By KARL STEPHAN, Consulting Engineer, Texas State University, San Marcos
Say you run a dry-cleaning company with three outlets, or a restaurant or a machine shop with 13 employees. You have an account with a bank, possibly a smaller bank that isn’t in the major leagues. Like most people these days with bank accounts in the U. S., you deal with your bank electronically as well as in person.
You log onto your bank’s website daily and transfer funds, pay bills, do payroll and most of the other financial operations that a small business requires. And you probably have some accounting software on your business computers that interfaces somehow with the bank’s software.
Everything’s rolling along OK until one fine morning, when you open up your accounting software, update your balances from the bank and find that instead of the thousands of dollars you had there yesterday, there’s zero dollars and zero cents — or even that your $10,000 line of credit with the bank that you haven’t touched in months is suddenly maxed out.
You get on the phone with the bank. After some heated conversations with the bank’s information technology (IT) people, you discover your accounts have been hacked. And the bank says that because it was your system that was hacked, not theirs, that you are out of luck. They won’t make good on your losses.
According to a recent blog post in the online edition of IEEE Spectrum, the amount of physical cash stolen in old-fashioned bank heists (less than $50 million a year in the U.S.) is dwarfed by the amount of money hacked from small-business bank accounts, which is upwards of $1 billion annually.
Unlike regulations covering consumer credit-card accounts, which have a $50 maximum loss ceiling that most banks honor, there is no law protecting small businesses against similar kinds of fraud. So unless a small company can prove in court that the bank itself was at fault, and not the company’s IT system, that money is just as gone as if a thief broke into the office safe and walked away with it. But in the case of physical cash, there’s usually no question about who the money was stolen from. Digital cash is different.
Money is an interesting philosophical concept. I was in my forties before a historian of technology made me realize that the monetary value of gold is not an intrinsic objective property, like atomic weight.
Considered analytically, money is just an elaborate symbolic system humans have devised to keep track of economic value. Whether money is stored in the form of dollar bills, gold bars or bits on some server somewhere, it is fundamentally an agreement among people that certain physical states of the universe correlate with a certain distribution of wealth among individuals and groups.
That being the case, there is a fundamental distinction between physical theft, which is what happens when someone with a gun holds up a real bank and runs off with real bills, and cybertheft, where by fraud some hackers make certain numbers in one computer system go down and certain other numbers in their own accounts go up. In this regard, hacking small business accounts is in the same category as check forging. In both hacking and forging, a third party or parties are made to believe something false.
What has this got to do with the question of who should shoulder the responsibility for hacking small business accounts? In a more leisurely era, there may be a real chance of simply catching the crooks and making them give back the dough. But the famous fungibility of money (the ease with which it is converted into other things of value) goes double for digital cash, which can be laundered, converted, disguised and transferred around the world in seven minutes or less, beating Shakespeare’s Puck by a good measure.
Hackers are notoriously difficult to catch, and by the time they are caught, the money they steal is almost always unrecoverable. So in reality, the question boils down to who is left holding the empty bag: the small-business owner or the bank?
The fact that there is some dispute about this in the various court cases that have been brought to trial reflects the fuzziness of computer systems with regard to the question of whose pieces are whose. If your business software transfers data back and forth to your bank, who is to say where one system ends and the other one begins? Maybe we should all gang up on the rooms full of programmers who worked out the compatibility standards for both systems.
After all, they are ultimately responsible for the way the system ended up, including any vulnerabilities. But nowhere have I seen that anyone considers going after the programmers or engineers who put these systems together. Instead, the banks who hire them are the main targets of lawsuits, because, as all good bank robbers know, that’s where the money is.
I wish I had a gold-plated surefire answer to this ethical issue, but I don’t. The best I can do is urge caution all around, especially where phishing attacks are concerned. If what you think is your bank’s website looks the least little bit funny, stop what you’re doing and double-check everything. That way, you may be able to avoid a very costly mistake.
Karl Stephan has worked in the industry as a consulting engineer. He currently teaches college-level engineering courses at Texas State University in San Marcos, Texas.
Sources: Robert Charette’s blog post entitled “Business Phone or Bank Account Hacked? It's Your Toaster” appeared on Aug. 12 in the online edition of the magazine for electrical and electronic engineering professionals IEEE Spectrum at www.spectrum.ieee.org/riskfactor/telecom/security/business-phone-or-bank-account-hacked-its-your-toaster.