Did you hear about the unfortunate heist in Eliot, ME in the US, earlier this month? As reported by blogger-turned-detective @briankrebs, computer crooks in Eastern Europe stole $28,000 from the New England town of Eliot in Maine. Brian Krebs alerted the town controller to the possibility that its accounts were being emptied as money was being laundered via the Ukraine. Read the full story to find out how the alarm was raised, but our point here is to focus on how this could have been prevented.
Ultimately, banks aren’t deploying enough security. Despite all the recent hype around the updated FFIEC guidelines on the back of the likes of the Citi data breach, few banks are actually doing anything about it. Indeed, Brian Krebs even raised the question of whether the new FFIEC guidelines would provide enough protection for SMEs and now look at what’s happened to a small innocent town.
The current threat landscape is the online equivalent of the Yankees versus a small town’s Little League baseball team. The level of sophistication of the “bad guys” is truly remarkable and even more so when compared to the feeble defenses in place against them. The point missed in this case is that the town is at the mercy of the bank, which had done the absolute minimum and its approach to security was not designed to protect the customer but to protect the bank from examiners and lawsuits. They did comply with the FFIEC guidance minimum requirements, which is likely to prove enough in court as we have recently blogged about, but it’s probably not enough for their customers who are unlikely to get their money back.
What we are seeing emerge is a scenario of customer versus bank. Customers need to be made aware of the protections that could be in place – and then demand them from their banks. While the new guidelines set out from the FFIEC help support the notion that stronger authentication and security measures are required (of Yankee strength), it’s no good waiting until it’s too late. All banks need to take action now, before their customers lose out and defect to a bigger and better player.
