issued guidance to banks on implementing stronger authentication for online transactions. Among other things, the "Authentication in an Internet Banking Environment" guidance called on banks to upgrade single-factor authentication -- typically a username and password -- by adding a stronger second factor by the end of 2006.
The unceasing attacks on small-business accounts show that many banks, especially small community banks, have still not deployed such controls, said Avivah Litan, a Gartner Inc. analyst.