Hard lessons learned about online banking security

By Linda Musthaler | July 20, 2012

Posted in: Network Security Trends

Network World recently published an article about a small business owner who was a victim of online banking fraud and who fought mightily to get her money back—first from the money mules working for the fraudster, and then from the bank whose lax security allowed the fraud to happen. First the highlights, and then we’ll discuss some of the lessons that small businesses – or any business, really – can take away from this fraud incident.

Village View Escrow is a small California firm that holds funds in escrow for real estate transactions. In March 2010 owner Michelle Marsico opened an email message telling her that a UPS delivery failed. She clicked on the attachment to get details and apparently nothing happened. That is, nothing that she could see. She shared the email with a staffer who also clicked on the attachment. In reality, they both were falling victim to a phishing scam that subsequently downloaded password-stealing malware to their PCs. What’s more, the malware disabled automated measures that required email notifications and multiple approvals of the wire transfers.

Shortly after that incident, there were 26 consecutive wire transfers from Village View’s accounts to 20 individuals around the world who had no legitimate or previous business with Marsico’s company. Within 2 days, Village View Escrow’s bank account was emptied of almost $450,000. Marsico’s bank at the time, Professional Business Bank, offered little help in recovering the money.

Marsico took matters into her own hands and contacted some of the U.S.-based recipients of the money. She had their contact information from the wire transfers. In some cases, these money mules had no idea they were part of an illegal scheme; they thought they were part of a legitimate “work at home” business. Some of them returned the money they had received to Marsico, allowing her to recover about $72,000 of her clients’ money.

Then Marsico ended up battling her bank over liability for the remainder of the stolen funds—some $373,000. The bank argued that it had provided sufficient security to protect Marsico’s business. In this case, the so-called security consisted of a user name and password and little else. Village View sued the bank, contending that the authentication and funds transfer validation process was insufficient. In the end, the bank (now owned by Bank of Manhattan) settled the lawsuit for $600,000. Since there is little legal precedent for cases like this, it wasn’t clear who might have won the case if it had gone to trial. It’s quite likely that Marsico could have lost and been liable for all the money that wasn’t recovered from the fraudster.

Unfortunately, this incident isn’t unique. According to the FBI, wire transfer fraud cost U.S. businesses and organizations $100 million in 2009. Fraudsters are constantly looking for ways to get around controls put in place to prevent this type of crime.

There are a lot of lessons in this incident for small (as well as not-so-small) businesses, not the least of which is this: business owners, it’s up to you to protect your own interests. You cannot assume that someone else is looking out for you and will secure your business. Here are some specific things you can do:

Assume your business is a target of cyber thieves and build security measures into your processes. If you conduct financial transactions online, keep a clean PC for this purpose. That is, don’t use the same PC for financial transactions that you use for web browsing and email. The latter activities are prone to bringing malware to your computer. If you can’t afford to keep a separate computer, security expert Brian Krebs recommends you boot your computer using a read-only bootable Linux OS CD (known as a Live CD). Krebs’ research shows that this type of financial fraud happens most often on Windows PCs that are completely taken over by thieves via malware. If computer security isn’t your forte, consider hiring a professional online security consulting service to help you set up your environment and procedures.

Educate yourself and your staff about phishing scams and other means by which PCs become infected, and about good security practices. The Anti-Phishing Working Group offers tips on how to avoid becoming the victim of a scam.

Talk to your banker about maintaining or increasing security. Every business needs a layered approach to security these days. A username and password is simply not enough. There are plenty of new technologies and products that can increase security, but many of them have to be implemented on the bank’s side. If your bank is too relaxed about security, find another bank.
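To illustrate why the layered controls have to live on the bank’s side, here is an added example (not from the article, and not any bank’s actual product) of server-side wire checks: dual approval by two distinct people, a hold on first-time payees, and a rolling 24-hour velocity limit. Unlike the email notifications and approval prompts that the malware switched off on Village View’s PCs, these checks run against the bank’s own records, so a compromised customer PC has nothing to disable. The limits, account names and timestamps are all constructed for the illustration.

```python
"""Server-side wire-transfer controls that a compromised customer PC cannot switch off.
Policy values and sample data are constructed for illustration, not a real bank's rules."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DAILY_WIRE_LIMIT = 50_000.00  # assumed: max total outgoing wires in a rolling 24 hours
MAX_WIRES_PER_DAY = 5         # assumed: max number of outgoing wires in a rolling 24 hours

@dataclass
class Account:
    known_payees: set = field(default_factory=set)
    history: list = field(default_factory=list)  # (timestamp, amount) of released wires

def evaluate_wire(acct, when, payee, amount, approvers):
    """Return 'release', or the list of reasons the wire is held for out-of-band review.
    Every check uses the bank's own records, so malware that suppresses e-mail alerts
    or approval prompts on the customer's PC has nothing to disable here."""
    reasons = []
    # Dual control: two distinct people, not one hijacked session clicking twice.
    if len(set(approvers)) < 2:
        reasons.append("dual approval required")
    # Unknown beneficiary: Village View's 20 recipients had no prior relationship.
    if payee not in acct.known_payees:
        reasons.append("first wire to new payee")
    # Velocity: 26 wires in two days is far outside a small escrow firm's baseline.
    window = [(t, a) for t, a in acct.history if when - t <= timedelta(hours=24)]
    if len(window) + 1 > MAX_WIRES_PER_DAY:
        reasons.append("wire count exceeds daily limit")
    if sum(a for _, a in window) + amount > DAILY_WIRE_LIMIT:
        reasons.append("amount exceeds daily limit")
    if reasons:
        return reasons
    acct.history.append((when, amount))
    return "release"

def run_sample():
    """Constructed scenario: one legitimate wire, then a burst that mimics the incident
    (single approver, unknown individuals), then a burst that passes the people checks
    but trips the daily amount limit."""
    acct = Account(known_payees={"title-co-escrow", "county-recorder"})
    t0 = datetime(2010, 3, 1, 9, 0)
    legit = evaluate_wire(acct, t0, "title-co-escrow", 12_000, ["marsico", "staffer"])
    mules = [evaluate_wire(acct, t0 + timedelta(minutes=i), f"mule-{i}", 18_000, ["marsico"])
             for i in range(6)]
    burst = [evaluate_wire(acct, t0 + timedelta(minutes=10 + i), "county-recorder",
                           18_000, ["marsico", "staffer"]) for i in range(4)]
    return legit, mules, burst
```

Held wires are never appended to the account history, so a burst of rejected transfers cannot itself consume the daily allowance; a real deployment would route each hold to a phone call or a second channel the customer PC does not control.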

Understand the agreement you have with your bank regarding liability for fraud losses. Banks typically deny liability for commercial accounts, especially those of small businesses that lack the resources to fight to recover their losses. There is little legal precedent to provide guidance on which party – your company or the bank – will bear the brunt of financial losses.

If necessary, get an insurance policy that covers financial losses from fraudulent activity. Village View Escrow might be out of business today if the bank hadn’t settled the lawsuit. If you aren’t willing to gamble on your business, get an insurance policy that can provide peace of mind.

Michelle Marsico is lucky that her lawsuit was settled in her favor. Her business survived to operate another day. Will yours?
