Cyberattacks raise e-banking security fears

Government, business groups urge banks to upgrade security controls as attacks grow

The unabated plundering of online bank accounts belonging to small and mid-size businesses is raising significant questions about the authentication and fraud detection mechanisms now used in financial institutions.

Such cyberthefts have led multiple businesses to file lawsuits against their banks, and prompted government regulators to call on financial institutions to improve security systems.

The FDIC recently disclosed that during the final 2009 quarter alone, cyberthieves stole more than $150 million from small and mid-size business accounts.

In most of those cases, the FDIC said, thieves obtained a business's valid banking login credentials by illegal means. The hackers used the stolen credentials to send money from the accounts to overseas bank accounts via wire transfers.

Banks, by and large, have contended that the thefts occurred because the victims failed to adequately protect their banking credentials.

Since banks are not required to reimburse commercial accounts for losses resulting from such thefts, most of the impact on them has come from a public relations standpoint.

On the other hand, the thefts have led to tens and even hundreds of thousands of dollars in losses for numerous small businesses, which now have little hope of recovering the money. Some have filed lawsuits against banks charging that they failed to detect and stop transactions that were patently fraudulent.

Earlier this month, for example, Hillary Machinery Inc. filed a lawsuit against its bank, PlainsCapital, after online crooks used stolen credentials to transfer more than $800,000 from its account last year.

The bank later recovered about $600,000 of the stolen funds, but has so far refused to compensate the Plano, Texas-based manufacturing firm for the remaining amount.

In its lawsuit, Hillary charged that PlainsCapital did not stop wire transfers that involved foreign bank accounts and dollar amounts completely out of the norm for Hillary. The company claimed that it had a reasonable expectation that its money would be properly protected by the bank. The company also argued that a small business cannot be expected to hold significant expertise on data security issues.

In a similar case, a Sterling Heights, Mich.-based manufacturing firm is suing its bank after online crooks stole some $560,000 from the company's online bank account via a series of unauthorized wire transfers last year. The lawsuit that Experi-Metal Inc. filed late last year blamed the loss on Comerica Bank's alleged failure to heed signs that should have alerted it to the fraudulent activity.

Though it's unclear yet how courts are going to rule on such lawsuits, the attacks have prompted many questions about the authentication and fraud detection mechanisms used by many banks.

As far back as 2005, the Federal Financial Institutions Examination Council issued guidelines to banks on implementing stronger authentication for online transactions. Among other things, the Authentication in an Internet Banking Environment report called on banks to upgrade current single-factor authentication processes -- typically based on user names and passwords -- by adding a stronger, second form of authentication by the end of 2006.

The unceasing attacks on small business accounts show that many banks, especially small community banks, have still not deployed such controls, said Avivah Litan, a Gartner Inc. analyst.

"The good news is there are plenty of effective fraud detection and authentication solutions that can and are thwarting these attacks when employed by the banks," she said. "The bad news is that many banks are not using these solutions and the bank regulators are not paying adequate attention to this."

Regulators such as the FDIC and the federal Office of the Comptroller of the Currency have so far not enforced their own recommendations for strong authentication. "The bank examiners are really behind the 8-ball on this," Litan said.

Paul Smocer, vice president of security at BITS, an industry consortium representing the 100 largest financial institutions in the U.S., said there's been a "real uptick in sophistication" in cyberattacks targeting commercial accounts over the past six months or so.

Such attacks are seriously testing token-based authentication measures used by banks for many years, Smocer said.

"Until fairly recently, token-based authentication was considered to be very strong," he said. However, as banking malware gets increasingly sophisticated, "token methodology is not as strong as it has been historically."

Smocer said there is a rapidly increasing need for context-aware and out-of-band authentication tools as well as monitoring tools that are capable of detecting fraud by comparing current transaction patterns against historical behavior. "We are starting to see a lot of our members move in that direction," he said.

BITS has started advising members on ways to identify accounts that so-called "money mules" have used to transfer stolen money to overseas bank accounts. "By working with law enforcement we are seeing patterns beginning to emerge with regard to the nature of the activity that mules often engage in," Smocer said.

The attacks are pushing bodies such as the American Bankers Association to ask members to review internal security controls.

In a February alert, for example, the ABA asked banks to be on the alert for funds-transfer fraud involving small and medium-sized businesses. The alert specifically cited "large-value" payments to previously unknown payees, unusual international payments and new accounts "with high-value, high-volume transactions [and] previously unfunded accounts with large-value incoming funds that are cashed out as soon as funds are cleared."

The bankers association is "strongly recommending" that banks review existing controls, such as their anti-money laundering tools, to determine whether features can be added to fulfill the recommendations, said Doug Johnson, senior policy advisor at the ABA. The ABA is also advising members to implement multiple layers of security for detecting fraud in much the same way that credit card companies have been doing for years, he added.

"Cybersecurity is always an arms race. It is incumbent upon financial institutions to be vigilant. If the exploits change the defenses have to change with them," said Johnson, who is the ABA's representative on the Financial Services Sector Coordinating Council. "We are obviously very much concerned about the potential for these exploits to really damage the relationship between the customer and the bank and we will do everything in our power" to alleviate the situation, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, send e-mail to or subscribe to Jaikumar's RSS feed.


Copyright © 2010 IDG Communications, Inc.
