In other words, the bank believed them because its own weak authentication process failed.
“When I first talked to the bank, my question to them was, ‘We’ve always done the same five payroll transactions a month, this was outside the norm, so why didn’t you flag them?’” Diaz recalled. “They told me because [the thieves] answered the secret questions correctly and because the amount was under $10,000 and their daily limit, they let it go just based on the amount.”
In the beginning things were simple:
But with eBanking for transactions under $10k, it appears that banks not only added the web's very weak identity and authentication, they also removed authorization and a fair amount of auditing.
We start the process with a weak username/password "authentication" of random people on the web, and then use that to bootstrap the rest of the process! MQ Series only propagates those weak credentials, and the mainframe "trusts" the request because it came from MQ; as long as it's under $10k, why worry?
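As an added example (not from the post, and not the bank's code), here is the contrast the post draws, in Python: the bank's control, which looks only at the per-transaction amount, beside a check that compares a month's batch against the account's own payroll history. Payee names, amounts and the $10,000 limit are constructed from the figures quoted above.

```python
from collections import defaultdict

# Constructed sample data: six months of the same five payroll payments.
# Each record is (month, payee, amount).
HISTORY = [(m, p, a) for m in range(1, 7)
           for p, a in (("payee-a", 2100.00), ("payee-b", 1950.00),
                        ("payee-c", 2300.00), ("payee-d", 1800.00),
                        ("payee-e", 2050.00))]

# Month 7: the normal batch plus four transfers to never-seen payees,
# each kept under the $10,000 per-transaction limit (constructed).
MONTH_7 = [(7, p, a) for p, a in (
    ("payee-a", 2100.00), ("payee-b", 1950.00), ("payee-c", 2300.00),
    ("payee-d", 1800.00), ("payee-e", 2050.00),
    ("new-payee-1", 9800.00), ("new-payee-2", 9700.00),
    ("new-payee-3", 9900.00), ("new-payee-4", 9650.00))]


def amount_limit_check(txns, limit=10_000.0):
    """The control described in the post: flag only by per-transaction amount."""
    return [t for t in txns if t[2] >= limit]


def build_baseline(history):
    """Learn the account's normal batch size, payees and amount range."""
    per_month = defaultdict(int)
    for m, _, _ in history:
        per_month[m] += 1
    amounts = [a for _, _, a in history]
    return {"max_count": max(per_month.values()),
            "payees": {p for _, p, _ in history},
            "min_amt": min(amounts), "max_amt": max(amounts)}


def baseline_check(txns, baseline):
    """Flag deviations from the account's own history, whatever the amount."""
    flagged = []
    if len(txns) > baseline["max_count"]:
        flagged.append(("batch_size", len(txns)))
    for _, payee, amount in txns:
        if payee not in baseline["payees"]:
            flagged.append(("new_payee", payee))
        elif not baseline["min_amt"] <= amount <= baseline["max_amt"]:
            flagged.append(("amount_out_of_range", payee, amount))
    return flagged
```

The amount-only check passes the whole of month 7; the baseline check flags the batch size and every unknown payee while letting the five regular payments through.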
I am not sure this model survives much longer; it reeks of a 1970s station wagon engine that's coughing and wheezing its last breath and spewing oil all over your driveway, and I am not alone.
"Internet banking as we know it, the kind that happens when a user launches a browser, and goes through even a decent approximation of layered security on a bank's Website, is dead, made untenable by the massive fraud now draining hundreds of millions from corporate accounts."
-- Rebecca Sausner, Editor-in-Chief, Bank Technology News