It's the most unnerving story imaginable for a bank customer -- money disappearing from their account. A mysterious transaction, and no recourse. All the money, simply gone.
The case of Joe Lopez, detailed Tuesday by "NBC Nightly News with Brian Williams," is just one example. Lopez lost $90,000 when an unauthorized wire transfer moved the funds from his small business account to a bank account in Latvia. As a small business account holder, Lopez has fewer rights than consumers would if facing the same situation. But the story highlights increasing concern over the way financial institutions verify just who is moving money around their systems.
Online banking is increasingly popular in the United States. This year, about 55 million people will bank online, according to analyst firm Gartner. But the system is fraught with perils.
Chief among them are phishing e-mails that trick consumers into giving away their bank login information or other personal data. Nearly 2 million consumers said they'd fallen for the trick during one 12-month period, Gartner analyst Avivah Litan said earlier this year. It's not clear how many of them suffered an eventual attack on their online bank accounts, Litan said, but the stolen information is clearly valuable to would-be criminals.
While consumers who do suffer account losses are often refunded the money, there's still paperwork headaches to deal with, and not everyone does recover everything they've lost.
"In most cases, especially those involving credit card fraud, consumers get their money back pretty easily," she said. "But in other cases, like new account fraud or illegal transfers, it's not so simple and consumers often can lose out. They need to be aware of the holes in the system that are more apparent than ever with all the electronic doors into and out of their bank accounts."
Banks take action
Banks are trying to react to the problem. Citibank recently reduced the amount of money it allows customers to transfer out of checking accounts in response to the phishing epidemic. Daily limits on the institution's Global Transfers program, which allows customers to move money to any Citibank account for $5 or $10 per transfer, were reduced to $500 per day and $1,000 per week in October.
"In the current environment, where there is a lot of phishing and potential fraud, we took preventative security measures by reducing the amount that can be sent," said Citibank spokesman Mark Rodgers. "We hope to up those limits again soon. We have been adding security enhancements to the service."
Still, consumers are worried. A study published last month by InsightExpress reveals two out of five consumers are more concerned about online banking fraud this year versus last year. And in the most recently-available statistics from the Federal Trade Commission, 17 percent of identity theft complaints involved bank account thefts.
"The consumer feels like ... they are exposed to that risk," said Lee Smith, president and COO of InsightExpress.
Know your rights
In general, consumers draw little distinction between credit card fraud and online bank account theft, Smith said. But while consumers might not, federal law does, and so it's important that account holders understand the distinctions.
Rules governing credit card fraud are clear. Consumers are only liable for the first $50 charged in their name by a thief, and most banks waive that responsibility.
Rules governing electronic fraud are more complex. According to the Federal Reserve's Regulation E, consumers must report a electronic funds transfer problem within two days to insulate themselves from liability, and even then are still on the hook for $50. Consumers who report a problem within 60 days have their liability capped at $500.
But after that, there are no federally-mandated consumer protections. Consumers may end up losing all their money. Legally, victims in this situation are on very shaky footing when they try to fight their bank.
The other problem with money that's been stolen directly from a checking account, said Linda Foley, director of the Identity Theft Resource Center, is that it's already gone — a very different situation than a credit card takeover, where consumers can simply refuse to pay the bill. "There's always an immediacy issue when your money has been drained from your checking account," she said.
Lopez actually reported his theft right away, but as a small business owner with a corporate account, the transaction was not governed by Regulation E, which only protects consumers. So when Bank of America determined the problem was faulty security on his end, it decided not to refund his money.
Thanks to the widespread protection afforded consumers, they shouldn't be reluctant to bank online, said James Van Dyke, founder and principal analyst of Javelin Strategy and Research.
"People are more worried than they used to be, and that makes sense," he said. "There are threats out there which have come into popular use. But there are some very logical things people can do which really do protect themselves."
Not divulging personal information through e-mail is one, he said. Another successful tactic is to use the Internet to regularly monitor online banking accounts for signs of fraud. The quicker a fraud is discovered, the easier it is to fix, Van Dyke said.
At a 'tipping point'
Still, Howard Schmidt, former White House cybersecurity advisor and co-author of the National Strategy to Defend Cyberspace, said stories like these only highlight the need for dramatic new ways to positively identify consumers and institutions when they are online.
"This is a growing problem," he said. "We're reaching a tipping point."
Schmidt favors what's called "two-factor" authentication. Banks should issue consumers smart cards with electronic chips that they can insert into their computer before banking online, he said. Then, they'll also have to supply a password before performing transactions.
"It's something you have, and something you know," Schmidt said. "Even if I had a keylogger and had stolen your password, without a smart card ... you can't do anything. That's why it's so effective."
Recently, America Online began offering consumers the opportunity to log on using an external device, in one of the first major two-factor authentication efforts. But despite the need, Schmidt said it will be a long time before such a system is mandatory at banks and other financial institution Web sites.
"There's been a lot of discussion (with banks), but it requires a tremendous infrastructure change," he said.
So for now, as some consumers are finding out the hard way, only a username and password stands between criminals and their hard-earned money.
Bob Sullivan is the author of Your Evil Twin: Behind the Identity Theft Epidemic