Focus On Enterprise September 15, 2011, 6:00 PM EDT

Banks to Small Business: Online Theft? Tough Luck

Banks are holding companies responsible when their accounts are raided by cybercrooks

Illustration by Matt Dorfman

By and

Two years ago hackers stole $5.2 million from the online account of Experi-Metal, a 135-employee metal products manufacturer in Sterling Heights, Mich. The bank, Comerica, got nearly 90 percent of the money back, but said the unrecoverable $561,000 was Experi-Metal’s problem because the company had allowed a computer to be infected. “The fraud department at Comerica said, ‘What’s wrong with you? How could you let this happen?’ ” says Valiena A. Allison, Experi-Metal’s chief executive officer. The company sued to recover the money, and in June a U.S. District Court judge in Detroit found that Comerica’s response didn’t meet standards of good faith and fair dealing. Comerica agreed to pay almost the entire amount. (The bank declined to comment, beyond saying that the matter was resolved.)

Cybercrooks are stealing as much as $1 billion a year from the accounts of small and midsize companies in the U.S. and Europe, according to estimates from Dell SecureWorks, a security arm of the PC maker. Overseas gangs target small commercial accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren’t covered by fraud insurance, as individual accounts are, and businesses often find themselves on the hook for losses. “Everyone expects their bank to protect them,” says Avivah Litan, an analyst at tech researcher Gartner. “Businesses are not equipped to deal with this problem, and banks are barely equipped.”

Hacking losses dwarf the $43 million the FBI says was taken last year in conventional bank heists, and authorities are struggling to keep up with criminals abroad, whose trails turn cold fast. For perpetrators, profits can be staggering and risks minimal. In a bust last September, federal prosecutors in Manhattan arrested dozens of middlemen in a cyberfraud ring that they say had stolen $70 million. Although police in Ukraine questioned five people in the case, the FBI says, no ringleader was arrested.

Both the FBI and the U.S. Secret Service, which investigates financial crimes such as counterfeiting, have boosted manpower to fight online thefts. Despite the difficulty in tracking thieves overseas, investigators insist they aren’t overwhelmed. “I don’t think it’s right to conclude that because there are not a lot of arrests that law enforcement is not doing its job,” says Gordon M. Snow, assistant director of the FBI’s cyberdivision.

If cops fail to get the money, courts don’t always help small businesses. Patco Construction, a 22-employee builder in Sanford, Me., lost $354,444 in 2009 after cyberthieves hacked its accounts, co-owner Mark Patterson says. When the bank, now named People’s United Bank, rebuffed his attempts to reach a settlement, he sued. He argued the bank should have better monitored his account. Federal judges have twice agreed with the People’s United contention that its protections were “commercially reasonable.” Patterson plans a further appeal.

The Patco rulings infuriated James R. Woodhill, a venture capitalist leading an effort to get smaller banks to upgrade online security. Woodhill, who co-founded cybersecurity firm Authentify in 1999, wants Congress to require banks to warn commercial clients explicitly of the dangers of cyberfraud. “I can’t fathom how one could consider a security procedure that makes it easy for people to steal money from school districts, churches, and small businesses to be commercially reasonable,” Woodhill says. Last year Senator Charles E. Schumer (D-N.Y.) introduced a bill to make banks extend cyberfraud protection, already required for individual depositors, to small business clients.

The American Bankers Assn. says businesses might get lax about security if they knew fraud losses would be covered. “The goal is to … have a partnership between a business and a bank and recognize that every one of those partners has a responsibility to secure the environment,” says Doug Johnson, senior policy analyst for the ABA. “If you put in a provision that takes away any responsibility, it gives the commercial customer no motivation to be active partners with the bank.”
