Steve Unger was startled when a Wells Fargo banker called him out of the blue to say one of his online accounts had been violated and someone had viewed his account numbers.
"I saw no unusual activity on my accounts, and my experience was that my account numbers were always masked," he recalled.
As it turns out, this problem is common in online banking — account numbers are hidden in some places but often displayed in full in statement and check images.
More importantly, the burden then dumped on Unger to clean up the mess points to a broader issue plaguing the banking industry. While banks are providing better defenses against online banking fraud — U.S. banks stopped more than $8 out of every $10 of attempted deposit-account fraud in 2014, according to the American Bankers Association's latest Deposit Account Fraud Survey Report — closing the compromised accounts and opening new ones remains nightmarish for banks and customers.
Unger, who owns and runs the Lion and the Rose inn in Portland, Ore., had to shut down and reopen all seven of his Wells Fargo business and personal accounts twice. Because several of his bank accounts feed data directly into his QuickBooks software, he also had to contact vendors and reestablish linkage with QuickBooks Online. He had to communicate with each of his creditors twice about the account changes.
"It was an ordeal and a mess," Unger said. He estimates he spent 40 hours at a local branch over the course of three months sorting out matters.
Wells Fargo says it has since put in place several security controls to try to prevent third-party access to small-business accounts, including two-factor authentication, real-time fraud analytics and challenges to users who try access sensitive information such as account statements.
The Trouble with Tainted Accounts
The process of closing and reopening credit card accounts has been perfected to the point where banks do thousands of these a day. They have had plenty of practice in recent years due to the massive breaches at Target, Home Depot and many other retailers.
Deposit accounts are another story.
"That's like having your house burn down and saying, 'My house burned down, I'm just going to get a new house,'" said Rick Swenson, who until recently oversaw enterprise fraud prevention and detection at USAA and who now has his own consulting company, RSS Consulting.
Banks have to reconstruct the accounts, shutting off automatic payments, facilitating bill payments, issuing new checks and re-establishing relationships with other accounts the customer may have with the bank.
"What banks most fear is mass takeover on their deposit accounts because there is no switch, there's no easy way to transfer all of a customer's credits and debits over to a new account," Swenson said. "It's an extremely laborious task."
It is even more difficult if the customer has intermingled retail and commercial accounts at the same bank, as Unger does.
"Banks haven't done much in the past 30 years to make that any better," Swenson said. In one case, a bank had 1,200 accounts taken over at once. Switching all those customers to new accounts lasted six months.
Old technology is a big part of the reason banks struggle. Many banks are running core deposit systems that are two or three decades old, and they run customized code on top of that.
And large banks have multiple deposit-account systems because of their many acquisitions. "They're running so many back-office environments, and they're knitted together — some with baling wire and others with yarn," Swenson said. "You have a seismic shock wave that goes through these systems, and they've got all kinds of exception-handling routines keeping these accounts in check."
And having bank staff take care of the account closing and reopening process is sometimes cost-prohibitive, depending on the size of the customer, Swenson said.
Wells Fargo says it's trying to do better. "If we suspect a customer's been compromised, there's a continual effort to make that process of getting them back in business as pain-free as we can," said Chris Clausen, group manager for authentication, detection and omni-solutions in the virtual channels group at Wells Fargo. "It's an ongoing drive the operations groups have: to make that the best experience it can be."
New Security Checks
Most banks are doing their best to monitor for potential threats and notify their customers. Where they fall down, in Swenson's view, is in lacking adequate, systematic triggers that flag transactions for review and failing to consistently require strong, multifactor authentication.
"I do believe banks are doing enough to keep their online banking sites secure," Swenson said. "But I do not believe banks are being as assertive as they need to be in requiring specific levels of authentication be in place before they process high-risk transactions."
Wells Fargo has added several risk controls to its online banking site, Clausen said. It conducts risk checks every time someone logs into a business account. If something looks out of the ordinary — say, the person's device ID shows they have also tried to access the accounts of other customers — the bank requires two-factor authentication or blocks the session. If someone navigates to a sensitive part of the site where there could be account information, again the bank requires two-factor authentication.
Much of this happens behind the scenes, to keep the session smooth for customers. "A typical customer logging in from a typical device would never see that capability because everything checks out with what we would expect," Clausen said.
The bank also conducts real-time checks throughout the session. If something looks odd, it might ask for a special code sent to the customer's mobile device, make a call to an established landline or require the use of a security fob.
Similarly, First Tennessee Bank recently added several security controls to its online banking site. The bank now has an extensive group of real-time text alerts, some mandatory and some optional, that let customers know instantly when something suspicious has happened on their accounts.
"If you know within seconds of the transaction happening, and you're able to make a phone call to First Tennessee and say that wasn't me and we're able to block it, the damage is very small, compared to if you don't know until midnight tonight," said Kevin Karrels, digital channel strategy executive at First Tennessee. The bank pays special attention to the movement of money. For example, it has added a requirement for out-of-band authentication (which involves a code sent by text message) for adding a new payee. Failed bill payments, additions of accounts or recipients, modified payments and other events trigger alerts.
Even after a painful experience, the Wells customer Unger is sticking with his bank — for now.
"I've been a happy customer for many years," he said. "I'm praying this doesn't happen again."
He noted that all his family's accounts are with the bank, and he pays his kids with SurePay. Unwinding all those services would be another trial.
"And if I go to Bank of America, how do I know they're going to be any better?"
But other customers who are victims of online banking fraud, or attempted fraud, may not always be so patient. It is easy to picture someone who has been asked to shut down and reopen all his or her accounts twice just saying forget it, and switching to another bank.
Unger, in fact, says if an incident like this happens again he will go elsewhere.
"This time I would fight them — I would refuse to do it," he said.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.