Cyberattacks raise e-banking security fears
Government, business groups urge banks to upgrade security controls as attacks grow
Computerworld - The unabated plundering of online bank accounts belonging to small and midsize businesses is raising significant questions about the authentication and fraud-detection mechanisms now used by financial institutions.
Such cyberthefts have led multiple businesses to file lawsuits against their banks and prompted government regulators to call on financial institutions to improve their security systems.
The FDIC recently disclosed that during the final quarter of 2009 alone, cyberthieves stole more than $150 million from small and midsize business accounts.
In most of those cases, the FDIC said, thieves obtained a business's valid banking log-in credentials by illegal means. The hackers used the stolen credentials to send money from the accounts to overseas bank accounts via wire transfers.
Banks have, by and large, contended that the thefts occurred because the victims failed to adequately protect their banking credentials.
Since banks are not required to reimburse commercial accounts for losses resulting from such thefts, most of the impact has been on public relations.
On the other hand, the thefts have led to tens and even hundreds of thousands of dollars in losses for numerous small businesses, which now have little hope of recovering the money. Some have filed lawsuits against banks, charging that they failed to detect and stop transactions that were patently fraudulent.
Earlier this month, for example, Hillary Machinery Inc. filed a lawsuit against its bank, PlainsCapital, after online crooks used stolen credentials to transfer more than $800,000 from its account last year.
The bank later recovered about $600,000 of the stolen funds but has so far refused to compensate the Plano, Texas-based manufacturing firm for the remainder.
In its lawsuit, Hillary charged that PlainsCapital did not stop wire transfers that involved foreign bank accounts and dollar amounts completely out of the norm for Hillary. The company claimed that it had a reasonable expectation that its money would be properly protected by the bank. The company also argued that a small business cannot be expected to have significant expertise in data security issues.
In a similar case, a Sterling Heights, Mich.-based manufacturing firm is suing its bank after online thieves stole some $560,000 from the company's online bank account via a series of unauthorized wire transfers last year. The lawsuit that Experi-Metal Inc. filed late last year blamed the theft on Comerica Bank's alleged failure to heed signs that should have alerted it to the fraudulent activity.
Though it's still unclear how courts will rule on such lawsuits, the attacks have prompted many questions about the authentication and fraud-detection mechanisms used by many banks.
As far back as 2005, the Federal Financial Institutions Examination Council issued guidelines to banks on implementing stronger authentication for online transactions. Among other things, the "Authentication in an Internet Banking Environment" report called on banks to upgrade current single-factor authentication processes -- typically based on usernames and passwords -- by adding a stronger, second form of authentication by the end of 2006.
The unceasing attacks on small-business accounts show that many banks, especially small community banks, have still not deployed such controls, said Avivah Litan, a Gartner Inc. analyst.