Cyberattacks raise e-banking security fears
Government, business groups urge banks to upgrade security controls as attacks grow
Computerworld - The unabated plundering of online bank accounts belonging to small and midsize businesses is raising significant questions about the authentication and fraud-detection mechanisms now used by financial institutions.
Such cyberthefts have led multiple businesses to file lawsuits against their banks and prompted government regulators to call on financial institutions to improve their security systems.
The FDIC recently disclosed that during the final 2009 quarter alone, cyberthieves stole more than $150 million from small and midsize business accounts.
In most of those cases, the FDIC said, thieves obtained a business's valid banking log-in credentials by illegal means. The hackers used the stolen credentials to send money from the accounts to overseas bank accounts via wire transfers.
Banks, by and large, have mostly contended that the thefts occurred because the victims failed to adequately protect their banking credentials.
Since banks are not required to reimburse commercial accounts for losses resulting from such thefts, most of the impact has been on public relations.
On the other hand, the thefts have led to tens and even hundreds of thousands of dollars in losses for numerous small businesses, which now have little hope of recovering the money. Some have filed lawsuits against banks, charging that they failed to detect and stop transactions that were patently fraudulent.
Earlier this month, for example, Hillary Machinery Inc. filed a lawsuit against its bank, PlainsCapital, after online crooks used stolen credentials to transfer more than $800,000 from its account last year.
The bank later recovered about $600,000 of the stolen funds but has so far refused to compensate the Plano, Texas-based manufacturing firm for the remainder.
In its lawsuit, Hillary charged that PlainsCapital did not stop wire transfers that involved foreign bank accounts and dollar amounts completely out of norm for Hillary. The company claimed that it had a reasonable expectation that its money would be properly protected by the bank. The company also argued that a small business cannot be expected to hold significant expertise on data security issues.
In a similar case, a Sterling Heights, Mich.-based manufacturing firm is suing its bank after online thieves stole some $560,000 from the company's online bank account via a series of unauthorized wire transfers last year. The lawsuit that Experi-Metal Inc. filed late last year blamed the theft on Comerica Bank's alleged failure to heed signs that should have alerted it to the fraudulent activity.
Though it's unclear yet how courts are going to rule on such lawsuits, the attacks have prompted many questions about the authentication and fraud-detection mechanisms used by many banks.
As far back as 2005, the Federal Financial Institutions Examination Council issued guidelines to banks on implementing stronger authentication for online transactions. Among other things, the "Authentication in an Internet Banking Environment" report called on banks to upgrade current single-factor authentication processes -- typically based on usernames and passwords -- by adding a stronger, second form of authentication by the end of 2006.
The unceasing attacks on small-business accounts show that many banks, especially small community banks, have still not deployed such controls, said Avivah Litan, a Gartner Inc. analyst.
- University of North Florida breach exposes data on 107,000 individuals
- Zeus Trojan bust reveals sophisticated 'money mules' operation in U.S.
- GAO slams White House for failing to lead on cybersecurity
- Man charged with attack on Web site of Fox News' Bill O'Reilly
- Heartland breach expenses pegged at $140M -- so far
- IT contractor gets five years for $2M credit union theft
- Democracy would suffer if Google left China, says MIT panel
- Gonzalez accomplice gets five years for hacking TJX
- Threat of cyberattacks from overseas high, federal IT execs say
- Botnets 'the Swiss Army knife of attack tools'
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts