Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Bank Auditing Services

January 28, 2000, Copyright the New York Times

Security Flaw Discovered at Online Bank

Easy Electronic Transfers of Money Nationwide Were Allowed

By JOHN MARKOFF

SAN FRANCISCO, Jan. 27 -- In what may prove to be a cautionary tale about the headlong rush into electronic commerce, a new online bank permitted customers for almost a month to transfer funds from any other account in the nation's banking system.

As a result, someone armed with another person's account number and bank routing number could move money from that account to the Internet bank, then withdraw it.

The vulnerability was apparently discovered and exploited by at least one Internet grifter. The company's executives acknowledged today that they had contacted law enforcement officials because of one incident, but said the dollar amounts involved "are not significant."

The security flaw, which the company said was corrected earlier this week after computer security experts alerted it to the problem, highlights the potential risks inherent in moving traditional commerce into cyberspace.

The company, X.Com, based in Palo Alto, Calif., was founded in March 1999 and has been online since early December. Its banking services are provided by X.com Bank, a division of First Western National Bank, a small community bank based in La Jara, Colo. The relationship is intended to permit the Internet start-up to develop technology "that makes accessing and moving your money easy," according to the company's Web site.

Computer security experts said today that the company had erred in making unauthorized electronic funds transfers far too easy.

"I should not need to explain to you the dangers and damage that could be caused by this security flaw in X.com's systems," said Elias Levy, a computer security expert at Security Focus, a San Francisco-based consulting firm. "Anyone with half a clue could perform these unauthorized transfers for over a month via their Web site and create some real financial problems for other people."

He said that he had verified that the flaw existed last week by transferring money from another account with the permission of the owner.

Company executives acknowledged the Web banking service had some early problems, but said they had instituted procedures intended to prohibit fraudulent practices.

William Harris, chief executive of X.com, said the company had changed its procedure for authorizing new accounts after it had discovered about 10 instances in which inaccurate or suspicious numbers had been entered into online application forms.

"We've done thousands of transfers, and 5 or 10 that have been problematic," he said. "We have had people attempt to beat our systems in a number of ways and now we think that we've identified and addressed these problems."

The company now requires that new customers fax or mail a copy of a canceled check to establish their ownership of an account before transferring money from it. In addition, only transfers from accounts in the same name can be used to open accounts with the online bank.

The company is one of a small but growing number of Internet-oriented banking operations trying to offer consumers more convenience and better interest rates than conventional banks.

Others include Telebank, a subsidiary of E*Trade, the Internet brokerage company; and Wingspan, part of the Bank One Corporation. Traditional banks and financial services like the Charles Schwab Corporation are also offering Web-based banking services.

Financial industry experts said X.com's experience highlights the potential risks of introducing Internet banking systems before they are completely tested.

"The problem here is not unique to online banking," said Mark Rasch, vice president of the Global Integrity Corporation, a financial systems computer security consulting firm based in Reston, Va. "But with online banking you're exposed to the Web, and as a result your network is more vulnerable and you have to be extra vigilant."

Underlying the X.com security flaw was the company's decision to directly interconnect its online application form with the nation's Automated Clearing House network.

Under rules governing fund transfers through the network, debit transactions from a consumer's account must be authorized in writing. But the rules place responsibility for verification and authorization on the receiving party.
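The account-linking check at the heart of this story, as an added example that is not X.com's code: the weak policy accepts any syntactically valid routing and account number, while the hardened policy models the fix the company described (a canceled check on file, in the applicant's own name). The field names, the name-normalisation rule and the sample routing numbers are assumptions constructed for this example.

```python
"""Weak vs hardened authorization of an ACH debit from an external account.

Added example, not X.com's code. Models the article's flaw (routing number +
account number were enough to pull funds) and its fix (proof of ownership via
a canceled check, and only accounts in the same name). Field names assumed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LinkRequest:
    applicant_name: str                 # name on the new online-bank account
    routing_number: str                 # 9-digit ABA routing number (as typed)
    account_number: str                 # external account number (as typed)
    canceled_check_name: Optional[str] = None  # name printed on the faxed/mailed check, if on file


def routing_checksum_ok(routing: str) -> bool:
    """ABA routing number check: 3-7-1 weighted digit sum must be 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def _norm(name: str) -> str:
    """Assumed normalisation: case-insensitive, whitespace-collapsed."""
    return " ".join(name.split()).lower()


def weak_policy_allows_debit(req: LinkRequest) -> bool:
    """Pre-fix behaviour: well-formed identifiers alone authorise the debit."""
    return routing_checksum_ok(req.routing_number) and req.account_number.isdigit()


def hardened_policy_allows_debit(req: LinkRequest) -> Tuple[bool, str]:
    """Post-fix behaviour: identifiers, proof of ownership, and same-name rule."""
    if not (routing_checksum_ok(req.routing_number) and req.account_number.isdigit()):
        return False, "invalid account identifiers"
    if req.canceled_check_name is None:
        return False, "no canceled check on file"
    if _norm(req.canceled_check_name) != _norm(req.applicant_name):
        return False, "external account not in applicant's name"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: "123456780" passes the checksum, "123456789" does not.
    stranger = LinkRequest("Mallory Example", "123456780", "88112233")
    print(weak_policy_allows_debit(stranger))       # True: the flaw
    print(hardened_policy_allows_debit(stranger))   # (False, 'no canceled check on file')
```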

"An opening question in an online banking relationship should be, 'Where is the money coming from?'" said Robert H. Ledig, a New York lawyer who is the co-author of "21st-Century Money, Banking and Commerce," published in association with the National Automated Clearing House Association. "If the answer isn't clear, it's a bad start for the relationship."
