The epidemic of on-line bank fraud by cyber criminals succeeds because
- Security procedures at too many businesses fail to prevent the compromise of workstations. This leads to the compromise of online bank credentials which the cyber criminal uses to commit fraud.
- ACH transfer security procedures at too many banks fail the test of "commercial reasonableness."
In our role of assisting clients with cyber security management, we have seen first-hand how too many companies (i) fail to provide effective awareness training to staff to meet the cyber crime challenge and (ii) fail to impose rigorous security requirements on the management of their IT infrastructures.
We have also had the opportunity to see first-hand how easy it is for a bank to fail to meet the standard of commercial reasonableness of its ACH security procedures.
- Failing to consider the wishes of its customer expressed to the bank.
- Failing to consider the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank.
- Failing to implement security procedures in general use by customers and receiving banks similarly situated.
We echo Krebs' warning that "The attack is the latest reminder that small businesses should assume that they are completely responsible for the security of their online transactions: Businesses do not enjoy the same legal protections afforded to consumers, and thus are responsible for any losses due to cyber theft or fraud."