Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

4/22/2013
11:41 PM

Lawsuits Bring Clarity To SMBs In Corporate Account Takeovers

Small businesses have had millions of dollars stolen from their accounts by online thieves; court cases have started creating a clear picture of responsibilities

A ruling in a Missouri lawsuit may define the security standard required of small and midsize businesses (SMBs) and their banks to prevent online thieves from stealing hundreds of thousands of dollars and sending it overseas.

In late March, a Missouri federal court ruled that Choice Escrow and Land Title, a real-estate closing business, could not sue its bank to recover $440,000 stolen by online thieves in 2010. The company had filed a claim against BancorpSouth Bank after attackers compromised a system at Choice and used the firm's credentials to transfer money to a bank in Cyprus. While the Uniform Commercial Code puts the risk for the loss due to an unauthorized transfer with the bank, Choice had twice refused to institute "dual control," a security measure that requires a second authorized employee to verify certain transactions.

The judge in the case empathized with both victims, but concluded that the refusal shifted responsibility for the loss to Choice.

"The tension in modern society between security and convenience is on full display in this litigation," U.S. Magistrate Judge John T. Maughmer wrote in the order (PDF). "Choice understandably feels as though it did nothing wrong, but yet is out $440,000. BSB, as well, feels as though it has done nothing wrong. In essence, both parties are correct -- yet someone must bear the risk of loss."

The question of where the balance of responsibility lies between banks and SMBs has been hotly contested for a handful of years. In 2009, construction company PATCO lost more than $270,000 to hackers who transferred the money from its bank, Ocean Bank, using credentials stolen from a compromised PATCO system. In 2011, a district court in Maine ruled against the firm, putting the onus for security on SMBs, but the decision was reversed on appeal in 2012.

Like the PATCO case, previous cases tended to end in results that favored business customers. Yet the Choice case has changed that and highlighted what SMBs must do to protect themselves, says George Tubin, senior security strategist at cybercrime prevention firm Trusteer. Because BSB offered a security tool and Choice refused it, liability shifted, he says.

"Where we stand now is that small businesses should be on alert," he says. "If your bank is offering or recommending security tools ... they should adopt them and use them, unless they can prove that using the security tools would have a direct negative effect on their business."

[An online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. See Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft.]

Banks are attempting to talk to their business customers about the dangers. Doug Johnson, vice president of risk management policy at the American Bankers Association, spends a great deal of time going out and talking with business groups to educate their members about cybercriminals' tactics and the kinds of defenses they should be asking of their banks. For their part, companies should consider using a dedicated computer solely as a banking terminal, dual authentication, and positive pay, where the bank is given a list of authorized payments through a separate channel, Johnson says.

"You have to take control of the monitoring for potentially unauthorized transactions because you really are the first line of defense," he says. "You should also communicate to the bank under what circumstances they should contact you if there is a transaction that you would not normally make."
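The two customer-side controls Johnson describes, dual control and positive pay, can be modelled as a release gate the bank runs before a wire goes out. The following is an added example, not code from the article or from any bank; the approval threshold, user names, account identifiers and payments are constructed sample data.

```python
# Added example (not from the article): a release gate modelling dual control and
# positive pay. Threshold, names, accounts and payments below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DUAL_CONTROL_THRESHOLD = 10_000  # assumed policy: wires at or above this need two people

@dataclass(frozen=True)
class Payment:
    payment_id: str
    payee_account: str
    amount: int                        # whole currency units
    initiated_by: str                  # user whose online-banking session created the wire
    approved_by: Optional[str] = None  # second authorized employee, if any

# Positive-pay file: payment_id -> (payee_account, amount). It reaches the bank over a
# separate channel, so malware holding the online-banking credentials cannot edit it.
PositivePayFile = Dict[str, Tuple[str, int]]

def check_dual_control(p: Payment) -> List[str]:
    problems = []
    if p.amount >= DUAL_CONTROL_THRESHOLD:
        if p.approved_by is None:
            problems.append("dual-control: second approver missing")
        elif p.approved_by == p.initiated_by:
            problems.append("dual-control: approver must differ from initiator")
    return problems

def check_positive_pay(p: Payment, issued: PositivePayFile) -> List[str]:
    record = issued.get(p.payment_id)
    if record is None:
        return ["positive-pay: no matching issue record"]
    payee, amount = record
    problems = []
    if payee != p.payee_account:
        problems.append("positive-pay: payee account mismatch")
    if amount != p.amount:
        problems.append("positive-pay: amount mismatch")
    return problems

def release_decision(p: Payment, issued: PositivePayFile) -> Tuple[bool, List[str]]:
    """Release only if both controls pass; otherwise list every failure for the alert."""
    problems = check_dual_control(p) + check_positive_pay(p, issued)
    return (not problems, problems)

# Constructed samples: a legitimate closing payout with a second approver, and a wire
# created from a compromised session with no second approver and no issue record.
ISSUED: PositivePayFile = {"PMT-1001": ("US-ACCT-001", 250_000)}
LEGIT = Payment("PMT-1001", "US-ACCT-001", 250_000, "alice", approved_by="bob")
FRAUD = Payment("PMT-9999", "CY-ACCT-777", 440_000, "alice")
```

Either control alone would have flagged the constructed fraudulent wire; running both gives the bank a second signal when one has been bypassed.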

It does seem to be a tactic that is working, says Daniel Mitchell, a partner with law firm Bernstein Shur, which represented PATCO in its litigation.

"The banks spend a lot more energy educating customers about the security systems that they have in place and about what the customers ought to be doing to help ensure good security," he says. "I think customers, when they ask the questions now, are getting better information back from the banks."

Finally, the delay between the incidents and when such cases become public lawsuits may create a more pessimistic view of account takeover than is warranted. In 2009, for example, about 70 percent of financial institutions had at least one instance of successful account takeover, according to a small survey conducted by the American Bankers Association. Fast forward to 2012: Only 9 percent of banks suffered a successful account takeover, the same survey found.

Comments
Tom Garcia, User Rank: Apprentice, 5/1/2013 | 4:14:47 PM
re: Lawsuits Bring Clarity To SMBs In Corporate Account Takeovers
We saw this issue coming down the pipeline and created a turnkey program for our banking customers. Our comprehensive Customer Awareness Program educates your retail and commercial customers about phishing, malware, ACH and wire fraud, and more. It also provides methods to evaluate your Program's effectiveness in accordance with federal mandates, as well as documentation of your organization's efforts to comply. In addition, it tracks fraud attempts, losses relating to ID theft, and more. http://www.infosightinc.com/Ne...
ChuckBenson, User Rank: Apprentice, 4/28/2013 | 12:41:33 AM
re: Lawsuits Bring Clarity To SMBs In Corporate Account Takeovers
While I sympathize with the SMB, I believe the ruling is correct because our system won't work if businesses don't aggressively participate in their own security and information risk management.