<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; duanesburg central school district</title>
	<atom:link href="http://krebsonsecurity.com/tag/duanesburg-central-school-district/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 22:39:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Bill Would Give Cities, Towns and Schools Same e-Banking Security Guarantees as Consumers</title>
		<link>http://krebsonsecurity.com/2010/10/bill-would-give-cities-towns-and-schools-same-e-banking-security-guarantees-as-consumers/</link>
		<comments>http://krebsonsecurity.com/2010/10/bill-would-give-cities-towns-and-schools-same-e-banking-security-guarantees-as-consumers/#comments</comments>
		<pubDate>Thu, 07 Oct 2010 18:57:10 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[duanesburg central school district]]></category>
		<category><![CDATA[EFTA]]></category>
		<category><![CDATA[Independent Community Bankers of America]]></category>
		<category><![CDATA[Sen. Charles Schumer]]></category>
		<category><![CDATA[Steve Verdier]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=5657</guid>
		<description><![CDATA[In response to a series of costly online banking heists perpetrated against towns, cities and school districts, Sen. Charles Schumer (D-NY) has introduced legislation that would extend those entities the same protections afforded to consumers who are victims of e-banking fraud. Under &#8220;Regulation E&#8221; of the Electronic Funds Transfer Act (EFTA) consumers are not liable [...]]]></description>
			<content:encoded><![CDATA[
<p>In response to a series of costly online banking heists perpetrated against towns, cities and school districts, <strong>Sen. Charles Schumer</strong> (D-NY) has introduced legislation that would extend those entities the same protections afforded to consumers who are victims of e-banking fraud.</p>
<p>Under &#8220;Regulation E&#8221; of the <a href="http://www.fdic.gov/regulations/laws/rules/6500-3100.html" target="_blank">Electronic Funds Transfer Act</a> (EFTA) consumers are not liable for financial losses due to fraud &#8212; including account takeovers due to lost or stolen usernames and passwords &#8212; if they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen more than $70 million from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI.</p>
<p>On Sept. 29, computer crooks <a href="http://krebsonsecurity.com/2010/10/hackers-steal-600000-from-brigantine-nj/" target="_blank">stole $600,000 from the coastal town of Brigantine, N.J.</a>; seven months earlier, computer crooks <a href="http://krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/" target="_blank">stole $100,000 from Egg Harbor Township</a> just 20 miles away. In late December 2009, an organized cyber gang <a href="http://krebsonsecurity.com/2010/01/fbi-investigating-theft-of-500000-from-ny-school-district/" target="_blank">took $3.8 million from the Duanesburg Central School District</a> in Schumer&#8217;s home state. In that attack, the bank managed to retrieve some of the money, but the district is still missing roughly $500,000.</p>
<p>The same day as the Brigantine breach, Schumer introduced <strong>S. 3898</strong>, a bill that would extend EFTA&#8217;s Regulation E protections to certain local government entities, including municipalities and school districts. The Board of Governors of the Federal Reserve System is to define which entities are included in the categories of “municipality” and “school district.”</p>
<p><strong>Steve Verdier</strong>, executive vice president and director of congressional affairs for the <strong>Independent Community Bankers of America</strong>, said the thinking behind the current law is that banks can absorb the losses from this type of fraud when it happens to consumers because there is usually a comparatively smaller amount of money involved. </p>
<p>&#8220;The bank is probably in no better position to protect against this type of fraud than the [business] account holder,&#8221; Verdier said. &#8220;Whereas consumers may not be in as good a position to protect themselves against these types of losses, you would hope a government or school district would have employee procedures to guard against this type of thing. And if the bank is forced to start making good on these losses, that weakens its ability to serve consumers and they&#8217;re going to have to price that risk into all of their services.&#8221;</p>
<p><strong>Avivah Litan</strong>, a financial fraud analyst with <strong>Gartner Inc.</strong>, said there are a number of promising new technologies that banks can make available to their customers that help guard against these attacks, referring to several products that use specially encoded USB keys to load a virtual operating system on the customer&#8217;s computer and encrypt the keystrokes between the bank and the customer.</p>
<p>&#8220;Also, why limit this to schools and municipalities? Small businesses have just as much risk as school districts, as do churches for that matter,&#8221; Litan said. &#8220;So does that mean that small businesses have more resources to deal with this type of fraud than cities and counties do?&#8221;</p>
<p>There isn&#8217;t much &#8212; if any &#8212; likelihood that the bill will be acted upon before the November elections, in which case Schumer will need to reintroduce the bill when the 112th Congress convenes early next year. </p>
<p>A copy of Schumer&#8217;s bill is <a href="http://krebsonsecurity.com/wp-content/uploads/2010/10/A-BILL-To-amend-the-Electronic-Fund-Transfer-Act-Schumer-as-of-October-6-2010-AYO10H67.pdf" target="_blank">here</a> (PDF).</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/10/bill-would-give-cities-towns-and-schools-same-e-banking-security-guarantees-as-consumers/feed/</wfw:commentRss>
		<slash:comments>45</slash:comments>
		</item>
		<item>
		<title>A Stroll Down Victim Lane</title>
		<link>http://krebsonsecurity.com/2010/05/a-stroll-down-victim-lane/</link>
		<comments>http://krebsonsecurity.com/2010/05/a-stroll-down-victim-lane/#comments</comments>
		<pubDate>Mon, 10 May 2010 17:14:54 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[Cooperstown]]></category>
		<category><![CDATA[duanesburg central school district]]></category>
		<category><![CDATA[Jackson Demolition]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[schenectady]]></category>
		<category><![CDATA[taxes]]></category>
		<category><![CDATA[taxreturnsworld.com]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[ZeuS Trojan]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=2891</guid>
		<description><![CDATA[Last week I traveled to Cooperstown, N.Y. to deliver a keynote address about the scourge of online banking fraud that I've written about so frequently this past year. I flew into Albany, and in the short, 60-minute drive west to Cooperstown, I passed through tiny Duanesburg, a town whose middle school district is still out a half million dollars from e-banking fraud. On my way to Cooperstown, I also passed within a few minutes of several other recent victims -- including a wrecking firm based in Schenectady that lost $70,000 last month when organized thieves raided its online bank account.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/jacksondemo.jpg"><img class="alignright size-medium wp-image-2912" title="jacksondemo" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/jacksondemo-257x300.jpg" alt="" width="257" height="300" /></a>Last week I traveled to <strong>Cooperstown, N.Y.</strong> to deliver a keynote address about the scourge of online banking fraud that I&#8217;ve written about so frequently this past year. I flew into Albany, and in the short, 60 minute drive west to Cooperstown, I passed through tiny <strong>Duanesburg</strong>, a town whose middle school district is <a href="http://krebsonsecurity.com/2010/01/fbi-investigating-theft-of-500000-from-ny-school-district/" target="_blank">still out a half million dollars</a> from e-banking fraud. On my way to Cooperstown, I also passed within a few minutes of several other recent victims &#8212; including a wrecking firm based on <strong>Schenectady</strong> that lost $70,000 last month when organized thieves raided its online bank account.</p>
<p><strong>Alexander &#8220;Sandy&#8221; Jackson</strong>&#8216;s world started crashing down on Apr. 20, the day he learned that more than $70,000 of company&#8217;s cash had been transferred to 10 complete strangers scattered about the United States. Since then, the owner of <a href="http://www.jacksondemolition.com/index.html" target="_blank">Jackson Demolition Service</a> has spent a good deal of time trying to retrieve that money. So far, he and his bank have recovered about one-third of the amount stolen.</p>
<p>Oddly enough, Jackson first learned of the fraud after being contacted by an individual who received close to $5,000 of the firm&#8217;s money.</p>
<p>That individual was Montgomery, Ala. resident <strong>April Overton</strong>. In March, Overton responded to an e-mail from a company that said it found her resume on <strong>Careerbuilder.com</strong>, and would she be interested in a work-at-home job entering tax information on behalf of American tax filers? Overton said she accepted the job, and for more than a month worked several hours each day completing various tax forms with personal tax information sent to her via e-mail, forms that she then had to fax back to her employers, who claimed to be <strong>Tax World LLC</strong>, at <strong>www.taxreturnsworld.com</strong>.</p>
<p>&#8220;I was basically processing tax returns, and they&#8217;d have me log in to a site every morning between the hours of 8:30 a.m. and 11:30 a.m., and would send me information, have me filling out [IRS Form] 1040 tax returns,&#8221; Overton said.</p>
<p>The information at taxreturnsworld.com indicates that the company is based in New Jersey, and that it has been in business since 2002. However, the state has no record of a business by that name, and the domain name was registered in March 2010 via a Russian domain name registrar. In addition, the same Web server hosts an identical site reachable through the domain worldtaxreturns.com. A message left at the phone number listed on both sites was not returned.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/05/taxreturnsworld.jpg"><img class="alignleft size-medium wp-image-2921" title="taxreturnsworld" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/taxreturnsworld-300x237.jpg" alt="" width="300" height="237" /></a>Overton said she spent more than a month entering and faxing tax information for Tax World before she was paid. The payment took the form of an unexpected $4,700 deposit into her bank account from a company in North Carolina. She said she spent that money, assuming it was payment for her work, until the deposit was recalled by the issuing bank, at which point her account went thousands of dollars into the red.</p>
<p>A few days later, she received another $4,700 deposit, this time from Jackson Demolition Service. Suspecting that the rug was about to be pulled out from beneath her yet again, she picked up the phone and called the wrecking firm, effectively alerting workers there to the missing money. Overton&#8217;s bank, however, appears to have used the deposit from Jackson to replace the overdraft amount from the previous deposit from the North Carolina firm.</p>
<p>&#8220;She got a $4,700 deposit and spent it right away, but her bank overdrafted her account because that deposit got recalled,&#8221; Jackson said. &#8220;Then my money comes flying in there and her bank grabs that to replace the missing money.&#8221;</p>
<p>Overton has promised to repay the $4,700 to Jackson. Meanwhile, it remains unclear what Overton&#8217;s employers were doing, if anything, with the completed tax forms, although experts say it&#8217;s not uncommon for organized criminal groups to secretly file taxes on behalf of other people, request a refund and then later request that the refund check be sent to a new address.</p>
<p>The closing slide in my presentation up in New York included a list of tips that I urged small business owners in the audience to consider in order to avoid becoming the next victim of this type of crime. The thrust of my speech was that today&#8217;s attacks against online banking have become so sophisticated that banks need to adopt authentication mechanisms that work even when their customers&#8217; PCs are already compromised by organized criminal gangs.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/05/newyork-015thumb.jpg"><img class="alignright size-medium wp-image-2926" title="newyork 015thumb" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/newyork-015thumb-225x300.jpg" alt="" width="225" height="300" /></a>Unfortunately, very few commercial banks are prepared to meet this threat. As such, I encourage small business owners to take a few simple precautions, such as banking online only from a dedicated computer. This can take the form of a laptop or desktop that&#8217;s used only for online banking and nothing else; a <strong>Mac OS X</strong> system (all of the malware used to steal online banking credentials simply fails to run on non-<strong>Windows</strong> computers); or <a href="http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html" target="_blank">a bootable Linux installation that runs off of a CD-Rom or DVD</a>.</p>
<p>By the way, if you ever get a chance to visit Cooperstown, N.Y., consider staying at the picturesque <a href="http://www.otesaga.com/" target="_blank">Otesaga Resort Hotel</a> there, where I snapped this photo last week right before a thunderstorm moved into the area.</p>
<p>Further reading:  <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">Target: Small Businesses</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/05/a-stroll-down-victim-lane/feed/</wfw:commentRss>
		<slash:comments>33</slash:comments>
		</item>
		<item>
		<title>FBI Investigating Theft of $500,000 from NY School District</title>
		<link>http://krebsonsecurity.com/2010/01/fbi-investigating-theft-of-500000-from-ny-school-district/</link>
		<comments>http://krebsonsecurity.com/2010/01/fbi-investigating-theft-of-500000-from-ny-school-district/#comments</comments>
		<pubDate>Tue, 05 Jan 2010 21:27:05 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[$497,000]]></category>
		<category><![CDATA[duanesburg central school district]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[NBT Bank]]></category>
		<category><![CDATA[new york state police]]></category>
		<category><![CDATA[theft]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=239</guid>
		<description><![CDATA[The FBI is investigating the theft of nearly a half million dollars from tiny Duanesburg Central School District in upstate New York, after cyber thieves tried to loot roughly $3.8 million from district online bank accounts last month.]]></description>
			<content:encoded><![CDATA[
<p>The FBI is investigating the theft of nearly a half million dollars from tiny Duanesburg Central School District in upstate New York, after cyber thieves tried to loot roughly $3.8 million from district online bank accounts last month.</p>
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/duanes.jpg"><img class="alignleft size-medium wp-image-240" title="duanes" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/duanes-300x84.jpg" alt="" width="300" height="84" /></a>On Friday, Dec. 18, thieves tried to electronically transfer $1.86 million from the district&#8217;s account at NBT Bank to an overseas account. The following Monday, the attackers attempted to move another $1.19 million to multiple overseas location. It wasn&#8217;t until the next day, when transfers totaling $758,758.70 were flagged by a bank representative as suspicious, that the two previous unauthorized transactions were discovered, school officials said.</p>
<p>As of today, Duanesburg and its bank have succeeded in recovering $2.55 million of the stolen funds, but the school district is still out $497,000.</p>
<p><span id="more-239"></span></p>
<p>Audrey Hendricks, a communications specialist with Duanesburg Central, said the thieves tried to steal more than a quarter of the district&#8217;s annual budget, which stands at less than $15 million. The district services about 1,000 students kindergarten through 12th grade in a rural area about 30 miles west of Albany.</p>
<p>Dozens of similar attacks on school districts, cities, counties and small businesses across the country last year have all started with malicious software that helped the attackers steal user names and passwords needed to access the victim&#8217;s online bank accounts.</p>
<p>Hendricks said the FBI and the New York State police are investigating, but she said it&#8217;s not clear yet whether malicious software played a part in this attack as well.</p>
<p>&#8220;At this point, we don&#8217;t know exactly how it happened,&#8221; Hendricks told krebsonsecurity.com. &#8220;The FBI only knows so much, which is unfortunate because we have lots of questions.&#8221;</p>
<p>To prevent any district bank accounts from being further compromised, the district closed all of its bank accounts and established new ones with restricted online access, the district said in <a href="http://dcs.neric.org/news/0910/communityltr010510.pdf" target="_blank">a letter</a> (.pdf) sent today to families with students in the area.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/01/fbi-investigating-theft-of-500000-from-ny-school-district/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
	</channel>
</rss>

