Bank Fraud: It's Not Personal, Just Business

Less publicized (but nonetheless costly) incidents of fraud, questions of liability, and mixed success in court complicate the allocation of security resources.

High-profile breaches of consumer data have been in the news lately, with Neiman Marcus, Michaels, and Target each losing hundreds of thousands to millions of payment card details. As of last week it looks as if we will be able to add P.F. Chang's to that list as well.

Much of the media coverage of these events has revolved around the impact on consumers and what consumers should do to protect themselves, but the reality of these breaches is that the consumers are the least likely to be affected: Federal law limits liability for fraudulent credit or debit card purchases to $50 in most cases (with the condition that the loss or theft of the card is reported promptly in the case of debit cards). The real impact of these breaches has been on the companies that have been compromised. Target reported $61 million in total breach expenses during the quarter of the breach, and this number is sure to grow as time goes on.

There is another type of financial fraud that is hitting companies as well: wire transfer fraud. This type of fraud costs approximately $1 billion per year but generally doesn’t get the media coverage we have seen with recent personal information breaches, perhaps because it doesn’t involve millions of individuals’ payment card numbers or because breach notifications usually aren’t required if a consumer’s personal information isn’t lost.

The ploy is fairly simple: an attacker gains access to a commercial bank account, wires as much money as possible to another bank account, and withdraws the stolen money before the unauthorized transfer is noticed. Often the recipient bank accounts and withdrawals are handled by unwitting "mules" who answer the "Work From Home!" ads that seem to be plastered all over the Internet and on telephone poles across the country. The mules believe they are working for a legitimate company handling office finances when in reality they are withdrawing the stolen money and forwarding it to the overseas (usually somewhere in Eastern Europe) masterminds behind the scheme.

Unlike personal consumer bank accounts, which fall under FDIC regulations and have the same federal liability limits as debit cards ($50 if the bank is notified within 2 days and $500 if the bank is notified within 60 days), there is essentially unlimited liability for commercial bank accounts. It is entirely possible for an entire bank account to be cleaned out in a matter of hours. In 2009 Experi-Metal Inc., a Michigan-based company, had $5.2 million wired out of its account at Comerica in a single day. The bank was able to recover most of the money because the transactions had been detected by fraud-alerting algorithms, but Experi-Metal was still left short by $561,000.

Experi-Metal's story is fairly typical: most victims are left with losses in excess of $100,000. This seems like a pittance compared to the Target losses, but it could be a devastating blow for a small or midsized business with a much smaller revenue stream than the $21.5 billion Target reported during the same quarter as the recent breach. These attacks are happening regularly, and they aren't just targeting businesses: Public schools, libraries, universities, and non-profits have all been victimized in this manner.

Most banks accept no liability for the missing money because the breaches are occurring on the customer's computer systems, not the bank's. These can range from a simple phishing attack, in which an email purporting to be from the bank attempts to trick an unwitting user into directly revealing his or her banking passwords, to complex botnets made up of malware-infected computers around the world waiting to capture these credentials.

Law enforcement does try to break up these fraud networks when they can, but it can take years. With many of the perpetrators targeting US businesses but operating out of foreign countries, it can be difficult for US law enforcement to find the masterminds behind the operation and get the quick cooperation they would need to effect any meaningful arrests. Businesses certainly shouldn’t hold out any hope that these modern-day bank robbers will be caught and their money returned.

Some businesses have tried to fight back against the banks in court with mixed success. Patco Construction Co. of Maine lost $588,000 in 2009 and, after repeatedly losing in lower courts, was able to win a judgment from the 1st Circuit Court of Appeals in July 2012 forcing the bank to cover its losses. On the other hand, Choice Escrow and Land Title LLC of Missouri also lost $440,000 in 2009, and on June 11, 2014, the 8th Circuit Court of Appeals ruled that not only was the bank not responsible for the losses, but that the bank can pursue Choice Escrow to pay for its legal defense costs. Given the potential losses from a breach and the expensive, uncertain, and lengthy nature of attempting to recover funds from a bank, it is clear that businesses need to focus on protecting themselves from fraudulent transfers.

Malware and botnets are an enormous threat on the Internet today, and many of them are designed to steal financial details in order to facilitate wire transfer fraud. The ZeuS botnet alone (the same piece of malware that caused the Patco breach described above) is estimated to have stolen $70 million over its lifetime. NTT Com Security’s Global Threat Intelligence Report shows that botnets were responsible for the largest proportion of attacks happening on the Internet in 2013 with 34% of the total. Disturbingly, the same report also shows that 54% to 71% of malware is not detected by antivirus software, which highlights an underlying security issue: Installing antivirus and tossing a firewall on the network is not enough to prevent these types of attacks.

Christopher Camejo is an integral part of the Consulting leadership team for NTT Com Security, one of the largest security consulting organizations in the world. He directs NTT Com Security's assessment services including ethical hacking and compliance assessments.
1 of 2
Comments
Greg MacSweeney,
User Rank: Author
6/25/2014 | 9:10:14 AM
disturbing numbers
The high percentage of botnet attacks (34% of total attacks) and also the high percentage (54% to 71%) of malware that is not detected by antivirus software is disturbing. Antivirus software is the primary (and sometimes only) line of defense for many retail customers.
IvySchmerken,
User Rank: Author
6/30/2014 | 11:41:33 AM
Electronic wire transfer fraud
It seems unfair that companies utilizing electronic wire transfer through a bank are not being afforded as much fraud protection as retail consumers.

Since the fraud is entering their computer system, the bank is not covering the full loss. This is still a commercial banking relationship. A company cannot obtain electronic wire transfer on their own. Small and medium size companies have a lot to lose if one of these botnets or malware attacks infiltrates their networks. Are corporations held to a higher standard under the law?
KBurger,
User Rank: Author
6/30/2014 | 3:49:13 PM
Re: Electronic wire transfer fraud
That's a good point, Ivy. I would think in the current environment where a lot of corporate banking services have become commoditized and banks are looking for ways to differentiate in a very competitive business, being able to help out your corporate customers that are affected by wire fraud -- by covering the loss or providing some kind of service (the corporate equivalent to a credit score check?) -- could be a very important step to take to distinguish your bank.
IvySchmerken,
User Rank: Author
6/30/2014 | 6:28:35 PM
Re: Electronic wire transfer fraud
I agree, Kathy. Corporations might prefer certain banks that provide coverage for electronic wire transfer fraud over others that don't. I wonder if this lack of coverage is more the norm than the exception?
KBurger,
User Rank: Author
7/1/2014 | 9:37:58 AM
Re: Electronic wire transfer fraud
I really don't know. But the columnist's point is that wire transfer-related fraud is under-recognized/reported, so I suspect that "make goods" probably are not pervasive in the industry. Or it may be something that is offered quietly on a case-by-case basis, not promoted as a basic offering.
Becca L,
User Rank: Author
6/30/2014 | 1:52:24 PM
And it could have been worse
Chris, thank you for this article! It's insane how quickly things can go wrong and how long the road is to financial recovery. Without anyone tangible to attack in court and mixed ideas of who is liable, it's difficult for firms to recover their financial losses.

"54% to 71% of malware is not detected by antivirus software"  - crazy! And the example of Experi-Metal is particularly chilling - that half million dollar loss could have been much more with less effective fraud-alerting algorithms, something firms are keeping in mind when evaluating their security systems and when they renew their contracts with antivirus software providers.
Kelly22,
User Rank: Author
6/30/2014 | 2:28:18 PM
Re: And it could have been worse
Great article, really highlights the importance of an aggressive cybersecurity strategy. I was taken aback by those numbers myself - I had no idea how much malware could get by antivirus software! Just goes to show how important it is for businesses to consider every precaution. Just recently I heard someone mention that they isolate the computers they use for banking, a smart strategy that could go a long way in protecting against attacks.