Bank customers left adrift by increasingly draconian security T&Cs

News by Steve Gold

US banking fraud case highlights serious online banking security issue

A Californian business that went bankrupt last year after cybercriminals withdrew £900,000 (US $1.5 million) from its accounts has taken legal action against its former bank to recoup the losses.

The move comes against a backdrop of increasingly draconian terms and conditions relating to online and card security being imposed by UK banks - with security experts observing that the changes in terms and conditions (T&Cs) impose a higher duty of care on businesses - and consumers - to look after their credentials.

According to security researcher Brian Krebs, the state-appointed receiver for Efficient Services Escrow has filed a lawsuit against First Foundation Bank, alleging that the bank's security procedures were insufficient, and that "it failed to act in good faith when it processed three fraudulent international wire transfers totalling £946,760 (US$1,558,439) between December 2012 and February 2013."

The lawsuit, says the researcher, is the latest in a series of court cases seeking to determine whether banks should be held more accountable for losses stemming from so-called cyberheists.

In the lawsuit, the receiver for the company alleges that a component of the bank's core security protection - the requirement that customers enter a code generated by a customer-supplied security token that changes every 32 seconds - had failed in the days leading up to the fraudulent transfers, which included a £305,000 (US$0.5 million) bank wire to China.

The bank - First Foundation - claims that the fraud was down to insecure actions by a member of the firm's staff, Krebs notes. Closer to home, however, most UK business and consumer bank customers will have noticed their online banking - and general - T&Cs changing to accommodate the shift towards Internet banking plus online card usage.

Negative Trend

This trend is not at all positive, says Sarb Sembhi, an Analyst and Director of Consulting with Incoming Thought, the security research and analysis house, who says that none of the T&Cs he has seen actually state the specific processes that customers must adhere to in order to secure themselves.

"The problem is that there is no single and agreed standard amongst the UK banks about what steps customers should be taking," he said, adding that the UK banking industry needs to develop a security checklist to which business - and consumer - customers can adhere.

They need this checklist, he says, to meet the requirements of their bank's T&Cs, and so gain protection in the event of their being hit by fraud.

The good news, he went on to say, is that cyber liability insurance can go a long way towards filling the gap between the actual losses sustained in an online banking or card fraud and what the company's bank is prepared to pay out once the fraud comes to light.

Sembhi, who is also a leading light in ISACA, the not-for-profit international security association, says that most insurance firms in this field have a track record of paying out on Internet banking fraud claims, especially where the bank denies liability.

"It's also worth bearing in mind that the UK's CNI (Critical National Infrastructure) is predominantly in the hands of smaller companies, many of whom could be put out of business by a banking cyberheist. Since the banks are taking a more draconian attitude to these types of incidents, there is a clear risk of a banking cyberheist putting elements of the UK's CNI out of action," he explained.

Sembhi's concerns were echoed by Professor John Walker, a Visiting Professor with the Nottingham-Trent University Faculty of Engineering, who said that it is highly ironic that some of the UK banks are now admitting their own security architectures are not up to scratch.

This was borne out, he said, by the comments of Ross McEwan, the chief executive of RBS, late last year, when he blamed the bank's latest card payment and systems outages on a failure to "properly invest" in technology.

"It's clear the banks have a security problem of their own. One bank I was called in to audit found it had Chinese-connected systems hanging off its network - about which it had no knowledge whatsoever. The reality is that the banks - and their customer accounts - are regarded as low-hanging fruit by cybercriminals, so there is no doubt they are increasingly being hit by cyber frauds," he said.

"For this reason it's outrageous that they should hide behind their T&Cs in trying to escape paying when an account holder is hit by cyber fraud," he added.

Professor Walker - who is also CTO of IT security consultancy Integral Security Xssurance - noted that Mark Carney, the Governor of the Bank of England, has admitted that UK bank security needs bolstering and last October revealed plans to help protect the UK's banking system from the mounting threat of cyber attack.

"The reality is that the UK banks are every bit as vulnerable to cyber fraud as their US counterparts. Hiding behind T&Cs as a means of not paying out to customers for an obvious fraud is made all the more outrageous in the light of Carney's comments," he said.
