21 October 2017
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com


How Banks Fail to Provide Effective Online Security

12 February 2010

A Texas bank is suing one of its customers, who was hit by an $800,000 online bank theft, in a case that could determine who is to be held responsible for protecting online accounts from fraud.

Computerworld reports that Romanian- and Italian-based criminal hackers launched numerous wire transfers out of the client’s bank account. The bank recovered $600,000 of the $800,000.

The victim wanted all its money back and sued the bank to be reimbursed for the $200,000. The bank in turn filed a lawsuit requesting certification that it had adequate security, security that was considered “commercially reasonable”. The bank doesn’t want anything more than to be absolved of the $200,000.

The bank states all transfers originated from unauthorized wire transfer orders that had been placed by someone using valid Internet banking credentials belonging to the victim. How the victim’s credentials fell into the wrong hands has not been disclosed. It seems it was the victim’s lax security, as opposed to the bank’s. There are numerous ways this can happen. What is evident is that there were wire transfers of various dollar amounts, ranging from $2500.00 to $100,000, made to different accounts, all overseas. The basis of the victim’s lawsuit is that the bank should have systems in place to detect such activity.

Small businesses and banks are losing money via attacks on their online banking accounts. It’s very simple: criminal hackers send employees who handle their company’s bank accounts an e-mail with a link to a malicious site or download. These malicious links then steal the usernames and passwords the employees use to log in to their online banking accounts. Done.

So, if my PC is compromised because I don’t have adequate security and $800,000 goes missing from my account, whose fault is it? At first glance some may say the victim’s, others may say the bank’s. The fact that there are so many ways passwords can be compromised and accounts can be taken over, and that banks know this, should motivate banks to have redundant security in place. Hacks like this undermine people’s confidence in the system.

Here is a similar story being played out. I’m a big believer in taking action and making sure my systems are secure. And, the bank has some responsibility here too. I, we the public, have limitations on what we can do to be secure. I bet anything the bank will tighten up regardless of what the outcome of the lawsuit is because they have to see there is a weakness in their system. If they don’t, they are stupid.

I’ve been trying to transfer money from one bank account to another. My bank has made it difficult to do so. Painful even. It’s a customer service and a security issue. Ultimately they provide an option to do so and it requires paperwork, online authentication, phone calls and text messages. It’s not a matter of logging in and transferring money by entering another account. Even with my own login details I’m having a hard time transferring money.

Check to see how easy or difficult your bank makes it. Because if it’s easy peasy, that could be an issue if your PC is hacked.
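The kind of detection the victim's lawsuit says the bank should have had can be sketched as a few rules over a customer's wire history, with any flagged wire held for the out-of-band confirmation described above. This is an added example, not code from the article or from any bank; the thresholds, field names and sample transfers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime as dt, timedelta

@dataclass(frozen=True)
class Wire:
    when: dt
    amount: float
    beneficiary: str  # destination account identifier
    country: str      # country code of the receiving bank

# Illustrative thresholds (assumptions; a real system tunes them per customer).
WINDOW = timedelta(hours=24)
MAX_NEW_PAYEES = 2        # first-time payees tolerated per window
VOLUME_MULTIPLIER = 3.0   # window total vs. largest historical daily total

def score_wires(history, pending, home="US"):
    """Return [(wire, reasons)]; non-empty reasons means hold for out-of-band confirmation."""
    known = {w.beneficiary for w in history}
    daily = {}
    for w in history:
        daily[w.when.date()] = daily.get(w.when.date(), 0.0) + w.amount
    baseline = max(daily.values(), default=0.0)
    results, seen = [], []
    for w in sorted(pending, key=lambda x: x.when):
        recent = [r for r in seen if w.when - r.when <= WINDOW] + [w]
        new_payees = {r.beneficiary for r in recent} - known
        reasons = []
        if w.beneficiary not in known and w.country != home:
            reasons.append("new overseas beneficiary")
        if len(new_payees) > MAX_NEW_PAYEES:
            reasons.append("burst of new beneficiaries")
        if sum(r.amount for r in recent) > VOLUME_MULTIPLIER * baseline:
            reasons.append("volume far above customer baseline")
        results.append((w, reasons))
        seen.append(w)  # held attempts still count toward velocity
    return results

# Constructed sample data (not the transfers from the case described above).
HISTORY = [Wire(dt(2010, 1, 4, 10, 0), 12000, "PAYROLL-1", "US"),
           Wire(dt(2010, 1, 4, 11, 0), 8000, "SUPPLIER-7", "US"),
           Wire(dt(2010, 1, 18, 10, 0), 12000, "PAYROLL-1", "US")]
PENDING = [Wire(dt(2010, 2, 1, 9, 0), 9000, "SUPPLIER-7", "US"),
           Wire(dt(2010, 2, 1, 9, 30), 2500, "ACCT-A", "RO"),
           Wire(dt(2010, 2, 1, 9, 40), 40000, "ACCT-B", "IT"),
           Wire(dt(2010, 2, 1, 9, 50), 100000, "ACCT-C", "RO")]

if __name__ == "__main__":
    for wire, reasons in score_wires(HISTORY, PENDING):
        print(wire.beneficiary, wire.amount, "HOLD" if reasons else "release", reasons)
```

The rules key on the payee and the customer's own baseline rather than on the login, which is why they still fire when the credentials presented are valid.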


Comments: (6)

Cedric Pariente - Racine Alpha - Paris | 14 February, 2010, 15:15

Very good article, thank you Roberto.

It raises once again the question of the users' best practices.

When you buy pretty much anything, most of the time you get a manual on how to use it.

Why isn't there a document like this concerning online banking and internet usage in general, that banks would give to their 'internet' users, so there's no discussion as to whose fault it is once the crime has been done?

If it does not exist, I'd be interested in contributing to such a document if you think it's a good idea.

And if it exists already, who is supposed to validate it so it's adopted by all the banks?

Paul Rattray - Private - Edinburgh | 15 February, 2010, 10:31

You have to feel sorry for the average online bank customer don't you?

They are being jostled down the route to go paperless and online for the sake of their own convenience. On the other hand, the average PC user has little or no idea if their computer is secure - they trust their anti-virus software to stop the nasties. "What's spyware?" they'll say, "What's malware?"

But, if the money disappears, it is the customer's fault for not being a chartered IT security expert - the minimum standard needed to be an online banking user. What, didn't you read the small print before you clicked "agree" when you signed up?

Roll on the day when there is a nice big expensive and painful (to the bank) court case to define where the walls lie in cyberspace!

 

Robert Siciliano - IDTheftSecurity.com - Boston | 15 February, 2010, 14:28

Thanks for the feedback.

Banks' decisions slanted towards minimum investments in security will always be the underlying reason fraud occurs. While there is a delicate balance between usability and security, the public can adapt to security.

 

Cedric Pariente - Racine Alpha - Paris | 15 February, 2010, 15:01

The route to educate consumers is a necessary step, but it's not the solution.

The solution will have to satisfy 3 parties.

Consumers: Lots and lots of people. Don't know anything about what we're talking about.

Banks: Finite number. Know a little bit about security, know a lot about the consumers.

Security Vendors: Finite number. Know a lot about security, know a little bit about the consumers.

Robert Siciliano - IDTheftSecurity.com - Boston | 15 February, 2010, 15:04

Touché, Cedric

Cedric Pariente - Racine Alpha - Paris | 15 February, 2010, 15:24

Unfortunately, even if I'm right, being a security vendor does not pay (that's why lots of them are giving up).

When a bank earns more by selling insurances than the 'cost of fraud', what do you want to sell them???

Even I, if I were a bank, would build my business model on selling insurances instead of trying to fight fraud. It pays more, is more scalable, is not obsolete as fast... The only bad thing is the image of the bank, but as everybody is doing the same... who cares?
