Most Americans have received an authentic-looking email from a scammer, purportedly from a bank, requesting an update to the account information for official-sounding reasons.
Unfortunately, criminals do the same to businesses, sometimes making off with thousands or millions of dollars.
This is the reason financial institutions must better protect customers.
The role of banks’ security has increasingly been making it to the courts. Last month United Security Bank of Fresno settled a lawsuit filed by TRC Operating Company, an oil drilling and production firm.
In November 2011 Ukraine-based criminals breached the oil firm’s security and initiated bank transfers worth approximately $3.5 million. USB contacted the company only after the online thieves had completed three transfers for nearly $600,000. Thankfully banking “clawbacks” recovered about half of the money, but TRC still lost almost $300,000.
The bank claimed it was not to blame and refused to reimburse TRC, causing the company to file suit. In June, just before the case went to trial, USB agreed to settle with TRC for $350,000; it covered interest on the $300,000 but not TRC’s attorney’s fees.
Equally important, USB implicitly accepted responsibility by changing its procedures following the settlement. While blaming TRC for getting hacked, the bank changed its security procedures to require additional authentication.
“The automation of electronic banking isn’t so automatic anymore,” USB CEO Dennis Woods said. Had this simple change been in effect in 2011, there would have been no theft at TRC.
TRC’s travails illustrate two serious financial weaknesses threatening all Americans.
First, federal and state laws primarily protect retail, not commercial, customers, leaving businesses stuck with cyber losses.
However, if businesses were made aware they are not protected, they could change financial institutions or halt online banking.
Second, regional and especially community banks typically lack the sophisticated security procedures adopted by larger financial institutions, which means companies doing business with local banks, such as USB, are potentially at greater risk. Nonprofits and governments have also been targeted.
No one knows how much U.S. companies have lost to cyber-thieves. Many smaller enterprises simply accept their losses and say nothing. Law enforcement experts say there have been thousands of attacks costing potentially billions of dollars.
In the latest cybercrime survey of Fortune 500 executives, three-quarters of respondents reported a security breach in the past year. “Cyber criminals continue to find ways to circumvent these technologies in order to obtain sensitive information that they can monetize,” warned Ed Lowery of the Secret Service.
Smaller businesses lacking the sophistication of corporate giants face long odds against professional hackers.
Most companies don’t realize how vulnerable they are or that their bank has no responsibility to help keep them safe. Financial institutions talk about “shared responsibility,” but in practice that means placing the burden on customers.
For this reason, TRC faulted USB for failing to offer “commercially reasonable” protection. The bank is clearly in a better position than TRC to defeat financial crime. Attorney Julie Rogers pointed out that the fraudulent wire transfers were obviously anomalous. Yet the bank had no requirement in place for confirming the transaction.
Banks are best equipped to safeguard deposits; indeed, that is their job, made more important by the industry’s concerted effort to shift customers online. Exempting financial institutions from responsibility leaves them less incentive to protect accounts from attack.
The “responsibility to protect” should begin with the 13 large banking platform vendors, or “processors.” Their large size makes them a better match for sophisticated cyber-thieves.
Financial institutions should make cyber-security a “best practices” priority, integrated into all of their operations. At the very least, banks should brief customers about common threats and cost-effective responses, as well as bank policies and customer liabilities. Depositors should be given an option of fuller coverage, and required to sign a consent form if they refuse.
The federal and state governments should take an active role as well. The Federal Financial Institutions Examination Council already provides guidelines for fraud controls, which require more than simply a username and password for customer authentication. The Uniform Commercial Code, which has been implemented by the states, does as well. Moreover, governments at all levels should keep funds only in banks equipped with adequate cyber-security.
Extending standard consumer protections to business accounts is another option. In theory, commercial enterprises are more sophisticated than the typical household, but most businesses are small and vulnerable. Minimum bank standards should apply to all.
This issue goes beyond banking; the federal government should undertake a public review of America’s vulnerability to attack, and initiate steps to “harden” IT assets and actively protect cyberspace. America is at risk from criminals, international adversaries, and terrorists.
While individual consumers and businesses have an obligation to act responsibly, financial institutions, such as USB, should develop, implement and maintain information security plans, policies and programs. This will help ensure depositors’ funds are protected. Improved bank security is in everyone’s interest.
Katy Grimes is an investigative journalist and long-time political analyst.