Marsha and Michael Shames-Yeakel state that they were the victims of fraud perpetrated through their online bank account to the tune of $26,500. As extensively reported by legal blogger David Johnson over on the Digital Media Lawyer Blog, the couple have brought a case against Citizens Financial Bank, alleging that the bank failed to implement state-of-the-art security technology at the time the alleged incident took place. At the beginning of this month, a US District Judge refused to grant summary judgement in favour of the financial institution, clearing the way for the court case to take place, stating in her judgement:
“In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access”
An FFIEC report entitled Authentication in an Internet Banking Environment, dated 2005, states:
“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”
The sheer volume of personal banking data and the ease with which it can be accessed is staggering. Don’t for a moment think that cost or lack of skill is a barrier to entry into the shady world of “carding” and online financial fraud. Logon details for online banking are usually sold at a price set as a percentage of the available balance on the account. Today, bank accounts are available online for as little as 3%, including personal, business and offshore accounts.
For “n00bs” (newbies), more experienced fraudsters post tutorials on underground forums where these details are bought and sold. One article, “Bank transfers for newbies or how to make your first 1000$”, explains the process: it clarifies what extra information the fraudster needs and how to avoid triggering the monitoring systems designed to flag fraudulent transactions.
It is no surprise that a large majority of stolen banking credentials come from American victims. America is a large monoculture and uses a common language. In Europe, language skills often also become a necessity when committing online fraud. Also, and importantly, when online banking security in the US is compared to the security mechanisms deployed in Europe, it comes off a poor second. Online banking in the US still tends to rely on simple user name and password combinations. In the rare cases where a confirmation number is required, this is often sent to the customer’s email account, which is also easy for a criminal to compromise. This is called “single factor authentication”: it is based purely on “something you know”, in this case your password.
In Europe, two-factor authentication has been common for years – Germany and France were using two-factor authentication even in the days before the internet, for BTX and Minitel banking respectively. Two-factor authentication involves a user name and password, the “something you know”, as well as an additional piece of information, often based on “something you have”. In Germany this works through a TAN (Transaction Authentication Number), a sheet of one-time-use numbers sent regularly to each customer. Some banks use a mobile TAN sent by SMS to the customer’s mobile phone, some banks send all customers hardware tokens which generate random codes, and some offer bank or ID card reading devices which ask for your PIN and then generate a confirmation code. In most instances these codes are required whenever a customer is moving money around or making a payment.
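As an added illustration (not code from the original post or from any bank), here is a server-side model of the two TAN mechanisms described above: an indexed TAN sheet where each code is consumed once, and a mobile TAN that is derived from the transfer details so it confirms only that exact payment. The derivation function, the indexed lookup and the HMAC key are assumptions of this example; the post only says the codes are sent by post or by SMS.

```python
import hashlib
import hmac
import secrets


class TanList:
    """Bank's view of a TAN sheet: index -> code. The bank asks for the code at a
    given position and marks it consumed, so an observed code cannot be replayed."""

    def __init__(self, sheet):
        self.sheet = dict(sheet)   # constructed sheet passed in by the caller
        self.used = set()

    @classmethod
    def issue(cls, size=50):
        """Generate a fresh sheet of six-digit one-time codes for a customer."""
        return cls({i: f"{secrets.randbelow(10**6):06d}" for i in range(1, size + 1)})

    def confirm(self, index, tan):
        """Return True only for an unused position whose code matches exactly."""
        expected = self.sheet.get(index)
        if expected is None or index in self.used:
            return False
        if not hmac.compare_digest(expected, tan):   # constant-time compare
            return False
        self.used.add(index)       # one-time use: the same code never works twice
        return True


def mobile_tan(secret, iban, amount_cents, nonce):
    """Transaction-bound mTAN (assumed derivation): the code the bank texts to the
    customer is an HMAC over the payee, amount and a per-transfer nonce, so a code
    intercepted from one SMS does not confirm a different payee or amount."""
    msg = f"{iban}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def verify_mobile_tan(secret, iban, amount_cents, nonce, tan):
    """Recompute the mTAN for the transfer as the bank sees it and compare."""
    return hmac.compare_digest(mobile_tan(secret, iban, amount_cents, nonce), tan)
```

The second function shows why modern mTAN and chipTAN schemes display the payee and amount to the customer: the code is only meaningful for the transaction it was generated for.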
The deployment of these kinds of technologies in Europe, along with the language issues, means that the US is considered “low-hanging fruit” for online banking fraud, and until financial institutions invest in the necessary deterrent technology it will remain so.
That being said though, two-factor authentication technology may not be familiar to even some European banking customers, because (as was the case with chip and PIN cards) certain European countries have also been guilty of tardiness in deploying security technologies for online banking. So, if your bank doesn’t require this additional security, you can bet that cybercriminals know this and that your bank and your account will be targets.
It’s also worth remembering that you shouldn’t always rely on the goodwill of your financial institution to reimburse you for losses to cybercrime. An argument I have heard time and again from friends and acquaintances is “Why should I worry when the bank always reimburses any losses?” If the losses to cybercrime ever become too much for UK banks, for example, they can fall back on the provisions of their Banking Code, which states:
“If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)” (emphasis added by me).
Section 12.9 of the code says: “Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.”