An escrow firm in Missouri is suing its bank to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.
The attack against Springfield, Mo. based title insurance provider Choice Escrow and Land Title LLC began late in the afternoon on St. Patrick’s Day, when hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.
The following day, when Choice Escrow received a notice about the transfer from its financial institution — Tupelo, Miss. based BancorpSouth Inc. — it contacted the bank to dispute the transfer. But by the close of business on March 18, the bank was distancing itself from the incident and its customer, said Jim A. Payne, director of business development for Choice Escrow.
“They said, ‘We’re going to get back to you, we’re working on it’,” Payne said. “What they really were doing is contacting their legal department and figuring out what they were going to say to us. It took them until 5 p.m. to call us back, and they basically said, ‘Sorry, we can’t help you. This is your responsibility.'”
A spokesman for BancorpSouth declined to discuss the bank’s security measures or the specifics of this case, saying the institution does not comment on ongoing litigation.
According to documents filed today with the Circuit Court of Greene County, Mo., BancorpSouth’s most secure option for Internet-based authentication requires the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer waives or does not choose dual control — requires one user ID and password to both approve and release a wire transfer.
Choice Escrow’s lawyers argue that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.
“BancorpSouth should have, and could have, offered a commercially reasonable multifactor authentication method, since it had ample time (more than four years, October 2005 to March 2010) and knowledge of the need and requirement to provide its customers with secure authentication methods, as evidenced from the numerous documents it received, and/or knew about or should have known about, from the FFIEC and FDIC,” the complaint charges.
The amount of the fraudulent transfer was for approximately $90,000 more than Choice Escrow actually had in its operating account on the day of the incident. Since the attack, the company has had to take out a loan to replace the money, which it was holding on behalf of its real estate clients.
“We’re a title company and we had less than 48 hours to replace the money or shut down,” Payne said. “After about 30 days, we converted the amount to a permanent loan that runs over 10 years at $4,300 a month. There’s a lot of pucker factor going on there.”
The attack is the latest reminder that small businesses should assume that they are completely responsible for the security of their online transactions: Businesses do not enjoy the same legal protections afforded to consumers, and thus are responsible for any losses due to cyber theft or fraud.
Elaine Dodd, vice president of the fraud division for the Oklahoma Bankers Association, said financial institutions are playing catch-up on security, but that they’re also worried about assuming too much liability for these incidents.
“The banks I’m talking to are saying, ‘Hey, we’re trying, but a lot of this comes down to customers getting a virus on their computers’,” Dodd said.
I’ve been doing quite a bit of public speaking on this issue this year, and the message I try to get across to the bankers in the audience is this: Any security or authentication mechanism that does not start with the assumption that the customer’s system is already compromised by malicious software does not have a prayer of defeating today’s malicious attacks.
Unfortunately, the advice is the same to small business owners: The wisest approach is to behave as if your general-purpose computer systems already are compromised by password-stealing malicious software. The cheapest and probably most formidable approach involves the use of a free Live CD, a version of Linux that boots from a CD-Rom. I describe how to do this in detail at this Washington Post article from last year.
Alternatively, businesses may opt to bank solely from a dedicated PC — one that is not used for anything other than accessing the bank’s Web site — such as a netbook that lives in a drawer unless it is being updated or used to access the corporate accounts. This may sound extreme, but the integrity of this approach increases significantly if the dedicated computer is a non-Windows machine, because all of the malicious software used in the attacks I’ve written about to date simply won’t run on anything but Microsoft Windows.
The attack on Choice Escrow came during a month in which hackers seemed to hit a large number of escrow firms, almost as if they were paging through a business directory of escrow companies and picking targets at random. In that month, I communicated with several other escrow firms that were similarly hit, but have chosen not go public with the breaches — mainly out of concern that their competitors will exploit the news to frighten or siphon away customers.
One exception was Redondo Beach, Calif. based Village View Escrow Inc., which lost $465,000 in March when hackers who had stolen the company’s online banking password with the help of the ZeuS Trojan sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm. Village View’s bank recovered about $70,000 of the money, but the firm’s owner was forced to take out a $395,000 loan at 12 percent to cover the loss — which was all money that belonged to her clients.
In October, authorities in the United States, U.K. and Ukraine rounded up dozens of individuals thought be responsible for a huge percentage of these commercial account takeovers, although it’s unclear whether the fraudsters responsible for the attack on Choice Escrow have been apprehended. According to the FBI, organized thieves have attempted to steal more than $220 million from small to mid-sized organizations in recent years, and have succeeded in making off with more than $70 million.