FRAMINGHAM, 17 JUNE 2010 - In online banking and payments, customers' PCs have become the Achilles' heel of the financial industry as cyber-crooks remotely take control of the computers to make unauthorized funds transfers, often to faraway places.
That's what happened to the town of Poughkeepsie in New York earlier this year to the tune of US$378,000 carried out in four unauthorized funds transfers from the town's account at TD Bank. First discovered in January, the town was able to finally get the full lost amount restored by March, according to public records, through sometimes tense interaction with the bank.
Proposed U.S. law would single out cybercrime havens
Though the town declines to discuss the matter, this high-dollar cyberheist, along with a slew of other incidents in the past year, has many bank officials worried. They're concerned that the customer desktop, especially in business banking where dollar amounts are high, is increasingly the weak link in the chain of trust.
Other cyberheists that have reached the public eye include Hillary Machinery of Plano, Texas, for $801,495; Patco Construction for $588,000; Unique Industrial for $1.2 million; and Ferma Corp. for $447,000. Schools and churches aren't immune, either. One FBI report from late last year said the agency gets several new victim complaints each week.
And businesses should be even more worried than consumers about whether banks will restore monies stolen by cybercrooks exploiting compromised computers using botnet-controlled malware. According to Gartner analyst Avivah Litan, while consumer accounts receive specific legal protections to restore unauthorized transfers under what's called the "Reg E" federal regulations, businesses do not.
Disputes over hijacked computers and fraudulent transfers are erupting into the public eye as businesses quarrel with their banks over who is at fault when a cyber-gang manages to make off with the money. The restoration of lost funds occurs on a case-by-case basis.
The dilemma for banks boils down to this: How far can they go to help protect customer desktops that function like part of their shared network but aren't owned by the bank?
Banks are faced with the prospect that "customers own PCs that have been in the hands of Russian crime syndicates," says Jeff Theiler, senior vice president at Hancock Bank, which primarily operates along the Gulf Coast region.
Like many other banks, Hancock finds itself getting more involved in helping customers defend their machines. One recent step has Hancock making available for free specialized protective software for use by the bank's 100,000 e-banking customers.
Developed by Trusteer, the software becomes active when the customer's PC is interacting with Hancock Bank's online banking services. Basically a browser plug-in, the security software can detect and block keylogging, stop re-directions of the user, and inform the bank if the PC's infected with malware.
Sign up for CIO Asia eNewsletters.