What If Your Online Bank Account Is Hacked? Are You Stuck?
By Darrell Delamaide, from Medscape
A modern nightmare: Your bank account is hacked and emptied through unauthorized transfers. Will your bank make you whole? It depends.
Is it covered by the Federal Deposit Insurance Corporation (FDIC)? Nope. Should you worry? Probably.
Cybertheft of banking and brokerage accounts is growing more sophisticated as hackers increasingly target small businesses as well as retail clients. Physicians need to be aware of the risks and liabilities from these attacks, both for their personal and professional accounts.
How Bank Accounts Get Wiped Out
Most people appreciate the convenience of online banking — the 24/7 access from the comfort of home or office and taking care of transactions with a couple of clicks — but it also introduces new risks. Criminals located anywhere in the world might be able to obtain the personal information that enables them to be you online and carry out transactions with your money as if they owned it. What happens next depends on several things, and these are things you should pay attention to.
Regulators and the banking industry have developed fairly uniform methods for protecting depositors: deposit insurance in case of bank failure, and bankers’ blanket bonds in case of ordinary bank theft. But there is no uniformity yet on how to deal with cybertheft.
Bank and securities regulators do have rules about when and how financial institutions must report a breach of their own cybersecurity to clients. However, the actual liability for lost funds depends on the contracts signed by the customer in opening an account.
Many of the bigger banks, such as JPMorgan Chase, guarantee full reimbursement if their security is breached. Still, this is not uniformly the case, and many bank customers have had to go to court to try to recover their funds.
Even more problematic are cases in which an account is hacked because the personal information has been obtained from your computer owing to lack of adequate security or precautions on your part. Some banks are treating this like leaving your purse unattended or having your wallet pickpocketed — “Sorry for your loss, but you should have been more careful.”
Who’s Responsible for Your Account Breach?
According to Chris Loeffler, a cybersecurity expert at the law firm of Kelley, Drye & Warren LLP in Washington, DC, the fundamental question is, “Where is the hack?” If, for instance, someone with authority over the account responds to a “phishing” attack — where the hacker poses as the bank or the Internal Revenue Service, for instance — and releases credentials, “it gets a little problematic,” says Loeffler.
“Like any business, a physician’s account has the responsibility to maintain proper levels of security,” says Doug Johnson, the vice president for risk management at the American Bankers Association. These normally include appropriate levels of authentication, antivirus software, and dual control of the account.
The Uniform Commercial Code, which is binding on physician practices as on all other businesses, requires “commercially reasonable” measures. But just what that term means in the context of cybertheft is still debatable.
If it’s clear that the financial institution is where the breach occurred, Johnson says, then the bank has the liability. If the liability is on the side of the customer, or if there is a breach of security on both sides, then reimbursement becomes a matter of negotiation or even litigation.
Is There Strange Activity in Your Account?
One gray area that has not been fully litigated is to what extent the bank is responsible for monitoring unusual activity in an account and alerting the customer.
“There are new requirements at the federal level about transaction monitoring,” acknowledges Doug Johnson.
The question, says Chris Loeffler, is who is in the best position to monitor the account and to what extent the client has responsibility in this area. “There is not a bright line on this issue right now.”
The difference between identity theft involving credit cards and that involving bank accounts is that the customer sustains an immediate hit when a bank account is pilfered, notes Loeffler. “You are out those dollars immediately,” he says.
Bank accounts are insured by the FDIC up to $250,000, but only in the case of bank failure — and only for actual bank deposits, not for other products, such as money market funds, that might also be on deposit in the bank.
Some of these other products — for example, securities on deposit at a brokerage house — may be covered by the Securities Investor Protection Corporation (SIPC), another federal agency that reimburses clients for securities lost up to $500,000 when a firm fails. (Obviously, the insurance does not cover any loss of value in the securities, only the loss of the securities themselves when they are held by a failed firm.)
But these federal agencies do not insure for loss from cybertheft. The FDIC Website says, “If a third party somehow gains access to your account and transacts business that you would not approve of, you must contact the bank and your local law enforcement authorities, who have jurisdiction over this type of wrongdoing.” In other words: You’re on your own — good luck.
Will Your Bank Refund a Hacking Loss?
Some banks will proactively refund any losses from hacking, says Loeffler. “A lot of it is based on the relationship the bank has with the client,” he says.
In fact, cybersecurity is increasingly an area of service where financial service institutions compete for business. For instance, E*TRADE, which offers diverse financial services online, boasts on its Website, “Our promise to you is simple: E*TRADE Securities LLC or E*TRADE Bank will cover any loss that results from the unauthorized use of our brokerage, banking or lending services.” (Emphasis in the original text.)
In addition to contractual protocols for security, financial institutions will make efforts to educate clients on how to protect themselves.
“Education of the customer often is baked into the agreement,” says Doug Johnson.
Ultimately, however, it is the client’s responsibility to understand exactly what is covered in the contract for the account, and a client should spend some time getting to understand who is responsible for what. “That is a very good conversation for the bank and the client to have,” Johnson says.
In an update last year on Internet security measures for financial institutions, the Federal Financial Institutions Examination Council, which groups all the bank regulators together, put the focus on ongoing risk assessment rather than specific technologies. The council recommended revisiting security measures whenever new threats appear or new products are launched. Because hackers are always changing and upgrading their methods, security must also be dynamic.
A Separate Computer for Your Banking Transactions?
On the customer side, experts suggest use of a stand-alone computer with no Web-browsing functions for financial transactions, especially those involving Automated Clearing House functions. A further precaution would be to have a reserve account to keep excess funds so that the active account only has the minimum necessary. Requiring a call-back from the bank for certain kinds of transactions or amounts also adds a layer of security.
As cyberthieves grow more sophisticated, they have shifted their attention from retail consumers to small businesses, and these could easily include physicians’ practices.
“It’s the low-hanging fruit,” says Chris Loeffler. It just takes the push of a button to send out 10,000 emails in a phishing attack, and if only 1 of those results in obtaining information that enables an account to be hacked, the attack was successful.
Big banks, such as JPMorgan Chase, have more resources to develop cybersecurity measures and bigger balance sheets to absorb losses for the sake of customer relationships. But by the same token, Loeffler notes, they make fatter targets for cybercriminals.
“Small institutions can still do a great job” in cyberprotection, Loeffler says. “There’s no one single solution.”
Brokerage accounts and securities holdings are also subject to hacking attack, but much less often. “Securities are not as liquid,” notes Loeffler. “Even if an account is hacked, assets still have to be converted to cash.” The longer time and bigger amounts involved make it easier for the financial institution to monitor unusual transactions.
But cybertheft is real and growing. Law enforcement agencies have had decades to learn how to work a crime scene for a physical robbery, but many are novices in investigating cybercrime. Banks don’t publicize cyberthefts because they don’t want to scare people away from online banking.
Bottom line: The person in the best position to take precautions and to monitor activity to catch unauthorized transactions is the account holder — you.
Dr. Pinna says:
I constantly worry about the security of my business accounts and our family personal accounts.
Nothing is totally “Good” or totally “Bad.”
Technology, such as computers and the Internet, is Good because it enables us to have a nearly infinite amount of knowledge quickly and easily.
But Bad, because it allows the criminal mind to develop methodology to rob the innocent, hard-working individual or family of their savings.
Governments and financial institutions can do nothing to prevent these acts if the criminal is sufficiently creative and persistent to eventually find a weak link in the lawful area of society.
As the writer of this article advises: It is up to the individual to protect his savings and assets.
Humans have not changed from the days when they lived in the jungles as brutish animals.
Human predators are still seeking the weak and helpless just as they did tens of thousands of years ago.