Stunned by $45M cyberheist, banks have limited options for trying to recover money
It isn’t just bank customers who can see their funds vanish in a short time, with little or no recourse, when hackers take over their accounts.
As a $45 million cyberheist revealed last week illustrates, banks themselves can have much the same problem.
Two Middle Eastern banks lost the money in a matter of hours during two coordinated International ATM heists in December and February, federal prosecutors in Brooklyn, N.Y., announced Thursday, along with charges against eight individuals. They are accused of withdrawing $2.8 million of the money in roughly 3,800 transactions, after hackers broke into the computer systems of third-party payment processors and removed the usual limits on authorized withdrawals from prepaid debit card accounts, according to CNN Money and Reuters.
As law enforcement agencies continue to look for suspects, the victims, Oman-based Bank of Muscat and United Arab Emirates-based National Bank of Ras Al Khaimah PSC, face what observers say could be a daunting uphill battle to recover their money.
It’s common for payment processors that have been victimized by hackers to have failed to comply with all security standards, reports Reuters. However, it’s also common for the contracts under which they perform their work to limit processors’ liability to the banks whose funds they are handling.
Insurance coverage for such crimes is still evolving, and it isn’t known what policies the banks and processors had and how they may be limited.
“There’s no hard and fast rule,” Dan Karson, who serves as Americas chairman of Kroll Advisory Solutions, tells Reuters. “We’re in very much a new cybersphere of finance, and allocating liability is still very much evolving.
See also:
ABA Journal: “Digital Dangers: ABA Pursues Practical and Legislative Responses to Cybersecurity Threats”
ABAJournal.com: “As Hackers Steal Up to $1B Annually from Biz Bank Accounts, Victims May Have No Recourse”
Reuters: “Indian companies at center of global cyber heist”
Wired: “Mules’ in £29 million cyber heist charged in New York”
