The insurance industry trade Web site insuranceheadlines.com recently republished a fascinating story from Bloomberg dated June 18, 2010. It's entitled "Banking's big dilemma: How to stop cyberheists via customer PCs." This story is a must-read for small- to medium-business operators and executives for all kinds of good reasons and data.
Let's start with some data, related to recent cyber-heists:
This particular paragraph from the Bloomberg story really caught our eyes, however:
This translates into something like: "If the bank can recover the funds easily on behalf of its customers, it will probably return them; but if it is unable to recover those funds, or recovery involves strenuous effort on their part, partial or no restitution is pretty much the norm." How can this be? Easy. Banks are not obligated to cover losses incurred by their customers from fraudulent funds transfers online, and as we've written here in numerous other blogs, banks are not currently on the hook for the kinds of stringent fraud detection and prevention technologies that could help eliminate a great dea of such fraud if implemented (see our blog FFIEC Rewrites Its Rules For Banks to Enhance Security, Prevent Fraud to read about possible upcoming changes that could clean up this act).
One important ingredient in future protection will be to lock down clients to prevent stealthy installation of drive-by downloads used to covertly place keyloggers and backdoor upload utilities on users' machines. This should stop remote harvesting of infected users' account and credential info, and uploads to cyberthieves waiting to put that information to illicit and often lucrative mis-use. The article also mentions "out-of-band" security protections where customers can institute mandatory phone calls from their banks to a designated recipient at a pre-arranged phone number to provide verbal confirmation of funds transfers before they are allowed to go through. Even if credentials get compromised a simple protocol like that will stop fraud cold.
Brian Krebs (the author of the Washington Post blog cited earlier in this post) sums up the situation as follows:
We couldn't have said it better ourselves. Read and heed, please!
Let's start with some data, related to recent cyber-heists:
- The municipality of Poughkeepsie, NY, fell afoul of four unauthorized funds transfers that totaled $378,000. These weren't uncovered until January, 2010, and their bank didn't make those losses good until March after "sometimes tense interaction" with city officials (see this Network World story for more info).
- Hilary Machinery of Plano, TX, lost $801,495 (45 transactions to 40 different payees, losses included $551,495 in outright unrecovered theft plus attorney fees and court costs for related litigation, see Bitpipe.com for more info).
- Patco Construction lost $588,000 and then sued their bank to recover as much from their losses as they could, alleging that the bank failed to exercise proper security over online account authentication and access (see our blog "The Real Bite in Company Suits..." for an overview and pointers to more coverage).
- Unique Industrial, in Sugar Land, TX, lost $1.2M in 30 minutes in April, 2009, when cyberthieves sent 39 wire transfers from that company's credit line to banks in Europe and elsewhere (see this article from the Houston Chronicle "Hackers can take a gigabyte of profits.")
- Ferma Corporation of Santa Maria, CA, lost $447,000 in mid-July , 2009, when they fired off a "large batch of transfers from Ferma's online bank account to 'money mules,'" according to Brian Krebs Security Fix blog for The Washington Post. Ferma was able to block at least $232,000 in bogus transfers, but that still left losses of $225,000 outstanding, and their bank held another $50,000 of funds that they recovered to attempt to force the business owner to sign a waiver of suit.
This particular paragraph from the Bloomberg story really caught our eyes, however:
Disputes over hijacked computers and fraudulent transfers are erupting into the public eye as businesses quarrel with their banks over who is at fault when a cyber-gang manages to make off with the money. The restoration of lost funds occurs on a case-by-case basis.
This translates into something like: "If the bank can recover the funds easily on behalf of its customers, it will probably return them; but if it is unable to recover those funds, or recovery involves strenuous effort on their part, partial or no restitution is pretty much the norm." How can this be? Easy. Banks are not obligated to cover losses incurred by their customers from fraudulent funds transfers online, and as we've written here in numerous other blogs, banks are not currently on the hook for the kinds of stringent fraud detection and prevention technologies that could help eliminate a great dea of such fraud if implemented (see our blog FFIEC Rewrites Its Rules For Banks to Enhance Security, Prevent Fraud to read about possible upcoming changes that could clean up this act).
One important ingredient in future protection will be to lock down clients to prevent stealthy installation of drive-by downloads used to covertly place keyloggers and backdoor upload utilities on users' machines. This should stop remote harvesting of infected users' account and credential info, and uploads to cyberthieves waiting to put that information to illicit and often lucrative mis-use. The article also mentions "out-of-band" security protections where customers can institute mandatory phone calls from their banks to a designated recipient at a pre-arranged phone number to provide verbal confirmation of funds transfers before they are allowed to go through. Even if credentials get compromised a simple protocol like that will stop fraud cold.
Brian Krebs (the author of the Washington Post blog cited earlier in this post) sums up the situation as follows:
My mantra on this continues to be that any commercial banking technology that does not begin with the premise that the customer's machine may be and probably is already compromised with malicious software doesn't stand a chance of defeating today's cyber crooks.
We couldn't have said it better ourselves. Read and heed, please!
