Karen McCarthy – Little & King Co., LLC
On Monday, February 15, 2010, my life was turned upside down. My commercial bank account at TD Bank was looted.
Eastern Europe-based cyber-thieves added my company to the list of victims of the epidemic of American commercial bank account cyber-looting that apparently started in late 2008.
These computer hackers successfully impersonated me to TD Bank’s online banking system and made $164,000 in fraudulent wire transfers out of my company’s account in a matter of minutes.
I had never made a single electronic payment from this account, much less $164,000 in a day and a half to Romania, to terrorist groups known to the FBI, yet TD Bank did not notify me of any unusual activity, per my online banking agreement.
When I discovered the fraudulent transfers I notified TD Bank immediately. They did not even freeze my account until noon the next day. They said that they were not responsible, that the fraud was “not related to any breach on the part of TD Bank.”
Since then, I’ve learned:
- TD Bank did not even comply with the regulatory guidance it has been receiving from the FFIEC and the FDIC since 2005. Indeed, TD Bank’s CEO received an FDIC Special Alert almost six months before my incident that described exactly the attack that cleaned out my business account, instructed him to institute appropriate security measures to prevent losses from it, and referred him to those measures.
- This FDIC Alert informed service providers where to look for guidance and gave them information on authentication and on security for high-risk transactions. These documents included:
- FFIEC Guidance Authentication in an Internet Banking Environment
- Authentication in an Internet Banking Environment Frequently Asked Questions
- FFIEC Information Security Examination Handbook
- FFIEC Retail Payment Systems Examination Handbook
- FDIC Guidance on Mitigating Risks from Spyware
- Previous FFIEC guidance instructed TD Bank to institute “layers” of fraud controls, such as checks on the Internet addresses used and checks for unusual patterns of account activity.
- TD Bank did nothing to secure their online banking facility, disregarding all the explicit warnings from federal agencies, plus industry analysts such as Avivah Litan and computer security specialists such as Bruce Schneier.
- And this is in spite of the fact that many different proven, inexpensive, fast-to-implement, easy-to-integrate, and customer-friendly bank security solutions that defeat these attacks have been available in the commercial marketplace for over half a decade.
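The “layers” of fraud controls the regulators describe above (checks on the Internet address a session comes from, checks for unusual patterns of account activity, and holding unusual transfers for notification and out-of-band confirmation) can be sketched in code. The following is an added illustrative example written for this page; it is not TD Bank’s system, nor any product referred to here. The IP ranges, the country lookup, the thresholds, the weights and the sample transactions are all constructed assumptions.

```python
"""Layered fraud controls for outbound wire transfers.

Illustrative example only: not TD Bank's system and not a real product.
All IP ranges, countries, thresholds, weights and transactions below are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Constructed geo-IP table using RFC 5737 documentation ranges (assumption):
# a real system would query a geo-IP database here.
GEOIP: Dict[str, str] = {"203.0.113.0/24": "US", "198.51.100.0/24": "RO"}

REVIEW_THRESHOLD = 10_000.0      # assumed amount above which a wire needs review
VELOCITY_WINDOW = timedelta(hours=36)
HOLD_SCORE = 3                   # assumed score at which a wire is held
WEIGHTS = {"new_ip": 1, "geo_mismatch": 3, "first_ever_wire": 2,
           "new_destination": 1, "velocity": 2}


def ip_country(ip: str) -> str:
    """Map a session IP to a country code using the constructed table."""
    addr = ip_address(ip)
    for net, country in GEOIP.items():
        if addr in ip_network(net):
            return country
    return "??"


@dataclass(frozen=True)
class Wire:
    when: datetime
    amount: float
    dest_country: str
    session_ip: str


@dataclass
class Profile:
    home_country: str
    known_ips: Set[str]            # IPs seen in prior authenticated sessions
    prior_wires: List[Wire]        # released historical wires
    max_prior_daily_total: float   # largest amount wired in any prior 24h


def flags_for(profile: Profile, wire: Wire, pending: List[Wire]) -> List[str]:
    """Run each control layer; a wire must pass all of them to be released cleanly."""
    flags = []
    # Layer 1: where is the session coming from?
    if wire.session_ip not in profile.known_ips:
        flags.append("new_ip")
    if ip_country(wire.session_ip) != profile.home_country:
        flags.append("geo_mismatch")
    # Layer 2: does this fit the customer's own history?
    if not profile.prior_wires:
        flags.append("first_ever_wire")
    if wire.dest_country not in {w.dest_country for w in profile.prior_wires}:
        flags.append("new_destination")
    # Layer 3: amount and velocity, counting wires that are still pending release
    recent = [w for w in profile.prior_wires + pending
              if timedelta(0) <= wire.when - w.when <= VELOCITY_WINDOW]
    window_total = wire.amount + sum(w.amount for w in recent)
    if (wire.amount > REVIEW_THRESHOLD
            or window_total > 2 * profile.max_prior_daily_total):
        flags.append("velocity")
    return flags


def decide(flags: List[str]) -> str:
    """Score the flags: hold for out-of-band confirmation, notify, or release."""
    score = sum(WEIGHTS[f] for f in flags)
    if score >= HOLD_SCORE:
        return "hold_and_confirm_out_of_band"
    if score > 0:
        return "release_and_notify"
    return "release"


def replay(profile: Profile, wires: List[Wire]) -> List[str]:
    """Process wires in order; held wires still count toward the velocity window."""
    pending: List[Wire] = []
    decisions = []
    for w in wires:
        decisions.append(decide(flags_for(profile, w, pending)))
        pending.append(w)
    return decisions


T0 = datetime(2010, 2, 13, 9, 0)   # constructed timeline

# Constructed profile: an account that has never sent an electronic payment and
# has only ever logged in from one office address.
NEVER_WIRED = Profile("US", {"203.0.113.10"}, [], 0.0)

# Constructed attack: stolen credentials used from an address abroad to send
# several large wires to a new destination country within a few minutes.
FRAUD_SEQUENCE = [
    Wire(T0 + timedelta(minutes=i * 3), amt, "RO", "198.51.100.7")
    for i, amt in enumerate([48_000.0, 41_000.0, 40_000.0, 35_000.0])
]

# Constructed profile with a routine wire history, for comparison.
ESTABLISHED = Profile(
    "US", {"203.0.113.10", "203.0.113.11"},
    [Wire(T0 - timedelta(days=30), 8_000.0, "CA", "203.0.113.10")],
    8_000.0,
)
ROUTINE = Wire(T0, 6_000.0, "CA", "203.0.113.10")
ODD_DESTINATION = Wire(T0, 9_000.0, "GB", "203.0.113.10")

if __name__ == "__main__":
    print("fraud:", replay(NEVER_WIRED, FRAUD_SEQUENCE))
    print("routine:", replay(ESTABLISHED, [ROUTINE]))
    print("odd destination:", replay(ESTABLISHED, [ODD_DESTINATION]))
```

Each layer on its own is cheap and fallible: a customer can travel, or genuinely open a new payee. The point of layering is that the constructed attack trips every layer at once (unfamiliar address, foreign country, first wire ever, new destination, amount far above history), so it is held before any money leaves, while the routine wire from a known address to a known destination is released untouched and the merely unusual one is released with a notification.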
TD Bank maintains that because the hackers used my correct username and password to make the transfers, TD Bank bears no responsibility whatsoever for the breach. However, I don’t log on from Eastern Europe! Security experts, including Brian Krebs, who examined my computer have told me that the hackers probably acquired my username and password by planting a virus on my computer called “ZeuS.” TD Bank claims that because my computer was infected with ZeuS, I bear responsibility for the fraudulent transfers.
In fact, it is well known in the banking and financial world that this virus (“ZeuS”) cannot be prevented by anti-virus software, yet TD Bank has not adapted its security measures to deal with this known threat. Because accessing TD Bank’s online banking services required no more authentication than a simple user name and password, with no enhanced authentication of any kind, TD Bank made it easy for a hacker to steal my company’s assets, despite the bank’s assurances of “multi-factor authentication.” The reality is, it took no more information for these hackers to steal my money than it does to sign in to a Facebook account. It is blatantly apparent that TD Bank’s security measures are not commercially reasonable and are not on par with those utilized by other financial institutions.
I have antivirus software on my computer and it is updated at least 3 to 4 times daily, but the FDIC and others have stated publicly that commercial antivirus software is NOT capable of detecting ZeuS. Thus, until the day I was robbed, I had no way to know that my computer was infected.
I am a businesswoman, not a computer information security expert. I assumed that when TD Bank accepted my deposit, they were guaranteeing to do everything in their power to keep it safe. It would have been safer under my pillow.
As it turns out, TD Bank failed to institute any meaningful security measures to protect my account from unauthorized access.
Note that had this account been a consumer account rather than a business account, TD Bank would have been forced to make good on the fraud losses it failed to prevent. Right now, no organization that banks online is safe.
In March of 2011, The Cyber Looting Awareness & Security Project was born (www.clasproject.org). With leadership from victims, including myself, and support from cyber-security professionals, the movement against cyber theft is moving fast. We are lobbying Congress to extend Federal Reserve Regulation E to cover commercial accounts.
America’s local and regional banks have made it more than clear that until they are forced to take full financial responsibility (as they are today with retail – consumer – accounts) for allowing these attacks to succeed, they simply will not follow the guidance that their regulators have offered them to prevent those successful attacks.
Only when banks like TD Bank are required to reimburse commercial depositors for losses from cyber theft that they could have thwarted will they institute the security measures that they could and should have instituted long ago.
Visit us at www.yourmoneyisnotsafeinthebank.org, find your local lawmakers and petition them to institute this necessary extension to Regulation E to cover commercial bank accounts.