Banking Security – Who owns the risks?

Most businesses, when interacting with their financial services provider, assume that they are going to be protected to a certain degree if things go wrong. This may not always be the case. Worryingly, some businesses wont have even considered the situation and are unaware of any risks.

It is reasonably clear cut that if someone hacks into your bank and misuses your data or steals your money, the bank is responsible. Few people would expect to have to pay for any transactions carried out in this manner.

Less well understood is what would happen is your computers were hacked into and an attacker used these to steal your (or other peoples) money. It is almost certain that you would be responsible for any and all losses – that is if you were even able to identify how the attack had taken place.

While it is not directly relevant to UK businesses, a US legal action gives some indication of what could happen. (more detailed discussion can be found at Krebs on Security)

In a nutshell, the US company Patco Construction Co fell victim to the ZeuS trojan which then enabled criminals to siphon US$588,000 in automated transactions over a seven day period. This appears to have been as a result of the ZeuS trojan being able to circumvent the security controls put in place by the bank (Peoples United Bank) to prevent unauthorised access.

Following the loss, which may well have only come to Patco’s attention because the withdrawal exceeded the funds they had and, as a result, they were charged interest penalties, Patco attempted to prove – in court – that the bank’s lax security was a breach of contract and that Patco was not liable for the loss. It seems, at the time of writing, that the court will find that a password and secret phrase constitutes sufficient security for Patco to be fully responsible for all of the loss.

It doesnt matter if you agree with the decision or not, (and given that the US FFIEC requirement is for multi factor authentication, we believe that two single factors is not sufficient), the fact is you need to determine a few things sooner rather than later:

  • What is your current security like? At a minimum do you have a good antivirus and a firewall on your internet connections? If not, take action this second.
  • What is your banks position on this sort of incident? It is unlikely to be clearly stated in any contract so speak to the bank and find out.
  • Are there any other measures you could put in place to help mitigate against this sort of risk? For example, you could investigate having an alternative approval for any automated processes or for ones above a certain threshold.
  • Have you fully documented your risk strategy here? If not, get on to it as soon as possible. If things go wrong, you need to be able to show you have considered every option and made the best decisions possible.

As the unfortunate case of Patco shows, this is a genuine risk and one that can put lots of organisations out of business. Criminal attackers will not care about your business, they will simply try to get away with as much money as they possible can – it is down to you to take the best measures possible to prevent them doing this.

If you need more advice, or want an informal chat about how Halkyn Consulting can help you with your security, then get in touch for a no-cost discussion and no-obligation quote. Dont wait until after the hacker has struck – take action today!