TEXT 8: ONLINE ROBBERY

by Kathy Kristof

Before you read:

1) Who are hackers?

2) Do you know any hacker stories? Have hackers ever tried to attack your computer?

3) What are the advantages and disadvantages of online banking, to your mind?

It’s every technophobe’s nightmare, but this time it’s true. Some $50,000 was stolen from Fan Bao’s online bank account by Croatian computer hackers and the bank told him that the loss is not their problem.

Could it happen to you? Here’s the back story to help fill in who is at risk.

Seven years ago, Fan Bao opened a checking account at Bank of America to facilitate his small import-export business called ZICO USA. When he needed to wire money, he or his wife, Cathy Huang, would walk a few blocks to Bank of America’s Highland Park, California, and execute the transfer in person.

But two summers ago, a BofA branch official urged Bao to do his banking online, assuring him that it was every bit as safe as banking in person. Only wires sent from Zico’s computer, accompanied by a downloaded security certificate, would be honored, he was told. Bao followed the bank’s security instructions to the letter, and accepted the bank’s assurances that his money was safe.

But last summer, two fraudulent drafts were sent through Bao’s account – one for $50,000 and another for $99,100. Both drafts were going to a bank in Croatia that Bao had never done business with. In fact, Bao had never before sent a wire transfer to anyone outside of Hong Kong or China.

The bank recognized that the transfers were improbable, but didn’t stop them. A bank official called Bao to report “unusual activity” on his account, but refused to tell him what it was because Huang was the company’s only “authorized agent” and she was on a business trip in Hong Kong, according to court filings. When Huang was able to reach BofA later that day, the couple discovered that nearly $150,000 in unauthorized wires had been charged to their business.

Huang immediately denounced the charges as unauthorized and fraudulent. The bank was subsequently able to stop payment on the second draft for $99,100, but the other $50,000 had already been paid to the Croatian bank and the money had been withdrawn. When Bao asked for the money back, Bank of America told him the missing $50,000 wasn’t their problem.

Why? Bao had agreed to the bank’s “terms and conditions” when opening the business checking account, which said that the bank did not have to make any special effort to “detect errors” in wire transfer requests. Wire transfer rules only require the bank to follow standard security protocol, which includes encrypting accounts. In a five-page response that Nada Alnajafi, Bao’s attorney, calls a “form letter,”[‡] the bank cites wire transfer rules that say that for Bao to recover the fraud loss from the bank, he has to prove that it was the bank – not Bao – that had the security breach.

Bao has seen no other indication of hacking on his own computers, Alnajafi said. Aside from these two wires, neither this nor any of his other financial accounts, have been hit. Nonetheless, the bank says in its letter that it suspects that given the amount of “malware” [§] in the online community, Zico’s computer was infected with some type of “keylogging virus” that captured his user credentials. Thus, he’s stuck. If Bao contends otherwise, it’s incumbent on the small business owner to file a suit against one of the nation’s biggest banks to prove it.

He’s done just that. Bao says in the suit, filed in Los Angeles Superior Court, that the fraud occurred only weeks before the bank was set to initiate tightened security procedures that included a “SafePass token.” The bank informed him they were adding this level of security in late May and Bao immediately signed up. But the bank didn’t “activate” Bao’s safe pass until July 13. The fraud occurred on June 22.

Bao’s suit indicates that he suspects that bank employees are in on the scam. He is alleging negligence and breach of good faith and fair dealing, among other things. He asks for his money back.

Bank spokeswoman Shirley Norton said the bank has not been served with the suit, so it cannot comment on the allegations. Citing client confidentiality, the bank also would not comment on any specific client matter. But Norton said that the bank takes safeguarding client information very seriously.

“BA Direct includes an advanced security mechanism with layered security controls for authenticating wire transfers,” she said in an e-mail. “Those controls include personal digital certificates, encryption, customized authorization and entitlement, separation of duties, automatic log-offs and password expiration. Our security procedure is consistent with those used by other major banks to authenticate wire transfers.”

Before the suit was filed, Bank of America attorneys wrote a letter to Bao that said: “Neither the Bank nor any other major wire transfer bank is or can be in the position of manually vetting each incoming payment order to make an independent assessment whether it appears to be ‘normal’ for a particular customer. Such a process would be commercially infeasible and would delay or halt billions of dollars of wire transfers each day and would constitute an unacceptable substitution of the bank’s judgment for that of its customers. ”

Alnajafi skeptically replied that banks, of course, do just this with millions of credit card transactions each day. “If you try to use your credit card out of state to buy a cup of coffee, they’ll freeze your account,” she said. “But wiring $150,000 to Croatia, when you’ve never sent a dime there before? That’s not going to set off any alarms.”

 

Comprehension:

Decide whether the following statements are true or false.

1. Fan Bao is the owner of a big and influential company.

2. Fan Bao decided to do his business online for convenience.

3. In general Bao preferred to do his banking in person.

4. Bao wired money transfers to many countries.

5. As a result of a hacker attack Bao lost 150,000 $.

6. Even though it was expensive to file a suit against the bank Bao did it.

7. The bank partially admitted the error and paid 99,100 $ back.

8. The attack occurred because Bao hadn’t signed up for the new level of security SafePass.

9. The bank where Bao had opened his account has an advanced security mechanism.

10. After the incident with Fan Bao’s account the bank introduced manual tracing of payment orders to decide whether they are normal for a particular customer.