March 10, 2010, 10:09 AM — The unabated plundering of online bank accounts belonging to small and mid-size businesses is raising significant questions about the authentication and fraud detection mechanisms now used in financial institutions.
Such cyberthefts have led multiple businesses to file lawsuits against their banks, and prompted government regulators to call on financial institutions to improve security systems.
The FDIC recently disclosed that during the final 2009 quarter alone, cyberthieves stole mre than $150 million from small and mid-size business accounts.
In most of those cases, the FDIC said, thieves obtained a business's valid banking login credentials by illegal means. The hackers used the stolen credentials to send money from the accounts to overseas bank accounts via wire transfers.
Banks, by and large, have mostly contended that the thefts occurred because the victims failed to adequately protect their banking credentials.
Since banks are not required to reimburse commercial accounts for losses resulting from such thefts, most of the impact on them has come from a public relations standpoint.
On the other hand, the thefts have led to tens and even hundreds of thousands of dollars in losses for numerous small businesses, which now have little hope of recovering the money. Some have filed lawsuits against banks charging that they failed to detect and stop transactions that were patently fraudulent.
Earlier this month, for example, Hillary Machinery Inc filed a lawsuit against its bank, PlainsCapital, after online crooks used stolen credentials to transfer more than $800,000 from its account last year.
The bank later recovered about $600,000 of the stolen funds, but has so far refused to pay the remaining amout to compensate the Plano, Texas-based manufacturing firm for the remainder.
In its lawsuit, Hillary charged that PlainsCapital did not stop wire transfers that involved foreign bank accounts and dollar amounts completely out of norm for Hillary. The company claimed that it had a reasonable expectation that its money would be properly protected by the bank. The company also argued that a small business cannot be expected to hold significant expertise on data security issues.