Dark Reading is part of the Informa Tech Division of Informa PLC



Court Ruling Puts Security Burden On SMBs, Not Banks

Security experts cry foul in U.S. District Court ruling in $500,000 online bank account heist from construction firm

A recent ruling by a U.S. District Court of Maine magistrate in favor of a bank being sued by a construction company that had money stolen from its account by hackers highlights how vulnerable small to midsize business owners are to online fraud.

Unlike consumer bank accounts that come with fraud-reversal protection, businesses are left on the hook for fraudulent transfers -- a fact that many remain ignorant about, but of which hackers are well-aware, say security experts.

"They don't get the same kind of protection that an individual consumer gets, but they don't get much more attention than an individual consumer [from banks], so they are very vulnerable from that standpoint," says Terry Austin, CEO of Guardian Analytics. "And the criminals figured this out. A lot of the action a couple years ago was in retail banking, and we still see fraud there, but the big, really significant fraud attacks have been against the small-business community. There are hundreds of thousands of dollars, sometimes up to million-dollar attacks on these small businesses."

This is exactly what happened to PATCO Construction, which in 2009 saw $500,000 sliced away from its Oceans Bank commercial account after a malware attack made off with its authentication credentials -- including the answers to the challenge questions asked by the bank's authentication system. The bank helped PATCO recover a little less than half the sum, but the company was still out $270,000 as a result of the attack.

Last year, PATCO sued Oceans Bank for that money, claiming the financial institution's authentication system was inadequate in protecting its customers from common hacking attacks. After the case made its way through the courts, on May 27 a magistrate ruled in favor of the bank. The magistrate claimed that the bank followed Federal Financial Institutions Examination Council (FFIEC) guidelines set in 2005 for multifactor authentication for online banking.

But many within the security industry disagree with the ruling and believe it sets a dangerous precedent: it gives banks a justification for continuing to rely on weak supplementary authentication factors that today's automated malware bypasses with ease.

"I don’t believe this magistrate correctly interpreted the 2005 FFIEC authentication guidance," wrote Avivah Litan, a Gartner analyst who specializes in bank fraud and authentication matters. "Unfortunately, the 2005 FFIEC guidance referred to examples of relatively basic online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 has long ago bypassed and surpassed those old techniques."

According to Litan and Austin, the ruling first and foremost should be a wake-up call to regulators to update old guidance on authentication that was developed in an age before the Zeus Trojan crimeware kit.

"I think that the FFIEC has been standing on the sidelines of this and not stepping in and updating their guidance and taking a firmer stand," Austin says. "I think they really have a lot to answer for here. I just don't think they're doing their part to respond to the problem."

But SMBs must also do their part to secure their machines. Small-business owners often assume that if they are ever hit by bank-stealing malware, the bank will reverse the charges, because that is what their retail banking experience has conditioned them to expect. But banks rarely extend the same fraud reversal to business accounts that they do to consumer accounts. So SMBs at the very least need to start with the most basic principles: installing security software, establishing strong passwords, and limiting access to banking credentials across the organization. Many experts also believe that small businesses should consider buying a dedicated machine used solely for online banking.

"One thing I recommend to every small business is to not bank from a computer you use for anything else, period. Just don't do it," says Chet Wisniewski, senior security adviser at Sophos. "Don't ever search the Web, don't go to Google, don't go to Facebook. Because of the Web risk, simply visiting an infected site puts you at risk. Do you really want to take that chance if you can buy the perfect banking netbook for $200? An alternative to that, too, is to use a live CD Linux distribution that's not writable."

Additionally, SMBs need to know to ask the right questions when they're looking for a bank, Austin says.

"These small businesses don't know how to ask their banks the right questions about their fraud policies," Austin says, explaining that companies need to ask about what their liability is in the event of an attack, what kind of authentication the bank uses, how the bank monitors activity to look for anomalous behavior, whether the bank utilizes risk-detection technology with behavioral analytics, and what the processes are when fraud is detected.
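The anomaly monitoring and behavioral risk detection Austin describes can be made concrete with a small rule-based scorer. The following is an added example, not code from the article or from any bank or vendor named in it; the account profile, the transfers, the point values and the review/hold thresholds are all constructed for illustration.

```python
"""Illustrative behavioral risk scoring for outbound transfers on a
small-business online-banking account.

Added example, not from the article. All data, rules and thresholds are
hypothetical; a real system would tune them against historical fraud."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Transfer:
    when: datetime
    payee: str
    amount: float
    ip: str
    device_id: str


@dataclass
class AccountProfile:
    """What 'normal' looks like for this account, learned from history."""
    known_payees: set
    known_devices: set
    known_ips: set
    past_amounts: list
    business_hours: tuple = (7, 19)   # local hours the business usually banks


def score_transfer(t: Transfer, profile: AccountProfile):
    """Return (score, reasons). Each triggered rule adds points; higher is riskier."""
    score, reasons = 0, []
    if t.payee not in profile.known_payees:
        score += 30; reasons.append("new payee")
    if t.device_id not in profile.known_devices:
        score += 25; reasons.append("unrecognised device")
    if t.ip not in profile.known_ips:
        score += 15; reasons.append("new source IP")
    start, end = profile.business_hours
    if not (start <= t.when.hour < end) or t.when.weekday() >= 5:
        score += 10; reasons.append("outside business hours")
    if profile.past_amounts:
        mu = mean(profile.past_amounts)
        sigma = pstdev(profile.past_amounts) or 1.0   # avoid divide-by-zero
        z = (t.amount - mu) / sigma
        if z > 3:                                    # far above historical amounts
            score += 30; reasons.append(f"amount {z:.1f} sd above mean")
    return score, reasons


def decide(score: int, review_at: int = 40, hold_at: int = 70) -> str:
    """Map a score to an action: let it through, queue for review, or hold
    until the customer confirms out of band (e.g. a callback)."""
    if score >= hold_at:
        return "hold_for_callback"
    if score >= review_at:
        return "review"
    return "allow"


# Constructed sample profile and transfers (hypothetical values).
SAMPLE_PROFILE = AccountProfile(
    known_payees={"Acme Lumber", "Payroll Provider"},
    known_devices={"dev-office-1"},
    known_ips={"203.0.113.10"},
    past_amounts=[1200, 1500, 1350, 1100, 1450, 1300],
)

SAMPLE_TRANSFERS = {
    # routine payment: known payee, office PC, office IP, Tuesday 10:00
    "routine": Transfer(datetime(2011, 6, 7, 10, 0), "Acme Lumber",
                        1400, "203.0.113.10", "dev-office-1"),
    # mildly unusual: new payee from a new IP, but otherwise normal
    "new_payee": Transfer(datetime(2011, 6, 7, 11, 0), "New Supplier LLC",
                          1400, "198.51.100.7", "dev-office-1"),
    # what a credential-theft cash-out tends to look like
    "suspicious": Transfer(datetime(2011, 6, 8, 3, 0), "Unknown Mule Corp",
                           48000, "192.0.2.55", "dev-unknown-9"),
}


def run_samples():
    """Score every sample transfer; returns {name: (decision, score, reasons)}."""
    out = {}
    for name, t in SAMPLE_TRANSFERS.items():
        score, reasons = score_transfer(t, SAMPLE_PROFILE)
        out[name] = (decide(score), score, reasons)
    return out


if __name__ == "__main__":
    for name, (decision, score, reasons) in run_samples().items():
        print(f"{name:10s} {decision:18s} {score:3d}  {', '.join(reasons)}")
```

The point of the example is the shape of the check rather than the specific weights: a stolen password and stolen challenge-question answers let an attacker pass authentication, but they do not make the resulting transfer look like the customer's normal behavior, which is what a risk-detection layer can still catch and route to an out-of-band confirmation before money leaves the account.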

Ultimately, though, Austin believes it is up to the banks to start closing in on the vulnerabilities hounding their SMB customers. "I think even a business that does take precautions and does follow all of the proper procedures is still at very high risk," he says. "We have a level of sophistication in malware that is hitting even the most protected industry practitioners today. For a firm like a midsize $20 million business that's just trying to make a go of it, I just don't think they should be expected to bear the full burden of this."
