Losses from falsified online banking transactions in the US tripled in the third quarter, and it seems that the banks have no way to stop them, reports Joseph Menn for the FT. At $120m, this is only about 17% of the total cost of identity fraud and bad checks / cheques, which amounts to a total of $700m, but it is significant enough that you would believe banks would be working hard to stop the problem. The issue for businesses, it seems, is that many banks are not feeling much of the $120m cost, so the losses remain with the business account holders. Compensation is something the banks are avoiding, unlike with losses from fraudulent use of a credit card. While they continue to do so, the direct financial cost to banks may mean that they put the problem off until later.
It seems that a "trojan" named Zeus is being sold by hackers to criminal organizations that want to use it to empty business bank accounts. Zeus makes it easy for the criminals to record online banking passwords, which are then used to transfer funds from the account through the standard, legitimate online banking system. The FT story claims that new versions of the trojan also allow criminals to bypass some of the additional physical security that banks are employing, such as tokens with rotating passkeys and SMS confirmation messages. If this really is the case, it is a worrying development, although I can't technically understand how the hack could do that unless these security systems are incredibly poorly implemented.
If the additional security measures that banks employ are being bypassed by hackers, it seems that banks may eventually have to act. If the losses start to approach those of other fraudulent transactions, and banks continue to push responsibility to the customers, the large base of small and mid-sized businesses may just mutiny, finding a way to protect their money without feeding the coffers of the worst-offending banks. How long will it be before we see a league table of banks and percentage of losses due to fraudulent transactions? At least with this type of information, companies could pick the most reliable bank, reducing their risk.
When banks finally decide to act, and they find that they are unable to secure online accounts and transactions through a web browser, some may just decide that it is time to develop full, installable, self-validating applications as the only access mechanism to online banking facilities. If "there is an app for that", the flexibility of accessing accounts from anywhere is lost, but it may be the only way security can be maintained.