What constitutes adequate security for a bank? PlainsCapital Bank in Lubbock, Texas says what it currently has is enough, and if after all that some crooks still manage to steal your money, it’s not the bank’s fault. The bank has preemptively sued a business customer, Hillary Machinery, to absolve itself from any liability on what it couldn’t get back from the more than $800,000 that was stolen by foreign hackers last November.
PlainsCapital argues that it uses every reasonable security method to protect its customers’ assets, and it points out that the attackers used valid login credentials. In fact, in the lawsuit the bank argues that it “accepted the wire transfer orders in good faith,” shifting the responsibility entirely over to Hillary Machinery. But nobody seems to know how the attackers got the credentials, and I’d hope any bank I loan my money to would employ multiple security protocols in the event a particular wall is breached, as in this case. Things like, I don’t know, looking for suspicious transaction patterns. Or noticing when a customer’s newly authorized computer has an IP address located in Romania instead of Plano, TX.
That’s basically what Hillary Machinery thinks, too. Troy Owen, a vice president at the company, says the transactions were different enough from the company’s regular activity that they should have raised multiple red flags at the bank They all happened in rapid succession, the payments were being sent overseas to payees Hillary had never done business with, and some of them were for amounts much large than Hillary usually made. And then there’s that IP address problem:
According to Owen, the thefts were enabled by the weak authentication measures employed by the bank. In addition to usernames and passwords, the only other authentication the bank required was for users to register the systems they used for online banking transactions. However, that measure was clearly not strong enough, because in this case, the cyber thieves were able to log into Hillary’s account using systems that were based in Romania and Italy, he said.
A memo supplied by the bank to Hillary shows that the bank received two requests to register computers on the company’s behalf just before the attacks. Though the requests appeared to come from a Hillary e-mail address, the computers from which they were sent had IP addresses based in Italy and Romania, Owen said.
“They never challenged whoever logged in with a different computer. There was never any red flag,” Owen said. Though PlainsCapital has claimed that registering the computer represents a second form of authentication, the thefts show that it wasn’t a strong enough measure, he contended.