While it wasn’t widely publicized on this side of the pond, a hacker breach last month into Britain’s Tesco Bank sent shockwaves throughout Europe, with the thieves managing to steal £2.5 million (US$3.1 million).
That’s a relatively small loss compared to other hacker attacks, such as the staggering $81 million theft earlier this year from the Bangladesh central bank’s accounts in New York. What is more distressing though is the fact that nearly 7% of Tesco’s customers were affected – as well as the techniques the hackers may have used to penetrate the bank’s databases.
Early reports on the attack, which took place in early November, indicated that hackers might have guessed a customer’s debit card number, expiration date, and security code through a “distributed guessing” attack. That is, for each compromised account, the attackers made multiple attempts to access it from numerous websites until they finally got it right. The tools used for this type of attack are now so sophisticated that, according to one researcher, a hacker can acquire all three data points in a matter of seconds.
More recent reports point to a more obvious vulnerability: Tesco may have issued debit cards numbered sequentially. That would mean that by knowing just one card number, a hacker would have a much easier time working out the remaining two data points – the expiration date and security code. In addition, most online payment systems aren’t set up to detect multiple invalid requests from different websites.
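The weakness described above is that each merchant sees only a handful of declined attempts and so never raises an alarm; only the card issuer sees the whole stream. The following is an added example (not code from the original post, nor from Tesco or any payment network) of the issuer-side velocity check that closes that gap: it keeps a sliding window of declined authorization attempts per card, and flags the card once the declines both pile up and are spread across several distinct merchants. Card references, merchant names and the attempt stream are all constructed sample data; the thresholds are assumptions a real issuer would tune.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Assumed tuning values; a real issuer would set these from its own decline statistics.
WINDOW_SECONDS = 300        # look back this far for each card
MAX_DECLINES = 5            # declines inside the window that trigger a review
MIN_DISTINCT_MERCHANTS = 3  # ... but only if they come from this many merchants


@dataclass
class Attempt:
    ts: int          # seconds since some epoch (constructed)
    card_ref: str    # tokenized card reference; the PAN itself never enters the detector
    merchant: str    # merchant identifier as seen by the issuer
    outcome: str     # "approved", "bad_expiry" or "bad_cvv"


class GuessingDetector:
    """Flags cards whose declines are spread across many merchants in a short window."""

    def __init__(self, window=WINDOW_SECONDS, max_declines=MAX_DECLINES,
                 min_merchants=MIN_DISTINCT_MERCHANTS):
        self.window = window
        self.max_declines = max_declines
        self.min_merchants = min_merchants
        self.declines = defaultdict(deque)  # card_ref -> recent declined attempts
        self.flagged = set()                # cards already reported, to avoid duplicate alerts

    def observe(self, attempt):
        """Feed one authorization attempt; return an alert dict if the card crosses the threshold."""
        recent = self.declines[attempt.card_ref]
        # Drop declines that have aged out of the window.
        while recent and attempt.ts - recent[0].ts > self.window:
            recent.popleft()
        if attempt.outcome == "approved":
            return None
        recent.append(attempt)
        merchants = {a.merchant for a in recent}
        if (len(recent) >= self.max_declines
                and len(merchants) >= self.min_merchants
                and attempt.card_ref not in self.flagged):
            self.flagged.add(attempt.card_ref)
            return {
                "card_ref": attempt.card_ref,
                "declines": len(recent),
                "distinct_merchants": len(merchants),
                "first_ts": recent[0].ts,
                "last_ts": attempt.ts,
                # Which field the guesses were failing on; useful for the fraud analyst.
                "reasons": dict(Counter(a.outcome for a in recent)),
            }
        return None


def run_sample():
    """Constructed stream: card tok_A is probed from six shops; tok_B is one honest typo."""
    attempts = [
        Attempt(ts=10 * i, card_ref="tok_A", merchant=f"shop-{i}",
                outcome="bad_expiry" if i % 2 else "bad_cvv")
        for i in range(6)
    ] + [
        Attempt(ts=5, card_ref="tok_B", merchant="shop-0", outcome="bad_cvv"),
        Attempt(ts=20, card_ref="tok_B", merchant="shop-0", outcome="approved"),
    ]
    attempts.sort(key=lambda a: a.ts)
    detector = GuessingDetector()
    alerts = []
    for attempt in attempts:
        alert = detector.observe(attempt)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the sample run only `tok_A` is reported, on its fifth decline, with five distinct merchants in the window; `tok_B`, which fails once at a single merchant and then succeeds, stays quiet. The action on an alert belongs to the issuer, not the merchant: decline further authorizations on that card reference (including a subsequent correct guess), and notify the cardholder.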
As would be the case in most countries, Tesco has now reimbursed the 9,000 customers whose accounts were affected by the hack. But don’t assume that if hackers steal money out of your account, you’re not liable for the loss.
In the US, protection against unauthorized electronic transfers is almost absolute for personal accounts. Regulation E of the Electronic Fund Transfer Act requires banks to bear the burden in most circumstances. Your liability for a loss is capped at $50 if you report the unauthorized transfer within two days. The limit is $500 if you wait longer than that. Even your personal negligence – such as writing your PIN on the back of your debit card – doesn’t let the bank off the hook for your loss if the card is stolen. But if you don’t report the loss for 60 days, you’re responsible for all of it.
Business accounts tend to be larger and are therefore increasingly in hackers’ crosshairs. However, for business accounts, Regulation E no longer applies. Instead, transactions are governed by the Uniform Commercial Code (UCC). That means much weaker legal protection.
The UCC requires that banks provide business customers with “commercially reasonable” security conditions. As long as the bank follows its own protocol, it need not reimburse businesses whose accounts are hijacked by hackers. Moreover, buried in the fine print of business banking agreements, you’ll often find the bank disclaims all responsibility for security breaches.
Stuart Rolfe, a Seattle businessman, found this out the hard way. Hackers managed to hijack the email account of his company, Wright Hotels, allowing them to impersonate Rolfe and authorize fraudulent transfers. When he finally discovered what was happening, more than $1 million was missing. And since all of the transfers appeared to originate from Wright Hotels, JP Morgan, the company’s bank, had no obligation to make good on the loss.
The most recent FBI data show a huge growth in this kind of fraud. More than 8,000 companies have been victimized over the past two years. Their losses total nearly $800 million.
The safest strategy to protect yourself is to avoid online banking completely, cut up your debit cards, and close all your bank accounts. Unfortunately, that’s not practical for most of us. But there are several ways you can protect yourself and your business from this type of fraud.
- Avoid posting information on social media that a hacker could use to answer security questions. What I do is intentionally give the wrong answers to security questions. For instance, I might list my best childhood friend as “Uriah Heep,” the fictional character in Charles Dickens’ masterpiece, David Copperfield. Just make sure to keep a record so you don’t lock yourself out.
- Subscribe to fraud alerts from your bank notifying you of suspicious activity in your account.
- Use a virtual private network (VPN) for all online communications. This prevents hackers from monitoring your data stream to siphon off passwords and other credentials that could be used to impersonate you. Here at The Nestmann Group, we use Cryptohippie for this purpose.
- Monitor your account activity carefully. Individuals should review monthly statements for any unauthorized activity. Business users should monitor account activity daily or even more often, to ensure there have been no fraudulent withdrawals.
- Impose daily transaction limits on your account. For instance, if you never transfer more than $10,000 out of your account daily, this would be an appropriate limit.
- Set up accounts with banks that give you a printed list of disposable authorization codes. Whenever you want to log on to the bank’s website, you’ll need to match a challenge-response screen to a series of letters and numbers on the list. An equally effective precaution is to have your bank give you a “dongle,” a small device plugged into your PC or smartphone. Without the dongle, you can’t get access to the account.
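The printed list of disposable codes in the last point works because each code is accepted exactly once and the bank, not the customer, chooses which one to ask for. The following is an added example (not code from the original post or from any bank) of the server-side half of that scheme: the bank stores only keyed hashes of the codes, issues a random unused position as the challenge, compares the response in constant time, burns the code on success, and locks the list after repeated wrong answers. The code alphabet, list length, and lockout threshold are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed: 20 six-character codes per printed sheet, lockout after 3 wrong responses.
SHEET_SIZE = 20
CODE_LENGTH = 6
MAX_FAILURES = 3
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I, easier to read off paper


def generate_codes(n=SHEET_SIZE, length=CODE_LENGTH):
    """Codes printed on the customer's sheet; the only plaintext copy leaves with the customer."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]


class CodeList:
    """Bank-side record of one customer's sheet: keyed hashes, used flags and a failure counter."""

    def __init__(self, codes, max_failures=MAX_FAILURES):
        self.key = secrets.token_bytes(32)       # per-sheet key so a database leak reveals no codes
        self.hashes = [self._digest(c) for c in codes]
        self.used = [False] * len(codes)
        self.failures = 0
        self.max_failures = max_failures
        self.locked = False

    def _digest(self, code):
        return hmac.new(self.key, code.upper().encode(), hashlib.sha256).digest()

    def challenge(self):
        """Pick a random unused position; the login page shows 'enter code #n'."""
        unused = [i for i, u in enumerate(self.used) if not u]
        if self.locked or not unused:
            return None
        return secrets.choice(unused)

    def respond(self, index, code):
        """Verify the customer's answer for the challenged position. Single use, constant-time compare."""
        if self.locked:
            return False
        ok = (index is not None and 0 <= index < len(self.hashes)
              and not self.used[index]
              and hmac.compare_digest(self._digest(code), self.hashes[index]))
        if ok:
            self.used[index] = True   # burn the code even though it was correct
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True    # customer must contact the bank for a new sheet
        return ok

    def remaining(self):
        return sum(1 for u in self.used if not u)


def demo():
    """Constructed walk-through: one genuine login, one replay, then guessing until lockout."""
    codes = generate_codes()
    sheet = CodeList(codes)
    idx = sheet.challenge()
    first = sheet.respond(idx, codes[idx])      # genuine customer reading the sheet
    replay = sheet.respond(idx, codes[idx])     # same code again: already burned
    idx2 = sheet.challenge()
    guesses = [sheet.respond(idx2, "WRONG") for _ in range(2)]  # someone without the sheet
    after_lock = sheet.respond(idx2, codes[idx2])  # even the right code fails once locked
    return {
        "first": first,
        "replay": replay,
        "guesses": guesses,
        "locked": sheet.locked,
        "after_lock": after_lock,
        "remaining": sheet.remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter here: the bank never stores the codes themselves, so a breach of its database does not hand an attacker the sheet; and a captured code is worthless after its first use, which is what defeats the credential-siphoning the VPN point above warns about. A hardware dongle plays the same role with a secret held inside the device instead of on paper.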
One thing is certain: Hackers have your financial accounts in their sights, especially if you operate a business and keep large balances in them. Don’t wait to be the next victim before you take the appropriate precautions.