
How Banks Fail to Provide Effective Online Security

A Texas bank is suing one of its customers, who was hit by an $800,000 online bank theft, in a case that could determine who is to be held responsible for protecting online accounts from fraud.

Computerworld reports that criminal hackers based in Romania and Italy launched numerous wire transfers out of the client’s bank account. The bank recovered $600,000 of the $800,000.

The victim wanted all its money back and sued the bank to be reimbursed for the $200,000. The bank in turn filed a lawsuit requesting certification that it had adequate security that was considered “commercially reasonable”. The bank doesn’t want anything more than to be absolved of the $200,000.

The bank states that all transfers originated from unauthorized wire transfer orders placed by someone using valid Internet banking credentials belonging to the victim. How the victim’s credentials fell into the wrong hands has not been disclosed. It seems it was the victim’s lax security as opposed to the bank’s. There are numerous ways this can happen. What is evident is that there were wire transfers of various dollar amounts ranging from $2500.00 to $100,000 made to different accounts, all overseas. The basis of the victim’s lawsuit is that the bank should have systems in place to detect such activity.
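The kind of detection the victim's lawsuit argues for can be sketched as follows. This is an added example, not code from the article, the bank or the case; the rules, thresholds, field names and sample wires are assumptions constructed for illustration. Because the orders arrived with valid credentials, the check looks at the payments themselves rather than the login.

```python
from datetime import datetime, timedelta

# Constructed sample wires for one business account (not data from the case).
# Fields: id, timestamp, amount in USD, beneficiary account, beneficiary country.
WIRES = [
    ("w1", "2010-01-04 10:00", 18000, "US-SUPPLIER-01", "US"),
    ("w2", "2010-01-05 02:10", 2500, "RO-ACCT-A", "RO"),
    ("w3", "2010-01-05 02:25", 45000, "IT-ACCT-B", "IT"),
    ("w4", "2010-01-05 02:40", 100000, "RO-ACCT-C", "RO"),
    ("w5", "2010-01-05 09:00", 18000, "US-SUPPLIER-01", "US"),
]
KNOWN_PAYEES = {"US-SUPPLIER-01"}  # payees this account has paid before


def review_wires(wires, known_payees, home="US", window=timedelta(hours=24),
                 max_new_foreign=1, typical_max=20000):
    """Return {wire_id: [reasons]} for wires to hold for out-of-band approval.

    All thresholds are illustrative assumptions, not industry values.
    """
    held, recent_new_foreign = {}, []
    for wid, ts, amount, payee, country in sorted(wires, key=lambda w: w[1]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        reasons = []
        if payee not in known_payees and country != home:
            reasons.append("first payment to a foreign beneficiary")
            # Keep only first-time foreign wires still inside the rolling window.
            recent_new_foreign = [t for t in recent_new_foreign
                                  if when - t <= window]
            recent_new_foreign.append(when)
            if len(recent_new_foreign) > max_new_foreign:
                reasons.append("burst of new foreign beneficiaries")
        if amount > typical_max and payee not in known_payees:
            reasons.append("amount above the account's typical maximum")
        if reasons:
            held[wid] = reasons
    return held


if __name__ == "__main__":
    for wid, why in review_wires(WIRES, KNOWN_PAYEES).items():
        print(wid, "HOLD:", "; ".join(why))
```

A held wire would go to a confirmation step outside the online session, such as a call-back to a number on file, before release.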

Small businesses and banks are losing money via attacks on their online banking accounts. It’s very simple: criminal hackers send employees who handle their company’s bank accounts an e-mail with a link to a malicious site or download. These malicious links then steal the usernames and passwords the employees use to log in to their online banking accounts. Done.

So, if my PC is compromised because I don’t have adequate security and $800,000 goes missing from my account, whose fault is it? At first glance some may say the victim’s, others may say the bank’s. The fact that there are so many ways passwords can be compromised and accounts can be taken over, and that banks know this, should motivate banks to have redundant security in place. Hacks like this undermine people’s confidence in the system.

Here is a similar story being played out. I’m a big believer in taking action and making sure my systems are secure. And, the bank has some responsibility here too. I, we the public, have limitations on what we can do to be secure. I bet anything the bank will tighten up regardless of what the outcome of the lawsuit is because they have to see there is a weakness in their system. If they don’t, they are stupid.

I’ve been trying to transfer money from one bank account to another. My bank has made it difficult to do so. Painful even. It’s a customer service and a security issue. Ultimately they provide an option to do so and it requires paperwork, online authentication, phone calls and text messages. It’s not a matter of logging in and transferring money by entering another account. Even with my own login details I’m having a hard time transferring money.

Check to see how easy or difficult your bank makes it. Because if it’s easy peasy, that could be an issue if your PC is hacked.


Comments: (6)

Cedric Pariente - EFFI Consultants - Paris 14 February, 2010, 15:15

Very good article thank you Roberto.

It raises once again the question of the users' best practices.

When you buy pretty much anything, most of the time you get a manual on how to use it.

Why isn't there a document like this concerning online banking and internet usage in general, that banks would give to their 'internet' users, so there's no discussion as to whose fault it is once the crime has been done?

If it does not exist, I'd be interested in contributing to such a document if you think it's a good idea.

And if it exists already, who is supposed to validate it so it's adopted by all the banks?

A Finextra member 15 February, 2010, 10:31

You have to feel sorry for the average online bank customer don't you?

They are being jostled down the route to go paperless and online for the sake of their own convenience. On the other hand, the average PC user has little or no idea if their computer is secure - they trust their anti-virus software to stop the nasties. "What's spyware?" they'll say, "What's malware?"

But, if the money disappears, it is the customer's fault for not being a chartered IT security expert - the minimum standard needed to be an online banking user. What, didn't you read the small print before you clicked "agree" when you signed up?

Roll on the day when there is a nice big expensive and painful (to the bank) court case to define where the walls lie in cyberspace!

Robert Siciliano - Safr.me - Boston 15 February, 2010, 14:28

Thanks for the feedback.

Banks' decisions slanted towards minimum investments in security will always be the underlying reason fraud occurs. While there is a delicate balance between usability and security, the public can adapt to security.

Cedric Pariente - EFFI Consultants - Paris 15 February, 2010, 15:01

The route to educate consumers is a necessary step, but it's not the solution.

The solution will have to satisfy 3 parties.

Consumers: Lots and lots of people. Don't know anything about what we're talking about.

Banks: Finite number. Know a little bit about security, know a lot about the consumers.

Security Vendors: Finite number. Know a lot about security, know a little bit about the consumers.

Robert Siciliano - Safr.me - Boston 15 February, 2010, 15:04

Touche Cedric

Cedric Pariente - EFFI Consultants - Paris 15 February, 2010, 15:24

Unfortunately, even if I'm right, being a security vendor does not pay (that's why lots of them are giving up).

When a bank earns more by selling insurances than the 'cost of fraud', what do you want to sell them???

Even I, if I were a bank, I would build my business model on selling insurances instead of trying to fight fraud. It pays more, is more scalable, is not obsolete as fast... The only bad thing is the image of the bank, but as everybody is doing the same... who cares?