Poughkeepsie, N.Y., slams bank for $378,000 online theft
TD Bank's failure to detect fraudulent money transfers 'unacceptable,' official says
Computerworld - The theft of $378,000 from the town of Poughkeepsie, N.Y., is prompting questions about the responsibility of banks to protect customer accounts from online criminals.
In a statement last week, a Poughkeepsie town official revealed that thieves had broken into the town's TD Bank NA account and transferred $378,000 to accounts in the Ukraine.
The thefts took place over a two-day period in mid-January during which a total of nine attempts were made to steal money. In the end, four of the attempts were successful, resulting in the lost money.
The thefts were discovered by town officials one day after they occurred. So far, TD Bank has managed to recover $95,000, with efforts still under way to recover the rest. The theft is being investigated by local police, the FBI and the U.S. Secret Service.
It was not clear how the thieves gained access to the town's bank account, and there was no immediate response from Town Supervisor Patricia Meyers to a Computerworld request for comment. But in other such cases, crooks typically break into commercial and retail bank accounts using stolen log-in credentials belonging to authorized users to transfer large sums of money to banks outside the U.S.
It's a trend that's been gaining steam in recent months. Late last month, Hillary Machinery Inc. in Plano, Texas, said its bank account was depleted by $800,000 after criminals broke into its account and transferred the money to accounts in Romania and Italy.
Last August, NACHA–the Electronic Payments Association warned its 11,000 members about cybercriminals using stolen credentials to take over corporate accounts and initiate unauthorized transfers of funds via electronic payment networks. A similar alert by the Financial Services Information Sharing and Analysis Center identified organized cybercriminals in Eastern Europe as being largely responsible for the thefts. And the FBI's Internet Crime Complaint Center noted that as of October 2009 cybercrooks had attempted to steal approximately $100 million from U.S. banks using stolen log-in credentials.
Such thefts have prompted new scrutiny and criticism about the controls banks have in place for detecting fraudulent transactions.
In a statement, Meyers blasted TD Bank for failing to spot the fraudulent activity. "We find it unacceptable that movement, or attempted movement, of money from a Town account to an account in Eastern Europe did not immediately raise a 'red flag' with the bank, was not questioned by anyone at the bank, but was simply processed," Meyers said.
"We are equally disappointed that in the three weeks since the thefts were detected, no representative from TD Bank has come to Town Hall to speak with us about the situation," she said.
A spokeswoman for TD Bank said the bank may have more information on the break-in after the FBI and the Secret Service complete their investigation. Until then, "it would be premature to speculate on exactly how the fraud occurred," the bank spokeswoman said.
"We also can't elaborate on the matter or the transfers themselves in respect to customer confidentiality. We have been in contact with the Town and are working to set up a meeting to discuss the matter," she said in an e-mailed statement.
Avivah Litan, an analyst at Gartner Inc., said such incidents highlight the continuing failure by banks to implement even rudimentary controls for detecting fraudulent money transfers and other types of fraud. "For banks, it's inexcusable not to have rules for money transfer. It's not rocket science to do a review of a transaction to a foreign account," Litan said.
Given the sharp increase in attacks against U.S. bank accounts from outside the country, financial institutions need to ensure that they have a process in place for vetting money transfer requests -- especially to foreign destinations, she said. "There are so many basic controls they can put in place first before they need to even think about putting up any fancy fraud detection measures," Litan said.
Banking customers also need to do what they can to protect their accounts. But the growing sophistication of online attacks makes it vital for banks also to work to fend off attacks, she said. "Even if customers are using the latest anti-malware tools, the crooks are getting through."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.