Court Ruling Puts Security Burden On SMBs, Not Banks

Security experts cry foul in U.S. District Court ruling in $500,000 online bank account heist from construction firm

A recent ruling by a U.S. District Court of Maine magistrate in favor of a bank sued by a construction company whose account had been looted by hackers highlights how exposed small to midsize business owners are to online fraud.

Unlike consumer bank accounts, which come with fraud-reversal protection, business accounts leave the customer on the hook for fraudulent transfers -- a fact many business owners remain unaware of, but one that criminals know well, security experts say.

"They don't get the same kind of protection that an individual consumer gets, but they don't get much more attention than an individual consumer [from banks], so they are very vulnerable from that standpoint," says Terry Austin, CEO of Guardian Analytics. "And the criminals figured this out. A lot of the action a couple years ago was in retail banking, and we still see fraud there, but the big, really significant fraud attacks have been against the small-business community. There are hundreds of thousands of dollars, sometimes up to million-dollar attacks on these small businesses."

This is exactly what happened to PATCO Construction, which in 2009 saw $500,000 drained from its Oceans Bank commercial account after a malware infection made off with its online banking credentials -- including the answers to the challenge questions posed by the bank's authentication system. The bank helped PATCO recover a little less than half the sum, but the company was still out $270,000 as a result of the attack.

Last year, PATCO sued Oceans Bank for that money, claiming the bank's authentication system was inadequate to protect its customers from common hacking attacks. After the case made its way through the courts, on May 27 a magistrate ruled in favor of the bank, finding that it had complied with the Federal Financial Institutions Examination Council (FFIEC) guidance on multifactor authentication for online banking issued in 2005.

But many in the security industry disagree with the ruling and believe it sets a dangerous precedent, one that gives banks cover to keep relying on weak supplementary authentication factors -- such as challenge questions -- that today's automated malware captures and bypasses with ease.

"I don’t believe this magistrate correctly interpreted the 2005 FFIEC authentication guidance," wrote Avivah Litan, a Gartner analyst who specializes in bank fraud and authentication matters. "Unfortunately, the 2005 FFIEC guidance referred to examples of relatively basic online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 has long ago bypassed and surpassed those old techniques."

According to Litan and Austin, the ruling first and foremost should be a wake-up call to regulators to update old guidance on authentication that was developed in an age before the Zeus Trojan crimeware kit.

"I think that the FFIEC has been standing on the sidelines of this and not stepping in and updating their guidance and taking a firmer stand," Austin says. "I think they really have a lot to answer for here. I just don't think they're doing their part to respond to the problem."

But SMBs must also do their part to secure their machines. Small-business owners often assume that if they are ever hit by bank-stealing malware, the bank will reverse the charges, because that is what their experience with retail banking has conditioned them to expect. But banks rarely extend the same fraud reversal to business accounts that they do to consumer accounts. So SMBs at the very least need to start with the basics: installing security software, establishing strong passwords, and limiting who in the organization has access to banking credentials. Many experts also believe that small businesses should consider buying a dedicated machine used solely for online banking.

"One thing I recommend to every small business is to not bank from a computer you use for anything else, period. Just don't do it," says Chet Wisniewski, senior security adviser at Sophos. "Don't ever search the Web, don't go to Google, don't go to Facebook. Because of the Web risk, simply visiting an infected site puts you at risk. Do you really want to take that chance if you can buy the perfect banking netbook for $200? An alternative to that, too, is to use a live CD Linux distribution that's not writable."

Additionally, SMBs need to know to ask the right questions when they're looking for a bank, Austin says.

"These small businesses don't know how to ask their banks the right questions about their fraud policies," Austin says. Companies, he explains, need to ask what their liability is in the event of an attack, what kind of authentication the bank uses, how the bank monitors account activity for anomalous behavior, whether the bank uses risk-detection technology with behavioral analytics, and what the process is once fraud is detected.

Ultimately, though, Austin believes it is up to the banks to start closing in on the vulnerabilities hounding their SMB customers. "I think even a business that does take precautions and does follow all of the proper procedures is still at very high risk," he says. "We have a level of sophistication in malware that is hitting even the most protected industry practitioners today. For a firm like a midsize $20 million business that's just trying to make a go of it, I just don't think they should be expected to bear the full burden of this."
