Zeus threatens to strike down community banks

Small community banks with thin profit margins can ill afford the security measures required to defend against the Zeus botnet

Community banks that survived the economic crisis of the past three years are finding themselves in jeopardy again -- this time from cyber criminals using banking trojans, most notably Zeus, to steal money from customer accounts.

Take the case of Mark Patterson, who with his brother owns the Patco construction firm in Sanford, Maine. In May 2009, cyber criminals stole $545,000 from the company's checking account over a period of six nights, taking out about $100,000 a night using Automated Clearinghouse (ACH) transactions. After tapping out the checking account, the losses rolled over to a linked line of credit, Patterson told attendees at the Cyber Crime Symposium 2010 in Portsmouth, N.H.

The bank blamed Patco for allowing a PC to get infected with Zeus and refused to refund the losses. While Patco had a $10,000 fraud policy designed to cover against employee misdeeds, the insurance did not even begin to cover the damages. The company is currently suing its bank.

"It has been a very stressful year and a half," Patterson says. "I had never heard about ACH fraud -- none of the people we talk to on a regular basis at the bank knew what ACH fraud was. It was a brand-new thing."

The case highlights the chasm opening up between small businesses and their community banks. While money stolen from accounts can wipe out a business, small community banks, with their thin profit margins, are also sensitive to the losses. Those that have taken action have found themselves in a quandary: Do they impose additional -- and possibly costly -- security measures on small-business customers and cover their losses or do they continue to push the losses back to those same customers and possibly lose them? Most banks contend that small-business customers, who are not insured against fraud losses, are responsible for the security of the PCs allowed to access their accounts.

The prognosis for community banks and small businesses is not optimistic.

"I have an actual victim tell me they could take the loss better than their bank could," says James Woodhill, founder of Authentify and a cyber crime policy expert. "My great fear is that the market will get educated enough to move their accounts to a handful of money center banks ... and move them away from [small community banks]."

Digital crime has outpaced real-world bank robberies in terms of losses. In 2009, there were 8,818 bank robberies netting criminals an average of $4,029 -- a total of about $35.5 million, according to the FBI's Uniform Crime Reporting (UCR) program. However, 60 percent of bank robbers were caught, often very quickly.

Compare that to ACH fraud statistics: The recent arrests connected with Zeus accounted for some 390 reported cases where $70 million was stolen from accounts. The criminals had attempted to steal some $220 million. The investigation mainly netted the lowest ranks of the criminal network -- the so-called money mules who remove stolen funds from their accounts and transfer the money to international accounts abroad. In general, the money mules are people who are duped into believing they are working for a legitimate company processing payments.

For the criminals, it is a "big payoff if they win, and no one is going to arrest them if they lose," Woodhill says.

The crime spree has small banks worried. One $500 million bank -- considered tiny in the world of banks -- woke up to the threat when one of its customers was attacked. The bank has instituted a two-day hold on new ACH transfers and will confirm the creation of new payees out of band. Both are recommended actions for banks.

"We only have 160 accounts that are doing this [ACH transfers], so we can get our arms around this pretty well," Woodhill says. "But we have 7,000 consumer accounts. What I fear is -- because we know there are no controls out there at all on the consumer side -- if they could hit each consumer's account for $500 or $1,000, they could wipe us out."

Moreover, some customers have threatened to leave their banks over the new security measures. In one case, a customer created five new payees to transfer $5 million internationally, all from a computer that had not originated previous transactions. When the bank called the company to check on the legitimacy of the transactions, it was chastised. The bank's business side, however, refused to consider dropping the problematic customer.

Security experts say that such hard medicine may have to be practiced in the future, before other, more security-conscious customers decide to leave.

"There is another definition of commercially reasonable," says policy expert Woodhill. "If every one of your commercial customers knew that you allowed another company like theirs to have their money stolen, would you still have any customers?"

This article, "Zeus threatens to strike down community banks," was originally published at InfoWorld.com.


Copyright © 2010 IDG Communications, Inc.