In June, Patco Construction Company of Sanford, Maine, lost its lawsuit against Ocean Bank to recover more than $300,000 the construction company had lost to online hackers, as reported by Kim Zetter on Wired.com's Threat Level blog.
The court found that while Ocean Bank's security procedures "were not optimal," in the words of Magistrate Judge John Rich of the U.S. District Court in Maine, Patco was ultimately responsible for securing the company's online bank accounts. Patco is not the only business to learn this lesson the hard way--far from it.
Greg Farrell and Michael A. Riley state on Bloomberg.com that small and medium-size businesses are losing as much as $1 billion a year from Internet thieves who hack into their online bank accounts. Few of these business accounts are insured the way most individual consumer accounts are.
(Last February, CNET's Elinor Mills described in her InSecurity Complex blog how criminals in Eastern Europe used the "OddJob" Trojan to pilfer the accounts of bank customers in the U.S., Denmark, and Poland.)
Scammed businesses respond with a user-education campaign
Several victims of these cybercriminals have joined together to create the Cyber Looting Awareness Security Project (CLASP). Its site--Your Money Is Not Safe in the Bank--serves as a clearinghouse for information on recent breaches of commercial bank accounts.
The CLASP site provides links to white papers, banking-industry contacts, and other resources. The group's mission is to inform commercial online banking customers that they need to take responsibility for their business's financial security rather than rely on their bank's security systems. Since most online-banking breaches result from a worm inadvertently downloaded by a PC user at the organization, employee education can help bolster the first line of defense.
But even the most cautious PC user can fall victim to a well-crafted phishing attack--and the phishers are getting more sophisticated in their techniques every day. In a post from last June I described three ways to add another layer of protection against a phishing attempt.
A relatively low-cost solution is to conduct all online banking on machines dedicated for that purpose and used for no other tasks. Almost every business has an old PC tucked into the corner of some closet or storage area. Converting an outdated system into a bank terminal is as easy as wiping the machine's hard drive and installing a free Linux distribution. (CNET's Rob Lightner describes five other great uses for an old Windows PC.)
In a series of posts from a couple of years ago I described how to get started with Ubuntu Linux, including how to get Flash and QuickTime files to play on Ubuntu (in case your bank's site requires Flash), and how to use the OS's virtual desktops.
Even though FDIC-insured consumer bank accounts are protected from hack attacks, individuals may benefit from the added level of security a dedicated banking PC can provide. The FDIC site explains how to ensure that your account is insured.
You can also protect yourself by using the free Trusteer Rapport program to establish a secure connection; I described the program along with four other scam-busting techniques in a post from last January.