While the limelight on the security front tends to be focused on break-ins at well-recognized companies, the unpalatable truth is that hackers have been busy targeting SMBs. And these criminals are succeeding in making off with the money, too, if the recent court case brought against Professional Business Bank in the California Superior Court in Los Angeles is any indication.
As reported on Dark Reading, hackers apparently made off with some $465,000 in March 2010 from a small business called Village View Escrow Inc. Lawyers for Village View Escrow say that Professional Business Bank led the company to believe that it employed "safe online banking practices" when an account was opened with the bank in 2008. The complaint cited the bank's failure to employ a reasonable security system as well as failure to accept funds transfer orders in compliance with security procedures selected by Village View Escrow.
This is apparently not the first time that such a lawsuit has surfaced in court, according to George Tubin, an analyst for Tower Group. Small business plaintiffs have lost similar cases in the past to banks that cited adherence to guidance titled "Authentication in an Internet Banking Environment," which was released by the Federal Financial Institutions Examination Council (FFIEC) in 2005. Unfortunately for SMBs, the FFIEC guidance only recommends two-factor authentication technologies, which Dark Reading says can be gamed by hackers today.
As a result, small companies that have been hacked are forced to settle out of court for pennies on the dollar in their pilfered accounts. In addition, some lawsuits never end up in court.
In a separate report published in The Wall Street Journal, an agent in the Federal Bureau of Investigation's cyber division admitted that hackers targeting small businesses are a "prolific problem." And, "It's going to get much worse before it gets better," says Special Agent Dean Kinsman. The root of the matter is that smaller companies are far less likely to recognize the true nature of the security threat, at a time when even the smallest businesses are making use of Internet-connected computers to run their businesses.
Yet a single attack could literally put a smaller outfit out of business or dramatically eat into the annual profits of a mid-sized company. For example, a restaurant called Burger Me LLC in Bellingham, Wash., saw its computerized cash register hacked. Credit card data stolen from the terminal was used by criminals to rack up fraudulent charges, which cost former owner Rich Griffith his dream when a credit card company reacted by shutting down the company's account. Thousands of dollars in incoming payments were also frozen:
By late 2008, fees and lost business from not being able to accept credit cards put Mr. Griffith in so much debt - $12,000 for investigation and remediation costs alone - that he closed his formerly break-even burger joint.
There really isn't an easy answer to the problem, though it would probably help if banks were to implement software capable of detecting anomalous behavior such as large transfers of funds to overseas accounts. In addition, SMBs must take heed of the threat and take immediate steps to bolster their security.