
Wanted: Defense Against Online Bank Fraud


Erik Sine


Wanted: Defense Against Online Bank Fraud

By RIVA RICHMOND

Wall Street Journal | Small Business

Cybercriminals have found a rich, new hunting ground: small businesses' bank accounts.

Just ask Sign Designs Inc., an electric-sign maker in Modesto, Calif. The first sign of trouble was a morning phone call from Bank of Stockton, Sign Designs' community bank. It had just fielded a call from Chase Bank, whose anti-fraud team was questioning the legitimacy of a $9,670 electronic payment to a Chase customer in Michigan. Sign Designs confirmed it hadn't set up the payment, and the banks halted the transaction.

Checking its account online, Sign Designs quickly discovered the problem was much bigger: Almost $100,000 had been sent to 17 mystery people, all added as payees the previous day. Although Bank of Stockton immediately notified all the banks that had received funds, some $48,000 had already been picked up by "money mules," people recruited to shuttle money for online-crime groups, typically in Eastern Europe.

Bank of Stockton says it isn't responsible for the losses because its systems were never breached. Hackers had planted a malicious program on the computer of Sign Designs' controller and used it to steal his online-banking credentials. The California bank also says Sign Designs failed to take advantage of security measures that might have averted losses, such as requiring two staff members to sign off on every payment.

Sign Designs President David Johnston argues that Bank of Stockton should cover the losses because it didn't flag the highly unusual account activity nor did it bar two computers—the controller's and hacker's—from accessing the account with the same credentials at the same time. "I don't think they should offer a service that is not safe," Mr. Johnston says. "Do you expect I'm going to solve this? I'm going to take on these Russian thieves? Clearly I'm not going to [be able to] do it."

Sign Designs is among a growing number of small businesses whose bank accounts have been drained in increasingly sophisticated hacker attacks over the past two years. Losses have climbed into the hundreds of millions of dollars in the past year or so as more organized-crime groups, emboldened by the success of fellow criminals, move online, says Shawn Henry, assistant director of the Cyber Division at the Federal Bureau of Investigation, which issued a public warning about the problem in November.

Small businesses are proving a rich target for hackers because they—and the smaller regional banks they often use—tend to have fewer technical and financial resources to stop attacks. And unlike consumers, they lack legal protections from identity fraud, so they typically are forced to absorb the losses.

"Small businesses are really in a bind," says Avivah Litan, an analyst at Gartner Inc. "They need to protect themselves."

Experts offer the following suggestions for small businesses seeking to ward off an attack:

Defend Computers

Hackers often take aim at small firms' computers because they are easier to infiltrate than banks' systems. One common mode of attack is to send a "spear phishing" email containing an infected file or a link to a malicious Web site to employees with access to the firm's financial accounts. Once the employee opens the attachment or goes to the Web site, malware is installed on the computer that allows criminals to access banking logins and passwords. While up-to-date antivirus software offers substantial protection against malware, it isn't 100% effective.

Accessing your bank account through a computer that isn't used for anything else—no email or Web surfing—and isn't connected to the local network offers strong protection, says William Nelson, president of the Financial Services Information Sharing and Analysis Center, an industry group that collects and shares threat data.

Another option is to use an obscure computer operating system such as Ubuntu or Web browser such as Opera because attackers rarely create malware for them, security experts say.

If you use Microsoft Corp.'s Internet Explorer browser, make sure you have the latest version, IE 8, which includes security features to help prevent attacks. Consider using Explorer in "protected mode," which restricts files that try to install on a computer without the user's consent, and set your "Internet zone security" to "high," which disables some of Explorer's less-secure features, according to Microsoft.

Protect Accounts

Ask your bank to set up "dual controls" on your account so that each transaction requires the approval of two people—a good guard against fraud, security experts say. Establish a daily limit on how much money can be transferred out of your account, and require that all transfers be prescheduled by phone or confirmed via phone call or text message. If possible, impose restrictions on adding new payees, security experts say.

Check bank balances and scheduled payments at the end of every workday, rather than the beginning, and immediately contact your bank if anything is amiss. Banks use the Automated Clearing House system to transfer funds to payees' banks. These transfers usually aren't paid until the next morning, so timely action could halt the completion of a fraudulent transaction, Mr. Nelson says.

Shop for a Bank

Review your agreement with your bank and know what rights you may be waiving by not using certain security measures. While agreements between banks and commercial customers typically absolve banks of responsibility for fraud losses, the bank down the street may offer better protections, so shop around. Also, consider adding insurance coverage for fraud losses.

Many banks, concerned about damage to customer relationships, have stepped up their defenses against cyberattacks, rolled out new protections for customers and begun sharing more threat information with each other and law enforcement, Mr. Nelson says.

An emerging motivator may be a growing number of lawsuits by small companies claiming their banks didn't have "commercially reasonable" security.

A judge in a closely watched case involving a self-employed couple's personal and commercial accounts said in refusing to grant a summary judgment that a jury might find fault with the adequacy of the bank's defenses, which the plaintiffs argued weren't state of the art at the time of the theft. The case—Shames-Yeakel vs. Citizens Financial Bank—was settled in late December under confidential terms. The plaintiff's lawyer, John Soumilas of Francis & Mailman PC in Philadelphia, says he pursued the case as one of consumer-identity theft, where protections are ample.

Still, David D. Johnson, a digital-media lawyer at Jeffer, Mangels, Butler & Marmaro LLP in Los Angeles who wasn't involved in the case, says the judge's action suggests that "a bank can't simply rest on its laurels, on its security measures that worked last year," and avoid liability. The judge declined to comment, and Citizens Financial didn't return a call for comment.

Reach Out

Connect with law-enforcement agencies before an incident occurs, suggests Mr. Henry. He says small businesses should consider joining the FBI's InfraGard, a group of businesses, academic institutions and state and local law-enforcement agencies that seek to ward off cyberattacks and other threats by sharing information and intelligence.

He also urges companies to report all computer crimes immediately to the FBI. The agency has relationships with law-enforcement organizations around the world that are starting to bear fruit, he says, pointing to the recent arrest of 120 people tied to Romanian groups that allegedly stole money from U.S. companies and citizens.

"In the cases where we have put hands on somebody, it was the result of a victim company raising their hand and saying this happened," Mr. Henry says. "If they hit you today, they're hitting the guy down the street tomorrow."

You have enemies? Good. That means you've stood up for something, sometime in your life. - Winston Churchill
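
An added example, not part of the original post or the article it quotes: a Python sketch of how the "Protect Accounts" controls (dual approval, phone or text confirmation, a daily limit, restrictions on new payees) could be applied to a day's outgoing payments. The limit, hold period, names and sample batch are constructed assumptions, not any bank's actual rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Payment:
    payee: str
    amount_cents: int
    payee_added: date        # day the payee was created on the account
    approvers: frozenset     # staff members who signed off
    confirmed_by_phone: bool

# Hypothetical policy values; real limits are agreed with the bank.
DAILY_LIMIT_CENTS = 25_000_00
NEW_PAYEE_HOLD_DAYS = 3

def screen_batch(payments, today):
    """Return {payee: [reasons]} for payments to hold for manual review."""
    held, released_total = {}, 0
    for p in payments:
        reasons = []
        if len(p.approvers) < 2:
            reasons.append("dual control: fewer than two approvers")
        if not p.confirmed_by_phone:
            reasons.append("no phone/text confirmation")
        if (today - p.payee_added).days < NEW_PAYEE_HOLD_DAYS:
            reasons.append("payee added within hold period")
        if released_total + p.amount_cents > DAILY_LIMIT_CENTS:
            reasons.append("daily transfer limit exceeded")
        if reasons:
            held[p.payee] = reasons
        else:
            released_total += p.amount_cents  # only released payments count
    return held

def sample_batch(today):
    """Constructed data: 17 payees added the previous day, one known vendor."""
    yesterday = today - timedelta(days=1)
    new = [Payment(f"new-payee-{i:02d}", 5_800_00, yesterday,
                   frozenset({"controller"}), False) for i in range(1, 18)]
    vendor = Payment("known-vendor", 4_200_00, today - timedelta(days=400),
                     frozenset({"controller", "president"}), True)
    return new + [vendor]

if __name__ == "__main__":
    day = date(2010, 1, 15)  # constructed date
    for payee, why in screen_batch(sample_batch(day), day).items():
        print(payee, "->", "; ".join(why))
```
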


At the beginning of last year, this site was hacked but it wasn't long before my hosting company contacted me to let me know someone had uploaded a Wachovia website into a vulnerable old section of this website. People who were Wachovia customers were logging into it and trying to do their banking. I don't know the full details but it was one of those "shell99" deals. I still have clicks going to that old link that does not exist.


Good article and good info. It's too bad we as small business owners can't concentrate on our "business". We have to worry about what anyone is going to do...outside or inside the company.

Sorry to hear about Sign Designs' experience. They used to be a customer of ours.

I also know of quite a few companies that have had money taken from right under their noses by their own employees...and I'm not talking a $1 here and a $1 there...I am talking BIG BUCKS$$$$$$$$$$$$


I thought it was an interesting article too, it was actually forwarded to me by another member.


Friend of ours in Las Vegas is head of Police Cyber-crimes. You have no idea how bad it is. We showed him how banking is done in New Zealand and he said "holy crap - that would solve our problems here in the USA."

Basically you have a random code that is generated for transactions that is sent to your mobile phone via text from the bank at time of transaction to confirm you are doing the transaction. If you don't respond to the text they call you. And if you do banking online they have another matrix that randomly changes.

I asked why we don't do this in the USA - his answer.... "too risky - would require one of the companies to change how they do things - they may lose customers"

Another note he said - in the USA - DO NOT USE YOUR ATM CARD AS DEBIT - he said use as Credit Card, better chance of recouping lost funds if identity stolen.


Manuel, the process you quoted for online banking is almost exactly how my bank set up our online accounts. It's not hard to work with and I have a certain peace of mind that the bank system is keeping an eye on our online transactions. Hard to believe more banks don't do that!
