
Cyberthieves lurk everywhere, and they have logged some astounding break-ins lately against banks and the security vendors who strive to protect accounts.
But it doesn't take a very large theft to illustrate that no matter how sophisticated bank security services are, or will become, they often are only as good as the customers using them.
A recent, smaller breach involving the Metropolitan Entertainment and Convention Authority in Omaha, Neb., illustrates the idea nicely, and argues for banks to do more to ensure that their commercial customers lock the door behind them when they conduct sensitive transactions online.
In August, an employee with treasury account access at MECA, a nonprofit that oversees public gathering places in the Omaha area, reportedly opened a malware-laden email. The malware captured the employee's online banking credentials, giving the criminals the same access to the organization's bank account that the employee had.
MECA had contracted with First National Bank of Omaha for its treasury account services. First National declined to be interviewed for this story, but like most banks today it almost certainly urges corporate users to set up dual authority controls, under which a second person must sign off on a transaction from a treasury account, typically once it exceeds a set amount. Stolen credentials alone cannot complete such a transfer; the thief needs a second set.
MECA never set up that part of its security service. As a result, it lost tens of thousands of dollars through unauthorized wire transfers that a single compromised login was enough to release.
One moral of the story is that dual authorization is important, but the lessons run much deeper than that. If banks want to protect their clients, and by extension their relationships with those clients, then they need to take a much more active role in their customers' security than they have in the past.
"At the end of the day, security is a partnership between the bank and the customer," says Sudeshna Raha, senior vice president and head of wholesale online banking at Wells Fargo.
While consumers can pretty much go on auto-pilot in their online banking activities, with the assurance that retail customers are generally made whole for unauthorized online transfers (consumer accounts enjoy the liability limits of Regulation E, which do not extend to business accounts), small-business owners lack this same comfort. They therefore have a bigger incentive to take an active role in securing their online banking sessions.
But not enough business customers are making the connection.
A third of small businesses have been the target of online fraud, with 4 percent suffering financial losses, according to a September report from Aite Group. The research and consulting firm compiled results from three surveys conducted over the last three months, which together polled 291 small-business owners with less than $10 million in revenue, and 110 treasurers and controllers from companies with annual revenue of $100 million or less.
Nearly half the 26 North American banks Aite interviewed for the report said that commercial online banking was their biggest pain point.
"As there is an increasing awareness among businesses that this is an issue, it becomes a competitive advantage for banks that have the right tools to deploy," says Julie Conroy McNelley, a senior analyst for Aite.
Of course, the availability of security measures doesn't fully solve the problem of fraud exposure. "People are most often the weakest link in the chain when it comes to security," says Ben Knieff, director of product marketing for security software company NICE Actimize, a unit of NICE Systems Ltd., of New York.
Basic customer education is perhaps the most obvious way to get customers to secure their online sessions. Many banks offer security education through channels on their websites devoted to fraud. Others have either annual or quarterly fraud webinars where they invite commercial clients to hear about the current state of security and threats, conducted with fraud experts and bank executives.
Bank of America has used webinars since 2008 to reach some of the 500,000 commercial customers that use its Cash Pro Online payments suite, to help clients understand the security issues surrounding use of the service. Upwards of 3,000 customers have attended the hour-long sessions in a given year, says Milton Santiago, senior vice president of portal strategy and treasury eCommerce solutions for BofA.
"We can put in place all the security tools and technology in the world," but to have them work customers must be willing to use them, Santiago says.
As a result of the webinars, Bank of America has seen a "dramatic decline" in fraud attempts against its commercial users, Santiago says, though he would not quantify the amount.
Smaller banks, which often have closer connections with their commercial clients because they typically operate in the same communities, have found that a hands-on approach is helpful to get customers to use their security products.
Fairfield County Bank, of Fairfield, Conn., with assets of $1.6 billion, has about 500 commercial clients using its online services. Six months ago it turned to a product from IronKey called Trusted Access for Banking. The product opens a dedicated, encrypted connection between the bank and the client from a self-contained environment that runs on a small computer housed in what looks like a USB fob. It plugs into any PC and is designed to keep the banking session usable even if that PC is infected with viruses or malware, because the session does not depend on the host's own browser or software. That isolation narrows the exposure rather than eliminating it: the device is one layer of protection, not a substitute for dual authorization and the bank's own transaction monitoring.
To solve any questions customers may have about the product, Fairfield schedules on-site visits with clients and demonstrates how to use the product.
"Corporate clients realize there needs to be a shift in the way they do things internally in order to protect themselves from external threats," says Christina Bodine, assistant vice president and cash management officer for business e-banking at Fairfield.
Some banks have gotten tougher with their contracts, rewriting terms to make it clear that if customers fail to take the appropriate actions to secure their accounts when they do their online banking, liability will shift to them.
Some of the contractual changes stem from the updated guidance from the Federal Financial Institutions Examination Council, issued June 29 as a supplement to its "Authentication in an Internet Banking Environment" guidance, which stipulates that banks must have layered security. Layered security means no single control is relied on by itself: it includes dual authority control as well as transaction anomaly detection and device identification, among other measures.
In addition, "the new FFIEC guidance says you have to tell customers what they are liable for and what not," says Avivah Litan, a vice president and analyst at Gartner Research in Stamford, Conn.
Banks are in tricky territory now when it comes to liabilities involving commercial clients. Whereas courts used to side predominantly with banks when online theft cases were litigated, recent case law, which relies in part on the FFIEC's guidance, is evenly split—sometimes punishing the bank and sometimes the customer when break-ins occur.
In June, for example, a federal district court in Michigan ruled that Comerica had to reimburse a Detroit-area metals shop, Experi-Metal, $560,000 for funds that had been stolen from its corporate account. The court found that the bank should have realized anomalous transactions were taking place, even though, like MECA, the commercial client had waived dual authority controls and had likewise fallen victim to a phishing scam. (Comerica settled out of court in August for an undisclosed amount.)
Given the potential for dispute, Guaranty Bank and Trust of Denver has gotten tougher with its contracts. The $2 billion-asset bank explicitly addresses business clients' liability and responsibility for maintaining internal security with computer software and hardware. According to Marsha Taraba, Guaranty's executive vice president of deposit services and treasury management, the use and safeguarding of online access credentials are among the responsibilities spelled out in its agreement with businesses.
Taraba says that as the complexity of what customers can do with online banking has increased, contracts have similarly become more comprehensive.
But many small businesses may find it difficult to use all the controls they have at their disposal. Very small ones may not have enough employees for dual authorization for money transfers, for example.
"Banks can require their customers to do many things that will protect their customers from online cyber account takeovers but in the real world banks don't want to impose conditions on their customer that become administratively burdensome," says Bill Repasky, a partner with law firm Frost Brown Todd of Louisville, Ky.
Ultimately, security systems may transform to the point that they automatically recognize when controls have been disabled or have not been activated, and make transactions more difficult pending more careful scrutiny, experts say.
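As an added illustration of what the layered controls named in the FFIEC guidance and the "recognize when controls are disabled" idea above look like in practice, here is a small risk-based release policy for outgoing wires. It is example code written for this article, not code from First National, Comerica, Bank of America, IronKey or any other bank or vendor named here. The account profiles, wire requests, score weights and hold threshold are constructed assumptions chosen to show the behaviour, including the MECA-style case of an account that never enabled dual control.

```python
"""Risk-based release policy for outgoing commercial wires (illustrative).

Layers, in the order the FFIEC guidance names them:
  1. dual authorization (a hard rule above a customer-chosen amount),
  2. device identification,
  3. transaction anomaly detection (new beneficiary, unusual amount).
An account that never enabled dual control is itself treated as a risk
signal, so the bank's own scrutiny rises where the customer's did not.
All weights and thresholds below are assumptions for this example.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Optional


@dataclass
class AccountProfile:
    account_id: str
    # Amount at or above which two distinct approvers are required.
    # None means the customer never set up dual control.
    dual_auth_threshold: Optional[float]
    known_devices: set = field(default_factory=set)
    known_beneficiaries: set = field(default_factory=set)
    recent_wire_amounts: list = field(default_factory=list)


@dataclass
class WireRequest:
    account_id: str
    amount: float
    beneficiary: str
    device_id: str          # fingerprint of the browser/device that submitted it
    approvers: frozenset    # distinct user ids that signed off


@dataclass
class Decision:
    action: str             # "release", "hold" (manual review/callback) or "block"
    score: int
    reasons: list


HOLD_SCORE = 4              # assumption: at or above this, hold for review
AMOUNT_ANOMALY_FACTOR = 3   # assumption: > 3x the median recent wire is anomalous


def evaluate_wire(acct: AccountProfile, wire: WireRequest) -> Decision:
    """Apply the control layers in order and return a release decision."""
    reasons = []
    score = 0

    # Layer 1: dual authorization. Above the threshold this is a hard rule,
    # not a score: fewer than two distinct approvers means the wire is blocked.
    if acct.dual_auth_threshold is None:
        score += 2
        reasons.append("dual authorization never enabled on this account")
    elif wire.amount >= acct.dual_auth_threshold and len(wire.approvers) < 2:
        return Decision("block", score,
                        ["amount requires dual authorization; "
                         f"{len(wire.approvers)} approver(s) present"])

    # Layer 2: device identification.
    if wire.device_id not in acct.known_devices:
        score += 2
        reasons.append(f"unrecognized device {wire.device_id}")

    # Layer 3: transaction anomaly detection.
    if wire.beneficiary not in acct.known_beneficiaries:
        score += 1
        reasons.append(f"first payment to beneficiary {wire.beneficiary}")
    if acct.recent_wire_amounts:
        typical = median(acct.recent_wire_amounts)
        if wire.amount > AMOUNT_ANOMALY_FACTOR * typical:
            score += 2
            reasons.append(f"amount {wire.amount:.2f} exceeds "
                           f"{AMOUNT_ANOMALY_FACTOR}x median of {typical:.2f}")

    action = "hold" if score >= HOLD_SCORE else "release"
    return Decision(action, score, reasons)


# Constructed sample profiles (not real customers).
NO_DUAL_CONTROL = AccountProfile(          # resembles the MECA situation
    account_id="ACME-001", dual_auth_threshold=None,
    known_devices={"dev-office-pc"},
    known_beneficiaries={"payroll-vendor", "landlord"},
    recent_wire_amounts=[4200.0, 3900.0, 4500.0, 4100.0])

WITH_DUAL_CONTROL = AccountProfile(
    account_id="ACME-002", dual_auth_threshold=5000.0,
    known_devices={"dev-office-pc"},
    known_beneficiaries={"payroll-vendor"},
    recent_wire_amounts=[4200.0, 3900.0, 4500.0])


def demo():
    cases = [
        (NO_DUAL_CONTROL, WireRequest("ACME-001", 4300.0, "landlord", "dev-office-pc", frozenset({"u1"}))),
        (NO_DUAL_CONTROL, WireRequest("ACME-001", 27000.0, "mule-acct", "dev-unknown", frozenset({"u1"}))),
        (WITH_DUAL_CONTROL, WireRequest("ACME-002", 12000.0, "payroll-vendor", "dev-office-pc", frozenset({"u1"}))),
        (WITH_DUAL_CONTROL, WireRequest("ACME-002", 12000.0, "payroll-vendor", "dev-office-pc", frozenset({"u1", "u2"}))),
    ]
    for acct, wire in cases:
        d = evaluate_wire(acct, wire)
        print(f"{wire.account_id} {wire.amount:>9.2f} -> {d.action:7} score={d.score} {d.reasons}")


if __name__ == "__main__":
    demo()
```

The ordering matters: dual authorization is evaluated first and as a hard stop, so a stolen single login cannot move an above-threshold wire no matter how familiar the device looks, while the softer signals (new device, new payee, unusual amount) accumulate into a hold for an account whose owner never turned dual control on. A real system would also feed the held wire to a fraud analyst and call the customer back on a number already on file, rather than trusting contact details supplied in the session.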
Until then, banks and their commercial clients need to work together to share their insights about fraud and security break-ins. As MECA acknowledged in a written statement about its experience over the summer, "This was an important lesson to us about vulnerability in the online world."
Bankers would do well to heed the lesson, too.