http://www.dailymail.co.uk/money/saving/article-2465839/Bankline-fraud-NatWest-business-accounts-hit-online-scam.html
'Fraudsters stole £100k from our account - but bank says we're liable': NatWest business accounts hit by online scam
By LEE BOYCE
Running a small business on tight finances is tough at the best of times - so envisage discovering that more than £100,000 had been stolen from your firm's accounts by fraudsters who were able to compromise your bank's internet security.
That is the situation Jonathan Kemp now faces after scammers used a sophisticated computer virus to lurk in the background while a staff member unwittingly entered security details into a fake version of NatWest internet banking.
Now his company, Birkenhead-based varnish producer AEV Ltd, faces a massive £100,000 hit after NatWest said the theft was down to the firm's negligence, not to weakness in its security systems.
Huge losses: Jonathan Kemp, director of AEV Ltd, fears the company will go out of business after NatWest refused to refund the money lost to fraud
Jonathan's was one of two businesses that contacted This is Money after we covered a similar case involving bakery firm Truffles earlier this month. The other, GB Electrical and Building Services Ltd, saw £24,150 swiped from its accounts (see below).
All three businesses held NatWest accounts and all three frauds came to light within a short period in September.
AEV had its money nabbed by fraudsters on 19 September. Its financial controller logged into Bankline – the service NatWest offers business customers – and accessed the site via a 'bookmark' in the computer's internet browser. Unusually, Bankline prompted her to enter her ‘Smartcard Pin’.
This is a number that NatWest requires account-holders to enter into a small card-reader device that the bank gives them. The device then produces a code that must be entered online. The Smartcard Pin itself is not normally entered directly into the internet banking site.
The AEV staff member, having seen internet banking security measures change several times over the years, assumed this must have been some new update. After entering the Smartcard Pin the website displayed a message that she had entered it incorrectly and requested it again.
When she eventually saw the balances on the firm's multi-currency accounts she noticed two unexplained payments had been made - one from its US dollar account for $30,000 and the other from its Euro account for just under €100,000. The withdrawals plunged the account more than £70,000 beyond its overdraft limit.
HOW ONLINE FRAUD IS GROWING
According to official police figures released today, fraud is growing.
In the Office for National Statistics report, it said: ‘The extent of fraud is difficult to measure because it is a deceptive crime, often targeted at organisations rather than individuals.’
The stats regarding fraud are startling. Between July 2012 and June 2013, there were 230,335 cases of reported fraud.
Between July 2011 and June 2012 there were 191,007, and between April 2007 and March 2008 there were 145,032. And these are just the reported cases.
Unfortunately, these statistics are not split out for organisations and individuals, so it is difficult to see if business fraud is growing.
She immediately phoned the bank and told them there had been a mistake. They advised her the payments were real, but looked suspicious as they were made to the Ukraine and Cyprus.
AEV had fallen victim to a malware attack - similar to the Truffles case. A virus is downloaded to a computer, usually via an email that appears to be from a trusted source, allowing fraudsters to present a fake version of the internet banking site when the user attempts to log on.
It later transpired the virus may have been delivered in an email purporting to be from an AEV supplier.
The company phoned the police and were given a crime reference number, although officers said the matter had to be dealt with by the bank.
The business then spoke to the fraud team at NatWest. The next day, the staff member was interviewed via telephone by a member of the fraud team investigating the case. The investigator in turn spoke to Jonathan, who was told the case would result in a report being made to the NatWest executive board.
Encouragingly, on 30 September $30,000 was returned to AEV’s account.
But on 11 October an investigating team member spoke to Jonathan again and informed him the executive board had found AEV liable for the outstanding loss on the euros. It said the money was unrecoverable and as such it would extend the company's overdraft but then have this repaid over time.
NatWest said AEV’s liability was based on the fact it breached terms and conditions of Bankline. It said that it had told the company via pages on its internet banking website and in emails that it would never ask for a Smartcard Pin, notwithstanding the fact users are expected to enter the Pin into the card-reader device.
Jonathan said: ‘I must state that NatWest have supported us through the process by extending our overdraft facilities to account for the loss.
‘However, I have now been informed by my relationship manager that they will be looking to bring the facilities into line within a “reasonable period of time”’.
Jonathan has since been offered a loan by NatWest to make repaying the losses less costly – but he is furious with the bank and is considering legal action.
He is angry that a payment so far above the company's credit limit was allowed and cannot believe NatWest allowed this to happen without flagging up the payments.
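The control Jonathan argues was missing is a pre-release screen on outbound payments that holds unusual ones for a human check. The following Python is an added illustration, not NatWest's or Bankline's code: the amounts, times and beneficiary banks mirror the AEV case as reported, while the account balances, overdraft figures, rule thresholds and country watch list are constructed assumptions.

```python
"""Pre-release screening of business online-banking payments (illustration).

Not bank code. Balances, limits, thresholds and the watch list below are
assumptions; amounts, times and beneficiary banks follow the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    currency: str
    balance: float          # positive = in credit, in account currency
    overdraft_limit: float  # agreed facility, in account currency


@dataclass
class Payment:
    when: datetime
    amount: float
    beneficiary_bank: str
    beneficiary_country: str  # ISO 3166 alpha-2


@dataclass
class Session:
    pin_prompts: int  # smartcard challenges requested during log-on
    known_beneficiaries: set = field(default_factory=set)
    recent_payments: list = field(default_factory=list)


# Constructed watch list for the example (assumption, not a real bank list).
HIGH_RISK_COUNTRIES = {"UA", "CY"}


def screen_payment(acct, pay, session, max_burst=2,
                   burst_window=timedelta(minutes=10)):
    """Return the reasons a payment should be held for manual review.

    An empty list means release. The control holds rather than rejects:
    a genuine customer can phone in to confirm, a fraudster cannot.
    """
    reasons = []
    post_balance = acct.balance - pay.amount
    if post_balance < -acct.overdraft_limit:
        excess = -(post_balance + acct.overdraft_limit)
        reasons.append(f"exceeds overdraft facility by {excess:.2f} {acct.currency}")
    if pay.beneficiary_bank not in session.known_beneficiaries:
        reasons.append("first payment to this beneficiary")
    if pay.beneficiary_country in HIGH_RISK_COUNTRIES:
        reasons.append(f"beneficiary country {pay.beneficiary_country} on watch list")
    if session.pin_prompts > 1:
        # The bank never asks for the smartcard code more than once at log-on,
        # so repeated prompts are a sign the session is being relayed.
        reasons.append("smartcard challenge requested more than once at log-on")
    recent = [p for p in session.recent_payments if pay.when - p.when <= burst_window]
    if len(recent) + 1 >= max_burst:
        reasons.append(f"{len(recent) + 1} outbound payments within {burst_window}")
    return reasons


def aev_demo():
    """Run a clean payment and the two AEV payments through the screen."""
    day = datetime(2013, 9, 19)
    # Routine payment to a known supplier from a healthy session (constructed).
    clean = Session(pin_prompts=1, known_beneficiaries={"Supplier Bank UK"})
    gbp = Account("GBP", 12000.0, 5000.0)
    legit = screen_payment(gbp, Payment(day.replace(hour=10), 2000.0, "Supplier Bank UK", "GB"), clean)
    # Compromised session: repeated PIN prompts, two fast payments abroad.
    bad = Session(pin_prompts=2, known_beneficiaries={"Supplier Bank UK"})
    usd = Account("USD", 5000.0, 10000.0)
    p1 = Payment(day.replace(hour=14, minute=54), 30000.0, "First Ukrainian International Bank", "UA")
    usd_reasons = screen_payment(usd, p1, bad)
    bad.recent_payments.append(p1)  # released for the demo, as happened in the case
    eur = Account("EUR", 20000.0, 15000.0)
    p2 = Payment(day.replace(hour=14, minute=59), 99855.0, "Bank of Cyprus", "CY")
    eur_reasons = screen_payment(eur, p2, bad)
    return {"legit": legit, "usd": usd_reasons, "eur": eur_reasons}
```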
Jonathan added: ‘If we lose this money, I fear the company will go out of business and the 22 members of staff will lose their livelihood.’
He said the business had comprehensive Avast anti-virus software on both PCs installed by an outsourced IT firm.
Trusteer Rapport, the anti-virus software that NatWest recommends users install, was not on either of the PCs as ‘they slowed the computers down to an unusable level.’
NatWest takes no liability for the AEV fraud
In a letter dated 17 October 2013 to AEV, the bank says it ‘does not accept it has any liability to the company for any loss arising out of these transactions.’
It goes on to outline the reasons why it thinks this, including that it would never ask for a Pin to log-in and customers should have Rapport security software installed.
It adds: ‘During the Bankline process [the user] was twice requested to provide characters from her password and Pin.
‘In addition, during the log on process, [the user] also provided two smartcard codes when prompted. As referenced above, the bank has made it clear in commentary sent to the company that we will “never ask for a challenge code from your smartcard and reader in order to log-in or confirm your identity”’.
‘As a result of these actions, two transactions were carried out at 14.54 and 14.59 on 19 September as detailed in the table above. The payments were made to beneficiary accounts maintained at Bank of Cyprus and First Ukrainian International Bank.
‘At approximately 15:10 on 19 September 2013, [the user] contacted the bank to advise the transactions were not authorised. As a result of the call, the bank commenced recovery actions by contacting the beneficiary banks in an attempt to secure any remaining funds that had been paid away.’
‘We believe the company has been the subject of a malware attack. [The user] has confirmed that an email received from what appeared to be a legitimate supplier of the company may not have been genuine.
‘This may have facilitated a Trojan to be downloaded onto your IT platform, which resulted in Bankline security details being compromised allowing a third-party to access the Bankline facility.’
‘We have contacted the Bank of Cyprus in relation to the payment for €99,855 and are awaiting a response.’
Unhappy businesses: Despite having large amounts of money taken from accounts, NatWest is refusing to refund
‘£24k has been swiped from us and there is nothing we can do’
On 6 September 2013 a staff member at Hereford-based GE Electrical and Building Services Ltd logged onto the NatWest Bankline system. A message popped up saying it wasn't possible to access the system because maintenance was being carried out between 8am and 3pm that day.
However, another member of staff logged on via another computer with no problem. Only one of the four company computers was getting the maintenance message.
When staff accessed Bankline again at 11.20am they noticed a CHAPS payment made that morning at 8.23am for £24,150.
After being informed of the unexplained payment, NatWest contacted the payee’s bank, Barclays, and managed to recover £3,800 of the missing money. There is so far no explanation why more of the money cannot be recovered.
Once again NatWest has refused to refund the loss. It said a card reader would have been required and that GE must have given the Smartcard Pin out over the phone to someone purporting to be from the bank, or else may have given the code via email.
Sue Pickering, director of GE, said: ‘None of my staff are daft enough to do such a thing. They know that, just like their Pin code for their own accounts, this is something that you never reveal to anyone else.
‘Who is to say that once someone has got into your bank system that they can’t order a user card and Pin number? Any NatWest card reader can be used and they are easily available.
‘I am very disappointed with NatWest. We have banked with them since 1991 and I have my personal accounts and three mortgages with them as well. They obviously don’t value my business.’
The company didn’t have Trusteer Rapport installed on the machine as it isn’t ‘mandatory’. It has also been put off by complaints that it slows PCs down to ‘unusable levels’.
Approached to comment on the three frauds reported to This is Money, a NatWest spokesperson said: ‘We know how distressing fraud can be for all involved and we provide support to our customers when they become victims to deal with the consequences.
‘We regularly inform customers to never divulge their secure information online or over the phone, and we strongly recommend that all customers download and keep updated computer security software.
‘Customers should contact us immediately if they believe their account has been compromised. It is particularly important within businesses that this advice is shared to all staff who access the bank account.’
This is worrying for businesses – are they safe to bank online?
Comment by This is Money banking correspondent Lee Boyce
We all expect to be able to bank safely and securely online – and this includes small businesses.
But these three decisions from NatWest are tough to swallow.
None of the three firms can be said to have done a whole lot wrong; they simply fell into complicated traps designed by fraudsters to fool them.
In total, almost £150,000 has been swiped from AEV, GE Electricals and Truffles. These are huge sums for any small business to shoulder.
The fraud is complex and highly developed software was used – who can genuinely say they would not fall prey to such an operation, even those who are internet savvy?
It leaves me concerned about small businesses using online banking – after all, small businesses are more likely to hold more cash than individuals in their account, so in turn could be lucrative targets for fraudsters.
The only option left for the businesses is to take the case to court, but the process could be costly and there is no guaranteed success. They cannot turn to the Financial Ombudsman Service because they are too large – the FOS only deals with businesses with less than 10 staff.
If this were an individual who had money stolen by fraudsters online, I believe there is a reasonable chance an FOS adjudicator would judge that all three businesses had not been negligent.
All of these businesses have been left between a rock and a hard place. Stronger rules need to be set out in terms of online banking and especially business customers.
Perhaps the FOS could extend the rules slightly to help out more small businesses who could face closure through online fraud otherwise.
ARE YOU A SMALL BUSINESS THAT HAS BEEN HIT BY ONLINE BANKING FRAUD? I would love to hear from you – please e-mail lee.boyce@thisismoney.co.uk
HOW FRAUDSTERS ARE ATTACKING BANK USERS ONLINE
Gangs of fraudsters are using sophisticated financial malware to target online banking customers, especially those located in the UK.
It is a multi-billion dollar worldwide industry and a serious headache to banks.
Phishing e-mails are among the most common causes of online banking fraud, but there are more advanced scams.
These can include pop-ups on websites which infect the user with financial malware once they simply hover the cursor over the pop-up.
While NatWest provides a free download of the Trusteer Rapport software, it does not insist customers have it or signpost exactly why people should use it, without clicking through numerous screens and explanations.
In the past, This is Money has also been told by various readers that this anti-virus seriously slows down PCs making them ‘unusable’.
Experts describe financial malware as among the most sophisticated viruses around, built so that consumers do not notice it – it is ‘silent’.
Malware and Trojan viruses work by sitting in the background of a computer and are triggered when an unsuspecting victim logs into a financial website.
It often then directs bank customers to an official-looking web page in a different browser and captures the details as they type them in – often Pin numbers and passwords.
Installing Rapport will usually block this other browser and essentially cripples it, offering customers layers of protection.
Customers can unwittingly ‘catch’ viruses from a number of sources, including downloads and getting it from legitimate websites – especially if their anti-virus software is not up to date.
Data Breach Roundup: September 2013
A surprising number of last month's data breaches involved the theft or loss of laptops or hard drives.
This month eSecurity Planet takes a look back at the data breaches we covered in September, providing an admittedly unscientific but potentially interesting overview of the current breach landscape.
What follows is a list of such breaches by category, noting what happened, what data was exposed, and what (if anything) the organization is doing to help those affected – along with a few comments by industry experts.
Burglary/Loss
A surprising proportion of the breaches in September resulted from the theft or loss of laptops or hard drives, many of them unencrypted. Chester Wisniewski, senior security advisor at Sophos, says unencrypted laptops at this point are simply gross negligence. "We should have zero tolerance for this behavior in 2013," he says.
Buckeye Check Cashing. A laptop was stolen from a vehicle, exposing an undisclosed number of names, addresses, bank account information and/or Social Security numbers. All those affected were offered one year of Experian's ProtectMyID Alert service.
Dr. Hankyu Chung. A password-protected laptop was stolen, exposing an undisclosed number of patients' names, phone numbers, birthdates and medical records, including visit dates, complaints, physical examination notes, diagnoses, and testing and medication information.
Edgewood Partners Insurance Center. Five password-protected but unencrypted laptops were stolen, exposing an undisclosed number of names, addresses, birthdates, driver's license numbers, benefits information and Social Security numbers, along with some bank account information and health information. All those affected were offered one year of Experian's ProtectMyID Alert service.
InterContinental Mark Hopkins San Francisco. A hard drive was accessed but not stolen during a burglary, potentially exposing an undisclosed number of guests' names, mailing addresses, email addresses, phone numbers and credit/debit card numbers.
NHC Healthcare. An unencrypted backup tape was discovered missing. The backup tape contained an undisclosed number of patients’ names, Social Security numbers, birthdates, home addresses and medical information.
Olson & White Orthodontics. Password-protected computers were stolen. Ten thousand patients' names, addresses, x-rays, photos and diagnostic findings were exposed, along with parents' or insured parties' names, email addresses, Social Security numbers and credit scores.
St. Anthony's Medical Center. A password-protected laptop and flash drive were stolen, providing the thieves with access to 2,600 patients' names and birthdates, and possibly their medical records.
UTHealth. An unencrypted laptop was discovered missing. The laptop contained 596 patients' names, birthdates and medical record numbers.
Employee Error
Columbia University Medical Center. A hidden column in a widely emailed spreadsheet contained personal data, exposing 407 medical students' names and Social Security numbers. All those affected were offered one year of Experian's ProtectMyID Alert service.
Georgia Department of Labor. An employee mistakenly emailed a spreadsheet containing 4,457 people's names, Social Security numbers, phone numbers and email addresses to approximately 1,000 people. All those affected are being offered credit monitoring services from Equifax.
Hill Air Force Base. An employee forwarded sensitive data to an unprotected email address in order to work from home, potentially exposing 525 Air Force employees' names and Social Security numbers.
PLS Financial. A programming error exposed customers’ names, addresses, email addresses and Social Security numbers. All those affected were offered one year of Experian's ProtectMyID Alert service.
Virginia Department of Human Resources Management. A Conexis employee mistakenly sent 13,000 state employees' personal information, including names and Social Security numbers, to 11 state employees. Free credit monitoring and identity theft protection services are being provided to all those affected.
Hackers
BEL USA LLC. A server was breached, exposing an undisclosed number of customers' names, addresses, phone numbers, credit or debit card numbers, expiration dates and CVV codes.
Bell Helicopter. A database was breached, exposing an undisclosed number of email addresses along with some credit card numbers. All those affected were offered one year of Experian's ProtectMyID Alert service.
Creative Banner Assemblies. The company’s website was hacked and infected with malware, providing the hackers with access to 232 customers' names, addresses, phone numbers and credit card information. All those affected were offered one year of credit monitoring and identity theft protection through ITAC Sentinel Plus.
ICG America. The company’s payment processing system was hacked, exposing an undisclosed number of customers’ names, addresses, email addresses, credit/debit card numbers, expiration and CVV codes.
NetCologne. The company’s website was hacked via SQL injection. The hackers published a list of 15 user names, encrypted passwords, email addresses, registration dates and display names.
Outdoor Network, LLC. The company’s website was hacked and infected with malware, providing the hackers with access to an undisclosed number of customers' names, addresses, credit card numbers, expiration dates and CVV codes.
Unique Vintage. The company’s website was hacked and infected with malware, providing the hackers with access to an undisclosed number of customers’ names, email addresses, phone numbers and credit card numbers.
Virginia Tech. A server in the university’s human resources department was hacked, exposing 144,963 job applicants’ names, addresses, employment history, education history and prior convictions, along with 16,642 applicants’ driver’s license numbers.
Insider Attack
These types of attacks are particularly preventable, according to Camouflage Software president and CEO Kevin Duggan, because they’re often the result of personnel having access to sensitive data that’s not required for them to do their jobs.
"The main question these organizations need to be asking is: Did the individuals from whom the data was stolen really need access to the sensitive portion of the data in order to do their jobs? In many cases, the answer is a resounding no," Duggan says.
Other methods of mitigating insider threat risks include creating effective data loss prevention policies, such as restricting data access by file type and/or user privilege level; encrypting data; and investing in software that monitors, analyzes and potentially stops files containing sensitive data from moving out of the business network.
State Farm. A call center employee stole customers’ credit card numbers. Nearly 700 customers were potentially affected.
Vodafone Germany. The company says the breach was only made possible through insider access. Two million customers' names, addresses, birthdates, genders, bank sort codes and account numbers were accessed.
Partner Company Hacked
Medical University of South Carolina. Credit card processor Blackhawk Consulting Group was hacked, exposing 7,000 customers' names, billing addresses, email addresses, credit/debit card numbers, expiration dates and CVV numbers. All those affected are being offered one year of credit protection from Experian.
Paymast'r Services. A website hosted by the company’s service partner was hacked, exposing an undisclosed number of names, addresses, Social Security numbers, driver's license numbers and payroll card numbers.
Windhaven Investment Management. A third-party vendor’s Web server was hacked, exposing an undisclosed number of clients’ names, account numbers, custodians, and investment positions. All those affected were offered one year of credit monitoring from Equifax.
Spear Phishing
Spear phishing attacks can occur by getting employees to open malicious email attachments. While email gateways and anti-virus scanners can detect many of those attachments, experts see an increase in spear phishing attacks in which fraudsters instead entice people to click on links that take them to websites that attempt to exploit common security vulnerabilities.
To decrease the likelihood that these attacks will occur, it's a good idea to train staff to recognize both suspicious attachments and links. Some vendors also offer products that help companies gauge the effectiveness of education efforts by allowing companies to send simulated spear phishing emails to employees after they have received training.
U.S. House of Representatives. A spear phishing attack appears to have provided hackers with access to five names, email addresses, encrypted passwords, IP addresses and photos.
Morning Fred,
It's a cool morning down here in VA; think I'll finally paint and install my rocket stove in the fireplace. I guess I'd better test it again too; the last test was a good one, but I added some height to it since then. Keep your fingers crossed: with Grid -xxx coming I might need that thing.
Loved the Jim Willie link as always, had to follow that one and read the whole article.
Bitcoin up a good bit, again mentioned as an indicator. I'm thinking that since it's less manipulated, the early signs of hyperinflation will show up there before they show up in the precious metals.
I could keep going with the comments on the many articles, but you and I are on the same page so no need. Have a great rest of the weekend.
Morning Kev! Good day to work on that "Honey Do" list, right? Lol!
As usual, many interesting items in the news and interesting views to consider!
The Jim Willie piece was good; Friday night's Doug Noland (a link at Ed Steer's Gold and Silver post for Saturday) is also a must-read missive!
BitCoin has not been attacked lately, so BitCoin has that going for it! To me, BitCoin is an indicator of systemic instability, lack of trust (whether we express that "distrust" as lack of trust in: government policies; death of the rule of law and law enforcement in general; asset confiscation risks; bank deposit risks, here and in Europe; the desire to escape "The Matrix"). Folks are looking for escape hatches; BitCoin is a manner of expression of distrust fears. I agree with and appreciate the distrust concept. My fears are that the BitCoin "escape hatch" can be battened down far too easily for my tastes by the Authorities, there are too many unknowns (hackability of Bitcoin markets, BitCoin ponzi potential and reliability of overseas BitCoin markets and operators) and just a general belief that anything that seems too good to be true usually isn't.
NW has been visiting - good to see he's hanging in there and now posting on our little board here !
Have fun with your tasks today !