FDIC: Hackers took more than $120M in three months

$25 million of those online bank-fraud losses were born by cusotmers

Ongoing computer scams targeting small businesses cost U.S. companiesUS$25 million in the third quarter of 2009, according to the U.S.Federal Deposit Insurance Corporation.

Online banking fraud involving the electronic transfer of funds hasbeen on the rise since 2007 and rose to more than US$120 million in thethird quarter of 2009, according to estimates presented Friday at theRSA Conference in San Francisco, by David Nelson, an examinationspecialist with the FDIC.

The FDIC receives a variety of confidential reports from financialinstitutions, which allow it to generate the estimates, Nelson said.

Almost all of the incidents reported to the FDIC "related to malware ononline banking customers' PCs," he said. Typically a victim is trickedinto visiting a malicious Web site or downloading a Trojan horseprogram that gives hackers access to their banking passwords. Money isthen transferred out of the account using the Automated Clearing House(ACH) system that banks use to process payments between institutions.

Even though banks now force customers to use several forms ofauthentication, hackers are still stealing money. "Online bankingcustomers are getting too reliant on authentication and on practicinglayers of controls," Nelson said.

That's bad news for businesses, which are increasingly on the hook for any losses.

"Commercial deposit accounts do not receive the reimbursementprotection that consumer accounts have, so a lot of small businessesand nonprofits have suffered some relatively large losses," Nelsonsaid. "In the third quarter of 2009, small businesses suffered $25million in losses due to online ACH and wire transfer fraud."

That's led to some nasty legal disputes, where customers say the banksshould have stopped payments, and the banks argue that the customersshould have protected their own computers from infection.

Joseph Mier sued his bank, CapitolOne, a few weeks after scammersremoved more than $27,000 from his corporate bank account over a MardiGras weekend last year. According to him, CapitolOne refused to pay thelosses, saying that the hacking hadn't happened on their networks.

But Mier, a real estate appraiser based in Hammond, Louisiana, hireda forensic investigator to look at his systems, and he says there's nosign of an intrusion. "CapitalOne allowed someone to go into our bankaccount without authorization and take the money out," he said. "It'sbeen pretty frustrating, I can tell you that."


Often small businesses do not have the controls in place to preventunauthorized ACH payments, even when their banks make them available,Nelson said. "Hackers are definitely targeting higher-balance accounts,and they're looking for small businesses where controls might not bevery good."

The FDIC's estimates are "reasonable," but they illustrate a problemthat is becoming too expensive for banks and businesses, said AvivahLitan, an analyst with Gartner. She said that attacks that install apassword-stealing botnet program, known as Zeus, have increased so farin 2010, so those losses may be even higher this year.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies