Lawsuits Bring Clarity To SMBs In Corporate Account Takeovers

Small businesses have had millions of dollars stolen from their accounts by online thieves; court cases have started creating a clear picture of responsibilities

A ruling in a Missouri lawsuit may define the security standard required of small and midsize businesses (SMBs) and their banks to prevent online thieves from stealing hundreds of thousands of dollars and sending it overseas.

In late March, a Missouri federal court ruled that Choice Escrow and Land Title, a real-estate closing business, could not sue its bank to recover $440,000 stolen by online thieves in 2010. The company had filed a claim against BancorpSouth Bank after attackers compromised a system at Choice and used the firm's credentials to transfer money to a bank in Cyprus. While the Uniform Commercial Code puts the risk for the loss due to an unauthorized transfer with the bank, Choice had twice refused to institute "dual control," a security measure that requires a second authorized employee to verify certain transactions.

The judge in the case empathized with both victims, but concluded that the refusal shifted responsibility for the loss to Choice.

"The tension in modern society between security and convenience is on full display in this litigation," U.S. Magistrate Judge John T. Maughmer wrote in the order (PDF). "Choice understandably feels as though it did nothing wrong, but yet is out $440,000. BSB, as well, feels as though it has done nothing wrong. In essence, both parties are correct -- yet someone must bear the risk of loss."

The issue of where the balance of responsibility lies between banks and SMBs has been tightly fought for a handful of years. In 2009, construction company PATCO lost more than $270,000 to hackers who transferred the money from its bank, Oceans Bank, using credentials stolen from a compromised PATCO system. In 2011, a district court in Maine ruled against the firm, putting the onus for security on SMBs, but the decision was reversed on appeal in 2012.

Like the PATCO case, previous cases tended to end in results that favored business customers. Yet the Choice case has changed that and highlighted what SMBs must do to protect themselves, says George Tubin, senior security strategist of cybercrime prevention firm Trusteer. Because BSB offered a security tool and Choice refused, liability shifted, he says.

"Where we stand now is that small businesses should be on alert," he says. "If your bank is offering or recommending security tools ... they should adopt them and use them, unless they can prove that using the security tools would have a direct negative effect on their business."

[An online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. See Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft.]

Banks are attempting to talk to their business customers about the dangers. Doug Johnson, vice president of risk management policy at the American Bankers Association, spends a great deal of time going out and talking with business groups to educate their members about cybercriminals' tactics and what sorts of defenses they should be asking of their banks. For their part, companies should consider using a computer that is dedicated as a banking terminal, dual authentication, and positive pay, where the bank is provided a list of authorized payments through a separate channel, Johnson says.

"You have to take control of the monitoring for potentially unauthorized transactions because you really are the first line of defense," he says. "You should also communicate to the bank under what circumstances they should contact you if there is a transaction that you would not normally make."
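The two controls named above, dual control and positive pay, can be modelled as a release check on each outgoing wire. The following is an added example, not code from the article or from any bank; the dual-control threshold, the user names and the account labels are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Payment:
    payment_id: str
    payee_account: str
    amount_cents: int

@dataclass
class TransferGate:
    """Positive pay (expected payments sent to the bank out of band) plus
    dual control (two distinct authorized approvers for large wires)."""
    dual_control_threshold_cents: int
    authorized_approvers: frozenset
    positive_pay: dict                        # payment_id -> (payee, cents)
    approvals: dict = field(default_factory=dict)

    def approve(self, payment_id, user):
        if user not in self.authorized_approvers:
            raise PermissionError(f"{user} is not an authorized approver")
        self.approvals.setdefault(payment_id, set()).add(user)

    def release_decision(self, p):
        expected = self.positive_pay.get(p.payment_id)
        if expected is None:
            return False, "not on positive-pay list"
        if expected != (p.payee_account, p.amount_cents):
            return False, "payee or amount differs from positive-pay list"
        if p.amount_cents >= self.dual_control_threshold_cents:
            if len(self.approvals.get(p.payment_id, set())) < 2:
                return False, "dual control: second approver required"
        return True, "released"

def demo():
    """Constructed scenario (assumed threshold, users and account labels)."""
    gate = TransferGate(10_000_00, frozenset({"alice", "bob"}),
                        {"P-1": ("CLOSING-ACCT-001", 250_000_00)})
    legit = Payment("P-1", "CLOSING-ACCT-001", 250_000_00)
    forged = Payment("P-2", "MULE-ACCT-999", 440_000_00)    # not on the list
    altered = Payment("P-1", "MULE-ACCT-999", 250_000_00)   # payee swapped
    out = {"forged": gate.release_decision(forged)[0],
           "altered": gate.release_decision(altered)[0]}
    gate.approve("P-1", "alice")
    gate.approve("P-1", "alice")          # same person twice is one approval
    out["one_approver"] = gate.release_decision(legit)[0]
    gate.approve("P-1", "bob")
    out["dual_approved"] = gate.release_decision(legit)[0]
    return out
```

The point of the separate channel is that a stolen online-banking login can initiate a transfer but cannot add an entry to the positive-pay list or act as the second approver.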

It does seem to be a tactic that is working, says Daniel Mitchell, a partner with law firm Bernstein Shur, which represented PATCO in its litigation.

"The banks spend a lot more energy educating customers about the security systems that they have in place and about what the customers ought to be doing to help ensure good security," he says. "I think customers, when they ask the questions now, are getting better information back from the banks."

Finally, the delay between the incidents and when such cases become public lawsuits may create a more pessimistic view of account takeover than is warranted. In 2009, for example, about 70 percent of financial institutions had at least one instance of successful account takeover, according to a small survey conducted by the American Bankers Association. Fast forward to 2012: Only 9 percent of banks suffered a successful account takeover, the same survey found.

Tom Garcia, User Rank: Apprentice, 5/1/2013 | 4:14:47 PM
re: Lawsuits Bring Clarity To SMBs In Corporate Account Takeovers
We saw this issue coming down the pipeline and created a turn key program for our banking customers. Our comprehensive Customer Awareness Program educates your retail and commercial customers about phishing, malware, ACH and wire fraud, and more. It also provides methods to evaluate your Program's effectiveness in accordance with federal mandates, as well as documentation of your organization's efforts to comply. In addition, it tracks fraud attempts, losses relating to ID theft, and more. http://www.infosightinc.com/Ne...

User Rank: Apprentice, 4/28/2013 | 12:41:33 AM
re: Lawsuits Bring Clarity To SMBs In Corporate Account Takeovers
While I sympathize with the SMB, I believe the ruling is correct because our system won't work if businesses don't aggressively participate in their own security and information risk management.