The unabated plundering of online bank accounts belonging to small and midsize businesses is raising significant questions about the authentication and fraud-detection mechanisms now used by financial institutions.
Such cyberthefts have led multiple businesses to file lawsuits against their banks and prompted government regulators to call on financial institutions to improve their security systems.
The FDIC recently disclosed that during the final quarter of 2009 alone, cyberthieves stole more than $150 million from small and midsize business accounts.
In most of those cases, the FDIC said, thieves obtained a business’s valid banking log-in credentials by illegal means. The hackers used the stolen credentials to send money from the accounts to overseas bank accounts via wire transfers.
Banks have largely contended that the thefts occurred because the victims failed to adequately protect their banking credentials.
Since banks are not required to reimburse commercial accounts for losses resulting from such thefts, most of the impact on the banks themselves has so far been reputational.
On the other hand, the thefts have led to tens and even hundreds of thousands of dollars in losses for numerous small businesses, which now have little hope of recovering the money. Some have filed lawsuits against banks, charging that they failed to detect and stop transactions that were patently fraudulent.
Earlier this month, for example, Hillary Machinery Inc. filed a lawsuit against its bank, PlainsCapital, after online crooks used stolen credentials to transfer more than $800,000 from its account last year.
The bank later recovered about $600,000 of the stolen funds but has so far refused to compensate the Plano, Texas-based manufacturing firm for the remainder.
In its lawsuit, Hillary charged that PlainsCapital did not stop wire transfers that involved foreign bank accounts and dollar amounts completely out of the norm for Hillary. The company claimed that it had a reasonable expectation that its money would be properly protected by the bank. The company also argued that a small business cannot be expected to hold significant expertise on data security issues.
In a similar case, a Sterling Heights, Mich.-based manufacturing firm is suing its bank after online thieves stole some $560,000 from the company’s online bank account via a series of unauthorized wire transfers last year. The lawsuit that Experi-Metal Inc. filed late last year blamed the theft on Comerica Bank’s alleged failure to heed signs that should have alerted it to the fraudulent activity.
Though it’s unclear yet how courts are going to rule on such lawsuits, the attacks have prompted many questions about the authentication and fraud-detection mechanisms banks rely on.
As far back as 2005, the Federal Financial Institutions Examination Council issued guidelines to banks on implementing stronger authentication for online transactions. Among other things, the “Authentication in an Internet Banking Environment” report called on banks to upgrade current single-factor authentication processes — typically based on usernames and passwords — by adding a stronger, second form of authentication by the end of 2006.
The unceasing attacks on small-business accounts show that many banks, especially small community banks, have still not deployed such controls, said Avivah Litan, a Gartner Inc. analyst.
“The good news is there are plenty of effective fraud-detection and authentication solutions that can and are thwarting these attacks when employed by the banks,” she said. “The bad news is that many banks are not using these solutions and the bank regulators are not paying adequate attention to this.”
Regulators such as the FDIC and the federal Office of the Comptroller of the Currency have so far not enforced their own recommendations for strong authentication. “The bank examiners are really behind the eight ball on this,” Litan said.
Paul Smocer, vice president of security at BITS, an industry consortium representing the 100 largest financial institutions in the U.S., said there has been a “real uptick in sophistication” in cyberattacks targeting commercial accounts over the past six months or so.
Such attacks are seriously testing token-based authentication measures that have been used by banks for many years, Smocer said.
“Until fairly recently, token-based authentication was considered to be very strong,” he said. However, as banking malware becomes increasingly sophisticated, “token methodology is not as strong as it has been historically.”
Smocer said there is a rapidly increasing need for context-aware and out-of-band authentication tools as well as monitoring tools that are capable of detecting fraud by comparing current transaction patterns against historical behavior. “We are starting to see a lot of our members move in that direction,” he said.
BITS has started advising members on ways to identify accounts used by so-called money mules to transfer stolen money to overseas bank accounts. “By working with law enforcement, we are seeing patterns beginning to emerge with regard to the nature of the activity that mules often engage in,” Smocer said.
The attacks are pushing bodies such as the American Bankers Association to ask members to review internal security controls.
In a February alert, for example, the ABA asked banks to be on the alert for funds-transfer fraud involving small and medium-size businesses. The alert specifically cited “large-value” payments to previously unknown payees, unusual international payments and new accounts “with high-value, high-volume transactions [and] previously unfunded accounts with large-value incoming funds that are cashed out as soon as funds are cleared.”
The bankers association is “strongly recommending” that banks review existing controls, such as their anti-money-laundering tools, to determine whether features can be added to fulfill the recommendations, said Doug Johnson, senior policy adviser at the ABA. The ABA is also advising members to implement multiple layers of security for detecting fraud in much the same way that credit card companies have for years, he added.
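The behaviour-based monitoring Smocer describes and the red flags in the ABA alert can be turned into a small screening rule set. The following is an added illustration, not code from any bank, BITS or the ABA: each outbound wire is compared with the originating account's history (known payees, destination countries, typical amount), and a batch rule looks for the money-mule pattern of a new or previously unfunded account receiving large incoming funds and wiring most of them out within two days. Thresholds, account names and every transaction below are constructed; the two scenarios (the victim's outbound wires and a mule account at the same bank) are independent, since a bank only sees the legs that touch its own accounts.

```python
"""Rule-based screening of wire transfers against account history.
Added example: thresholds, accounts and transactions are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

LARGE_VALUE = 10_000.0               # constructed: what counts as "large-value"
AMOUNT_MULTIPLE = 5.0                # flag wires above 5x the account's median wire
MIN_HISTORY = 3                      # past wires needed before the median is trusted
NEW_ACCOUNT_DAYS = 30                # accounts younger than this are "new"
CASHOUT_WINDOW = timedelta(hours=48)  # "cashed out as soon as funds are cleared"
CASHOUT_FRACTION = 0.8               # share of incoming funds wired back out
HOME_COUNTRY = "US"


@dataclass(frozen=True)
class Wire:
    ts: datetime
    account: str        # the bank's own customer account
    direction: str      # "out": sent from account; "in": received by account
    amount: float
    counterparty: str   # the other side (in practice routing+account number)
    country: str        # counterparty's country


@dataclass
class Baseline:
    opened: datetime
    payees: set[str] = field(default_factory=set)
    countries: set[str] = field(default_factory=set)
    out_amounts: list[float] = field(default_factory=list)
    ever_funded: bool = False


def build_baselines(history: list[Wire], opened: dict[str, datetime]) -> dict[str, Baseline]:
    """Summarise each account's past wires into the profile the rules compare against."""
    baselines = {acct: Baseline(opened=ts) for acct, ts in opened.items()}
    for w in history:
        b = baselines.setdefault(w.account, Baseline(opened=w.ts))
        if w.direction == "out":
            b.payees.add(w.counterparty)
            b.countries.add(w.country)
            b.out_amounts.append(w.amount)
        else:
            b.ever_funded = True
    return baselines


def screen_outbound(b: Baseline, w: Wire) -> list[str]:
    """Per-wire rules from the ABA alert, applied to one outbound wire."""
    reasons = []
    if w.counterparty not in b.payees and w.amount >= LARGE_VALUE:
        reasons.append("large-value payment to previously unknown payee")
    if w.country != HOME_COUNTRY and w.country not in b.countries:
        reasons.append(f"unusual international payment to {w.country}")
    if len(b.out_amounts) >= MIN_HISTORY and w.amount > AMOUNT_MULTIPLE * median(b.out_amounts):
        reasons.append("amount out of norm for this account")
    return reasons


def mule_cashouts(baselines: dict[str, Baseline], batch: list[Wire]) -> dict[Wire, str]:
    """Batch rule: large incoming funds to a new or never-funded account that are
    mostly wired out again within CASHOUT_WINDOW. Flags the incoming and outgoing legs."""
    by_account: dict[str, list[Wire]] = defaultdict(list)
    for w in batch:
        by_account[w.account].append(w)
    flagged: dict[Wire, str] = {}
    for acct, wires in by_account.items():
        wires.sort(key=lambda x: x.ts)
        b = baselines.get(acct) or Baseline(opened=wires[0].ts)
        for i, w in enumerate(wires):
            if w.direction != "in" or w.amount < LARGE_VALUE:
                continue
            is_new = (w.ts - b.opened) < timedelta(days=NEW_ACCOUNT_DAYS)
            if not (is_new or not b.ever_funded):
                continue
            outs = [o for o in wires[i + 1:] if o.direction == "out" and o.ts - w.ts <= CASHOUT_WINDOW]
            if sum(o.amount for o in outs) >= CASHOUT_FRACTION * w.amount:
                why = f"new/unfunded account cashed out {w.amount:,.0f} within {CASHOUT_WINDOW.total_seconds() / 3600:.0f}h"
                flagged[w] = why
                for o in outs:
                    flagged[o] = why
    return flagged


def screen(history: list[Wire], opened: dict[str, datetime], batch: list[Wire]) -> dict[Wire, list[str]]:
    """Return every wire in `batch` that tripped at least one rule, with its reasons."""
    baselines = build_baselines(history, opened)
    alerts: dict[Wire, list[str]] = defaultdict(list)
    for w in batch:
        if w.direction == "out":
            alerts[w].extend(screen_outbound(baselines.get(w.account) or Baseline(opened=w.ts), w))
    for w, why in mule_cashouts(baselines, batch).items():
        alerts[w].append(why)
    return {w: r for w, r in alerts.items() if r}


# Constructed sample: a manufacturer with six months of routine domestic vendor
# payments, and a five-day-old account at the same bank with no history.
T = datetime(2010, 1, 25, 10, 0)
OPENED = {"HILL-OPS": datetime(2005, 3, 14), "MULE-17": datetime(2010, 1, 20)}
HISTORY = [
    Wire(datetime(2009, 7 + i, 15), "HILL-OPS", "out", amt, payee, "US")
    for i, (amt, payee) in enumerate([(4200.0, "VEND-A"), (6800.0, "VEND-B"), (5100.0, "VEND-A"),
                                      (7500.0, "VEND-B"), (4900.0, "VEND-A"), (6300.0, "VEND-B")])
]
BATCH = [
    Wire(T, "HILL-OPS", "out", 95_000.0, "BENEF-RO-4471", "RO"),                  # fraudulent leg
    Wire(T + timedelta(hours=1), "HILL-OPS", "out", 5_500.0, "VEND-A", "US"),     # routine payment
    Wire(T + timedelta(hours=2), "HILL-OPS", "out", 9_000.0, "VEND-C", "US"),     # new payee, below threshold
    Wire(T + timedelta(minutes=5), "MULE-17", "in", 95_000.0, "VICTIM-X", "US"),  # funds land on mule
    Wire(T + timedelta(hours=6), "MULE-17", "out", 46_000.0, "CASHOUT-1", "UA"),
    Wire(T + timedelta(hours=20), "MULE-17", "out", 45_000.0, "CASHOUT-2", "UA"),
]


def run_sample() -> dict[Wire, list[str]]:
    return screen(HISTORY, OPENED, BATCH)


if __name__ == "__main__":
    for wire, reasons in run_sample().items():
        print(f"{wire.ts:%Y-%m-%d %H:%M} {wire.account} {wire.direction:3} {wire.amount:>10,.0f} -> {'; '.join(reasons)}")
```

The $95,000 wire trips all three per-wire rules (unknown payee, a destination country the account has never paid, and an amount far above the account's median of $5,700), while the routine $5,500 vendor payment and the $9,000 payment to a new domestic payee pass. On the mule side the incoming funds and both outbound legs are tied together by the cash-out rule, which is the kind of pattern BITS says is emerging from law-enforcement data. In production the thresholds would be tuned per customer segment and the hits routed to out-of-band confirmation or a hold rather than acted on automatically.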
“Cybersecurity is always an arms race. It is incumbent upon financial institutions to be vigilant. If the exploits change, the defenses have to change with them,” said Johnson, who is the ABA’s representative on the Financial Services Sector Coordinating Council. “We are obviously very much concerned about the potential for these exploits to really damage the relationship between the customer and the bank, and we will do everything in our power” to alleviate the situation, he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, send e-mail to [email protected] or subscribe to Jaikumar’s RSS feed.