The theft of $378,000 from the town of Poughkeepsie, N.Y., is prompting questions about the responsibility of banks to protect customer accounts from online criminals.
In a statement last week, a Poughkeepsie town official revealed that thieves had broken into the town's TD Bank NA account and transferred $378,000 to accounts in the Ukraine.
The thefts took place over a two-day period in mid-January during which a total of nine attempts were made to steal money. In the end, four of the attempts were successful, resulting in the lost money.
The thefts were discovered by town officials one day after they occurred. So far, TD Bank has managed to recover $95,000, with efforts still under way to try and recover the rest. The theft is being investigated by local police, the FBI and the U.S. Secret Service.
It was not clear how the thieves gained access to the town's bank account, and there was no immediate response from Town Supervisor Patricia Meyers to a Computerworld request for comment. But in other such cases, crooks typically break into commercial and retail bank accounts using stolen log-in credentials belonging to authorized users to transfer large sums of money to banks outside the U.S.
It's a trend that's been gaining steam in recent months. Late last month, Hillary Machinery Inc. in Plano, Texas, said its bank account was depleted by $800,000 after criminals broke into its account and transferred the money to accounts in Romania and Italy.
Last August, NACHA–the Electronic Payments Association warned its 11,000 members about cybercriminals using stolen credentials to take over corporate accounts and initiate unauthorized transfers of funds via electronic payment networks. A similar alert by the Financial Services Information Sharing and Analysis Center identified organized cybercriminals in Eastern Europe as being largely responsible for the thefts. And the FBI's Internet Crime Complaint Center noted that as of October 2009 cybercrooks had attempted to steal approximately $100 million from U.S. banks using stolen log-in credentials.
Such thefts have prompted new scrutiny and criticism about the controls banks have in place for detecting fraudulent transactions.
In a statement, Meyers blasted TD Bank for failing to spot the fraudulent activity. "We find it unacceptable that movement, or attempted movement, of money from a Town account to an account in Eastern Europe did not immediately raise a 'red flag' with the bank, was not questioned by anyone at the bank, but was simply processed," Meyers said.
"We are equally disappointed that in the three weeks since the thefts were detected, no representative from TD Bank has come to Town Hall to speak with us about the situation," she said.
A spokeswoman for TD Bank said the bank may have more information on the break-in after the FBI and the Secret Service complete their investigation. Until then, "it would be premature to speculate on exactly how the fraud occurred," the bank spokeswoman said.
"We also can't elaborate on the matter or the transfers themselves in respect to customer confidentiality. We have been in contact with the Town and are working to set up a meeting to discuss the matter," she said in an e-mailed statement.
Avivah Litan, an analyst at Gartner Inc, said such incidents highlight the continuing failure by banks to implement even rudimentary controls for detecting fraudulent money transfers and other types of fraud. "For banks, it's inexcusable not to have rules for money transfer. It's not rocket science to do a review of a transaction to a foreign account," Litan said.
Given the sharp increase in attacks against U.S. bank accounts from outside the country, financial institutions need to ensure that they have a process in place for vetting money transfer requests -- especially to foreign destinations, she said. "There are so many basic controls they can put in place first before they need to even think about putting up any fancy fraud detection measures," Litan said.
Banking customers also need to do what they can to protect their accounts. But the growing sophistication of online attacks makes it vital for banks also to work to fend off attacks, she said. "Even if customers are using the latest anti-malware tools, the crooks are getting through."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.