If your a business and you bank online *STOP* doing so immediately. There have been too many instances of banks handing over accounts to cyber-thieves, while claiming that they are not to be held responsible, as YOUR computer was not protected sufficiently.

Ongoing computer scams targeting small businesses cost U.S. companies US$25 million in the third quarter of 2009, according to the U.S. Federal Deposit Insurance Corporation.

Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over US$120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC.

The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said.

Almost all of the incidents reported to the FDIC “related to malware on online banking customers’ PCs,” he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions.

Even though banks now force customers to use several forms of authentication, hackers are still stealing money. “Online banking customers are getting too reliant on authentication and on practicing layers of controls,” Nelson said.

That’s bad news for businesses, which are increasingly on the hook for any losses.

“Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses,” Nelson said. “In the third quarter of 2009, small businesses suffered $25 million in losses due to online ACH and wire transfer fraud.”

That’s led to some nasty legal disputes, where customers say the banks should have stopped payments, and the banks argue that the customers should have protected their own computers from infection.

Often small businesses do not have the controls in place to prevent unauthorized ACH payments, even when their banks make them available, Nelson said. “Hackers are definitely targeting higher-balance accounts and they’re looking for small businesses where controls might not be very good.”

The FDIC’s estimates are “reasonable,” but they illustrate a problem that is becoming too expensive for banks and businesses, said Avivah Litan, an analyst with Gartner. She said that attacks that install a password-stealing botnet program, known as Zeus, have increased so far in 2010, so those losses may be even higher this year.

“Organized cyber-criminal gangs stole $25 million in the 3rd quarter alone last year, by pilfering the online bank accounts of small to midsized businesses, the FDIC reported last week. In contrast, traditional bank robbers hauled just $9.4 million in 1,184 bank robberies during that same period, according to an analysis of FBI bank crime statistics.  From that story: ‘The federal government sure publishes a lot more information about physical bank robberies than it makes available about online stick-ups. Indeed, the FBI’s bank crime stats are extraordinarily detailed. For example, they can tell you that in the 3rd quarter of last year, bank robbers were more likely to hold up their local branch between the hours of 9 a.m. and 11 a.m. on a Wednesday than at any other time or day of the week; they can tell you the number of tear gas and dye packs taken with the loot, the number of security cameras activated, the number of food stamps taken, even what percentage of suspected perpetrators had illegal drug habits at the time of the robberies. About the only thing the stats don’t tell you is what brand of jeans the perpetrators were wearing and whether the getaway car had cool vanity plates. What do we get about e-crime statistics from the federal government? One guy from the FDIC giving a speech at the RSA conference.”

 

This entry was posted on Wednesday, March 10th, 2010 at 03:02 by dsmith and is filed under Banking, Exploit, Security. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.