X.com, a Palo Alto, California-based online bank, recently allowed customers who were setting up new accounts to specify the account number from which funds were being transferred. Unfortunately, X.com did not verify whether the person who was setting up the account had the right to transfer those funds.
This sort of security breach brings into serious question whether the U.S. banking system is ready to protect existing bank accounts from cyber criminals.
So far, at least one person has taken advantage of the flaw in the system. That individual bragged to an Internet newsgroup that he or she had transferred US$25,000 from an account that “has millions of dollars in funds” and had withdrawn $4,500 in cash.
Although X.com claims that the amount of purloined funds “is not significant,” the company has nonetheless contacted law enforcement officials because of the incident. It is not clear, however, what type of crime the person who transferred the funds has committed, if any.
Is Bank Security Ready for E-Commerce?
Online banking is designed to increase convenience for the consumer, while reducing banking costs. Already, Telebank, a division of E*TRADE; Wingspan, a division of Bank One; and Charles Schwab are all promoting their online consumer banking services.
In addition, numerous brick-and-mortar banks allow customers to perform banking services online, such as paying bills and transferring funds among accounts.
Critics of online banking, however, assert that the industry has rushed to get online without appropriately confronting issues that could compromise its integrity. These critics maintain that there are heavy risks involved that could directly affect consumers, and most of them have to do with transaction and account security.
Security Breach Associated with Account Set-Up
X.com, a division of First Western National Bank of La Jara, Colorado, has been operational online since early last month. It offers online banking services and investment products via its partnership with Barclays Global Investors (BGI), an institutional investment firm worth more than $680 billion in assets.
X.com’s security flaw arose during its first month of operation, which began on December 10, 1999. During that period, X.com allowed customers to open accounts by filling out an online form that specified the account number and the amount of funds to be transferred into the customer’s new online account.
X.com then sent instructions to the Automated Clearinghouse (ACH) system used by banks worldwide to transfer money from the specified account to the customer’s new X.com account. The problem is that X.com apparently did not require any verification from the customer that he or she had the right to transfer funds from that account.
Security Breach or Weak Procedures
The X.com story is not a case of a security breach. It is a case of X.com not thinking through the procedures for doing business online to recognize where security is lax.
While a recent report from Arthur Andersen criticized financial services firms for not moving quickly enough into online services, the X.com fiasco shows that there may be wisdom in waiting until the kinks are ironed out of the system. People with bank accounts, for example, might perceive a problem with a system in which funds from their accounts can be transferred so easily.
The problem, furthermore, is more than just a lapse of judgment by X.com. The ACH system relies on the integrity of its members to make accurate requests to transfer funds from one account to another. If all it takes to breach this security is the ability to fool a bank into believing that funds should be transferred, then critics may have a point that the banking system is not ready for e-commerce.
X.com CEO William Harris admitted that the bank had some early problems, but said that his company has since put procedures in place to prevent online banking fraud. As a safeguard, he said, only transfers from accounts in the same name will be accepted when opening an account with X.com.
He added that new customers must also fax or mail a copy of a cancelled check to establish their ownership of an account before transferring money from it.
Consumers Should Cast a Wary Eye on Online Banks
The frightening part of the story is not X.com’s initial lack of judgment. It is the belief that its new procedures are somehow safe. One of the fastest-growing consumer-related frauds is stealing checks from mailboxes, and then creating fake checks.
Imagine what can happen if these same criminals can steal these checks, open an account in that name at an online bank — including sending a fax of a fraudulently “cancelled check” — and then empty those accounts by transferring the money to who knows where.
The bottom line here is that online banks must set up stringent procedures, not cosmetic ones, that protect consumers from having their accounts pilfered by online criminals. Until there is real security, consumers should be very concerned with the integrity of their accounts.