Biz bank accounts hacked at ‘unprecedented’ rates
March 29, 2010 by Valerie Helmbreck
Posted in: Information security, Special Report, User behavior, Web 2.0, cybercrime, e-commerce, online banking

Criminals are successfully attacking small and mid-size company bank accounts at an unprecedented rate. On top of this, banks aren’t doing as much as they could to intercept fraudulent activity or reimburse customers who are victims. The result:
Many of these businesses are firing their banks after thieves break into their accounts.
That’s the conclusion of a recent report by the folks at Guardian Analytics and the Ponemon Institute, two online security firms.
“Banks have a new troubled asset — their customers,” said Terry Austin, CEO, Guardian Analytics. “The survey data proves that financial institutions are failing to protect the small and medium businesses that are at the heart of our economic recovery. [Small and mid-size businesses] are fed up with the banks that are leaving them vulnerable to fraud and not reimbursing them when they are attacked. Banks that do not improve their fraud prevention practices will lose customers and hurt their own recovery.”
The jointly produced 2010 Business Banking Trust Survey points out where security, communication and trust have deteriorated between SMBs and their banks.
It also shows how a breakdown of trust is hurting everyone involved.
Some highlights (or rather, lowlights) of the fraud report:
- Attack Rate: 55% of businesses reported they were hit with fraud in the last year; 58% of the fraud involved online banking activities
- Detection Rate: 80% of banks didn’t manage to catch the fraud before the money was moved
- Loss Recovery: 87% of the time, the money was long gone and the bank couldn’t get it back
- Loss reimbursement: 57% of companies that had their accounts targeted were not fully compensated by their banks; more than a quarter of the victims (25%) got no compensation at all for their losses
- Customer churn: These losses and the banks’ actions both before and after the attacks caused 40% of businesses targeted to switch banks after the fact, and
- Transparency: 24% of businesses said their banks didn’t provide a policy that explained the bank’s responsibilities regarding security and protection of accounts; 39% of customer businesses didn’t even know if their bank had such a policy.
So the question for banks becomes this: How much will it cost to put better safeguards in place and beef up security for the institution versus how many commercial clients (and their assets) will be lost if banking fraud goes undetected and continues to rise?
Commercial customers need to find out what their banks’ policies are regarding fraud, reimbursement and responsibility when it comes to these cybercrimes.
We posted a story not too long ago about a bank that was actually suing a customer that had been victimized by fraud.
The bank wanted a court to confirm — for the record — that it had done everything possible to prevent the fraud.
The bottom line is that banks won’t just automatically replace money swiped from your account using online banking. Unlike the traditional bank robbery — where a crook either breaks into the vault or holds up a teller at a bank branch — banks are now claiming that the thieves had accomplices in the crimes.
And the accomplices are the victims — their very own customers.
Are banks starting to feel more like casinos these days than guardians of assets? You know, the house, er bank, can’t lose because they make the rules. And all risk is on the player, not the folks who are running the games of chance.
While online banking has grown in popularity over the years and has saved banks billions of dollars in brick and mortar branches, personnel and other costs, it seems that these institutions are doing as much as they can to push off the risk of these technology-driven transactions onto the customers that support them.
Will banking reform legislation tackle these problems as well? Your thoughts?

March 30th, 2010 at 11:02 am
As an IT security professional I appreciate the difficult position the banks are in. It is difficult to get proper practices and user training implemented internally, much less upon external customers. No matter what criteria are set or methods used, if the customer gives it away then it is of no use. If you give them tokens and passcodes but they give them away to the thieves then they are of no use and you must bear that responsibility. If you limit it by IP address the thief just takes control of your computer to do it. My point is no matter where you set the bar, if the customer becomes the weak link then how much liability should the bank itself have to bear?
March 30th, 2010 at 11:19 am
Issues like this are interesting. I say that because the control of the banking industry belongs to the United States Senate. The Senate has oversight responsibility. The Senate has committees (i.e. The Money and Banking Committee) that it has created to do its work. So if this is such a great and grave issue, why aren’t you holding your elected officials’ feet to the fire? Why aren’t these elected officials doing their work and fulfilling their oversight responsibility? We need a bill passed that holds the banks/credit unions/lenders/credit card institutions/state government/federal government accountable for the loss of personal information. If the cost of irresponsibility for each person involved was a million dollars, the cost of providing the security would become very reasonable for the institution in question.
March 30th, 2010 at 11:47 am
I work for a mid-size non-profit. We spent over a year fighting a thief who used our on-line donation site to validate stolen credit cards. While we did not profit from his fraud – we were victims as much as the people whose cards were stolen. Our credit card processor did nothing to stop this person because they were making a small fortune in fees off of us. We reported the activity to the police, FBI, and the Treasury Dept and got no response to any of the reports. The only ones we ever got thanked by were the frauded donors and their banks, especially if we noticed a pattern in the bank being used.
This thief started off small with $1.00 donations and then created a program to hit us over 100 times an hour; getting greedy and increasing the amounts on the cards. It’s now over after we spent a small fortune and much aggravation. To this day – I cannot figure out what they got out of it and I really don’t want it explained to me. What annoyed me the most was the complacency that our own supposed representative and the banking world in general took to this activity. It made me sick and glad that I got out of the banking industry.
March 30th, 2010 at 3:52 pm
Denise, you stated that your organization was thanked only by “the frauded donors *and their banks*” – I don’t understand what you’re sick about here?
Thanks to Craig for a reasonable response! Banks cannot be held responsible for the irresponsibility of their customers and still remain in business. If you give away the dinner you ordered at a restaurant to someone you thought you could trust, is the restaurant then responsible for your hunger? DON’T give away your access codes or tokens and DON’T use an unsecured network!
Furthermore, if you are a decision maker for a small- to mid-size company, your needs would be better served by a small- to mid-size community bank than by those multi-state or multi-national conglomerate banks.
The community bank for which I work may not have a written policy regarding fraud, reimbursement and responsibility but we DO look out for, recognize indicators of, and inform our customers about possible fraud.
May 14th, 2010 at 5:47 am
All these stories are fearful: how it has become too easy to hack credit cards, and banks have to pay in most cases. But the point is, who is responsible for this? According to me, 70% is the bank and 30% is the user. If the bank uses new technology and some different idea (I have one for banks) for protection, and the user is aware of his responsibility and takes action at the right time, then 90% of hacking cases are avoidable. Believe me, it’s really very easy, but it needs action.
I have some good ideas for avoiding these frauds, and I hope you do too. So we have to come forward to avoid these frauds; it’s not a matter for fear, it just needs some action.