Online banking theft -- who pays?

commentary Miami businessman Joe Lopez could change the face of Internet banking. Lopez discovered his company bank account was US$90,000 short and a quick check online revealed the amount had been transferred -- without his knowledge -- to a Latvian bank.

commentary Miami businessman Joe Lopez could change the face of Internet banking.

Lopez discovered his company bank account was US$90,000 short and a quick check online revealed the amount had been transferred -- without his knowledge -- to a Latvian bank.

The Bank of America was duly notified, with Lopez urging its officers to stop the transfer. Unfortunately, it was too late. About US$20,000 was already withdrawn from the Latvian bank account, with the bank freezing the remainder.

After the US Secret Service combed through Lopez's computer, they realised the culprit was a trojan horse called Coreflood. Seemingly harmless when first discovered in 2001, subsequent variants proved malicious -- Backdoor.Coreflood was one example which could give control of infected machines to an attacker.

Not wanting to be left high and dry, Lopez filed suit against the Bank of America, claiming it failed to protect him from online theft. The financial institution had allegedly neglected in its duty to warn him of the security threat. It was like the bank knew someone else had a key to the vault but didn't warn customers, claimed Lopez's lawyer.

As expected, the Bank of America denied all charges saying the onus lies on customers to install security software, including regularly updating patches.

"Microsoft has indeed squandered an opportunity to set a mark in the security arena. To go one step further, Microsoft can directly be blamed for a big portion of the mess the entire Net is in today."
-- Andreas Kuhn

Some banks in Australia practice a two-pronged security strategy for fund transfers: customers are required to re-enter their password before money can be wired and transactions bear a cap of between AU$1,000 and AU$5,000 per day.

These limits also act as a obstacle for clandestine activities. At the moment, bank tellers are to report suspicious transactions -- such as repeat transfers -- below AU$10,000 to anti-money laundering regulator Austrac (Australian Transaction Reports and Analysis Centre).

Other authentication methods or devices in the market such as smart cards, USB tokens, password generators, and biometric readers -- are technologically sound but unwieldiness and cost barriers continue to hamper mass adoption. In terms of user friendliness, Citibank's dynamic PIN-pad login -- the mouse (instead of keyboard) used to click on random digits to form a password -- is more likely to catch on with other financial institutions and users.

But history has shown that any system can be beaten. A Malaysian man nearly walked away with around AU$625,000 before his scam was busted by authorities. Ng Kok Meng used a skimming device -- which captures data from a customer's ATM card -- to gain illegal access into the account.

Meanwhile, the Lopez vs Bank of America court ruling is still pending but this case holds valuable lessons ... primarily that Internet banking, while extremely convenient, comes with its fair share of risks. There's no silver bullet so don't expect Internet scams, hackers, trojan horses and the like to vanish overnight. The challenge for banks and customers to minimise their exposure to losses will continue. Security is neither about the journey nor the destination ... it's like an infinite loop which requires our constant attention.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All