Is Your Online Bank Account Safe?
Like many small business owners, Marsha and Michael Shames-Yeakel didn't see any need to build a wall between their personal and business accounts when they started banking online three years ago. Their commingling came back to haunt them a year later after computer hackers transferred nearly $27,000 to unknown points beyond the reach of the law.
Fall victim to a card scam and you're on the hook for a maximum of $50. Have an online banking thief rip off your business and you could be out some big bucks.
The couple (Marsha, 57;
Michael, 58) run a bookkeeping business in their
suburban Chicago home and in 2003 took out a $50,000
line of credit with Citizens Financial Bank. They
later linked it to their business checking account.
Hackers tapped into their accounts in early 2007 and
directed that $26,500 from the credit line be placed
in the business account. The intruders then
transferred the assets to a Hawaiian account of JV
Financial, a bogus entity. By the time the couple
realized the money was missing, ten days later, it
was in an Austrian bank, which refused to return it.
Unfortunately for the Shames-Yeakels, even if their bank data were stolen from their home it remains unresolved whether they will have to cover the loss because it flowed through their commercial account. Citizens, like many banks, required the Shames-Yeakels to accept liability for the type of fraud they suffered in their business account. When they failed to repay the losses, Citizens reported their personal account as delinquent to credit bureaus, and six months after the theft threatened to foreclose on their home. A federal judge ruled this August that their lawsuit against Citizens can go forward because it involves a personal account.
Since the Shames-Yeakels were defrauded in 2007, bank fraud has evolved dramatically. Hackers are now infecting high-volume Web sites with Trojan viruses. When visitors arrive to view, say, a news page, the virus hops from the site onto their PC. The hackers then follow their marks as they move to their online bank accounts. Outfitted with a keystroke-capture mechanism, the Trojan horse records the user names and passwords.
With these in hand, the thieves need only set up a bogus money transfer without tipping off the bank. Since banks have started watching out for transfer requests from unknown computers, hackers have in the past year or so begun hijacking their victims' own IP addresses. You may have experienced a similar, benign takeover of your work computer after suffering a problem. You call your employer's information technology department for help and within seconds they're remotely in control of your computer.
Such technology may explain how Unique Industrial Product Co., a Sugar Land, Tex. importer, got taken for $200,000. Unique's bank, Comerica ( CMA - news - people ), noticed nothing unusual when hackers targeted the company's account late one Monday in April. Unique's comptroller arrived the next morning to find a stack of faxes from Comerica confirming $1.2 million in transfers, some to banks in far-off places like Ukraine. The hackers planned the heist well; the transfers were executed shortly before Unique closed for the day and most were for less than $10,000, a tactic designed to avoid close scrutiny. Comerica eventually recouped $1 million. Unique Industrial will eat the rest of the loss.
"We had a talk with our bank over who's responsible, and they said we are because our computers were targeted," says Jugal Malani, Unique Industrial's chief executive.
Such tales are rampant. A Missouri bank that wishes to remain anonymous says two commercial customers have been victimized this year by what appear to be Russian-speaking hackers. One client, a nonprofit, had $142,000 transferred out and recovered $107,000. The other, a builder, lost $50,000 in a series of transfers that drained $115,000.
"When it's their system compromised, commercial account holders foot the bill," says a bank executive.
Not without a fight. Pennsylvania's Western Beaver County School District had $700,000 whisked out of accounts that its bank, ESB Bank, apparently thought had been ordered by the system's superintendent. ESB tracked down nearly $265,000 and says Western Beaver is responsible for the rest. The district claims the bank should have noticed something amiss because the district was closed for 2008-09 winter break. Western Beaver has filed a lawsuit in Beaver County Common Pleas Court claiming breach of contract.
Is technology the answer? The Shames-Yeakels think so. Their lawsuit argues that Citizens should have provided them with digital tokens. These devices enable customers logging into their accounts to enter unique pass codes that change every few seconds.
Alas, SecureWorks' Jackson says a group of Russian-speaking hackers has designed a virus that installs instant messaging code on computers. When a user enters his token code, the virus zaps it to the hackers, who use it to log in while holding off the legitimate log-in connection. To the victim the log-in process slows as their money disappears.
One answer: Use cell phone calls or text messages to confirm banking transactions independent of computers. Currently less than a tenth of banks do so, says banking industry research firm Javelin Strategy & Research. The stumbling block: cost, fears of inconveniencing customers and the repercussions if such systems slip up, says Joseph Yesutis, a Washington, D.C. banking attorney.
Another defense tactic that banks could employ is to allow customers to spell out which electronic transactions (such as wires to foreign banks) can be undertaken only in person. Citibank, for one, says it offers such service; Bank of America ( BAC - news - people ) doesn't. Neither provides two-way texting.
( Courtesy: Forbes Magazine )