Network Security, Vulnerability Management

Banking bill would treat schools, towns like consumers

A New York lawmaker has introduced a bill that would extend financial protection to municipalities and school districts that fall victim to unauthorized bank funds transfers.

Late last month, Democratic Sen. Chuck Schumer introduced the legislation, which would amend Regulation E of the existing Electronic Fund Transfer Act to include local government and school districts. Current law only lends liability protection to consumers if their bank accounts are hijacked to make unauthorized transfers.

However, over the last two years, hackers predominantly have begun targeting small and midsize organizations with a sophisticated scam to illegally wire funds from legitimate commercial accounts to ones under their control.

The perpetrators gain access to victim bank accounts by targeting those employees responsible for online banking duties and delivering to them a socially engineered email that contains a difficult-to-detect trojan, usually Zeus. The trojan is built to steal, in real time, the usernames and passwords used to access online banks.

Schumer's proposal, which is unlikely to be acted on by Congress this year, first was reported by security blogger Brian Krebs.

A representative for the American Bankers Association, the largest trade association representing the U.S. banking industry, could not immediately be reached for comment.

But the group has said it opposes extending liability coverage to businesses.

"Security surrounding the transfer of electronic funds is a responsibility shared by both the business owner and the financial institution," Margot Mohsberg, an ABA spokeswoman, told SC Magazine earlier this year.

The FBI has said it is investigating hundreds of cases of this type of fraud, which leverages the Automated Clearing House (ACH) electronic network and has resulted in well over a hundred million dollars in losses to small and midsize organizations.

A number of victims reside in Schumer's state, including the Duanesberg Central School District, which lost some half-million dollars to hackers.

Jim Woodhill, founder of authentication services provider Authentify who now lobbies on behalf of ACH victims, said many of the fraud cases affect organizations that use small and regional banks.

"I would expect this bill to get expanded [to cover businesses] as the legislative process [goes] on," he told on Monday.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.