
Court Ruling Puts Security Burden On SMBs, Not Banks

Security experts cry foul in U.S. District Court ruling in $500,000 online bank account heist from construction firm

Jun 08, 2011 | 03:42 PM

By Ericka Chickowski, Contributing Writer

A recent ruling by a U.S. District Court of Maine magistrate in favor of a bank being sued by a construction company that had money stolen from its account by hackers highlights how vulnerable small to midsize business owners are to online fraud.

Unlike consumer bank accounts, which come with fraud-reversal protection, business accounts leave their owners on the hook for fraudulent transfers -- a fact that many remain ignorant of, but of which hackers are well aware, say security experts.

"They don't get the same kind of protection that an individual consumer gets, but they don't get much more attention than an individual consumer [from banks], so they are very vulnerable from that standpoint," says Terry Austin, CEO of Guardian Analytics. "And the criminals figured this out. A lot of the action a couple years ago was in retail banking, and we still see fraud there, but the big, really significant fraud attacks have been against the small-business community. There are hundreds of thousands of dollars, sometimes up to million-dollar attacks on these small businesses."

This is exactly what happened to PATCO Construction, which in 2009 saw $500,000 sliced away from its Oceans Bank commercial account after a malware attack made away with its authentication credentials -- including answers to challenge questions asked by the bank's authentication system. The bank helped PATCO recover a little less than half the sum, but the company was out $270,000 as a result of the attack.

Last year, PATCO sued Oceans Bank for that money, claiming the financial institution's authentication system was inadequate in protecting its customers from common hacking attacks. After the case made its way through the courts, on May 27 a magistrate ruled in favor of the bank. The magistrate claimed that the bank followed Federal Financial Institutions Examination Council (FFIEC) guidelines set in 2005 for multifactor authentication for online banking.

But many within the security industry disagree with the ruling and believe it sets a dangerous precedent that banks will use to justify continuing to rely on weak alternative factors of authentication that are easily bypassed by automated malware today.

"I don’t believe this magistrate correctly interpreted the 2005 FFIEC authentication guidance," wrote Avivah Litan, a Gartner analyst who specializes in bank fraud and authentication matters. "Unfortunately, the 2005 FFIEC guidance referred to examples of relatively basic online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 has long ago bypassed and surpassed those old techniques."

According to Litan and Austin, the ruling first and foremost should be a wake-up call to regulators to update old guidance on authentication that was developed in an age before the Zeus Trojan crimeware kit.

"I think that the FFIEC has been standing on the sidelines of this and not stepping in and updating their guidance and taking a firmer stand," Austin says. "I think they really have a lot to answer for here. I just don't think they're doing their part to respond to the problem."

But SMBs must also do their part to secure their machines. Often small-business owners assume that if they're ever hit by bank-stealing malware, the bank will reverse charges because this is what they are conditioned to believe due to their retail banking experiences. But banks rarely extend the same fraud reversal for business accounts as they do for consumer accounts. So SMBs at the very least need to start with the most basic principles of installing security software, establishing strong passwords, and limiting access to banking credentials across the organization. Many experts also believe that small businesses should consider buying a dedicated machine solely for online banking.

"One thing I recommend to every small business is to not bank from a computer you use for anything else, period. Just don't do it," says Chet Wisiniewski, senior security adviser at Sophos. "Don't ever search the Web, don't go to Google, don't go to Facebook. Because of the Web risk, simply visiting an infected site puts you at risk. Do you really want to take that chance if you can buy the perfect banking netbook for $200? An alternative to that, too, is to use a live CD Linux distribution that's not writable."

Additionally, SMBs need to know to ask the right questions when they're looking for a bank, Austin says.

"These small businesses don't know how to ask their banks the right questions about their fraud policies," Austin says, explaining that companies need to ask about what their liability is in the event of an attack, what kind of authentication the bank uses, how the bank monitors activity to look for anomalous behavior, whether the bank utilizes risk-detection technology with behavioral analytics, and what the processes are when fraud is detected.

Ultimately, though, Austin believes it is up to the banks to start closing in on the vulnerabilities hounding their SMB customers. "I think even a business that does take precautions and does follow all of the proper procedures is still at very high risk," he says. "We have a level of sophistication in malware that is hitting even the most protected industry practitioners today. For a firm like a midsize $20 million business that's just trying to make a go of it, I just don't think they should be expected to bear the full burden of this."
