Small businesses have had millions of dollars stolen from their accounts by online thieves; court cases have started creating a clear picture of responsibilities


A ruling in a Missouri lawsuit may define the security standard that small and midsize businesses (SMBs) and their banks must meet to prevent online thieves from stealing hundreds of thousands of dollars and wiring it overseas.

In late March, a Missouri federal court ruled that Choice Escrow and Land Title, a real-estate closing business, could not sue its bank to recover $440,000 stolen by online thieves in 2010. The company had filed a claim against BancorpSouth Bank after attackers compromised a system at Choice and used the firm's credentials to transfer money to a bank in Cyprus. While the Uniform Commercial Code puts the risk for the loss due to an unauthorized transfer with the bank, Choice had twice refused to institute "dual control," a security measure that requires a second authorized employee to verify certain transactions.

The judge in the case empathized with both victims, but concluded that the refusal shifted responsibility for the loss to Choice.

"The tension in modern society between security and convenience is on full display in this litigation," U.S. Magistrate Judge John T. Maughmer wrote in the order (PDF). "Choice understandably feels as though it did nothing wrong, but yet is out $440,000. BSB, as well, feels as though it has done nothing wrong. In essence, both parties are correct -- yet someone must bear the risk of loss."

The question of where the balance of responsibility lies between banks and SMBs has been tightly fought for several years. In 2009, construction company PATCO lost more than $270,000 to attackers who transferred the money out of its bank, Oceans Bank, using credentials stolen from a compromised PATCO system. In 2011, a district court in Maine ruled against the firm, putting the onus for security on SMBs, but that decision was reversed on appeal in 2012.

Previous cases, like PATCO's, tended to end in results that favored business customers. The Choice ruling changes that and highlights what SMBs must do to protect themselves, says George Tubin, senior security strategist at cybercrime prevention firm Trusteer. Because BSB offered a security control and Choice refused it, liability shifted, he says.

"Where we stand now is that small businesses should be on alert," he says. "If your bank is offering or recommending security tools ... they should adopt them and use them, unless they can prove that using the security tools would have a direct negative effect on their business."

[An online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. See Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft.]

Banks are trying to talk to their business customers about the dangers. Doug Johnson, vice president of risk management policy at the American Bankers Association, spends a great deal of time speaking to business groups to educate their members about cybercriminals' tactics and the defenses they should be asking of their banks. For their part, companies should consider using a computer dedicated solely to online banking, dual control (a second employee must approve transfers), and positive pay, where the business gives the bank a list of authorized payments through a separate channel so the bank can hold anything that does not match, Johnson says.

"You have to take control of the monitoring for potentially unauthorized transactions because you really are the first line of defense," he says. "You should also communicate to the bank under what circumstances they should contact you if there is a transaction that you would not normally make."
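The two controls Johnson and the Choice ruling turn on, dual control and positive pay, both work by denying the attacker something a single stolen online-banking login cannot supply: a second person's credential, and a payment list delivered over a channel the compromised session does not touch. The following Python sketch models both checks against a few constructed wires; it is an added example, not code from the article, BancorpSouth, Trusteer or any bank, and the user names, the $10,000 dual-control threshold, the account identifiers and the sample wires are all assumptions.

```python
"""Toy model of two account-takeover controls: dual control and positive pay.

Added example for illustration only. Not code from the article or from any
bank. User names, thresholds, account identifiers and wires are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Wire:
    wire_id: str
    amount_cents: int
    beneficiary_account: str   # constructed identifier, not a real account
    beneficiary_country: str
    initiated_by: str          # user whose online-banking session created it
    approved_by: Optional[str] # second user who approved it in the portal


# Assumed set of employees entitled to initiate or approve wires.
AUTHORIZED = {"alice", "bob"}

# Assumed policy: wires at or above $10,000 need a second, distinct approver.
DUAL_CONTROL_THRESHOLD_CENTS = 10_000_00

# Positive-pay file: (amount_cents, beneficiary_account) pairs the business
# hands the bank over a separate channel (dedicated terminal, phone, fax), so a
# stolen web-banking credential alone cannot add an entry.
POSITIVE_PAY = {
    (150_000_00, "US-ACME-TITLE-001"),   # closing payout (constructed)
    (4_250_00, "US-COUNTY-RECORDER"),    # recording fee (constructed)
}


def dual_control_failures(wire: Wire, authorized: set, threshold_cents: int) -> list:
    """Reasons a wire violates dual control; an empty list means it passes."""
    reasons = []
    if wire.amount_cents < threshold_cents:
        return reasons  # below threshold, a single authorized user may release
    if wire.initiated_by not in authorized:
        reasons.append("initiator is not an authorized user")
    if wire.approved_by is None:
        reasons.append("no second approver")
    elif wire.approved_by == wire.initiated_by:
        # The attacker in the Choice case held one user's credentials; the
        # same login approving its own wire is exactly what dual control blocks.
        reasons.append("approver is the initiator")
    elif wire.approved_by not in authorized:
        reasons.append("approver is not an authorized user")
    return reasons


def positive_pay_failures(wire: Wire, positive_pay: set) -> list:
    """Reasons a wire fails positive pay: amount and beneficiary must be on the list."""
    if (wire.amount_cents, wire.beneficiary_account) not in positive_pay:
        return ["no positive-pay entry for this amount and beneficiary"]
    return []


def decide(wire: Wire, authorized=AUTHORIZED,
           threshold_cents=DUAL_CONTROL_THRESHOLD_CENTS,
           positive_pay=POSITIVE_PAY) -> tuple:
    """Return ('RELEASE' | 'HOLD', [reasons]) for one wire."""
    reasons = (dual_control_failures(wire, authorized, threshold_cents)
               + positive_pay_failures(wire, positive_pay))
    return ("HOLD" if reasons else "RELEASE", reasons)


# Constructed sample: one legitimate closing payout, one small fee, and two
# versions of an attacker's overseas wire sent from alice's stolen session.
SAMPLE_WIRES = [
    Wire("w1", 150_000_00, "US-ACME-TITLE-001", "US", "alice", "bob"),
    Wire("w2", 440_000_00, "CY-UNKNOWN-7781", "CY", "alice", "alice"),
    Wire("w3", 4_250_00, "US-COUNTY-RECORDER", "US", "alice", None),
    Wire("w4", 440_000_00, "CY-UNKNOWN-7781", "CY", "alice", None),
]


def run_sample() -> dict:
    """Decision per sample wire id, e.g. {'w1': 'RELEASE', 'w2': 'HOLD', ...}."""
    return {w.wire_id: decide(w)[0] for w in SAMPLE_WIRES}


if __name__ == "__main__":
    for w in SAMPLE_WIRES:
        verdict, why = decide(w)
        print(f"{w.wire_id} ${w.amount_cents / 100:,.2f} -> {w.beneficiary_country}: {verdict} {why}")
```

The point the sample makes is that w2 and w4 are held for two independent reasons: the attacker could not produce a second employee's approval, and the Cyprus beneficiary never appeared on the out-of-band payment list. Either control alone would have stopped the transfer; a business that refuses both, as Choice did with dual control, leaves the bank no signal to act on.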

That outreach does seem to be working, says Daniel Mitchell, a partner with law firm Bernstein Shur, which represented PATCO in its litigation.

"The banks spend a lot more energy educating customers about the security systems that they have in place and about what the customers ought to be doing to help ensure good security," he says. "I think customers, when they ask the questions now, are getting better information back from the banks."

Finally, the lag between an incident and the public lawsuit it eventually produces may create a more pessimistic view of account takeover than is warranted. In 2009, for example, about 70 percent of financial institutions had at least one successful account takeover, according to a small survey conducted by the American Bankers Association. By 2012, the same survey found only 9 percent of banks had suffered a successful account takeover.


About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
