Online bank allowed easy scam
"Use this account for your x.com and Wingspan transfers," the criminal wrote in an ominous post to a newsgroup after citing the account numbers. "Account has millions of dollars in funds, and can't notice a mere US $25,000 a week debit. They get their statements quarterly."
For the next 10 days, Khalidi said, there were four or five automatic withdrawals attempted daily by criminals using X.com or online banking competitor Wingspan.
The original Gucci charge -- and some of the subsequent charges to the Portland, Maine, company's accounts -- were funneled through online bill payment assistant CyberBills.com. CyberBills acknowledged its system was used in the attempted fraud but declined to offer details, citing an ongoing investigation. Wingspan did not immediately return phone calls.
Convenience at a price?
In each case, the fraudulent charge was reversed by the company's local bank -- but the charges did get through the online companies, highlighting the security drawbacks that can come with convenient Internet banking.
X.com, which launched in mid-December, came under scrutiny Friday from a security group when a customer pointed out just how easy it was to trick the service into stealing money from someone else's bank account. Users opening an X.com account were given the option to fund the account with a bank transfer, and only had to supply a bank account number and routing number -- both of which are printed at the bottom of every check. Anyone who had ever received a check from a business therefore had everything needed to pose as that business. This structure allowed X.com customers to easily withdraw money from victims' accounts, and they did. One bragged on a newsgroup that he had lifted $4,500.
The company, which added security measures that stopped the scam Jan. 21, said it knows of only six bad charges, totaling less than $10,000. CEO Bill Harris said there may be more victims who have not yet noticed fraudulent charges.
Scammers engage in 'cyber taunting'
Word of the easy money started to spread on Internet newsgroups in early January, well before X.com addressed the flaw, as thieves bragged back and forth about their successful swindling.
Harris conceded the company wasn't aware of the cyber taunting. "I wouldn't at all be surprised if we weren't aware of what was in those newsgroups," he said.
The ease with which criminals could withdraw money from victims' accounts disturbed Elias Levy, who runs SecurityFocus.com, an Internet security information service. The Web site issued a release about the problem on Friday.
"What's most appalling is they said it 'was a designed feature,' " Levy said. The company wanted to make online banking as simple as possible, so it allowed depositors to skip a step like sending in a voided check to verify their identity. "It was a calculated risk. Obviously they calculated wrong."
New policies put in place
Harris said a series of new company policies make X.com safe; it now only allows transfers between accounts held under the same name, for example. He said the changes have been well received by customers and stopped short of saying his company has committed a serious security snafu.
"I don't think a mistake was made," he said. "If we had to do it all over again, I'm not sure we would start without a canceled check procedure."
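The following is an added illustration, not X.com's, CyberBills' or any bank's code, of the difference between the original funding check and the controls described above: the original accepted any well-formed routing/account pair, the fix requires the bank account to be held under the requester's name, and a micro-deposit challenge stands in for the mailed voided check. The in-memory "bank", the account numbers, the balances and the assumption that the bank can report a holder name are all constructed for the example; only the routing number 021000021 is real, used to show the ABA checksum passing.

```python
# Added example, not code from X.com or any bank. The in-memory BANK table,
# its account numbers and balances, and the holder-name lookup are assumptions.
from dataclasses import dataclass
import secrets


def routing_number_is_valid(routing: str) -> bool:
    """ABA routing-number checksum: nine digits, weighted 3-7-1, sum divisible by 10.
    Passing this proves only that the number is well formed. It is printed on
    every check the account holder has ever written, so it proves no ownership."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


@dataclass
class BankAccount:
    holder: str
    balance_cents: int


# Constructed sample accounts keyed by (routing, account number): a corporate
# victim with a large balance and the attacker's own small account.
BANK = {
    ("021000021", "1122334455"): BankAccount("Auto Europe Inc", 500_000_000),
    ("021000021", "9988776655"): BankAccount("J Scammer", 1_200),
}


def _norm(name: str) -> str:
    return " ".join(name.upper().split())


def link_weak(requester: str, routing: str, account: str) -> bool:
    """The flaw the article describes: any syntactically valid, existing pair
    may be linked, regardless of who is asking."""
    return routing_number_is_valid(routing) and (routing, account) in BANK


def link_name_match(requester: str, routing: str, account: str) -> bool:
    """The stated fix: the bank account must be held under the requester's
    name. Assumes (hypothetically) the bank reports the holder for an account."""
    acct = BANK.get((routing, account))
    return (
        routing_number_is_valid(routing)
        and acct is not None
        and _norm(acct.holder) == _norm(requester)
    )


@dataclass
class PendingLink:
    routing: str
    account: str
    deposits_cents: tuple


def start_microdeposit(routing: str, account: str) -> PendingLink:
    """Ownership proof that needs no mailed check: credit two small random
    amounts; only someone who can read the real statement can report them."""
    if not routing_number_is_valid(routing) or (routing, account) not in BANK:
        raise ValueError("unknown account")
    amounts = (1 + secrets.randbelow(99), 1 + secrets.randbelow(99))
    BANK[(routing, account)].balance_cents += sum(amounts)
    return PendingLink(routing, account, amounts)


def confirm_microdeposit(pending: PendingLink, reported_cents: tuple) -> bool:
    """Link succeeds only if the user reports both amounts exactly."""
    return tuple(reported_cents) == pending.deposits_cents


def debit(requester: str, routing: str, account: str, cents: int, link_check) -> bool:
    """Pull funds only if the chosen link check passes; True if the debit went through."""
    if not link_check(requester, routing, account):
        return False
    acct = BANK[(routing, account)]
    if acct.balance_cents < cents:
        return False
    acct.balance_cents -= cents
    return True


if __name__ == "__main__":
    victim = ("021000021", "1122334455")
    print("weak check lets attacker debit victim:",
          debit("J Scammer", *victim, 2_500_000, link_weak))
    print("name-match check lets attacker debit victim:",
          debit("J Scammer", *victim, 2_500_000, link_name_match))
```

The name-match rule closes the hole only as far as the bank can actually confirm the holder's name; where it cannot, the micro-deposit challenge is the control that works, because the two amounts, unlike the routing and account numbers, are not visible on any check the victim has written.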
A spokesperson for CyberBills said customers must provide physical proof they own an account before they are allowed to draw funds from it to pay bills.
But Khalidi was critical of X.com -- and Wingspan and CyberBills -- for acting slowly in response to his company's crisis.
"It took them more than one week (to stop the criminal activity)," he said. "The only reason they knew we were getting hit was because we told them."
He believes the scam artist posted the account information on the Internet to flood it with fraudulent charges, creating a smoke screen that would make tracking the criminal harder for investigators.
Auto Europe's Net experience should be a lesson to other businesses, he said. Even if they have no dealings at all on the Internet, they can still be a victim of an Internet scam.
"As long as you are vigilant you can protect yourself," he said. "We check our accounts every day."