Thieves Try to Hit Online Bank
X.com has fixed its security policies and says illegal transfers were halted--but one customer disagrees.
Ann Harrison, Computerworld
But at least one person has charged that online thieves tried to transfer more than $50,000 from his bank account using a stolen account number.
Before it revised its policy on January 22, X.com allowed customers to transfer up to $2500 from any U.S. bank account and then withdraw the money by entering only account and bank routing numbers on the X.com Web site.
According to company Chief Executive Officer Edward Harris, the would-be crooks, entering data from other people's accounts, attempted six unauthorized fund transfers that were halted by X.com.
Imad Khalidi, chief executive of Auto Europe, a car rental agency in Portland, Maine, says he discovered on January 14 that someone had used his account number to siphon $21,000 out of his company's bank account to pay for Gucci merchandise.
Khalidi says thieves made four other attempts to transfer money from his account via X.com and WingspanBank.com, including an attempted $23,000 transfer. The online grifters then posted Khalidi's account numbers to an Internet forum, he says.
"They are building Web sites without security, and they never asked for a voided check," says Khalidi about X.com and WingspanBank.com.
Doing Enough?
WingspanBank.com didn't immediately reply to Khalidi's allegations. The company did issue a statement that asserted, "We are aware of the industry issues surrounding [the Automated Clearinghouse Network] transfers, we are committed to the highest level of security for our customers, and are continually evaluating and enhancing our security systems as appropriate."
According to Harris, X.com, a division of First Western National Bank, has changed its security policies to require customers to fax or mail a voided check, signature card, and a copy of a driver's license to verify bank account numbers for transfers of any value.
Harris says none of the attempted transfers involved the actual theft of money. He says X.com notified law enforcement officials and the Federal Deposit Insurance Corporation of one attempted incident and was in communication with one financial institution, which he declines to name. X.com didn't comment on Khalidi's charges.
"In this situation, X.com did a pretty good job of discovering what was going on and took steps to change the policy to respond to customer concerns swiftly," says Rob Leathern, an analyst at Jupiter Communications.
But Elias Levy, chief technology officer at San Mateo, California-based security consulting firm SecurityFocus.com, says he was told by X.com that it was forced to change its procedures after receiving calls from fraud departments at other banks. "The potential for damage is enormous," says Levy.

Story copyright © 2007 Computerworld Inc. All rights reserved.




