Wednesday, February 17, 2010

On Line Hackers Steal $50,000 And Bank Says "Tough Luck"

Online Robbery: Hackers Steal $50,000. Bank Says ‘Tough Luck’
By Kathy Kristof | Feb 10, 2010 | 23 Comments

It’s every technophobe’s nightmare, but this time it’s true. Some $50,000 was stolen from Fan Bao’s online bank account by Croatian computer hackers and the bank told him that the loss is not their problem.

Could it happen to you? Here’s the back story to help fill in who is at risk.

Seven years ago, Fan Bao opened a checking account at Bank of America to facilitate his small import-export business called ZICO USA. When he needed to wire money, he or his wife, Cathy Huang, would walk a few blocks to Bank of America’s Highland Park, Calif., branch and execute the transfer in person.

But two summers ago, a BofA branch official urged Bao to do his banking online, assuring him that it was every bit as safe as banking in person. Only wires sent from Zico’s computer, accompanied by a downloaded security certificate, would be honored, he was told. Bao followed the bank’s security instructions to the letter, and accepted the bank’s assurances that his money was safe.

But last summer, two fraudulent drafts were sent through Bao’s account–one for $50,000 and another for $99,100. Both drafts were going to a bank in Croatia that Bao had never done business with. In fact, Bao had never before sent a wire transfer to anyone outside of Hong Kong or China.

The bank recognized that the transfers were improbable, but didn’t stop them. A bank official called Bao to report “unusual activity” on his account, but refused to tell him what it was because Huang was the company’s only “authorized agent” and she was on a business trip in Hong Kong, according to court filings. When Huang was able to reach BofA later that day, the couple discovered that nearly $150,000 in unauthorized wires had been charged to their business.

Huang immediately denounced the charges as unauthorized and fraudulent. The bank was subsequently able to stop payment on the second draft for $99,100, but the other $50,000 already had been paid to the Croatian bank and the money had been withdrawn. When Bao asked for the money back, Bank of America told him the missing $50,000 wasn’t their problem.

Why? Bao had agreed to the bank’s “terms and conditions” when opening the business checking account, which said that the bank did not have to make any special effort to “detect errors” in wire transfer requests. Wire transfer rules only require the bank to follow standard security protocol, which includes encrypting accounts. In a five-page response that Nada Alnajafi, Bao’s attorney, calls a “form letter,” the bank cites wire transfer rules that say that for Bao to recover the fraud loss from the bank, he has to prove that it was the bank–not Bao–that had the security breach.

Bao has seen no other indication of hacking on his own computers, Alnajafi said. Aside from these two wires, neither this nor any of his other financial accounts have been hit. Nonetheless, the bank says in its letter that it suspects that given the amount of “malware” in the online community, Zico’s computer was infected with some type of “keylogging virus” that captured his user credentials. Thus, he’s stuck. If Bao contends otherwise, it’s incumbent on the small business owner to file suit against one of the nation’s biggest banks to prove it.

He’s done just that. Bao says in the suit, filed in Los Angeles Superior Court, that the fraud occurred only weeks before the bank was set to initiate tightened security procedures that included a “SafePass token.” The bank informed him they were adding this level of security in late May and Bao immediately signed up. But the bank didn’t “activate” Bao’s SafePass until July 13th. The fraud occurred on June 22.

Bao’s suit indicates that he suspects that bank employees are in on the scam. He is alleging negligence and breach of good faith and fair dealing, among other things. He asks for his money back.

Bank spokeswoman Shirley Norton said the bank has not been served with the suit, so it cannot comment on the allegations. Citing client confidentiality, the bank also would not comment on any specific client matter. But Norton said that the bank takes safeguarding client information very seriously.

“BA Direct includes an advanced security mechanism with layered security controls for authenticating wire transfers,” she said in an email. “Those controls include personal digital certificates, encryption, customized authorization and entitlement, separation of duties, automatic log-offs and password expiration.”

“Our security procedure is consistent with those used by other major banks to authenticate wire transfers.”

The only thing Norton said that could give some comfort on the “could it happen to you” front is that business accounts present more risk than personal accounts.

Business accounts are regulated by the commercial code. The commercial code puts the onus on the customer, not the bank, in some disputes. Personal online banking accounts (and debit card transactions) are covered by Regulation E–a.k.a. the Electronic Funds Transfer Act. You can read the whole thing here.

My summary would be this: With a personal account, you’re only liable for $50 in unauthorized charges, unless you fail to report the charges promptly. Your losses can be as high as $500 if you fail to report the fraud within two days of learning about it, and can be unlimited if you don’t report the fraud within 60 days of getting a statement (unless you’ve been out of the country or in the hospital).

Before the suit was filed, Bank of America attorneys wrote a letter to Bao (provided to CBS MoneyWatch) that said: “Neither the Bank nor any other major wire transfer bank is or can be in the position of manually vetting each incoming payment order to make an independent assessment whether it appears to be ‘normal’ for a particular customer. Such a process would be commercially infeasible and would delay or halt billions of dollars of wire transfers each day and would constitute an unacceptable substitution of the bank’s judgment for that of its customers.”

Alnajafi skeptically replied that banks, of course, do just this with millions of credit card transactions each day.

“If you try to use your credit card out of state to buy a cup of coffee, they’ll freeze your account,” she said. But wiring $150,000 to Croatia, when you’ve never sent a dime there before? That’s not going to set off any alarms.

MoneyWatch Talkback

1
amerize
02/10/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

Wow, I can not believe that a large institution such as Bank of America does not provide any protection to its Merchant Clients. Merchant Clients even have their own teller line inside B of A, so I guess I always assumed that they were treated better and given even more protection than regular clients of the bank. I find this unbelievable and unacceptable.

Any large transfer of money must be scrutinized thoroughly, even a simple computer program could flag a large transfer to a country that a customer has never sent money to before. It just goes to show that all the passwords and "SiteKey" type security precautions can not protect a person who is being targeted. I always assumed that banks had other security measures and sort of "silent alarms" in place to protect me that I just did not know about. I find it disturbing that they do not.

Aside from that there should be a clear set of procedures for helping any victim of such a fraud recover some if not all of their money, perhaps through some sort of insurance protection provided by the bank or a government regulatory body.


2
Kathy Kristof
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

Amerize, I've been covering banking for more than 25 years and
this tale shocked me too. We all know that hackers run
rampant, but I had assumed that bank security was far better
than this. What's worse, I think, is that they spotted the
problem, but didn't stop it. I can only attribute that to the fact
that they figured they wouldn't be liable in the end. When banks
are held accountable, like they are with credit card
transactions, they do stop fraud very effectively.


3
queenbeethatsme
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

B of A is a baaaaad bank. When my dad died a few years ago, as part of his estate, his kids were to split his IRAs--of course we all wanted to liquidate them except one of us. Because we were not keeping the money with B of A (think hundreds of thousands here), B of A did everything possible to hold up transfer, including placing my faxed-in paperwork on a seat of a worker then claiming for 3 months it was unnoticed and misplaced because the woman was out on pregnancy leave. They also gave us internet stock trading passwords that did not work and delayed asking for information for MONTHS at a time. (Say, for instance--telling one sibling they needed a notarized letter confirming identity, then not doing anything for a month, then after repeated calls and the involvement of watchdog agencies--telling the same sibling she had to provide birth cert. and all marriage licenses and divorces, each time waiting a month--but finally (about 5 months later)--claiming her paperwork had been lost on a worker's seat so that is why it was never processed.)

B of A are scam artists and full of liars who (in my opinion) will steal your money and blame it on you--so I am not surprised about this guy. I would NEVER, EVER knowingly bank with them, like I would NEVER use Allstate Insurance. Criminals. Anyone with similar experiences should put the word out-- BOYCOTT B of A. Because next time the "scam" could be you.....


4
chakooch
02/11/10

Internal Job

This sounds like an internal job.
On-line transactions with such amounts need authorization in a country as small as Jordan, how could it be done undetected in the USA?
I would suggest making an in-depth investigation on the employee who authorised these 2 transactions.


5
ginolg@...
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

You think this is shocking. B of A takes no responsibility
for your money.

I worked for a firm that had been embezzled against by an
employee. B of A tellers cashed many obviously doctored
checks over the counter for currency. B of A claimed that
it wasn't their responsibility. No regulators have shown
any interest in protecting a small business.

In one case a computer check was made out to "The
Internal Revenue Service" but the word "CASH" was
inserted at the very front of the check - clearly not in line
with the other text. This is just one example.

While the embezzler was well known to the company and
Bank, he was not a signer on the account. I mention one
example but the total damage was about $1 million over
several years (Viking Bank was also used).

We all assume that common sense about a check would be
a basic fiduciary responsibility.

It especially irked me at the time that many of our hourly
production workers were denied the ability - or made to
jump through hoops - to cash their honest pay checks at
the same bank. I was shocked that so many workers used
check cashing services and started to ask why.


6
jan.mulder@...
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

B of A apparently was unhappy with few transfers going through my checking account since I live abroad. So, they had a simple solution, they handed the money over to the State of California. They claimed no activity at all for years, although I had made a withdrawal a month ago.

It took almost a year to get my money back, and many expensive overseas phone calls. No interest paid of course.

Yes, it's a great bank!

Jan Mulder from Holland


7
Kathy Kristof
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

Good lord, Ginolg. Did they sue? How could they cash a check
that wasn't signed by one of the officers of the company?


8
Kathy Kristof
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

Egads, Jan. I assume you moved your account... I've got to say
that no one damages the reputation of big banks better than
the big banks themselves. What are they thinking?


9
ginolg@...
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

Kathy K

The checks were altered after they were signed appropriately.
The point is that most of them were pretty clearly altered. One would assume that a teller would be trained to look for such things. The embezzler always used the same teller. It is unclear if the teller was untrained or complicit. In either case he IS the Bank.

It would seem to me that fiduciary responsibility would mean that a Bank should refuse to honor suspect checks - especially over the counter - to protect themselves. It appears that the big institutions have little accountability.

Yes, a law firm took the case but it has been several years ago and it is easy for a giant like B of A to wear down a small firm. I no longer work for the firm but still know people and I'm sure I would have heard if they had won the suit.


10
dahlia rabadi
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

WOW, the truth of the matter is that the BANK should be doing their job to properly identify the employees who are not complying with the bank security standards. The employees at all banks should be properly checking any large transactions from being deposited. They should be identifying all uncommon transactions and call the merchant. I bank at US Bank here in California and I got a phone call the minute they saw one wire transfer come out of my account. This is total fault of the bank they should protect their customers or assist in identifying possible areas or fraud.


11
clarkm
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

I used my regular credit card (VISA) to purchase some new windows for my home at a Home Depot last summer. Total cost ~$7500.00. Within about 18 hours I was contacted by automated teller by phone at my home to confirm that the transaction was legit. And BofA can't seem to keep track of $150.00K in (2) obviously questionable transactions? I am still waiting for someone to finally blow a gasket and start shooting bank execs. I won't feel sorry.


12
Quench
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

Clearly, you can't trust any of them and I don't buy any of the excuses the banks have to offer. I can only imagine how upsetting and frustrating it must be to find that the bank is completely unaccountable for any role in this especially when they provide the means and system to make it all possible. There must be a breach somewhere.

They provide a service and encourage you to use it, but when it fails it isn't their fault. There is something absolutely wrong with that line of logic.

Read the fine print? You've got to be kidding me. Inside job? I would say absolutely. I would start by interviewing the employee that encouraged me to use the online service to begin with.

In Canada, if you deposit a cheque into your personal account, the bank may hold the funds for up to 21 days (depending on the amount) to make sure the cheque clears. They will not put themselves at risk. Any unusual deposits are certainly held for a limited period of time until the cheque clears.

Perhaps the banking system needs a way for "businesses" to re-confirm and approve funds when cheques are presented for withdrawal. Certainly a limit or threshold could be established to minimize the problem.

Of course, one of the next new products that banks will likely want to sell you is "account fraud" insurance. Just make sure you read the fine print - because they won't pay if the bank, or any of its employees or affiliates, are involved.

The banks are also smart enough to know that it will take a lot of cash to fight them in court. I'm sure they can recommend a few good, honest, trustworthy lawyers. It's a shame when someone has to fend for themselves with nowhere to turn.

Thanks for sharing the article and I'm just glad I read it at the end of my day. Arghhh... Whose money was it that bailed them out?


13
Name Here
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

What happened to the holds on amounts for several days to
insure that it clears? I suspect BofA as well because the
same thing happened to me. An "e-check" was drawn against
my account which triggered an overdraft notice mailed to me.
When I went to the bank and found out what happened, the
banker refused to trace it and said, "They didn't get your
money, did they?" Then he wanted to charge me $5 for a
cashier's check to close the account. I just took everything
out at the ATM and that triggered "Monthly Account Fees"
because I didn't officially close the account, which I refused
to pay. It landed on my credit record, but didn't do too much
damage to my FICO.


14
Mrs. E
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

When they got too big to fail; they became too big to care.
I bank with a credit union, I have been with them 20 years. My husband still has an account at Wells Fargo, despite my pointing out the monthly fees he is paying to keep his money there, and his complaints over the years of the poor customer service. He went in to close his account and they talked him into staying, then wanted me to come in with him to discuss our options, since "we are larger than Golden 1". That is not a selling point in this market! I will stay where everyone knows my name and that my account number technically has a typo in it!


15
calghanie
02/11/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

We have problems with Bank of America also. When they took over the Barnett Bank, we had a CD account with that bank. Since we live outside the States we never heard of the buyout or merger concerning Barnett. We discovered that the State of Florida owes us rent for the amount of $1500.00 because the BoA closed the account and gave the interest to the state's comptroller to keep until the owners come look for it. BoA will not give us back the main sum invested in the CD account, stating that they do not have any records. Their records are willfully destroyed because they are not required by law to keep any records longer than a certain period of time. Do not trust this bank, or any other!


16
foddo@...
02/12/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

This is of course ridiculous. Bank of America should be ashamed of themselves, as well as held accountable. My bank, which is actually a credit union, calls me every time I make a wire transfer and asks me the amount. I am not talking about a bunch of different transactions to a bunch of different places. I am talking about 4 to 6 times a year, I wire money from my business to the same identical bank and account in the Philippines, from the same identical business account in the US. And they still call me each time to verify the amount. Kudos to Alliance Credit Union.


17
plyati
02/12/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

I am by no means a BofA cheerleader, but I work for a small community bank and I can say for a fact that it is FAR more likely that a customer will have a security breach before a bank will. Banks are audited constantly. More than likely this customer was the victim of an info-stealing trojan which led to his credentials being compromised. Why should the bank suffer the consequences of the customer's poor security practices? Any bank (if they're smart) will tell a business customer that they should have a separate dedicated computer to carry out online transactions. That computer should go nowhere else on the web except to do business online banking. Period.


18
AirBoss
02/12/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

Great PR for BofA, eh? As if they need any more like this.


19
Kathy Kristof
02/12/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

Hey, Plyati. I wouldn't disagree with you, but if Bao's
attorney is to be believed, they have no sign of a security
breach with the one computer they use for their business.
More of the story may come out when BofA responds to the
suit. But, even if their computer was compromised, what
bothers me is that BofA didn't hold this transaction for even a
few hours, when they know about fraud problems in that part
of the world and when they recognized how off-kilter this
particular transaction was. That makes no sense to me and
strikes me as negligent on the part of the bank.


20
Kathy Kristof
02/12/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

You said it, AirBoss. Right now, I'd say that the big banks are
their own worst enemies. Gotta wonder if they're going to wise
up.


21
ubllc2008
02/16/10

Stop banking with BofA

I am not surprised with the news. Our experience with BofA is, leave alone hackers, even BofA is involved in fraudulent charges. We have such experiences. Lucky for us, we did not get conned by BofA by double or triple digit figures.

And the customer treatment is nothing short of rude and "we don't care" attitude. So we withdrew all of 200k held in BofA and moved to Wells Fargo, Digital Federal Credit Union and Chase.

Tell you this - this bank will or should sink. Customers ABORT.


22
Kathy Kristof
02/16/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

Wow....sure don't hear from a lot of BofA fans. Anyone like this
bank?


23
fchaffin@...
02/17/10

RE: Online Robbery: Hackers Steal $50,000. Bank Says 'Tough Luck'

I am hearing more and more stories where the bank is refusing to make good on bogus transactions. While I kind of understand the bank's position I do not agree with it and think the bank is making a mistake. Rather than avoiding the issue I think BofA should do what Heartland Payment Systems did (see Jan 28, 2010 in Bank Systems & Technology) and go from online banking fraud victim to online banking security expert. If they did this they could attract many new commercial accounts.

Also, I would like to know what would happen if the same person lost their credit card in the street and someone picked it up and used it to make bogus purchases!! My guess is that they would make the client whole.

Cybercrime Fighter
GuideMarkSecurity.com

