Heist once again highlights e-banking vulnerabilities

Commercial customers need to heed warnings from cyber thefts in Missouri, Maine

By Taylor Armerding, CSO
November 08, 2012 07:55 AM ET

CSO - The chief financial officer of a Missouri firm who discovered that cyber thieves had withdrawn $180,000 from the company's bank accounts overnight described it to security blogger Brian Krebs as "a helluva wake-up call."

But that loss might have been avoided if the company, Primary Systems, had paid better attention to the risks of electronic banking. The warnings, and examples, of cyberheists in the hundreds of thousands -- and even millions of dollars -- have been around for years.

Krebs reported this week that the company became a victim of "a single virus-laden email that an employee clicked on [that] let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers."

In this case, a payroll batch worth about $180,000 was drawn from Primary Systems' bank accounts, paid to "money mules" and eventually sent to recipients in Ukraine.

The transactions were irregular -- highly irregular. They took place on a Tuesday, while the company had always processed its payroll on Friday mornings. They called for payments of between $5,000 and $9,000 to 26 people in almost that many different states who had never had any prior connection to the firm and who were added to the Primary Systems payroll that day.

But, even though it was six times the normal payroll, the total came in below the $200,000 threshold that would have triggered a call from the bank to get permission for the payouts.
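
The irregularities listed above (an off-schedule day, payees added the same day, a total six times normal) can each be checked against a customer's own history, where the $200,000 static threshold alone saw nothing. The following is an added example, not code from the article, the bank or Krebs's report; the function names, the 2x ratio limit, the dates and the payee names are constructed assumptions.

```python
from datetime import date

CALLBACK_THRESHOLD = 200_000   # static limit the article says would trigger a bank call
FRIDAY = 4                     # date.weekday(): Monday is 0

def static_check(payments):
    """The control the article describes: hold only if the total reaches the threshold."""
    return sum(amount for _, amount in payments) >= CALLBACK_THRESHOLD

def behavioural_flags(batch_date, payments, known_payees, usual_total,
                      usual_weekday=FRIDAY, max_ratio=2.0):
    """Return reasons to hold a batch, judged against the customer's own history.
    max_ratio is an assumed tuning value, not a figure from the article."""
    total = sum(amount for _, amount in payments)
    flags = []
    if batch_date.weekday() != usual_weekday:
        flags.append("off-schedule: not the usual payroll day")
    new_payees = {payee for payee, _ in payments if payee not in known_payees}
    if new_payees:
        flags.append(f"{len(new_payees)} payee(s) with no payment history")
    if usual_total > 0 and total > max_ratio * usual_total:
        flags.append(f"total is {total / usual_total:.1f}x the usual batch")
    return flags

# Constructed sample data shaped like the article's figures.
KNOWN_PAYEES = {f"employee-{i}" for i in range(1, 11)}
USUAL_TOTAL = 30_000                       # $180,000 was six times normal
NORMAL_BATCH = [(p, 3_000) for p in sorted(KNOWN_PAYEES)]
FRAUD_BATCH = ([(f"new-payee-{i}", 5_000) for i in range(6)] +
               [(f"new-payee-{i}", 7_500) for i in range(6, 26)])  # 26 payees, $180,000

if __name__ == "__main__":
    tuesday, friday = date(2012, 6, 5), date(2012, 6, 8)   # constructed dates
    print("static check fires:", static_check(FRAUD_BATCH))
    for reason in behavioural_flags(tuesday, FRAUD_BATCH, KNOWN_PAYEES, USUAL_TOTAL):
        print("HOLD:", reason)
    print("normal batch flags:",
          behavioural_flags(friday, NORMAL_BATCH, KNOWN_PAYEES, USUAL_TOTAL))
```
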

None of this is new to electronic banking. One of the more prominent cases dates to May 2009 in Sanford, Maine, where Patco Construction, a small property developer and contractor, discovered that its banker, Ocean Bank (later acquired by People's United Bank), had authorized six fraudulent withdrawals totaling $588,851, even after the bank's security system had flagged each transaction as high-risk. The bank was able to block or recover $243,406 of that total.

That incident led to a lawsuit against the bank that is reportedly headed for a negotiated settlement at the prodding of a federal Appeals Court judge. But it illustrated the same risks as the theft from Primary Systems -- ones that all businesses conducting electronic banking should be aware of.

First, a business is not protected at the same level as an individual. Different laws govern each. A bank has to reimburse an individual customer for losses due to fraudulent transactions, as long as the fraud is reported promptly. For commercial customers, a bank must simply have a security system that is "commercially reasonable," and electronic transactions must be made in "good faith."

In virtually all cases, that means the customer is on the hook for losses. So it has more of a default obligation to provide its own security by monitoring its accounts.

Joram Borenstein, senior director of global product marketing at NICE Actimize, said there is anecdotal evidence that one response to this is that some small companies are "misleading their own financial institution" by registering accounts as consumer accounts instead of ones designed for small businesses.
