The chief financial officer of a Missouri firm who discovered that cyber thieves had withdrawn $180,000 from the company's bank accounts overnight described it as "a helluva wake-up call" to security blogger Brian Krebs.
But that loss might have been avoided if the company, Primary Systems, had paid better attention to the risks of electronic banking. The warnings, and examples, of cyberheists in the hundreds of thousands -- and even millions of dollars -- have been around for years.
Krebs reported this week that the company became a victim of "a single virus-laden email that an employee clicked on [that] let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers."
In this case, a payroll batch worth about $180,000 was drawn from Primary Systems' bank accounts, paid to "money mules" and eventually sent to recipients in Ukraine.
The transactions were irregular -- highly irregular. They took place on a Tuesday, while the company had always processed its payroll on Friday mornings. They called for payments of between $5,000 and $9,000 to 26 people in almost that many different states who had never had any prior connection to the firm and who were added to the Primary Systems payroll that day.
But, even though it was six times the normal payroll, the total came in below the $200,000 threshold that would have triggered a call from the bank to get permission for the payouts.
None of this is new to electronic banking. One of the more prominent cases dates to May 2009 in Sanford, Maine, where Patco Construction, a small property development and contracting firm, discovered that its banker, Ocean Bank (later acquired by People's United Bank), had authorized six fraudulent withdrawals totaling $588,851, even after the bank's security system had flagged each transaction as high-risk. The bank was able to block or recover $243,406 of that total.
That incident led to a lawsuit against the bank that is reportedly headed for a negotiated settlement at the prodding of a federal Appeals Court judge. But it illustrated the same risks as the theft from Primary Systems -- ones that all businesses conducting electronic banking should be aware of.
First, a business is not protected at the same level as an individual. Different laws govern each. A bank has to reimburse an individual customer for losses due to fraudulent transactions, as long as the fraud is reported promptly. For commercial customers, a bank must simply have a security system that is "commercially reasonable," and electronic transactions must be made in "good faith."
In virtually all cases, that means the customer is on the hook for losses. So it has more of a default obligation to provide its own security by monitoring its accounts.
Joram Borenstein, senior director of global product marketing at NICE Actimize, said there is anecdotal evidence that one response to this is some small companies are "misleading their own financial institution" by registering accounts as consumer accounts instead of ones designed for small businesses.
"While it's an outright lie to the bank, they are hoping that in a case of money being stolen, they will be protected from financial loss," he said.
Borenstein doesn't recommend that approach, of course. He and other experts say commercial bank customers need to remember that conventional security measures like firewalls and antivirus software are not enough. Thieves simply have to spoof an employee to get inside the firewall.
Educating employees is not enough either, said George Tubin, senior security strategist for Trusteer. "It goes to show that the battle of educating users on what they should and shouldn't do is lost. People are going to keep opening things they shouldn't," he said.
Most banks now offer heightened security services. Enterprise Bank offered Positive Pay, which verifies the validity of checks. Primary Systems did not start using Positive Pay until after the theft.
Banks should also make sure they are in compliance with the Federal Financial Institutions Examination Council's (FFIEC) mandatory guidelines. Among them: that a bank impose multi-factor authentication, that it use layered security, and that it develop a risk profile of each of its customers so its system can more readily tell when transactions may be fraudulent.
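The irregularities in the Primary Systems batch (off-schedule day, 26 never-seen payees in almost as many states, six times the normal total) and the FFIEC's risk-profile guidance describe the same control from two sides: a single fixed dollar threshold missed the batch, while a profile of the customer's normal behaviour would have held it. The following is an added example, not code from the article, the bank, or Primary Systems; the profile, rule weights and the two sample batches are constructed to match the figures the article reports.

```python
"""Per-customer risk profile vs. a fixed call-back threshold for a payroll batch.

Added example, not the article's or any bank's code. The customer profile,
the rules, and both sample batches are constructed; the fraudulent batch
mirrors the article's figures (a Tuesday run instead of Friday, 26 new
payees in 24 states, $5,000-$9,000 each, roughly six times the normal
payroll, total below a $200,000 call-back threshold).
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CustomerProfile:
    usual_weekday: int                 # 0 = Monday ... 4 = Friday
    typical_total: float               # typical payroll batch total, dollars
    known_payees: set = field(default_factory=set)
    known_states: set = field(default_factory=set)


@dataclass
class Payment:
    payee: str
    state: str
    amount: float


# Constructed profile: payroll runs Fridays, about $30,000, 12 known employees in Missouri.
PROFILE = CustomerProfile(
    usual_weekday=4,
    typical_total=30_000.0,
    known_payees={f"emp-{i:03d}" for i in range(1, 13)},
    known_states={"MO"},
)

# Constructed run dates: 2012-05-15 is a Tuesday, 2012-05-18 a Friday.
FRAUD_RUN_DATE = date(2012, 5, 15)
NORMAL_RUN_DATE = date(2012, 5, 18)

STATES = ["MO", "IL", "TX", "CA", "NY", "FL", "OH", "GA", "PA", "MI", "NC", "NJ",
          "VA", "WA", "AZ", "MA", "TN", "IN", "MD", "WI", "CO", "MN", "SC", "AL"]


def fraudulent_batch():
    """Constructed: 26 new payees across 24 states, $5,000-$8,750 each, $178,750 total."""
    return [Payment(f"mule-{i:02d}", STATES[i % len(STATES)], 5_000.0 + 150.0 * i)
            for i in range(26)]


def normal_batch():
    """Constructed: the customer's usual 12 employees, $2,500 each, $30,000 total."""
    return [Payment(f"emp-{i:03d}", "MO", 2_500.0) for i in range(1, 13)]


def fixed_threshold_check(batch, threshold=200_000.0):
    """The single control the article describes: call the customer only when
    the batch total reaches the threshold. Returns True if a call is triggered."""
    return sum(p.amount for p in batch) >= threshold


def risk_profile_check(batch, run_date, profile):
    """Layered, profile-based scoring. Each rule that fires contributes a
    human-readable reason; the rule thresholds are assumptions for illustration."""
    reasons = []
    total = sum(p.amount for p in batch)

    if run_date.weekday() != profile.usual_weekday:
        reasons.append("run on an off-schedule weekday")

    if total > 2 * profile.typical_total:
        reasons.append(f"total ${total:,.0f} is {total / profile.typical_total:.1f}x typical")

    new_payees = [p for p in batch if p.payee not in profile.known_payees]
    if new_payees and len(new_payees) / len(batch) > 0.25:
        reasons.append(f"{len(new_payees)} of {len(batch)} payees have no prior history")

    new_states = {p.state for p in batch} - profile.known_states
    if len(new_states) > 3:
        reasons.append(f"payments to {len(new_states)} states with no prior history")

    return reasons


def should_hold(batch, run_date, profile, min_reasons=2):
    """Policy: hold the batch for out-of-band confirmation when at least
    min_reasons rules fire, regardless of the dollar total."""
    return len(risk_profile_check(batch, run_date, profile)) >= min_reasons


if __name__ == "__main__":
    fraud = fraudulent_batch()
    print("fixed threshold would call the customer:", fixed_threshold_check(fraud))
    for reason in risk_profile_check(fraud, FRAUD_RUN_DATE, PROFILE):
        print("profile rule fired:", reason)
    print("hold for confirmation:", should_hold(fraud, FRAUD_RUN_DATE, PROFILE))
```

Run as-is, the fixed threshold stays silent on the fraudulent batch because $178,750 is under $200,000, while all four profile rules fire and the batch is held; the normal Friday batch trips none of them. Each rule is cheap to evaluate at batch-submission time, which is what makes "layered security" workable without a call on every payroll.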
Borenstein said commercial customers should "dedicate a work station or thumb drive or other 'locked-down' machine" for all bank transactions -- another measure Primary Systems took after the theft.
Tubin said he believes banks should be more forceful about telling commercial customers about their liability. While virtually all banks include that in account documents, "people just don't read all the documents, just like nobody reads every sentence of their mortgage."
"Most small businesses just don't get that they're vulnerable to this type of fraud," Tubin said. "But if they were told directly, then they might buy added security services the bank is offering."