NEW YORK – Valiena Allison got a call from her bank on a busy morning two years ago about a wire transfer from her companys account. She told the manager she hadnt approved the transfer. The problem was, her computer had.
As Allison, chief executive officer of Sterling Heights, Mich.-based Experi-Metal Inc., was to learn, her company computer was approving other transfers as she spoke. During hours of frantic phone calls with her bank, Allison, 45, was unable to stop this cybercrime in progress as transfer followed transfer. By days end, $5.2 million was gone.
She turned to her bank, a branch of Comerica Inc., to help recover the money for her metal-products firm. It got all but $561,000 of the funds. Then came the surprise: The bank said the loss was Experi-Metals problem because it had allowed Allisons computer to be infected by the hackers.
At the end of the day, the fraud department at Comerica said: Whats wrong with you? How could you let this happen? Allison said.
In increments of a few thousand dollars to a few million per theft, cybercrooks are stealing as much as $1 billion a year from small and midsized bank accounts in the U.S. and Europe like Experi-Metal, according to Don Jackson, a security expert at Dell SecureWorks. And account holders are the big losers.
I think theyre losing more now than to the James Gang and Bonnie and Clyde and the rest of the famous gangs combined, said Sen. Sheldon Whitehouse, D-R.I., who chaired a Select Committee on Intelligence task force on U.S. cybersecurity in 2010.
Organized criminal gangs, operating mostly out of Eastern Europe, target small companies, school districts and local governments that maintain fat commercial bank accounts protected by rudimentary security measures at community or regional banks. The accounts typically arent covered by insurance as individual accounts are.
If everyone knew their money was at risk in small and medium-sized banks, they would move their accounts to JPMorgan Chase, said James Woodhill, a venture capitalist who is leading an effort to get smaller banks to upgrade anti-fraud security for their online banking programs.
JPMorgan Chase, the second-largest U.S. bank, is the only major U.S. bank that insures commercial deposits against the type of hacking that plagues smaller banks, Woodhill said. JPMorgan spokesman Patrick Linehan declined to comment.
Smaller banks as well as many of the victims tend not to make the thefts public, according to interviews with the customers and experts such as Woodhill. As the threat becomes better known, small-business customers and other target entities may shift their business to large, national banks, which can better absorb the losses to maintain customer relations and which have better security policies to protect clients from such crimes.
Its frightening for small businesses because they have no clue about this, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc., which does computer analysis. They just dont have any clue, and everyone expects their bank to protect them. Businesses are not equipped to deal with this problem, and banks are barely equipped.
Customers used to being made whole when they are victims of credit-card fraud or ATM thefts have had to sue small and medium-size banks to recover losses after being blamed by their branches for permitting the crime, as Allison was.
The traditional help of law enforcement hasnt been there either for such customers. In the heyday of bank robberies in the 1930s, the FBI became famous for Tommy-gun shootouts with the bad guys, who were put on the Most Wanted list. In most cases, the identities of the John Dillingers and Pretty Boy Floyds of the 21st century arent known because of online anonymity, and the bureau doesnt disclose statistics on how much these cybercrooks are stealing.
Victims in the last two years have ranged from Green Ford Sales, a car dealership in Abilene, Kan., to Golden State Bridge Inc., a construction company in California wine country. No need to use a mask or gun. These criminals can steal millions from the comfort of their homes dressed in their pajamas.
The crime profits can be staggering and the risks minimal. Jackson, the security expert, said three sophisticated gangs each haul in at least $100 million a year. That dwarfs the $43 million taken in all conventional bank heists in the U.S. last year, from stick-ups to burglaries, according to the FBI.
A $100 million hit on a bank or a series of banks, Whitehouse said. Thats a pretty big bank robbery. And it doesnt even make the press. It just trickles through in FBI tip sheets.
To law enforcement officials, cybercrime is a new priority. Both the FBI and the Secret Service, which has jurisdiction over financial crimes, have boosted manpower to combat computer-enabled robberies and have formed partnerships with foreign law-enforcement agencies.
Those efforts have been swamped by the explosion in e-commerce, said Chris Swecker, a former FBI assistant director who advises companies on cybersecurity. As millions of customers have shifted online, criminals have followed, their hacking tools and nimble criminal organizations racing ahead of old-school law enforcement models.
The banking industrys reluctance to confront this problem head-on has allowed criminals to reinvest some of their booty to create better, more effective malicious software, known as malware, according to Woodhill.
Malware is what hurt Earl Goossen, business manager for Green Ford Sales, when he logged on to the companys payroll account at First Bank Kansas at 7:45 a.m. Nov. 3, 2010. Just two days earlier, hed used his computer to arrange for the bank to send out the $63,000 payroll to employee accounts. Everything went smoothly at first. Goossen responded to a follow-up email request from First Bank Kansas to OK the payroll, just as he did on the 1st and 15th of every month.
Unbeknownst to Goossen, malicious software had infected the computer with a so-called worm, which had the ability to grab passwords, user names and credit card data.
Some malware allows hackers thousands of miles away to take remote control of machines it infects, as if they were sitting at the keyboard. This malware is affordable and easy to obtain. A basic version sells for less than $5,000, Jackson said. Many models, licensed like commercial software from Microsoft and Adobe Systems, even come with tech support, he said.
The worm on Goossens machine allowed thieves to log onto the website of the auto dealers bank using Goossens credentials and set up a second payroll batch for the usual amount for nine non-existent employees. The additional payroll was sent out overnight by First Bank.
The software allowed the hackers to grab Goossens email password and banking details. All they had to do was change the notification email address to a name under their control.
When an amount like Green Fords $63,000 is taken from a bank by gun-toting robbers, the FBI would typically dispatch special agents to cordon off the crime scene and interview witnesses.
No agents arrived in Abilene on Nov. 4, and no one at the company was ever interviewed by the bureau about the theft.
Green Fords owner, Lease Duckwall, filled out a report with local police, who dont have a cybercrime unit. The Kansas Bureau of Investigation examined his computer and found nothing of use. Frustrated, Duckwall turned detective, interviewing bank employees, victims of similar crimes and whoever knew anything about cybertheft. In the end, the trail went cold.
Representatives of the FBI and the Secret Service insist they are not overwhelmed.
I dont think its right to conclude that because there are not a lot of arrests that law enforcement is not doing its job, said Gordon Snow, the FBIs assistant director of the cyber division.