January 28, 2000
Copyright the New York Times

Security Flaw Discovered at Online Bank
Easy Electronic Transfers of Money Nationwide Were Allowed

By JOHN MARKOFF
SAN FRANCISCO, Jan. 27 -- In what may prove to be a cautionary tale about the headlong rush into electronic commerce, a new online bank permitted customers for almost a month to transfer funds from any other account in the nation's banking system.
As a result, someone armed with another person's account number and bank routing number could move money from that account to the Internet bank, then withdraw it.
The vulnerability was apparently discovered and exploited by at least one Internet grifter. The company's executives acknowledged today that they had contacted law enforcement officials because of one incident, but said the dollar amounts involved "are not significant."
The security flaw, which the company said was corrected earlier this week after computer security experts alerted it to the problem, highlights the potential risks inherent in moving traditional commerce into cyberspace.
The company, X.com, based in Palo Alto, Calif., was founded in March 1999 and has been online since early December. Its banking services are provided by X.com Bank, a division of First Western National Bank, a small community bank based in La Jara, Colo. The relationship is intended to permit the Internet start-up to develop technology "that makes accessing and moving your money easy," according to the company's Web site.
Computer security experts said today that the company had erred in making unauthorized electronic funds transfers far too easy.
"I should not need to explain to you the dangers and damage that could be caused by this security flaw in X.com's systems," said Elias Levy, a computer security expert at Security Focus, a San Francisco-based consulting firm. "Anyone with half a clue could perform these unauthorized transfers for over a month via their Web site and create some real financial problems for other people."
He said that he had verified that the flaw existed last week by transferring money from another account with the permission of the owner.
Company executives acknowledged the Web banking service had some early problems, but said they had instituted procedures intended to prohibit fraudulent practices.
William Harris, chief executive of X.com, said the company had changed its procedure for authorizing new accounts after it had discovered about 10 instances in which inaccurate or suspicious numbers had been entered into online application forms.
"We've done thousands of transfers, and 5 or 10 that have been problematic," he said. "We have had people attempt to beat our systems in a number of ways and now we think that we've identified and addressed these problems."
The company now requires that new customers fax or mail a copy of a canceled check to establish their ownership of an account before transferring money from it. In addition, only transfers from accounts in the same name can be used to open accounts with the online bank.
The company is one of a small but growing number of Internet-oriented banking operations trying to offer consumers more convenience and better interest rates than conventional banks.
Others include Telebank, a subsidiary of E*Trade, the Internet brokerage company; and Wingspan, part of the Bank One Corporation. Traditional banks and financial services like the Charles Schwab Corporation are also offering Web-based banking services.
Financial industry experts said X.com's experience highlights the potential risks of introducing Internet banking systems before they are completely tested.
"The problem here is not unique to online banking," said Mark Rasch, vice president of the Global Integrity Corporation, a financial systems computer security consulting firm based in Reston, Va. "But with online banking you're exposed to the Web, and as a result your network is more vulnerable and you have to be extra vigilant."
Underlying the X.com security flaw was the company's decision to directly interconnect its online application form with the nation's Automated Clearing House network.
Under rules governing fund transfers through the network, debit transactions from a consumer's account must be authorized in writing. But the rules place responsibility for verification and authorization on the receiving party.
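The control the article describes is the originating institution's own gate in front of the ACH network: because the network rules put verification on the receiving party, the online form has to establish that the applicant owns the external account before a debit is created. The following added example (not X.com's code, and not any ACH library) models the account-funding decision in both states the article describes: the original flow, which debited whatever routing and account numbers were typed in, and the corrected flow, which additionally requires a received canceled check and a name match between the applicant and the external account holder. The ABA routing-number check digit (3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) divisible by 10) is a standard format test included to screen the "inaccurate numbers" the company mentioned; the sample routing and account numbers, names and the FundingRequest structure are constructed for this example.

```python
"""Account-funding authorization, before and after the ownership controls.

Added example only: the data model and the decision functions are assumptions
made for illustration, not code from X.com or from any ACH processor.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FundingRequest:
    applicant_name: str        # name on the new online-bank application
    routing_number: str        # ABA routing number typed into the form
    account_number: str        # external account number typed into the form
    proof_received: bool       # canceled check received by fax or mail
    proof_account_holder: str  # name printed on that canceled check ("" if none)


def routing_checksum_ok(routing: str) -> bool:
    """ABA routing-number check digit (a format test, not proof of ownership):
    3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def _normalize_name(name: str) -> str:
    # Collapse whitespace and case so "PAT  example" matches "Pat Example".
    return " ".join(name.split()).casefold()


def authorize_debit_before_fix(req: FundingRequest) -> tuple[bool, str]:
    """The flaw as the article describes it: the form fed the ACH network
    directly, so any routing/account pair was debited with no ownership check."""
    return True, "debit originated (no ownership check)"


def authorize_debit_after_fix(req: FundingRequest) -> tuple[bool, str]:
    """The corrected flow: format-screen the numbers, then require written
    proof of ownership and a same-name external account before any debit."""
    if not routing_checksum_ok(req.routing_number):
        return False, "malformed routing number"
    if not req.account_number.isdigit():
        return False, "malformed account number"
    if not req.proof_received:
        return False, "ownership proof (canceled check) required"
    if _normalize_name(req.proof_account_holder) != _normalize_name(req.applicant_name):
        return False, "external account must be in the applicant's name"
    return True, "debit authorized"


# Constructed sample requests. "123456780" satisfies the ABA check digit
# (3*12 + 7*15 + 9 = 150); it is not a real institution's routing number.
ANY_ACCOUNT = FundingRequest("Pat Example", "123456780", "000111222", False, "")
MATCHED = FundingRequest("Pat Example", "123456780", "000111222", True, "PAT  example")
MISMATCH = FundingRequest("Pat Example", "123456780", "000111222", True, "Someone Else")

if __name__ == "__main__":
    for label, req in (("any account", ANY_ACCOUNT), ("matched", MATCHED), ("mismatch", MISMATCH)):
        print(f"{label:12} before: {authorize_debit_before_fix(req)}")
        print(f"{label:12} after:  {authorize_debit_after_fix(req)}")
```

The point of the two functions side by side is where the decision lives: nothing in the network rejected the first version's debits, so the only place the missing check could have been enforced was the originator's application form.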
"An opening question in an online banking relationship should be, 'Where is the money coming from?'" said Robert H. Ledig, a New York lawyer who is the co-author of "21st-Century Money, Banking and Commerce," published in association with the National Automated Clearing House Association. "If the answer isn't clear, it's a bad start for the relationship."