by Ann Harrison

Online bank: Lax security opened door for thieves

Feb 08, 2000

X.com says theft halted; customer disagrees.

A start-up Internet banking service has revealed that a flawed security policy that allowed customers to transfer funds without verifying bank account numbers resulted in close to $10,000 worth of illegal transfers.

But at least one person has charged that online thieves tried to transfer more than $50,000 from his bank account using a stolen account number.

Before revising its policy on Jan. 22, X.com Corp. in Palo Alto, Calif., allowed customers to transfer up to $2,500 from any U.S. bank account and then withdraw the money by entering only account and bank routing numbers on the X.com Web site.

According to company CEO William Harris, the would-be crooks, entering data from other people’s accounts, attempted six unauthorized fund transfers that were halted by X.com.

Imad Khalidi, CEO of Auto Europe LLC, a car rental agency in Portland, Maine, said he discovered on Jan. 14 that someone had used his account number to siphon $21,000 out of his company’s bank account to pay for Gucci merchandise.

Khalidi said thieves made four other attempts to transfer money from his account via X.com and Wilmington, Del.-based WingspanBank.com, including an attempted $23,000 transfer. The online grifters then posted Khalidi’s account numbers to an Internet forum.

“They are building Web sites without security, and they never asked for a voided check,” said Khalidi about X.com and WingspanBank.

WingspanBank.com didn’t immediately reply to Khalidi’s allegations. The company did issue a statement that asserted, “We are aware of the industry issues surrounding (the Automated Clearinghouse Network) transfers, we are committed to the highest level of security for our customers and are continually evaluating and enhancing our security systems as appropriate.”

According to Harris, X.com, a division of First Western National Bank, a small bank in La Jara, Colo., has changed its security policies to require customers to fax or mail a voided check, signature card and a copy of a driver’s license to verify bank account numbers for transfers of any value.

Harris said none of the attempted transfers involved the actual theft of money. He said X.com notified law enforcement officials and the Federal Deposit Insurance Corp. of one attempted incident and was in communication with one financial institution, which he declined to name. X.com didn’t comment on Khalidi’s charges.

“In this situation, X.com did a pretty good job of discovering what was going on and took steps to change the policy to respond to customer concerns swiftly,” said Rob Leathern, an analyst at New York-based research group Jupiter Communications Inc.

But Elias Levy, chief technology officer at San Mateo, Calif.-based security consulting firm SecurityFocus.com, said he was told by X.com that it was forced to change its procedures after receiving calls from fraud departments at other banks. “It’s incredible how appalling their lack of security was. The potential for damage is enormous,” said Levy.