$800,000 Reasons Why Banks Need Stronger Authentication

By John Dancu

PlainsCapital Bank in Lubbock, Texas, is suing its customer, Hillary Machinery Inc., which was hit by an $800,000 cybertheft incident last November involving unauthorized wire transfers to accounts in Romania and Italy.

While the bank later recovered $600k, the customer demanded that the bank repay the remaining $200k, claiming the theft happened because the bank’s security measures were inadequate. The bank responded by filing a lawsuit against its own customer, asking only that the court declare its security procedures “commercially reasonable” (the standard under UCC Article 4A that decides who bears the loss on an unauthorized wire).

As a spokesperson for Hillary explains in this ComputerWorld article:

While the transfers were initiated using valid log-in credentials, there were several details that should have alerted bank authorities that all was not right…The biggest red flag should have been that the money was being transferred to foreign destinations which had never happened before on Hillary’s account.

The fact that dozens of transfers were made in a two- or three-day period, many of them involving sums that were outside the normal range of transfers initiated by Hillary, should have been another clue about fraudulent activity. Some of the transfers involved sums in excess of $100,000, while others were as small as $2,500. Each of the transfers was also made to a different account, which was highly unusual….typical money transfers involve the same limited set of accounts.

According to Owen, the thefts were enabled by the weak authentication measures employed by the bank.  In addition to usernames and passwords, the only other authentication the bank required was for users to register the systems they used for online banking transactions.  However, that measure was clearly not strong enough, because in this case, the cyber-thieves were able to log into Hillary’s account using systems that were based in Romania and Italy, he said.

A memo supplied by the bank to Hillary shows that the bank received two requests to register computers on the company’s behalf just before the attacks. Though the requests appeared to come from a Hillary e-mail address, the computers from which they were sent had IP addresses based in Italy and Romania, Owen said.

They never challenged whoever logged in with a different computer.  There was never any red flag…Though PlainsCapital has claimed that registering the computer represents a second form of authentication, the thefts show that it wasn’t a strong enough measure, he contended.

I’m going to have to agree with him. It sounds as if there were plenty of red flags associated with this incident, and the bank failed to detect any of them. Bankinfosecurity recently interviewed Jeff Kopchik, senior policy analyst with the Federal Deposit Insurance Corporation (FDIC), about the top three deficiencies examiners are finding in Red Flags Rule compliance since the regulation went into effect for banks over a year ago. What is the most common? Banks are not including certain types of commercial accounts in their identity theft prevention program.

Far and away the most common deficiency is that there is a portion of the regulation that says under certain circumstances, certain types of commercial accounts, as opposed to consumer accounts, should be included in the identity theft prevention program and in some cases banks that should have included those commercial accounts did not do so, and that is far and away the most common deficiency that examiners are talking about.

Perhaps this incident will push PlainsCapital to expand the account types covered by its Red Flags program, since the account in question is a commercial account. Or perhaps the bank needs to look at implementing a comprehensive fraud detection system (such as Oracle’s OAAM) that monitors every transaction against the customer’s own history rather than relying on the login alone. Regardless, it’s clear that the bank’s current authentication protocols failed here, and PlainsCapital needs to take a hard look at its process and systems.
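To make concrete what "monitoring transactions" means here, the following is an added example (not PlainsCapital’s, Hillary’s or any vendor’s code) of the kind of rule-based review that would have tripped on every signal Owen lists: a first-ever foreign destination, beneficiaries never used before, amounts outside the customer’s normal range, a burst of transfers in a two- or three-day window, and sessions or "registered" devices geolocated outside the customer’s home country. Every account number, amount, date, device name and threshold below is constructed for illustration; the seventy-two-hour window and the two-signal hold rule are assumptions, not anything the article reports about the bank.

```python
# Added example: rule-based review of a batch of outbound wires against the
# account's own history. All names, thresholds and data are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Wire:
    ts: datetime
    amount: float
    dest_account: str
    dest_country: str
    session_country: str  # geolocated country of the IP that submitted the wire
    device_id: str        # the "registered computer" the session presented


@dataclass
class Profile:
    home_country: str
    countries: set
    accounts: set
    devices: set
    min_amount: float
    max_amount: float
    max_per_72h: int      # busiest 72-hour window seen in the history


def build_profile(history, home_country):
    """Summarise what 'normal' looks like for this one account."""
    ordered = sorted(history, key=lambda w: w.ts)
    busiest = 0
    for i, w in enumerate(ordered):
        end = w.ts + timedelta(hours=72)
        busiest = max(busiest, sum(1 for v in ordered[i:] if v.ts < end))
    amounts = [w.amount for w in history]
    return Profile(home_country, {w.dest_country for w in history},
                   {w.dest_account for w in history}, {w.device_id for w in history},
                   min(amounts), max(amounts), busiest)


def review(profile, batch):
    """Return {batch index: [reasons]} for every wire that trips at least one rule."""
    order = sorted(range(len(batch)), key=lambda i: batch[i].ts)
    findings = {}
    for pos, i in enumerate(order):
        w = batch[i]
        reasons = []
        if w.dest_country not in profile.countries:
            reasons.append(f"first-ever wire to {w.dest_country}")
        if w.dest_account not in profile.accounts:
            reasons.append("beneficiary account never used before")
        if not profile.min_amount <= w.amount <= profile.max_amount:
            reasons.append(f"amount {w.amount:,.0f} outside historical range")
        if w.session_country != profile.home_country:
            reasons.append(f"session geolocated to {w.session_country}")
        if w.device_id not in profile.devices:
            reasons.append(f"device {w.device_id} never used before")
        # velocity: batch wires in the trailing 72 hours, this one included
        since = w.ts - timedelta(hours=72)
        recent = sum(1 for j in order[: pos + 1] if batch[j].ts >= since)
        if recent > profile.max_per_72h:
            reasons.append(f"{recent} wires in 72h, baseline max {profile.max_per_72h}")
        if reasons:
            findings[i] = reasons
    return findings


def hold_decision(reasons):
    """Assumed policy: two independent signals hold the wire for out-of-band
    (phone) confirmation; a single new domestic beneficiary is normal business."""
    return len(reasons) >= 2


# Constructed history: ten months of routine domestic wires to three vendors,
# always from the office computer, never more than two in any 72-hour window.
_VENDORS = [("ACC-1001", 12000.0), ("ACC-1002", 8500.0), ("ACC-1003", 20000.0)]
HISTORY = [
    Wire(datetime(2009, 1, 5) + timedelta(days=30 * m + 2 * k), amt, acct,
         "US", "US", "dev-office-1")
    for m in range(10)
    for k, (acct, amt) in enumerate(_VENDORS)
]

# Constructed batch: one routine wire, then a burst like the one described above.
BATCH = [
    Wire(datetime(2009, 11, 2, 9, 0), 12000.0, "ACC-1001", "US", "US", "dev-office-1"),
    Wire(datetime(2009, 11, 9, 10, 0), 105000.0, "ACC-RO-77", "RO", "RO", "dev-new-a"),
    Wire(datetime(2009, 11, 9, 11, 30), 2500.0, "ACC-IT-12", "IT", "IT", "dev-new-b"),
    Wire(datetime(2009, 11, 9, 14, 0), 48000.0, "ACC-RO-78", "RO", "RO", "dev-new-a"),
    Wire(datetime(2009, 11, 10, 9, 0), 9000.0, "ACC-IT-13", "IT", "IT", "dev-new-b"),
]

PROFILE = build_profile(HISTORY, "US")
FINDINGS = review(PROFILE, BATCH)

if __name__ == "__main__":
    for i, reasons in sorted(FINDINGS.items()):
        action = "HOLD" if hold_decision(reasons) else "note"
        print(f"wire {i}: {action}: " + "; ".join(reasons))
```

Run as a script, the routine wire passes silently and each of the four foreign wires is held with between five and six independent reasons. The same geolocation check applied to the two computer-registration requests would have refused to trust a device registered from an Italian or Romanian address before it ever submitted a wire, which is the gap Owen describes.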
