'

Online bank allowed easy scam

One day in mid January, Imad Khalidi arrived at work at his auto dealership in Maine to discover $21,000 had been removed from his company's bank account. It had gone to pay for merchandise ordered from Gucci in San Francisco and was automatically deducted from Auto Europe's account.

One day in mid January, Imad Khalidi arrived at work at his auto dealership in Maine to discover $21,000 had been removed from his company's bank account. It had gone to pay for merchandise ordered from Gucci in San Francisco and was automatically deducted from Auto Europe's account. That began a hellish 10 days for the company, which was caught in the middle of an online banking nightmare involving the newest Web bank, X.com. And it was not the only case of misappropriated funds surrounding the Web site.

Someone had gotten hold of Auto Europe's bank account information and, after attempting a few fraudulent withdrawals, posted the information on the Internet.

"Use this account for your x.com and Wingspan transfers," the criminal wrote in an ominous post to a newsgroup after citing the account numbers. "Account has millions of dollars in funds, and can't notice a mere US $25,000 a week debit. They get their statements quarterly."

For the next 10 days, Khalidi said, there were four or five automatic withdrawals attempted daily by criminals using X.com or online banking competitor Wingspan.

The original Gucci charge -- and some of the subsequent charges to the Portland, Maine, company's accounts -- were funneled through online bill payment assistant CyberBills.com. CyberBills acknowledged its system was used in the attempted fraud but declined to offer details, citing an ongoing investigation. Wingspan did not immediately return phone calls.

Convenience at a price?
In each case, the fraudulent charge was reversed by the company's local bank -- but the charges did get through the online companies, highlighting the security drawbacks that can come with convenient Internet banking.

X.com, which launched in mid-December, came under scrutiny Friday from a security group when a customer pointed out just how easy it was to trick the service into stealing money from someone else's bank account. Users opening an X.com account were given the option to fund the account with a bank transfer, and only had to supply a bank account number and routing number -- printed at the bottom of every check. This structure allowed X.com customers to easily withdraw money from victims' accounts, and they did. One bragged on a newsgroup that he had lifted $4,500.

The company, which added security measures that stopped the scam Jan. 21, said it knows of only six bad charges, totaling less than $10,000. CEO Bill Harris said there may be more victims who have not yet noticed fraudulent charges.

Scammers engage in 'cyber taunting'
Word of the easy money started to spread on Internet newsgroups in early January, well before X.com addressed the flaw, as thieves bragged back and forth about their successful swindling.

Harris conceded the company wasn't aware of the cyber taunting. "I wouldn't at all be surprised if we weren't aware of what was in those newsgroups," he said.

The ease with which criminals could withdraw money from victims' accounts disturbed Elias Levy, who runs SecurityFocus.com, an Internet security information service. The Web site issued a release about the problem on Friday.

"What's most appalling is they said it 'was a designed feature,' " Levy said. The company wanted to make online banking as simple as possible, so it allowed depositors to skip a step like sending in a voided check to verify their identity. "It was a calculated risk. Obviously they calculated wrong."

New policies put in place
Harris said a series of new company policies make X.com safe; it now only allows transfers between accounts held under the same name, for example. He said the changes have been well received by customers and stopped short of saying his company has committed a serious security snafu.

"I don't think a mistake was made," he said. "If we had to do it all over again, I'm not sure we would start without a canceled check procedure."

A spokesperson for Cyberbills said customers must provide physical proof they own an account before they are allowed to draw funds from it to pay bills.

But Khalidi was critical of X.com -- and Wingspan and CyberBills -- for acting slowly in response to his company's crisis.

"It took them more than one week (to stop the criminal activity)," he said. "The only reason they knew we were getting hit was because we told them."

CyberBills disputes that, saying it kept the account open during that time at Auto Europe's request. The company also claims to have discovered the scam itself using "internal security procedures."

He believes the scam artist posted the account information on the Internet to flood it with fraudulent charges, creating a smoke screen that would make tracking the criminal harder for investigators.

Auto Europe's Net experience should be a lesson to other businesses, he said. Even if they have no dealings at all on the Internet, they can still be a victim of an Internet scam.

"As long as you are vigilant you can protect yourself," he said. "We check our accounts every day."