Dan Kaplan, executive editor, SC Magazine

Commercial bank account holders are not offered the same degree of liability protection as financial institutions, reports Dan Kaplan.

A 32-year-old federal law decrees that financial institutions are almost entirely on the hook if consumer accounts are used for unauthorized funds transfers. That same level of protection, however, is not afforded to commercial bank account holders.

The distinction was of little consequence for two decades. But in early 2009, cybercriminals began earnestly targeting businesses, particularly of the mom-and-pop variety, with a new scam designed to illegally wire funds from legitimate commercial accounts into their own. The perpetrators gain access to the accounts by targeting the employees responsible for online banking duties and delivering to them a socially engineered email that contains a difficult-to-detect trojan, typically Zeus, designed to log usernames and passwords.

Jim Woodhill, a security entrepreneur-turned-lobbyist who founded two-factor authentication vendor Authentify, but is no longer paid by the company, recently met with federal lawmakers to discuss extending liability protection to businesses. This would require amending the Electronic Funds Transfer Act, commonly known as Regulation E.

Over the last several months, Woodhill has also met with a number of small businesses, municipal governments and school districts that have been victimized. Woodhill said hundreds of “unlucky” organizations are being brought to their knees by a scam that is difficult to identify and prevent. “It's not a problem at all if you're not hit,” he said. “It's a catastrophic problem if you are.”

Democratic Sen. Chuck Schumer and Republican Rep. Peter King, both New York congressmen, have asked Woodhill to draft a specific legislative proposal. In the meantime, the banking industry appears poised to fight any change to Regulation E. In fact, PlainsCapital, a Dallas bank, recently filed a pre-emptive lawsuit against a small machinery business that requested full reimbursement after criminals illegally transferred some $800,000. A trial date is scheduled for next March.

“Security surrounding the transfer of electronic funds is a responsibility shared by both the business owner and the financial institution,” said Margot Mohsberg, a spokeswoman for the American Bankers Association, an industry trade group.

She recommended that businesses regularly check their accounts for suspicious activity, avoid clicking on suspicious links, place limits on wire transfers and require two people to approve all transactions.

But Woodhill says big banks and outsourcing firms that run online banking applications for smaller financial institutions must implement fraud detection technology.

$120m: Online fraud involving the electronic transfer of funds in Q3 2009, according to the FDIC