Marketplace Scratch Pad

Who’s to blame for Internet theft?

Scott Jagow Jan 29, 2010

Companies victimized by cyber crimes have been suing their banks for having inadequate online security. But a new case in Texas turns that situation on its head. The bank is suing the customer for allowing hackers in.

The dispute involves Lubbock-based PlainsCapital bank and a company called Hillary Machinery. Last November, more than $800,000 was stolen from Hillary’s account by hackers in Romania and Italy. The bank subsequently recovered $600,000 of the money. Hillary filed the usual lawsuit claiming the bank had poor security and should be responsible for the remaining $200,000.

But the bank sued back, claiming Hillary's credentials were used to add new computers to the network, and the hackers used those computers to access the bank account.

More from The Consumerist:

PlainsCapital argues that it uses every reasonable security method to protect its customers’ assets, and it points out that the attackers used valid login credentials. In fact, in the lawsuit the bank argues that it “accepted the wire transfer orders in good faith,” shifting the responsibility entirely over to Hillary Machinery.

But nobody seems to know how the attackers got the credentials, and I’d hope any bank I loan my money to would employ multiple security protocols in the event a particular wall is breached, as in this case. Things like, I don’t know, looking for suspicious transaction patterns. Or noticing when a customer’s newly authorized computer has an IP address located in Romania instead of Plano, TX.

From Krebs On Security:

“It’s pretty ridiculous that the bank is saying their security was reasonable,” (Hillary VP Troy) Owens said. “The people who run this bank are from an area that still leaves their doors unlocked at night and their keys in the car. These security measures were probably very up to date 10 to 15 years ago, but they’re not in today’s age.”

Well, if it’s such a hayseed bank, then why are you doing business with them?

This will be an interesting case to follow. On one hand, banks can’t stay in business if they have easily-hackable security measures and don’t raise red flags when unusual transactions take place. But shouldn’t the company bear some responsibility if its credentials were used?

I expect this is only the beginning. A report from Deloitte this month points out the fast-growing nature and crazy sophistication of cyber crime:

The CSO 2010 CyberSecurity Watch survey shows that cybercrime threats to organizations are increasing faster than they can combat them. The issue – attackers are becoming smarter and using more sophisticated malware, viruses and techniques that have outpaced traditional security models and many current signature-based detection techniques. And, it looks like this gap is only going to widen as cyber criminals build more complex and innovative threats.

On its website, Hillary Machinery is sounding the alarm to other small businesses:

!!!!!!!!!!!! Small Business Alert !!!!!!!!!!

Is Your Bank Watching Your Back?

In the cyber world, bank robbers carry keyboards; not guns. And, you will be surprised to learn that not only have banks been alerted by many regulatory agencies, many are still ill-prepared to prevent it, and may not return your money if it’s stolen from your account.

How do you see this issue?
