November 2, 2010

New fees levied by financial institutions are likely to push many small businesses into banking online, whether or not they are aware of and prepared for the types of sophisticated cyber attacks that have cost organizations tens of millions of dollars in recent months.

On the way home from the store last week I caught a Public Radio/Marketplace story in which the host interviewed a small business owner who was nudged into banking online after discovering that a $9.99 fee had been added to her business banking account for the privilege of continuing to receive paper statements each month.

The angle of the story was the unfairness of the new fees, considering the estimated 12 million people in the United States who have no or only slow access to the Internet. In the following snippet from that program, Marketplace’s David Brancaccio interviewed a woman from Northern New Hampshire:

“The bank with her personal account still sends monthly statements printed on paper, through the mail, for free. Old school. But this year, one of her business accounts started charging money for paper statements.

Johnson: That’s right.

Brancaccio: How much?

Johnson: $9.99 a month.

Brancaccio: Really?

Johnson: Yes.

Brancaccio: When did you actually notice?

Johnson: My bank statement, my paper bank statement! is how I found it!

“It’s a growing trend in banking. For instance, Bank of America has something called the E-banking account where paper statements and routine visits to a human teller cost money. It’s now in more than three dozen states. B of A says techno-savvy customers seem fine with online-only in exchange for no minimum cash balances in the account.”

Johnson didn’t say which bank her commercial account was at. And for its part, BofA’s eBanking plan only applies to consumer accounts, not businesses. But if this type of trend becomes more mainstream among commercial banking customers, more and more small businesses will be pushed into banking online without knowing how to protect themselves from the organized cyber thieves who have stolen at least $70 million from small to mid-sized organizations over the last few years.

Banks using fees to push customers away from traditional offline banking will at least be a boon to companies offering security services to the banks, said Dave Jevans, chairman of the Anti-Phishing Working Group, an industry consortium.

“You’re going to see a lot more unsophisticated users entering the channel,” Jevans said.

Avivah Litan, a fraud analyst with Gartner Inc., said banks should not be pushing more businesses into online banking without adequately informing them of the risks.

“It’s not a good time to be forcing people online unless you’re protecting their rights, or at least making sure they’re fully aware of the risks,” Litan said. “This is happening at the same time the banking industry groups are urging businesses to bank online only from locked down, dedicated systems. But the individual banks don’t want to talk about this with their customers.”

What does it take to harden your network, computers, and employees against this type of attack? Apparently, that’s a difficult question to answer succinctly. Last week, the FBI, the Secret Service, the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center jointly issued a nine-page fraud advisory (PDF) for businesses that warned of high-dollar losses from commercial account takeovers.

“Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts,” the advisory begins. “Often these funds may not be recovered.”

The section on how to protect, detect and respond to these attacks spans five pages of bullet-pointed dos and don’ts. The entire paper should be required reading for every business owner who banks online, but based on interviews with dozens of victims, I’d say that a majority of these attacks could have been stopped had the victims observed the following precautions:

-Use a dedicated computer for online banking — if possible, one that does not run Microsoft Windows (emphasis on non-Windows usage mine).

-Reconcile your accounts daily.

-Talk to your financial institution about Positive Pay and other “out-of-band” services such as SMS texting, call backs, and batch limits to help protect against altered or counterfeit checks and unauthorized transactions.
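As an added example (written for this edit, not code from the advisory or from the original post), here is how the last two precautions can be turned into a daily routine: a small Python script that reconciles one day's posted transactions against the business's own records, matching presented checks against the issued-check list the way a Positive Pay service does, flagging electronic debits to payees the owner never approved, and enforcing per-item and daily batch limits. The bank export format, the record fields, the payee list, the limits and the sample transactions are all assumed for illustration; a real bank's export will differ.

```python
"""Daily reconciliation with Positive Pay matching and batch limits.

Added example, not code from the advisory or from the original post. It
assumes the bank supplies a daily export of posted transactions and that
the business keeps its own records of issued checks and approved electronic
payees. All field names, sample records and limits are constructed here.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Set


@dataclass(frozen=True)
class Txn:
    date: str
    kind: str       # "check", "ach" or "wire"
    ref: str        # check number, or payee identifier for ach/wire
    amount: Decimal


# Constructed Positive Pay file: check numbers the business actually wrote,
# with the amount each was written for.
ISSUED_CHECKS: Dict[str, Decimal] = {
    "1041": Decimal("1250.00"),
    "1042": Decimal("89.95"),
}

# Constructed list of ACH/wire recipients the owner has approved in advance.
APPROVED_PAYEES: Set[str] = {"payroll-provider", "office-landlord"}

# Constructed limits of the kind agreed with the bank: a cap per electronic
# debit and a cap on the day's total electronic debits.
SINGLE_LIMIT = Decimal("5000.00")
DAILY_BATCH_LIMIT = Decimal("10000.00")

# Constructed bank export for one day. The last three entries follow the
# pattern seen in account-takeover cases: several transfers, each below the
# single-transaction limit, to recipients the business has never paid.
POSTED_TODAY: List[Txn] = [
    Txn("2010-11-01", "check", "1041", Decimal("1250.00")),
    Txn("2010-11-01", "check", "1042", Decimal("98.95")),   # altered amount
    Txn("2010-11-01", "ach", "payroll-provider", Decimal("4200.00")),
    Txn("2010-11-01", "ach", "j-smith-personal", Decimal("4900.00")),
    Txn("2010-11-01", "ach", "m-jones-personal", Decimal("4850.00")),
    Txn("2010-11-01", "wire", "r-brown-personal", Decimal("4975.00")),
]


def reconcile(posted: List[Txn],
              issued: Dict[str, Decimal] = ISSUED_CHECKS,
              payees: Set[str] = APPROVED_PAYEES,
              single_limit: Decimal = SINGLE_LIMIT,
              batch_limit: Decimal = DAILY_BATCH_LIMIT) -> List[str]:
    """Return one exception string per problem found; an empty list means
    the day reconciles and nothing needs to be reported to the bank."""
    exceptions: List[str] = []
    batch_total = Decimal("0")
    for t in posted:
        if t.kind == "check":
            # Positive Pay: a presented check must match an issued check by
            # number and by amount; anything else is counterfeit or altered.
            expected = issued.get(t.ref)
            if expected is None:
                exceptions.append(f"check {t.ref}: no record of issue, {t.amount} (counterfeit?)")
            elif expected != t.amount:
                exceptions.append(f"check {t.ref}: posted {t.amount}, issued {expected} (altered?)")
        else:
            batch_total += t.amount
            if t.ref not in payees:
                exceptions.append(f"{t.kind} to {t.ref}: payee never approved, {t.amount}")
            if t.amount > single_limit:
                exceptions.append(f"{t.kind} to {t.ref}: {t.amount} exceeds single-debit limit {single_limit}")
    # Mule payouts are usually kept below the per-item limit, so the daily
    # total is the check that actually catches them.
    if batch_total > batch_limit:
        exceptions.append(f"electronic debits today total {batch_total}, over daily limit {batch_limit}")
    return exceptions


if __name__ == "__main__":
    for line in reconcile(POSTED_TODAY):
        print(line)
```

The constructed sample deliberately keeps each fraudulent transfer under the single-item limit, which is how money-mule payouts are typically structured; it is the unknown payees and the day's running total that surface them, and that is why reconciling daily rather than at month end matters. Anything this script flags is exactly what the "call back" and SMS alert services mentioned above are meant to stop before the money leaves.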

The financial and law enforcement group that issued the report also issued a separate alert for consumers (PDF), which warns consumers to stay away from work-at-home job schemes and to avoid phishing scams. The consumer version of the alert is much shorter, in large part because consumers enjoy legal protections against unauthorized electronic transfers that business owners do not. As a result, a business that suffers an account hijacking is likely to eat the loss from any fraudulent transfers its bank cannot reverse, while a consumer who reports the fraud promptly can generally expect to be made whole.


28 thoughts on “Your Money or Your Business”

  1. Russ

    “adequately informing them of the risks”

    That’s tough to do, Brian. This article gives the impression that up until now, those who voluntarily chose to use cyber bank services were savvy and adequately informed. They still get ripped off by Zeus anyway.

    I’ve been a firm believer that Internet access should be treated like a utility; availability and quality should at least be available to anyone who wants it. But now I see the other side of the coin: users who do not desire this kind of usage may have a false need created by, in this case, their financial institutions.

    There is lots of good advice and I hope it reaches the eyes and ears of those small business owners who are new to Internet banking. While admittedly banks have the right to choose their fees and run their businesses as they see fit, $9.99 for a paper statement seems predatory, the prey being the elderly, the underprivileged and the desperate.

  2. Andy

    Hey awesome! You’re right there with NYTimes, WashPo, and Computer World in the headlines sampling (in the fraud advisory PDF). Nice that your blog is getting so much recognition. It’s daily reading for me. Thanks Brian for your great work!

  3. JS

    Wow,

    1) FBI, the Secret Service, the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center all recommend not to use Microsoft products.

    2) Google is going to sue the Fed Gov because Dept of the Interior sources only the Microsoft Email Stack because it's better security & less spammy.

    3) Left hand has no need of right hand

    4) Someone ends up stealing back Seward's Folly or the Louisiana Purchase bit by bit, chunk by chunk.

    1. RickySlick

      JS,

      Could you please substantiate your claims on #1 please? This would be valuable info to me. I’ve done a little looking and I’m having troubles locating any official publications.

      Thanks,

      RickySlick

      1. JS

        Probably worded it too strongly, but reading between the lines of the recommendation documents, that's my conclusion.

        Out of the box for my org (state level) it's just an escalating & increasing added cost to get a Windows PC secured, then you have to tack on the continual curve to keep it secured. Then it's ready to run the software required for the mission.

        Somewhere the cost/value is crossed and you look at other OS architectures and sigh.

        Somehow the correspondence to real world things isn’t being made.

        Would it seem sound to annually maintain a fleet of cruisers/vans/trucks that constantly needed updates to keep the locks locked?

        It's not a poor analogy — but a reality. Much IT gets dumped into certain vehicles. It's not that the OS is just along for the ride. It's vital to part of the mission. There are ways to defend these installations, but then it's not COTS any more but an “in house” custom stack.

        If you're looking for a direct citation you're not going to find it. No policy bureaucrat wants to have Industry Interests come down on them like a gorilla. The reform will have to come from the outside.

        I’ve written before; the realities as to why car manufacturers were producing products “unsafe at any speed” are present in the IT space, and there needs to be a similar challenge to the IT world to kill off unsound solutions and stop concentrating on the superficial and fix the core issues. There is some movement but not enough, and certainly not fast enough.

  4. TJ

    Ms. Johnson should just pay the $9.99 a month for the paper statement and standard account (avoiding online banking altogether) and consider it a cheap form of business insurance.

    If she’s too cheap to pay the $9.99 a month for business banking, I’ll bet she’s just as cheap when it comes to securing her business computer.

    1. Jane

      Or perhaps, for some unknown reason, too attached to her current bank to vote with her feet?

    2. d

      As banks are pushing more and more “fees” to their business customers, this will probably be common soon enough. But why should the business client fork over another $120.00 a year for paper statements? It costs about $6 for a ream of paper at Target and another $5.30 for 12 stamps. $9.99 a month? What a rip off, but what can I expect from the big banks?

    3. T.Anne

      A business shouldn’t be forced to pay $9.99 just to have a paper statement. When you consider the cost of paper, ink, and mailing – they’re making a good profit off that every month.

      And while $120 a year isn’t huge – especially to a business – I can certainly understand being upset about it and unwilling. If it were a reasonable fee and something communicated to me before I started being charged for it so that I had time to consider my options, then I see no problem. But automatically starting to charge $9.99 just for a paper statement without notification seems a bit ridiculous to me.

  5. AlphaCentauri

    I heard a radio ad from Wachovia promising to fully reimburse depositors if there are unauthorized withdrawals from their accounts, as if this is something that all banks aren’t required to do by law. The ad also specified the depositor is only covered if he/she has observed the online banking terms and conditions specified by Wachovia.

    If you go to their web site, several paragraphs into the terms and conditions it says that Wachovia is not responsible for losses due to malware on the depositor’s computer. They also say that if you are a business, if anyone steals your access code, you can lose all the money and it’s not their responsibility.

    The ads seem designed to reassure people that there are no risks to online banking at Wachovia, when in fact it’s just business as usual (except for there being an agreement clearly limiting the responsibility the bank has for losses from business accounts due to ZeuS, in case anyone might try to claim otherwise).

    1. Jane

      Ditto on Wachovia. Washington Mutual, before they were bought by Chase, offered those protections for just $5/month. (Maybe they still do.)

  6. emv co man

    The root of the problem is that people trust their banks and think the relationship is based on reciprocity; it’s not. Bankers will scr*w anybody over to make a buck or save a buck.
    That’s why banks invest a lot of money in the Senate.

  7. Simon

    The banks have their analysts too, and you can be sure they like their money.

    It's probable the bank analysts do not consider Zeus and co. a big enough threat.

    Besides, in most cases they will blame you for having Trojans. Luckily it didn’t happen to me, but I know others who had a credit account cleaned out and Citibank told them to install antivirus next time.

    I was shocked when I heard that, because I was sure that if you are a victim of Zeus and somebody stole 4000 dollars from you the bank is going to give you the money back, at least some of it, but from what I heard the bank security division investigated for a year and used tricky questions in recorded conversations to show it was the client's fault. For the record, banks have lawyers as part of the system; you can’t really do anything with sums under 10k$, you will probably need to pay that to your lawyer, who is likely to lose.

  8. Dominic

    Banks across the pond keep trying to make people pay for the paper statements, the weird thing is that you can walk into any branch and get a printed paper statement for free. Seems a little hypocritical.

    However, onto the security measures. The banks here provide chip and pin services, so every card comes with a chip. Then they started sending out card reader things. There’s a whole verification and initialisation process to go through first time you get it, but after that it provides a 16 digit pass key which is required for setting up any new single or recurring transactions. How long until America goes the same way?

  9. John

    I have one issue with Ms. Johnson. Banks are required to inform you of any fee changes at least 30 days before the change goes into effect. I bet you this information was on her statement or was sent out in its own mailer. She does not want to own up to the fact she does not read a single thing her bank sends out. At some point people must be held responsible for their actions. I do admit there is a chance her bank made the change without telling anyone. I doubt that to be the case.

    There is another issue people forget all about. At the end of the day a bank is a business just like any other business; their goal is to make money just like you. In the last 30 months banks have seen more new regulation than in the last 30 years. All of this regulation is geared toward cutting the bank's non-interest income. This type of income is what banks use to pay employees and helps them pay their bills. As all of you should know by now, the boss will not take less money than what he gets today. That loss has to come from somewhere. Saving money on postage is a great way to do that.

    I will also admit that some banks like Wells Fargo, Bank of America, and Chase have some dirty business practices. That does not mean all banks and credit unions need to be punished.

  10. Jane

    A couple posts seem to state that the consumer protections don’t include fraud losses related to malware. Is this true? I thought Brian’s stated again and again that these businesses are losing money to Trojans and not getting it back because they don’t have the same protections as consumers.

    1. John

      Jane,

      Commercial customers do not have the same protection as a retail customer does. In most cases the commercial customer is left holding the empty bag. Banks and credit unions do not have to refund losses due to fraud for commercial customers. Brian reported about a new law that will most likely be passed to extend that protection to commercial customers. Most people do not understand or care about the dangers of being online. Banks need to step up and try to educate them on the threats. This is no easy task. I work in IT security and most of the users I deal with just don’t care about online security until it hits them.

      1. Jane

        I know I’m probably too late to be asking for more details, but here goes…

        If a regular consumer banking customer loses money because a trojan on the customer’s computer steals online banking credentials, is the bank required to refund the stolen money?

        1. BrianKrebs Post author

          Jane, generally, yes they are. The caveat is if the consumer waits too long to report the fraud. But yes, that’s the big difference here: Consumers usually can recoup all of their losses; businesses are left holding the bag.

  11. Gaius Baltar

    Try using a credit union. In my experience, they don’t try to bleed you to death with fees.

  12. JTW

    So banks are charging customers for services without informing them prior to instituting the charges?
    Sounds like fraudulent business practices to me, companies (and individuals) so hit probably have a good case to bring to court.

    It’s a change of contract terms, which by law requires all parties be notified in advance and be given a chance to refuse the change (which may require cancelling or modifying the contract free of charge).

    1. AlphaCentauri

      Since the bank wrote the original contract without any input from lawyers representing the depositors, I suspect the language pretty much allows them to make any changes the law allows any time they want. They can include the notification in that 6 pt grey typeface on the back of the statement that appears every month (or a link to a twenty paragraph “terms and conditions” from an online statement). A minor change in what is otherwise the same boilerplate every month would still meet any legal requirements. If the customers learn about a new charge after it has already happened, there is a good chance the competing banks will be adopting the same charges by the time anyone can actually switch.

      1. Jane

        Hasn’t there been a little precedent so far that “subject to change without notice” doesn’t always hold up in court? Sort of like how “at your own risk” waivers don't give you a free pass for negligence.

  13. Neal O'Farrell

    Financial institutions are missing out on a valuable marketing opportunity, and loss reduction opportunity, by continuing to refuse to talk to their customers about security.

    I’m with a top 3 bank and can’t recall once in the last ten years receiving any communications about identity theft or security – not a tip, alert, warning, advice. Nothing.

    Daily balance alerts and marketing pitches, sure, but zero about security. I could be forgiven for believing there’s no such thing as identity theft, or a Trojan. Yet customer awareness remains one of the best defenses against many threats.

    FIs need to wake up and realize that engaging their own customers in the security debate is actually great for business, for trust, loyalty etc.

    When I get an email promotion from my bank I usually delete it immediately. If I were to get an alert, not only would I thank my bank, and remember the favor, I’d be more likely to forward it to my family and friends too. Which makes it great viral marketing.

    FIs need to think more creatively, and understand the relationship between security and trust, and how better security communications and awareness can solve so many problems.

    1. BrianKrebs Post author

      I couldn’t agree more Neal, and I’m actually working on a column that takes just this angle. Most commercial banks simply are not talking to their customers about security options. If nothing else, they’re missing a chance to upsell their customers. In a world in which banks are trying to figure out every which way to add on fees, it’s baffling why — given the threat out there — the banks continue to pass up their opportunity with some creative and informative sales pitches.

      1. Jerry Tylman

        I would love the community’s feedback on a product that we have the green light to market to commercial banking customers: anti-malware desktop software, plus monthly stay safe online education material, plus $100,000 insurance against any type of cyber crime from a device running the anti-malware software. The cost to the commercial banking customer is $9.99/month. No forms to fill out, just download the software and you are covered. If the customer wants more coverage, we can offer a policy up to $25MM. The only catch for the Banks is that they have to offer this as an “opt out” product to a group of customers (e.g. those that use online ACH and Wires), meaning that the entire group is covered on day one, but if an individual in the group wants out, they can opt out after we let them know that under Reg E, the Bank is not liable if they are victimized by cyber crime.
