Tuesday, August 25, 2009
Law - Still more computer problems: Kentucky county's funds stolen by online hackers [Updated]
Be concerned. When the ILB posted this story July 27th from the Louisville Courier Journal about the theft of $415,000 of Bullitt County, Kentucky's funds by Ukrainian hackers, it seemed an isolated incident.
Not so, according to this story today in the Washington Post, reported by Brian Krebs, and headed "European Cyber-Gangs Target Small U.S. Firms, Group Says." Some quotes:
Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions.
[Updated 8-26-09] See also this Washington Post "Security Fix" entry.
A task force representing the financial industry sent out an alert Friday outlining the problem and urging its members to implement many of the precautions now used to detect consumer bank and credit card fraud.
"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," the confidential alert says. The alert was sent to members of the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector. The group is operated and funded by such financial heavyweights as American Express, Bank of America, Citigroup, Fannie Mae and Morgan Stanley.
Because the targets tend to be smaller, the attacks have attracted little of the notoriety that has followed larger-scale breaches at big retailers and government agencies. But the industry group said some companies have suffered hundreds of thousands of dollars or more in losses.
Many have begun to come forward to tell their tales. In July, a school district near Pittsburgh sued to recover $700,000 taken from it. In May, a Texas company was robbed of $1.2 million. An electronics testing firm in Baton Rouge, La., said it was bilked of nearly $100,000.
In many cases, the advisory warned, the scammers infiltrate companies in a similar fashion: They send a targeted e-mail to the company's controller or treasurer, a message that contains either a virus-laden attachment or a link that -- when opened -- surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then initiate a series of wire transfers, usually in increments of less than $10,000 to avoid banks' anti-money-laundering reporting requirements. * * *
Businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges.
In contrast, companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.
Avivah Litan, a fraud analyst with Gartner Inc., said few commercial banks have invested in back-end technologies that can detect fraudulent or unusual transaction patterns for businesses.
"The banks spend a lot of money on protecting consumer customers because they owe money if the consumer loses money," Litan said. "But the banks don't spend the same resources on the corporate accounts because they don't have to refund the corporate losses."
Posted by Marcia Oddi on August 25, 2009 01:30 PM
Posted to General Law Related