Continuing on from last time, we’ll be further discussing the issue of Corporate Account Takeover.
In 2010, online thieves stole $440,000 from Choice Escrow and Land Title, a real-estate closing business. They stole the company's corporate online banking credentials and used them to issue a wire transfer to a bank in Cyprus.
On paper, the transaction was perfectly legitimate: it was issued from the corporate account, using valid credentials, through the bank's normal channel.
The company sued the bank (BancorpSouth) to recover the money, but the court ruled in the bank's favor without the case ever going to trial. As it turned out, the bank had not once but twice offered the customer dual control for money transfers above a certain amount, meaning that two separate people would have had to authorize such a transfer. With dual control in place, one set of stolen credentials would not have been enough, and the thieves would have been stopped in their tracks. The company chose convenience over security and declined, twice, to adopt that control.
Presented with this argument, the judge ruled that there were no grounds on which the bank could be held liable. The bank had done what it could to protect the transactions; the customer simply did not want to be protected.
How does this affect you as a financial institution (FI)? Don't sleep too soundly just yet; not all rulings go the bank's way. A similar case in Florida has already gone back and forth on two separate occasions, precisely because the division of responsibility was not so clear cut.
Not all judges are ready to side with banks. Still, the tide does appear to be turning as more people realize that while FIs are doing all they can, they cannot protect us (the banking customers) if we are unwilling to be protected.
An FI can protect its own records and databases, but if I lose my credentials because I am reckless or careless, what is the bank to do? Of course banks have fraud protection, and some even offer software I can install on my laptop (I do, in fact, have one installed as a browser add-on); but if I refuse to be protected, I need to know I will be held accountable.
Why am I saying all this? Remember how I mentioned being invited to speak on this topic by a bank in Houston a little while ago? The audience was made up of around 60 C-level executives from the bank's largest customers. I must praise this initiative, and I really do feel that more FIs should do this, on a regular basis.
You need to start thinking of customer education as a security control: properly educating your customers about the threats they face will go a long way towards protecting their assets (and helping you sleep at night).
Your customers are not involved in fraud detection, security issues, hacking, probing and testing the way we are. They have no idea what is going on; they are busy running their own businesses, and when they see news about a breach, it is typically about some large bank, some large corporation, or some millions of records stolen. Why? Because "big" makes for better news.
If a small company is hacked and its bank account emptied, no one really cares and it generates no media ink. This unfortunately creates the false impression that such incidents happen only to large companies, but the statistics point the other way: almost 70% of breaches hit small and medium businesses. Attackers have realized that some of these businesses have bank accounts large enough to be worth the effort, and because security is almost always lacking, the effort required is minimal. Small effort = big rewards; what more could an attacker want?
And so they have taken to attacking small, unaware businesses. This also keeps them out of the news, which for them is another advantage. Not all attackers are like Anonymous, seeking notoriety; most of them try to stay as far under the radar as possible.
Next month, we will discuss what to cover when you train your users: what you need to explain to them, and what they do NOT know.
Until then, make the best of it.