While it’s quite typical for my blogs to take shots at the banks for failing to implement effective security controls, and at the financial regulators for being too slow at releasing guidelines, I think it’s time to emphasize that fighting fraud is a team effort.
By coincidence, my last blog entry, in early July, ended with this exact recommendation. Within a week, news came out that a bank, BancorpSouth, is suing its customer for failing to adopt security controls, a failure that made it easy for criminals to steal about $400,000.
Interesting. I’ve read several articles about banks counter-suing their customers after a fraud loss. Typically, the bank’s claim is pretty lame. One example is found in a blog on the Ocean Bank/Patco Construction case last year. Well, in BancorpSouth versus Choice Escrow and Land Title, the situation is quite different.
As reported by Tracy Kitten at Bank Information Security, BancorpSouth attempted, on several occasions, to get its customer to adopt available security controls to help protect against fraudulent wire transfers:
“In April 2009, when Choice Escrow signed up for the bank’s InView Automated Information Reporting Services, which include account access and management and provide businesses with the ability to schedule wire transfers, it opted out of the dual-control option, the counterclaim says. Later in 2009, Choice Escrow again declined to sign for the dual-control feature after BancorpSouth asked the business to acknowledge in writing that it had voluntarily chosen not to use the feature, according to the counterclaim.”
Dual controls are actually a very old and proven technique used in both the physical world and in online banking. A simple example of dual controls is when two individuals hold separate keys and both keys are required to open a lock (e.g., a safe deposit box).
Dual controls are also used online to protect against unauthorized transactions: typically, a supervisor approves a transaction initiated by someone within their department. While dual-control mechanisms are not “bulletproof” protection against advanced fraud attacks, there is a very good chance that the fraud would never have occurred in this particular situation had they been used.
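A sketch of how an online wire-transfer queue can enforce the dual control described above, added here as an illustration and not taken from any bank's system. The `WireDesk` class, its field names, and the user names are hypothetical; the `dual_control=False` setting models a customer who has opted out.

```python
from dataclasses import dataclass
from itertools import count

class DualControlError(Exception):
    """Raised when a request would violate the dual-control policy."""

@dataclass
class Wire:
    wire_id: int
    initiator: str
    amount_cents: int
    beneficiary: str
    approver: str = ""
    released: bool = False

class WireDesk:
    """Hypothetical wire queue for one business customer (names are illustrative)."""

    def __init__(self, users, dual_control=True):
        self.users = set(users)
        self.dual_control = dual_control  # False models a customer who opted out
        self.pending = {}
        self.audit_log = []               # (event, user, wire_id) for every decision
        self._ids = count(1)

    def _check_user(self, user):
        if user not in self.users:
            raise DualControlError(f"{user} is not an authorized user")

    def initiate(self, user, amount_cents, beneficiary):
        self._check_user(user)
        wire = Wire(next(self._ids), user, amount_cents, beneficiary)
        self.audit_log.append(("initiate", user, wire.wire_id))
        if self.dual_control:
            self.pending[wire.wire_id] = wire  # held until a second person approves
        else:
            wire.released = True               # one credential is enough to move money
            self.audit_log.append(("release", user, wire.wire_id))
        return wire

    def approve(self, user, wire_id):
        self._check_user(user)
        wire = self.pending.get(wire_id)
        if wire is None:
            raise DualControlError("no pending wire with that id")
        if user == wire.initiator:
            self.audit_log.append(("self-approval-denied", user, wire_id))
            raise DualControlError("initiator cannot approve their own wire")
        wire.approver, wire.released = user, True
        del self.pending[wire_id]
        self.audit_log.append(("release", user, wire_id))
        return wire
```

The denied self-approval is written to the audit log as well as rejected, so an attempt to release a wire with a single credential leaves a record that can be reviewed.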
So, let me say it again: fighting fraud is a team effort. As consumers, small-business owners, or CFOs in large corporations, we all need to educate ourselves about the risks of conducting business online. AND, we need to take advantage of the security controls our banks offer to us. Without everyone doing their part, the criminals will quickly exploit the weak link.