
There were two stories this past week that should serve as warnings to the owners and operators of small or medium-size businesses. The first appeared in the LA Times and concerned an employment lawyer in Woodland Hills, Calif., who discovered that her office phone system had been hacked and some US $20 500 in international calls charged to her telephone account. When she contacted AT&T about it, she was initially told that she wouldn't be held responsible for the fraudulent calls, but the $20 000 charge kept showing up on her monthly telephone bill anyway.

The Times story says that AT&T apparently decided that the lawyer was indeed responsible for the charges, and that if she didn't pay up, her phone service would be terminated.

The Times contacted AT&T for comment on the case, and the company told the paper that:

"... if a customer's phone system gets hacked, the company isn't responsible for any fraudulent charges that accrue.

"If your toaster blows up in your home, you don't expect the electricity company to be responsible for it... [an AT&T spokesperson explained] It's your toaster."

The Times also reports that Verizon operates under a similar policy. I presume that is true of other telecom companies as well.

The story says that AT&T and the employment lawyer have now settled the matter (I would guess in part because the Times contacted AT&T about it), but exactly how it was settled isn't described; a nondisclosure agreement prohibits either party from discussing it.

In a similar vein, there was a Bloomberg News story last week about cyber crooks stealing as much as $1 billion a year from the bank accounts of small and medium US businesses, which have little recourse to get their money back if the bank claims that the businesses lost their money because the businesses' IT systems were hacked. Business bank accounts are not protected from wire-transfer fraud in the same way that consumer accounts are.

As a point of comparison, the story says that about $43 million was taken in US bank heists last year.

Bloomberg says that only JPMorgan Chase & Co., the second-largest bank in the US, insures commercial deposits against the hacking that is now targeting small and medium businesses, as detailed in a Wall Street Journal article from last month. Small and medium businesses, as well as the banks they typically do business with, are seen as having very weak IT security that can be easily defeated and/or exploited by phishing attacks.

There is proposed legislation at the federal level to extend wire-fraud protection to small business accounts, but the American Bankers Association is opposed to it, the Bloomberg story states. The reasons apparently are that the banks, especially the small and mid-sized ones, don't want the added IT expense of monitoring client accounts for potentially fraudulent activity, or to pay for the insurance to cover the losses.

However, the company Experi-Metal recently won its case against Comerica Bank, which might change the risk-responsibility landscape a bit. The case is detailed at Brian Krebs' security blog, but in short, Experi-Metal was hacked and its bank accounts "electronically ransacked" even after the company informed Comerica that its IT system had been compromised. When the bank refused to cover Experi-Metal's losses, the company sued, claiming the bank should have done more to prevent the hacking from happening as well as stop its accounts from being tapped by the cyber thieves—especially after the company told the bank about the hacking. You can read the court opinion (PDF) in favor of Experi-Metal here.

Comerica was going to appeal, but apparently has decided not to and has paid Experi-Metal back its stolen money. Meanwhile, in another very similar wire-transfer fraud case, this time the construction company Patco's suit against Ocean Bank (Patco v. Ocean Bank), the courts just this week reaffirmed a ruling in favor of the bank.

So, given the conflicting court findings, at least for the foreseeable future, small and medium businesses should keep AT&T's admonition in mind when it comes to IT security and protecting their computer and phone systems from hackers: "It's your toaster."
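If the toaster is yours, so is the job of watching it. The following is an added example, not code from the article or from any of the companies it mentions: a small nightly triage script that a business could run over its own PBX call detail records (CDRs) to catch an after-hours international calling spree of the kind the lawyer above only learned about from her bill. The CDR layout (timestamp, extension, dialed E.164 number, duration in seconds), the sample records, the "+1" home-country assumption and the thresholds are all assumptions made for illustration; real PBXs export CDRs in vendor-specific formats.

```python
"""Toll-fraud triage over PBX call detail records (CDRs).

Added example, not from the article. Flags extensions whose after-hours
international calling exceeds a budget, or that dial an unusual number of
distinct foreign destinations. Format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR lines: timestamp, extension, dialed number, seconds.
# Extension 205 shows the pattern of a compromised voicemail/PBX account
# being used to pump traffic to a foreign number block overnight.
SAMPLE_CDR = """\
2011-06-20T10:15:02,201,+14155551212,240
2011-06-20T11:02:44,202,+12125550100,95
2011-06-20T23:40:11,205,+22550123456,1800
2011-06-21T00:05:37,205,+22550123457,1750
2011-06-21T00:35:09,205,+22550123458,1790
2011-06-21T01:02:55,205,+22550123459,1810
2011-06-21T09:30:00,203,+14085550199,120
"""

HOME_COUNTRY_CODE = "+1"          # assumption: a North American (NANP) PBX
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59 local; calls outside are suspect
AFTER_HOURS_INTL_MINUTES = 30     # assumption: per-extension overnight budget
MAX_DISTINCT_INTL_DESTS = 3       # assumption: many foreign numbers from one ext


def parse_cdr(text):
    """Parse the assumed CSV layout into dicts; skips blank and '#' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ext, number, secs = line.split(",")
        records.append({
            "when": datetime.fromisoformat(ts),
            "ext": ext,
            "number": number,
            "seconds": int(secs),
        })
    return records


def is_international(number, home=HOME_COUNTRY_CODE):
    """E.164 numbers start with '+'; anything outside the home code is international."""
    return number.startswith("+") and not number.startswith(home)


def find_toll_fraud(records):
    """Return {extension: [reasons]} for extensions breaching the thresholds."""
    minutes = defaultdict(float)
    dests = defaultdict(set)
    for r in records:
        if not is_international(r["number"]):
            continue
        if r["when"].hour in BUSINESS_HOURS:
            continue
        minutes[r["ext"]] += r["seconds"] / 60.0
        dests[r["ext"]].add(r["number"])

    alerts = {}
    for ext in minutes:
        reasons = []
        if minutes[ext] > AFTER_HOURS_INTL_MINUTES:
            reasons.append(f"{minutes[ext]:.0f} after-hours international minutes")
        if len(dests[ext]) >= MAX_DISTINCT_INTL_DESTS:
            reasons.append(f"{len(dests[ext])} distinct international destinations")
        if reasons:
            alerts[ext] = reasons
    return alerts


if __name__ == "__main__":
    for ext, reasons in sorted(find_toll_fraud(parse_cdr(SAMPLE_CDR)).items()):
        print(f"extension {ext}: " + "; ".join(reasons))
```

Two caveats a practitioner would add. First, the "+1" check treats the whole North American Numbering Plan as domestic, yet several Caribbean countries share the +1 code and carry premium international rates, so a real deployment should match on full country/area codes rather than the leading "+1". Second, this catches fraud after the fact; the cheaper fix is to have the carrier or PBX block international dialling from extensions that never need it.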

Photo: iStockphoto
