Subscribe to RSS
Follow me on Twitter
Join me on Facebook
A machine equipment company in Texas is tussling with its bank after organized crooks swiped more than $800,000 in a 48-hour cyber heist late last year. While many companies similarly victimized over the past year have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the victim.
Both the victim corporation – Plano based Hillary Machinery Inc. – and the bank, Lubbock based PlainsCapital, agree on this much: In early November, cyber thieves initiated a series of unauthorized wire transfers totaling $801,495 out of Hillary’s account, and PlainsCapital managed to retrieve roughly $600,000 of that money.
PlainsCapital sued Hillary on Dec. 31, 2009, citing a letter from Hillary that demanded repayment for the rest of the money and alleged that the bank failed to employ commercially reasonable security measures. The lawsuit asks the U.S. District Court for the Eastern District of Texas to certify that PlainsCapital’s security was in fact reasonable, and that it processed the wire transfers in good faith. The documents filed with the court allege that the fraudulent transactions were initiated using the defendant’s valid online banking credentials.
Troy Owen, Hillary’s vice president of sales and marketing, doesn’t dispute that the perpetrators stole their online banking credentials, but said Hillary is still investigating how the information was taken. Owen said the transfers appear to have been initiated from computers in Romania and Italy, among others, and sent to accounts in Ukraine, Russia and other Eastern European nations.
According to a Nov. 12 memo that Owens said PlainsCapital shared with him, the institution’s commercial banking platform requires that each customer not only enter a user name and password, but also “register” their computer’s Internet address by entering a secure access code sent to the e-mail address on file for the customer.
The bank’s memo states that on Nov. 8, secure access code e-mails were sent to a Hillary e-mail address, but that the request came from a computer with an Internet address in Italy. The memo further states that the actual wire transfer requests were made from computers with Internet addresses in Romania.
Owen said no one in his company received any such e-mails on or around the date of the break-in Nov 8th and 9th, and that it is likely whoever stole the company’s banking credentials also intercepted the e-mails.
“It’s pretty ridiculous that the bank is saying their security was reasonable,” Owens said. “The people who run this bank are from an area that still leaves their doors unlocked at night and their keys in the car. These security measures were probably very up to date 10 to 15 years ago, but they’re not in today’s age.”
PlainsCapital declined to discuss the memo or other details of the case, citing the pending litigation. The bank’s president Jerry Schaffner said in an e-mailed statement that “It is evident that the loss incurred by Hillary Machinery, Inc., although regrettable, was not the result of a cyber attack on PlainsCapital Bank.”
Transaction logs shared by Hillary indicate that the majority of the unauthorized transfers were international wires for roughly $100,000 each. But at least $60,000 of the money was sent to more than two dozen money mules, willing or unwitting accomplices in the United States who are often recruited through work-at-home job scams.
A copy of the bank’s complaint against Hillary Machinery is available here (PDF).
Update: Since this blog post ran, the story of Hillary’s fight with Plains Capital has been picked by several mainstream media outlets, including the Dallas Morning News, Forbes, and Fox News.
So if the VP thinks that this “hay seed bank” didn’t have reasonable security measures, why did the company choose to do business with them? Great article, Brian!
Hot debate. What do you think?
18 
17
If you read Hillary’s article on thier website, they appeared to learn ‘the hard way’ just how lacking the bank’s security really was, albiet after the fact, but isn’t it a banks job to protect a depositers money?….I mean, isn’t that why they put money in a bank to begin with? You go to a construction company to build a house; a pest control company to get rid of bugs, etc..you go to a bank to keep your money safe and secure.
Well-loved. Like or Dislike:
36 
14
To quote….well, myself:
I think the following anecdotes explain the difference nicely. When a consumer wants to do online banking, the bank says, “Thanks for banking with us. And don’t worry: We will put your money back in our super-secure vault. Even if somebody should break in and rob the place, your money will still be safe because it’s protected by armed guards, and six inches of steel. But even if they get past all of those protections and steal cash from the vault, we’ll replace any money that was yours.”
In contrast, when businesses bank online, the unspoken message from many financial institutions is: “Thanks for banking with us. And don’t worry: We’ll keep your money here in our super-secure vault. Oh, and by the way, here’s a key to that vault. Just make sure you don’t lose it.”
http://voices.washingtonpost.com/securityfix/2009/11/business_e-banking_and_the_6-f.html
Well-loved. Like or Dislike:
38 
6
Brian,
First, great article.
Second, I think it’s hilarious that the bank sues the victim, claiming to have acted in good faith in fulfilling the transfer requests. Never mind the fact the request for the access code came from an IP in Italy, while the victim organization is a local one right there in Texas and geographically near the bank. Never mind the fact that many of the transfer requests originated from IPs in places like Romania, or that the transfer destinations were to places like Ukraine.
Clearly the bank is trying to establish precedence in getting the true victims to be held responsible. But perhaps it’s time for the banks to actually step up and take some responsibility for the fact that for more than the last year, they’ve served as unwitting participants in these Eastern Bloc financial scams — despite the fact the indicators of these scams can be spotted from miles away.
Maybe you could enlighten them on some online banking security 101 topics like Avalanche and Zeus?
Well-loved. Like or Dislike:
7 
1
Absolutely agree with Kevin. The IPs form FOREIGN countries should trigger an alarm in bank`s security staff. Even mid-range credit card processors are declining orders if the IP of the supposed credit card owner is NOT in the same state where the card is issued. What shall we talk about transactions of a U.S. company, made from Italian IP and Romanian IP? This is an absurd! Bank should take its responsibility in the same way if masked robbers had infiltrated and empty the safe.
Like or Dislike:
4 
1
I court reporter for lawyers of a bank for 20 years. I would NOT assume the bank was an innocent party here. Quite often banks perpetrate fraud on their customers, forge their names and create false paperwork after the fact.
Like or Dislike:
2 
1
Exactly. The days of robbing banks is over for the most part. Why risk your life and limb when you can rent services of a botnet — log some credentials and rob the bank that way? FDICwhat? All this while still in your spiderman pajamas while playing xbox live.. Bank physical security great….
Well-loved. Like or Dislike:
10 
3
The bank didn’t have a compromise, the customer did. Their online banking creditials (user id’s and passwords) were obtained by criminals looking specfically to steal money. The banks cannot control what people do on their computers or what virus and malware may inadvertenly downloaded on their computer. In most cases customers are given the information they need to protect themselves and they choose to ignore it. Like having the most up to date virus protection that continuoulsy scans for problems, using a dedicated machine with no other internet access for financial transactions, and not allowing one person within the company to be able to create wires and also send them. A seperate level of approval is needed. Everyone always says bad bank but what about the companies who take no action to protect themselves?
Well-loved. Like or Dislike:
30 
23
And who are you again? How dare you be arrogant enough to assume I was wrong. I have plenty of protection on my computer. Notwithstanding, the bank is also supposed to contact its customer if a transaction is unusual. In my case, it certainly was. Hindsight is 50-50. Know what you are talking about before you open your mouth.
Hot debate. What do you think?
9 
14
So, here’s the problem. Cyber-criminals have two primary methods for bypassing legacy security controls.
1) They are testing their code against the latest virus signatures from McAfee, Trend, and Symantec prior to releasing their code on the web. Those 3 companies alone make up 80% of the AV market, and the bad guys know that, and are given an opportunity to tweak their code prior to releasing it for sale or use. Also, the viruses now are poly-morphic, which means that they alter themselves everytime the infected machine clicks on a file or visits a web page.
* As a note, the VP of security at Symantec recently said that they have released more virus updates in the last year then the previous 17 years combined.
2) There is also the issue of exploit code/script. Did you know that there are 6 web application exploits that occur every 45 minutes? For example: The Aururoa attack used a vulnerability within IE 6 to provide a back door to execute commands on the victims PC and take control. From there, they can remotely do anything/everything they want and it typically depends on what type of machine they infected (Is this a Home PC or a Corporate PC). Do they want to steal passwords, send spam, or be used in a DoS attack are all options for them!
So here’s my question for everyone – especially any security professionals: If your a home user or a business, how are you going to protect against these methods?
What are you going to do when the very the bad guys are testing their malware against your AV signatures? Don’t say to just stay away from the bad sites because 70% of the top 100 sites have been compromise in the last 6 months.
How do you know if any of the applications you are running are vulnerable and how would you protect yourself anyways if there is no patch available?
I actually do have something that will greatly reduce the likelihood of this happening to you, but I would be interested in hearing what you think first.
Like or Dislike:
4 
1
I don’t doubt there are malware authors who specifically try to avoid detection by the three most popular AV programs. It would explain some of the poor performance by those programs I’ve seen when I upload things to virustotal.com. But I was previously assuming they were trying to avoid detection by *all* of them, so it doesn’t actually change my approach. I would never trust something just because my AV program didn’t detect a problem. And I’ve certainly found bad things on good sites, so I don’t assume I’m safe by not going to bad websites.
You can use some other operating system other than Windows; it’s a good suggestion, but not an option for everyone. You can have a dedicated machine for banking that doesn’t run Windows, as has been suggested here. You can use a CD that will boot your Windows computer using a different operating system before doing online banking, as has also been suggested.
For general web browsing, I would suggest using an alternative browser, like Firefox. In addition, I would add Noscript, so that javascript runs only if I allow it, — and I would only allow it when I expect it to be needed, usually only on a one-time basis, and only for the domains I choose. I have FF set to always ask where I want a program stored when it is downloaded, even though I always put it on the desktop. That way, I am always alerted that a download is going to occur and can cancel it if it is unexpected/unwanted. Finally, I keep up with announcements on sites like this one about other exploits that have been reported, such as those using .pdf files, so that I can be particularly alert when there is an unpatched vulnerability being exploited.
Nothing is ever 100% protection, especially if someone is specifically targeting you, but it lowers the risk for the average web user considerably.
Like or Dislike:
3 
1
> I actually do have something that will
> greatly reduce the likelihood of this
> happening to you, but I would be interested
> in hearing what you think first.
So how do we find out more?
(Note that I have just finished three 18-hour days in a row working on something that will require no awareness, much less effort on the part of organizations banking online, but would reduce the probability of a loss due to cyber-thievery against commercial accounts to *zero*! Instantaneously. )
Like or Dislike:
2 
1
WAKE UP! i am a victim of this exact crime and have learned there is NO protection or software I can purchase to protect my company’s online bank accts from this particular virus – but the banks CAN set up multi levels of authentification and chose not to because commercial accounts. unlike personal, take the hit so no worry on the bank’s end.. starting with a simple block when money is transferred from the US from an account that has never transferred money period, let alone to a well known terrorist group recoginized by Homeland Security! Do your homework and get back to me.
Like or Dislike:
0 
3
1st line of defense: Don’t bank online. But if you HAVE TO bank online, then…..
2nd line of defense: Use a dedicated machine with a Linux O.S. (see also http://www.distrowatch.com &/or http://www.linux.org/dist/list.html for comprehensive listings). Can’t use a dedicated machine? Then…..
3rd line of defense: Boot the machine off of a Linux disk and save your data to a USB flash drive. And DO NOT store your login IDs and passwords electronically; but DO store them in a physically secure place (e.g., a safe).
Like or Dislike:
0 
0
You got it!
Like or Dislike:
0 
2
You may think a larger bank offers more up-to-date electronic security, but if they don’t have a local branch, it isn’t practical to bank in person and you’ve introduced other risks in the system. A “hayseed bank” might be the best choice in a rural community if its staff knows the businesses in their town aren’t likely to wire money to Eastern Europe. A small business could represent a significant client for a small bank. They may even know their clients’ employees well enough to spot someone impersonating one of them by phone.
(BTW, is anyone else annoyed by the way the comments are threaded on this site? It’s pretty hard to see if any new ones have been added since you visited last.)
Well-loved. Like or Dislike:
11 
1
Being a recent victim myself, your remark is on one of the stupidest I’ve heard to date. Obviously a customer has an expectation that his bank is secure; that your money is safe. That is the very essence of a bank. Clearly our money is safer under our pillows. Perhaps you are smarter than the rest of us business owners who have been quite sussessful until the bank walks away and says ‘”opps, your problem.” And the saddest of all, to add insult to injury, the bank sues the business? That’s really messed up and shameful.
Well-loved. Like or Dislike:
12 
8
Karen,
If you are *that* Karen, Brian Krebs or Troy Owen can give you my phone number. Give me a call. There may be something I can do, as a private investor, not just as a “lobbyist”.
Have you talked to Pete King about what TD Bank did to you? Rep. King is on *all* the relevant committees.
–Jim Woodhill
Like or Dislike:
3 
2
wake up! obviously they assumed the bank was safe, – isn’t it a “bank” after all? otherwise why wouldn’t they leave their money under their pillow? Were they ever told otherwise regarding any risks? i think not. They are machinists, not fraud experts!
Like or Dislike:
2 
2
This will be an interesting case.. There definitely needs to be a stronger standard in the authorization process with logging on to web-based banking. The single factor authentication now does nothing once the attacker has sniffed/logged the credentials from a user’ computer with their Trojan. If the bank has some form of location based security for their site based on the origination of the IP it still becomes ineffective as the attacker (thief) can proxy the traffic through the persons computer they received the credentials. We need a stronger industry standard for online banking in terms of verification of user on account.. Right now the system is weak!
I’m Joe Hacker in St. Petersburg with my Zeus botnet sniffing your keystrokes or form entries when you log on to your US bank. All I have to do is then login with those and the bank based on their 1-factor security standard and mule away all your money. GG .
The standard for OS-based security against malware/viruses/trojans is a whole other onion to peel…
Well-loved. Like or Dislike:
12 
5
While this would help, it would merely kick the can further down the road.
Let’s say for example you added some other authentication mechanism so the bad guys can’t just log in from Romania. They still have an infected machine at the company in question – the next time someone at that machine tries to do some banking, the malware can cause the transfer to be redirected and for a different amount without the user knowing. If the malware is clever, it would alter the page being displayed to make it look like everything is normal.
Well-loved. Like or Dislike:
9 
1
I know this.. Sessions hijacking/modification. There have been examples of what you have stated for some time now in the wild. That is partially what I was alluding to with my post saying that part of the problem is the online banking system and its authentication problems along with the assumption that once you login with your credentials you can initiate a transfer. There needs to be new mechanisms that prevent muling-related instances and require possibly a phone call to the bank or some other human mechanism before initiating a transfer. There needs to be better standards for banks that participate in online banking..The actual OS level security is a much more complex and entrenched issue that will not change for a long time.
Like or Dislike:
3 
0
I think email authentication schemes should die. 90% of the public logins in to POP/IMAP using unsecure methods. At least us SMS or tokens for 2nd factor authentication.
If you computer is owned by a trojan all bets are off, no matter what. That’s why Brian in the past has pushed for Non-Windows based OS or boot CDs, because once your owned there’s nothing the hacker can’t mimmick. Or just hijack a legiment session you started. 2nd factor methods just help with brut force and maybe some old fashion phishing schemes.
Well-loved. Like or Dislike:
7 
0
That’s just great but more consumers use windows than macs because they don’t know otherwise; it’s the way it is. If they did, they wouldnt use windows, obviously. Unless they want to be robbed. Hmm….
Like or Dislike:
1 
2
The Zeus can also bypass multi-factor authentication. Banks are required now to have multiple layers of security. The fact is the crooks are better and faster at circumventing security measures then banks can update their systems.
Well-loved. Like or Dislike:
11 
0
Along with the authorization security needed to be beefed up so does the wire transfers..
Well-loved. Like or Dislike:
4 
0
Brian: I’m thinking about why the bank took the aggressive step of suing its customer, which normally is not considered good publicity for the bank. (What are the bank’s other business customers are thinking when they see the bank is suing its own customer?)
My guess is that the bank decided it needed to seize the initiative. $200,000 is pretty much all that is at stake monetarily in the lawsuit. That’s is a relatively small amount for a lawsuit on a sophisticated topic like this. From the perspective of the customer (a smaller enterprise), the sheer cost of gearing up for the lawsuit (marshaling lawyers, experts and evidence and distracting management) pretty quickly starts to approach the $200,000 figure. The litigation costs become an incentive for the customer to just give up . . . settle and agree to stop talking about the incident.
From the bank’s point of view, suing a customer is not fun. But the incident is already publicized, and the bank apparently thinks it can (sorta) clear its name by prevailing with the lawsuit and forcing the customer to remove and/or retract the news item on its web page. Plus, if the bank prevails, it avoids reimbursing the customer for the $200K.
–Ben Wright, Dallas, Texas
Well-loved. Like or Dislike:
12 
1
Although I agree with what you are pointing out here; it does seem ridiculous to pay lawyers $200,000 to initiate and follow through to a lawsuit, when simply paying the victim the same money would have been settled out of court instantly!
I realize the bank probably doesn’t want precedent set here also, but it is still ridiculous.
Like or Dislike:
1 
0
^ Interesting case ^ Uh Huh!
What a retarded thing for an apparently foolish bank to do! I hope Hillary Machinery have shipped out by now to somewhere with real 2 factor auth, transaction profiling and a CSO worth their salt!
WTFH didn’t they spot the foreign access ? .. I’m sure that they could deny all transactions from IPs outside the US and cause very little loss of business too. OK, thats a little extreme… Put them on hold and make a damn phone call …
If you log in to paypal via a proxy/tor node in another country and then from home within a very short space of time your account is frozen.
Yes I said login… You don’t have to do anything else. & the exact same thing happens with the two factor auth tokens too!
I hope this causes bouts of hilarity for the prosecutors involved… on both sides & they learn and invest in a CSO.
CSO for hire… (It’s cheaper than taking your eye off the ball).
Hot debate. What do you think?
10 
11
Hidden due to low comment rating. Click here to see.
Poorly-rated. Like or Dislike:
3 
16
This should interesting in court. Most people do not realize that when the bank takes your money as a deposit, it becomes the bank’s money, no longer yours. The bank statement is more like an IOU that is collectible when you choose.
I would argue (and no, I am not a lawyer) that the bank lost its own money and I want mine back.
Well-loved. Like or Dislike:
13 
6
This is going to be a very interesting precedent and it will be interesting to see how the courts rule on this one. The key to solving this problem in the long term is to create a much higher level of integrity in the ACH supply chain. Think tamper-resistant seals in the physical world and translate that to information supply chains. Trusted timestamping (see ansi x.995) and software like Trusteer or TrustDefender on the desktop are starting points in creating infrastructure with a higher level of resiliency.
Well-loved. Like or Dislike:
5 
0
Saying that “requiring your private credentials information” is “reasonable security measure” is a joke. In my opinion, reasonable measures should include:
- Require “side channels” confirmation for transfers that exceed an estipulated amount. You need to go to an ATM or call the bank’s hotline to confirm the destination account’s data entered online.
- Set a “max number of transactions/day” trigger to contain the damage if the perpetrators try to make several small transfers like in the example here.
Well-loved. Like or Dislike:
16 
1
The only problem is that the side channels can get compromised in a coordinated attack. That is, the thief could implement the transfer and then call the bank hotline.
Here’s another idea already in use. My Etrade account uses a physical key that I carry with me. The key shows a six-digit combination that changes every minute. Once I log into my Etrade account, I authenticate with the six-digits appended to a password that I memorize. On the other end, Etrade locks into my IP address and TCP source port (my session identity), so even if an eavesdropper were to capture my keystrokes, he would not be able to log in because the Etrade session would only accept my session identity. The thief could even proxy through my machine, but the session identity would be different, so he would not get through. Additionally, the password changes every minute, further complicating the process for the thief.
I’m not saying that this is a foolproof system, but it’s the best I’ve seen so far.
Well-loved. Like or Dislike:
15 
1
But if your machine became compromised, then even the eTrade keyfob is no longer adequate protection. I suppose you are correct in saying that it would be a huge improvement in what most people have now, and if a few people were to start doing it, all it would mean is that that the bad guys would pick on those who don’t. But eventually if enough people started using tokens, the bad guys would change their methods as required.
This gets to the point of why Brian was recommending that people use something like a boot CD for online banking. Both to keep people from capturing your credentials, and also to ensure that your own machine itself isn’t compromised.
Well-loved. Like or Dislike:
14 
4
Yes that was his point. And it was a very good point. But it would seem by reading these comments that the subtlety of it all went over everyone’s heads.
Well-loved. Like or Dislike:
9 
3
IP Addresses can be temporarily moved by a Hacker and even CUNA Alerted all Credit Unions across the nation on Oct. 8th, 2008 that using IP addresses to ID your PC was not secure.
Real-time Keloggers, such as the Zeus Trojan, have made any security requiring the user to type in their credentials to be a useless solution, including the OTP token that changes every minute.
The SoundPass solution that Anheuser-Busch Employees’ Credit Union has been using for a couple of years is the best MFA solution available. Check it out.
Like or Dislike:
4 
2
Uh, where do we “check it out”?
Like or Dislike:
3 
0
Since the weakness being exploited is not authentication, I do not see any form of MFA solving the problem. Unfortunately, the weakness is in the customer computer.
Like or Dislike:
0 
2
Terry,
You are correct that nothing that goes through Windows can be trusted. There are, however, TOOBA (Totally Out-Of-Band Authentication) solutions available.
What needs to be “authentified” (to coin a verb ) are transactions that *add a new payee* (vendor or employee). Lighter-weight authentication can then be used for logon and even making a payment to an established payee.
Like or Dislike:
1 
0
The PlainsCapital memo sent on November 12 reads, in part: “The process of registering a computer to be used in conjunction with the specific login credentials involves receiving a secure access code, which is delivered to a specified email or phone number tied to the user account.” Did I miss something? That’s like locking a door and hanging the key by a string from the doorknob.
There are a gazillion ways to hijack email accounts, so using an email account to register a computer IP address does nothing to provide an additional layer of security.
The bank ought to cough up the extra $200k and then fire their online security team.
Well-loved. Like or Dislike:
17 
3
Exactly, if emails were secure, we wouldn’t need ssl or secured e-commerce sites, we could just send a cc# over on an email or simple cgi mailto: form.
Well-loved. Like or Dislike:
5 
0
The security team aren’t necessarily to blame. The security team are hired by the pinstripes who hold the purse strings and decide what software is going to be used. Some security teams are worthless because even today all they know is MSFT seen through rose coloured glasses. But it mostly wouldn’t matter anyway. It’s about management. A good security team would categorically refuse to use Microsoft products if they were allowed to. Often they’re not allowed to and they have to work around incredibly stupid situations. And because they can’t pick the environment, the companies will always be compromised and they’ll always be given the blame, even though they knew better and tried to get the pinstripes to listen. The blame goes to the pinstripes. To those who made the decisions. To those who said ‘yes we can work with MSFT for our online banking systems’.
Hot debate. What do you think?
11 
9
I agree the blame falls on a whole raft of things, including management, the OS, etc. But I think the situation is a lot deeper than that. The fact that management can act like boneheads is nothing new, yet great things are still accomplished at companies. Same goes for MSFT: I’m not a big fan of them, but I can’t deny that there’s some awesome software written on that OS, perhaps despite its shortcomings.
In my original comment, I was only pointing out that the failure highlighted in the memo goes to a fundamental flaw in logic. Qualifying an IP address with an email is a bad idea. I don’t know the whole situation, so I can’t pass judgment on anyone, but looking in from the outside, it appears that such a fundamental flaw in logic is indicative of a basic failure to understand security, and as such, whatever security team decided on that approach ought to be examined closely.
Like or Dislike:
3 
1
There are really two problems here: First, the bank should have had two factor security. Second, they should have had a real verification process in place. Email is not trustworthy for something like this. Shoot, email isn’t trustworthy for anything you don’t want other people to see.
It amazes me that the bank didn’t make a phone, that they didn’t shut down the transactions until they had actually spoken with a pre-approved representative of Hillary. Who was in charge of their security, anyway?
Well-loved. Like or Dislike:
15 
1
Fantastic case. Want to see innovation in online security? Place the liability on those with the resources and ability to manage the risk. It’s time to update the laws to hold finserv accountable. We owe Hillary a cold one (please don’t take that out of context
)
Well-loved. Like or Dislike:
14 
3
Years ago there was a German insurance company sued by a client who’d lost a lot of money through the insurance company’s flawed bookkeeping. The insurance company went into a panic and started hunting the bug and were able to prove it was caused by customised software they’d bought from a German software house. They sued the software house.
The software house went into a panic and started hunting the bug further. They were able to prove the bug was actually caused by a flaw in Lotus Symphony. So they sued Lotus.
Now Lotus went into a panic and started hunting the bug further. They were able to prove the bug was actually in their C compiler. The compiler was generating a short jump when instead it should have been generating a long jump.
The compiler was built by Microsoft.
Hillary’s site isn’t much to look at but at least they had the brains/good fortune to pick a secure web server.
HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 70210
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html
Not so with the bank. Note their ‘expires’ date is over a fortnight ago. Class.
HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Tue, 12 Jan 2010 02:50:02 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 12.0.0.6421
Content-Length: 35351
Connection: close
One can in theory criticise Hillary’s for one thing: not knowing enough (or asking enough) to shun any bank using Microsoft’s dangerous web software. There are IIS/ASP zero-days out there even Microsoft can’t find.
But that’s not the point. The point is that good security people know to avoid Microsoft web software like the plague. And they also know enough to be able to implement an Apache/Linux system if they have to. And they know in general how to build and sustain secure infosec systems. But the likelihood here is the bank never gave that a thought and went and hired on people who don’t know how to give that a thought either.
The moral is that if your bank is running IIS/ASP then they’re probably not too clued in about security and should be shunned. That’s Hillary’s only indiscretion. Everything else is firmly at the feet of that ‘stable and strong’ bank.
Well-loved. Like or Dislike:
19 
14
I am on the customer’s side here. One glance at their website should tell you everything you need to know:
http://www.hillaryinc.com
I can deduce from this page that they don’t even have a CTO, much less a CSO. The bank has the burden of being up-to-date on technical security issues, especially when the login IP of a Texas company is from *Romania* and they are transferring $100K chunks by wire. There should have been red lights flashing and red flags waving, or at least a phone call made to the company manager to verify the transfers.
Well-loved. Like or Dislike:
22 
3
Hilarious…..PlainsCapital is now looking for a Wire Transfer Risk Specialist in Fort Worth.
http://www.careerbuilder.com/JobSeeker/Jobs/JobDetails.aspx?lr=CBCB_FWST&SiteID=api_WDHR8F96W06WY727794B&Job_DID=J8G4676B6HNBZ28RN69
Well-loved. Like or Dislike:
21 
1
Hidden due to low comment rating. Click here to see.
Poorly-rated. Like or Dislike:
3 
13
yeah, and you gotta love the job requirements, HS diploma or bachelor’s depending on which part you read, and one year experience. That qualifies you to prevent wire transfer fraud and in your spare time process wire transfer requests as back up to the regular staff.
I’m impressed. NOT!
Well-loved. Like or Dislike:
9 
0
It appears that the bank has pulled the Wire Transfer Risk Specialist career opportunity listing off the web. Maybe they found someone or maybe they are rethinking the job requirements. I looked at it on the bank’s website on Tuesday and should have printed/screen-captured it. From what I remember they were looking for someone with a Bachelors degree and 1 year of direct or similar experience. Those requirements are alarming. Hopefully it was an inexperienced employee who posted the opportunity incorrectly. The alternative is a reflection on the bank management’s overall awareness of infosec.
Well-loved. Like or Dislike:
5 
0
Hillary’s being pretty vocal with the alert on its web page and its statements in the press. I think that is a key reason the bank has initiated suit.
To prevail in the lawsuit, little Hillary may have to spend a lot of money, quite possibly much, much more than $200K. If Hillary fights and loses the lawsuit, the bank might then (in theory) sue Hillary for defamation, which could cost Hillary a whole lot more. I suspect the bank would like Hillary to think about all those costs and decide it’s in Hillary’s best interest to just settle this and shut up.
Well-loved. Like or Dislike:
14 
3
Then perhaps if there’s enough negative publicity and loss of clientele, the bank can be induced instead to drink from the cup of STFU. One would hope so!
PS. Again: kudos to Bk for getting all this fantastic material. Nobody else covers it. Bk deserves our thanks.
Well-loved. Like or Dislike:
15 
0
maybe so, but I can find no case law on any similar cases; can you? And geez!, can you imagine what follows if Plains can’t prove thier case?
Like or Dislike:
1 
0
@tx_plow_boy “I can find no case law on any similar cases; can you?”
In the 1990s, I devoted a chapter of my book The Law of Electronic Commerce to this topic. To refresh my memory, I’m looking back at that chapter. . . . The dispute is largely governed by Uniform Commercial Code Article 4A and the online banking agreement between the bank and the customer. Although the topic is complex, generally speaking, Art. 4A protects the bank if the bank can show it used commercially reasonable security. Section 4A-202(c) even provides a procedure where the bank can get the customer conclusively to agree in advance (such as in the online banking agreement) that the procedures to be used are commercially reasonable. Given the terms of 4A, a well-crafted online banking agreement can go a long way toward positioning a bank for victory in a case like this.
The 1995 edition of my book analyzes form agreements published in the banking industry as of that time, where the form language was tilted to favor the bank in the event of a dispute like this. I suspect that most banks today use agreements that tilt pretty strongly in favor of the bank’s interests.
For this case, of course, I have not read the agreement, and I don’t know the details.
Like or Dislike:
5 
2
I think Brian is right on the money when he bascially says that consumer accounts have all sorts of protection under the law but business accounts have to fend for themselves, hence the need for “a well crafted online agreement” the banks need to assert that thier security is “commercially reasonable” to protect themselves from claims that it really isn’t that secure.
I deduce from Brian’s statement that a consumer can truely trust the bank to secure thier money and although a bank will gladly take a businesses deposits, the security rests with the business, not the bank. If this is truely the case then banks really are giving thier commercial customers a false sense of security.
Well-loved. Like or Dislike:
8 
0
it’s not defamation when only the facts are stated and no mention of “not a good bank to do bus. with” or similar comments.
Like or Dislike:
3 
0
Lets assume online banking keeps using one factor authentication for everything, and this password keeps getting sniffed. But if you want to add a new payee account to your profile, you have to confirm this action with an SMS (out-of-band).
It’s been a long time since I last had to add a payee to my online bank – folks and shops I need to pay don’t change much from month to month. Thus, locking down this function would effectively limit what the bad guys can do, and would not hardly annoy the average customer once the “regular” payee accounts are set up. But I guess banks prefer to spend our tax TARP money on lawyers and lawsuits rather than on improvements to their products that would actually benefit their customers.
Well-loved. Like or Dislike:
12 
7
Hidden due to low comment rating. Click here to see.
Poorly-rated. Like or Dislike:
2 
9
Brian:
On articles about money being stolen, would it be possible to somehow work into the article that spyware, malware, and stuff like that is no small matter.
When I read articles like this, it’s easy to form a mental picture of sophisticated break-ins, but the usual route is almost always some common malware on a PC.
Thanks for publishing, I’ve enjoyed reading your stuff for years. Keep up the good work.
jp
Well-loved. Like or Dislike:
5 
1
Hi Jack. Whenever possible, I always include information about the malware that may have hit the victim. I think this is important information, but unfortunately in this case I was unable to learn what malware was responsible, or indeed even confirm that it was malware-related.
That said, I don’t doubt for a moment that malware *was* involved, and I would estimate that there is a better than 75 percent change that the culprit is once again our friend Mr. Zeus/Zbot.
Well-loved. Like or Dislike:
5 
0
Set aside the foolishness of calling the use of an IP address as a second factor in multifactor authentication. Set aside the many ways an attacker can compromise a system, keylog or otherwise obtain credentials. What worries me is that the bank seemingly has no abuse monitoring on account activity.
Are $100,000 transactions common for this customer?
Are *multiple* $100,000 transactions within a relatively short business timeframe common for this customer?
What percent of the account balance did these transactions represent (cumulatively) and is this frequency and amount atypical for this customer?
Has this customer transacted with these recipients before?
Credit card abuse programs analyze buying patterns. I would expect banks to do no less. If PlainsCapital represents an industry norm, we should re-think online banking. If PlainsCapital’s practices are anomalous in the industry, then it’s no surprise they are proceeding as you describe.
Well-loved. Like or Dislike:
17 
1
I looked at the hillaryinc dot com website and it appears they deal in machine tools and other industrial equipment, so a $100,000.00 transaction should not be out of the norm for them. And while they might not have directly done business in the past with anyone in Eastern Europe, other businesses do import equipment from there.
The gotcha here is that the business and the bank had no procedure in place for out-of-band authorization of money transfers. Cell phones are cheap these days, one can get a “TracFone” and put a 1-year card on it for less than $100.00 a year. This phone would be the contact number for the bank’s authentication team/software to send a text message requesting authorization for a specific transfer. The business has a pre-set validation password they can text back or voice-call back. More than one cellphone number for backup in case the primary phone is lost or stolen. The bank sits on the transaction request, not allowing it until the authorization comes in.
If such a system is compromised, it means an inside job, at the bank or/and the business.
Like or Dislike:
3 
0
The time will come when all transactions over a certain dollar amount will require a “second channel of authorization” – probably a voice confirmation or phone call from a reliably-traceable telephone.
In the meantime, if a bank senses a login from a computer that “doesn’t make sense” for this customer, like Romania, it should treat it with suspicion.
Well-loved. Like or Dislike:
12 
1
The bar to preventing this fraud is pretty low, for instance the european TAN system would have prevented this loss but thats irrelevant, what on earth would this bank do if this loss had come via a man in the browser attack that pwn’s dual factor auth, and where this loss came from the victims actual PC? or ‘local’ attacks via one of the proxy networks where the crooks use PC’s in the victims home town?
When banks realise that they cannot rely on authenticating to a point of reasonable confidence the better.
For anyone who’s not aware: http://en.wikipedia.org/wiki/Man_in_the_Browser
In all fairness, some banks do get it, I play havoc with my banks transaction profiling by using some cards only online or only when I travel. They false positive all the time, even with verified by visa etc, but they have an automated service ring my mobile within seconds, I answer a few out of band security questions and I’m good to go again.
No banks perfect though, their 2 factor device implementation is poor as it does not authenticate the transaction amount so I still call them mostly insecure
Well-loved. Like or Dislike:
7 
1
Hidden due to low comment rating. Click here to see.
Poorly-rated. Like or Dislike:
8 
14
You know, given that a site like Facebook, which processes precisely zero financial transactions, has a feature which can tell when you’re signing in from an “unfamiliar location” (as reported by F-Secure last December,) you would think that any financial institution’s online properties would be doing this by default!
Seriously it is not rocket science.
I think we’re on the verge of a seismic shift in terms of how banks handle these incidents. Unfortunately I also think it’s far, far too late for the victims of these rampant thefts.
At what point does this become perceived as an “international incident” by a government? Witness Google v. China at the moment. This is a far more damaging series of crimes, and very clearly Russian, Ukranian and Romanian law enforcement are not doing anything about it.
SiL / IKS / concerned citizen
Well-loved. Like or Dislike:
8 
0
I agree with many of the commenters.
The “strange computer” notification happens with my bank if I use a computer that is not one of my usual computers.
The multiple transfers within a short period of time to “new” accounts, never used before.
These are all things that the bank should be aware of. Just the idea of a series of transactions within a short time that is out of the norm for this company should trigger some sort of pro-active response from the bank to the customer. Even if the transactions were delayed by a certain amount of time while being verified wouldn’t seem to be unreasonable.
Someone mentioned that the credit card companies will notice unusual cc behavior and contact the customer. That’s because the cc company gets to absorb the cost of the improper charges, less the $50 ‘deductible’. A business bank has absolutely NO incentive to stop the transfers since it’s up to the business customer to notice that extreme amounts of money have vanished from their accounts. They also have to notice this happening within a relativeyl short period of time.
I think the Hillary case should be an eye-opener to the business banks to step up to the plate and make the banking experience for their customers a mutually positive experience.
Well-loved. Like or Dislike:
11 
1
Does the bank require businesses to use Internet Explorer to do online banking? If so, do they provide a list of all the URLs that should be added to the “Trusted Zone” in order for their site to function?
It’s absurd that financial institutions insist a company allow its employees to not only use IE, but to do so with the general security level at the lowest setting in order for their site to work. Add to that the fact that no matter what a small company tries to set up for its employees to use, its Windows computers will reset IE to the default browser every time Windows gets an update, and you can easily predict they’re going to get pwned.
Like or Dislike:
4 
3
If you go to the hospital for surgery, the surgeon doesn’t insist on an HIV test first then only sterilize the instruments afterwards if the test is positive. Hospitals use “universal precautions.” If you would treat a patient’s blood differently if you knew that patient had HIV, then you should treat *all* patients’ blood that way. You assume a certain percentage of patients are infected but have false negative tests. It’s the only way to make sure all HIV positive blood is handled safely.
Similarly, you can’t expect computer users to keep their computers 100% safe, and you can’t expect an up-to-date AV program to detect 100% of infections. If companies who have computer experts on their payroll, like Google and Adobe, can get hacked, why do financial institutions set up systems that assume small businesses will be completely able to avoid it? Why don’t they have systems that assume hacking will occur occasionally, no matter how careful the customer is, and take that into account?
If your computer is hacked, the attacker has the passwords to your bank and your email account. He can use your computer as a proxy to log in to the bank from your IP address. He can always spoof your phone number for caller ID, even without having access to your computer or phone system, and if your business uses VOIP, I suppose he could log into your account and receive your incoming phone calls. He may get enough information to take control of your home computer, too. Banks need to assume those things can happen and are happening when there’s $800.000 of incentive involved. Then they need to come up with some type of “universal precautions” based on that assumption. (Not wiring hundreds of thousands of dollars to Romania without pretty good methods of confirming it would be a good start.)
Well-loved. Like or Dislike:
17 
0
The bank had an opportunity to take a step forward… instead they have chosen to take a step backward. Instead of suing the customer the bank should be working with its security vendor(s) and the customer to pinpoint where the security broke down then take steps to ensure it will not happen again.
Well-loved. Like or Dislike:
14 
0
Hidden due to low comment rating. Click here to see.
Poorly-rated. Like or Dislike:
4 
11
If you computer is owned by a trojan all bets are off, no matter what. That’s why Brian in the past has pushed for Non-Windows based OS or boot CDs, because once your owned there’s nothing the hacker can’t mimmick. Or just hijack a legiment session you started. 2nd factor methods just help with brut force and maybe some old fashion phishing schemes.
Hot debate. What do you think?
7 
4
While I don’t know what standards and procedures USA banks may adhere to, here in Australia, it’s common practise to use two phase security.
With this procedure in place, in order to complete any transaction over any value, business customers request an on-line transaction, then get a confirmation via SMS, to their nominated mobile (cell) service.
The also get a follow up link (URL) to click on.
They can’t finish the procedure without the random key code provided via the SMS.
The SMS also provides the date and the amount.
This method is as near as drop dead secure as it can get, as even if your local computer system has been compromised, hijacking your SMS receipt, via a different service, is magnitudes of orders, more difficult.
(Unless your a three letter, US Fed. Gov. security acronym)
This method is also very low cost, is easily implemented and is easily sold to clients, as it is terribly secure.
The only consideration is that it takes slightly longer to process a transaction.
I am a business owner who uses this method, I find it terribly convenient.
As do banks, which find it helps to almost eliminate fraudulent transactions.
The there is no argument, as the audit trial will soon prove whether it was attempted fraud, or a criminal act of identify theft.
Well-loved. Like or Dislike:
6 
1
That’s funny! I had always read SMS is one of the easiest forms of communication to intercept and manipulate. Maybe you country has a different SMS form of service than the rest of the world?
http://www.zdnet.com.au/sms-two-factor-authentication-dead-in-3-years-nab-339284387.htm
Like or Dislike:
0 
0
let me get this right, PlainsCapitalBank, an $87M TARP recipient is using taxpayer money to sue a taxpayer rather than using it to beef up security to protect them.
Well-loved. Like or Dislike:
13 
1
A good rant on this can be found at
http://radsoft.net/news/20100126,00.shtml
including more information about how the “compromise” was effected (emailing the account credentials to Earthlink in response to a request from a computer in Italy?) and how the fraudulent transfer requests were entered (from Romanian IPs).
I hope Hillary’s lawyers have the good sense to enter discovery motions for all the documentation around the design and operating procedures of Plains’ security systems. They should get some tremendously entertaining reading, and might well induce the bank to rethink their legal strategy based on what would come out in open court if they proceed.
It will certainly be interesting!
Well-loved. Like or Dislike:
8 
0
What happened to Hillary Machinery, Inc, also happened to a friend of mine. So many similarities, it sounds like the same perpetrators. The bank is a regional TX bank. I am not concerned with assessing blame at this point. I am concerned with protecting my business cash!
Lessons learned, as taught by Secret Service Investigator to my friend during the course of the investigation:
(1) No wireless PERIOD, no smart phone internet banking.
(2) One and only one computer used for internet banking.
(3) No web surfing or email use on dedicated internet banking computer
(4) passwords changed daily and cache, history and cookies all cleared after each session, even if you don’t think there is content to erase.
(5) Robust virus protection geared for networks, with automatic updates EVERY 4 HOURS (SS Agent said having just one company’s security software may not be adequate—yikes!) Another expert on the case reported that protection may not be 100% even if virus definitions are updated every 15 seconds.
(6) Most likely, the wires that were recalled successfully were held up in larger banks which have better security. The wires were were suspicious to them.
(7) Money was transferred over a two-day period during holidays in less-than-$10K amounts so as not to arouse suspicion by receiving banks.
(8) Use firewalls.
(9) Investigator didn’t say it directly, but hinted at using an Apple for internet banking, not a PC.
I’m sure there is more, but this is all I can remember from our conversation. Please add, subtract or append. I just want to be solution not blame-oriented.
Dave
Well-loved. Like or Dislike:
6 
1
Dave,
In Authentify, Inc.’s view, this problem should be resolved via legislation rather than litigation. Congress needs to extend the protections currently in place for consumer accounts to SMB accounts. We will be bringing this issue to the attention of the House Committee on Financial Services / Subcommittee on Financial Institutions and Consumer Credit this week. Please put me in touch with your friend who was victimized in the same way Hillary Machinery was.
Thanks,
Jim Woodhill
Chairman
Authentify, Inc.
jim.woodhill@authentify.com
Well-loved. Like or Dislike:
4 
0
@Dave:
You list is part of the picture – I might add that few seem to be aware that Microsoft has a free utility called “steady state” that locks the hard drive to ANY changes in files. Ordinary files would have to be stored on another drive or partition. I’m not sure which versions of Windows that it is available. If not available for your version, maybe a look at Faronics would be in order.
You would still want AV and AS solutions in place, in case the present session were somehow compromised. This would entail unlocking the drive at least two times a day, to update the operating system and/or AV/AS utilities. You would not want to do any unnecessary surfing during these updates; and immediately relock the drive afterward.
Some say a Puppy Linux Live CD would be better; your mileage may vary.
Like or Dislike:
1 
0
The first thing that’s needed (at least helpful) in hacking Plains Capital is a valid user name and password. If you go to http://www.plainscaptial.com, you’ll see that the bank violates one of the “Security 101″ rules — the user name and password are sent in the clear! (http, not https). And they claim to have adequate security measures? Are you joking?
Well-loved. Like or Dislike:
6 
0
If you enter an incorrect password, it gives you an SSL page. But if you entered a correct password the first time, it would be transmitted unencrypted, correct?
Like or Dislike:
3 
0
Add: small typo in that URL, it should be http://www.plainscapital.com
Like or Dislike:
1 
0
HAHA retards!
http://www.plainscapital.com/personal-banking/pages/index.aspx
POST /personal-banking/pages/index.aspx HTTP/1.1
Host: http://www.plainscapital.com
Well-loved. Like or Dislike:
5 
0
Their homepage account login form uses javascript to intercept the http form submit and then submits it securely. However, if javascript is turned off in your browser, the form submits the password in cleartext.
Game over for PlainsCapital.
Well-loved. Like or Dislike:
12 
0
Could use of Data Loss Prevention tools from Prevensys (http://www.prevensys.com) help to avoid this disaster?
Like or Dislike:
0 
2
How? The attack came from outside the customers network.
From the banks prospective this looked like a normal transaction as they let it happen
Second vector authentication like http://www.adeptra.com/ would have I’m pretty sure. Unless the bad guys could edit the contact details online
Like or Dislike:
2 
0
What does everyone here think of using smart cards issued along with other forms of ID (i.e. built into drivers licences) from the states as authentication to secure sites like banks?
Like or Dislike:
0 
5
Being a native Bubba, for the last 20+ years at least, I would wonder why a business in a major city (Some think Dallas is suburban Plano, but that’s another issue), would do their banking 300 miles away in Lubbock. Within the last 20 years, “Branch Banking” became legal in Texas, it was not before. It’s likely that this is personal, too, in some way. For the record, 200k would get my full attention, but in the words of a recent President, bad blood too would get my “fuller” attention.
In addition, the U.S. District Court for the Eastern District of Texas is the venue of choice for some, shall we say, “novel” torts. Plano is in this District, Lubbock no. The Bank might be thinking the venue is more of an advantage than the PR hit is a disadvantage.
Like or Dislike:
1 
0
Gartner issued a report on Where Strong Authentication Fails and What You Can Do About it http://www.gartner.com/resources/173100/173132/where_strong_authentication__173132.pdf that contains interesting reccomendations on how to mitigate from these attacks. We need both banks and the security industry to catch up with mitigations for these cybercrime attacks. Also FFIEC need to update the document on guidelines for authentication in the banking environment since thos provisions for MFA are not adequate to mitigate current threats.
Like or Dislike:
3 
1
According to a statement released by Town of Poughkeepsie Supervisor Pat Myers, Town of Poughkeepsie bank accounts were hacked on January 12, 2010, and four unauthorized transfers totaling $378,000 were made from the TD Bank account and deposited in banks in the Ukraine. These transactions were discovered the next day and the bank was immediately notified of this activity. The police were called in to investigate.
http://www.townofpoughkeepsie.com/supervisor/PressRelease126.pdf. I am not a computer guy just a town tax payer looking into what happened and it there is any recourse. I appreciate your comments.
Like or Dislike:
2 
1
WRITE YOUR CONGRESSMAN AND BOTH SENATORS. If you would like a sample letter, send me an email at jim.woodhill@authentify.com.
The banks always take the position that these incidents are a “commercial contract” matter. Nonsense. Your town has become the victim of a *crime*. It is axiomatic in political science that what to do about crime is everywhere and always a political question. If somehow, somewhere, a bank can get a judge to agree that under current law it is “commercially reasonable” for them to allow their customers’ money to be stolen, then “current law” will have to be changed.
Well-loved. Like or Dislike:
4 
0
Update analysis of the PlainsCapital Bank v. Hillary Machinery lawsuit, especially the intriguing public relations dimension: http://bit.ly/public-relations .
Like or Dislike:
0 
0
Excellent link Benjamin! Seems like a settlement is already in place.
Our congressmen need to look at this, and not only change the liability laws, but help the banks with their security concerns. After all we are supposedly in a “cyber-war” with enemies already. It only makes sense for the government to help the little banks out on the infrastructure and costs on this new security,. if they mandate the requirements.
Consumer’s Union has more or less joined the fray, with political action to improve credit card practices and fraud protection. CU is a BIG lobby, I didn’t hesitate to join, and we now stand together to put pressure on congress and the banking industry as a whole!
Like or Dislike:
1 
0
On the issue of 2 factor authentication; I am dumbfounded as to why banks cannot offer their customers these technologies, when online gaming companies such as Blizzard Entertainment, creators of the massive multi-player online game World of Warcraft, do so for a nominal fee. Surely people’s real dollars are worth far more than in-game gold.
http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660
Like or Dislike:
0 
0
Sadly, 2-factor authentication does not protect against having a resident bot infection in the customer computer, and bots are our current problem.
Like or Dislike:
1 
0
> Sadly, 2-factor authentication does not protect
> against having a resident bot infection in the
> customer computer, and bots are our current
> problem.
The way I described the situation with respect to cyber-thievery from commercial accounts on the Hill this week is that 2010 is to this new problem as 1996 was to identity theft. We just want to get to 2003 (by which time Congress was Mad As Hell and Was Not Going to Take It Anymore) in fewer than 7 years. We need to because the attackers are “destroying livelihoods”, not just inflicting “temporary inconvenience”.
(In The Fair and Accurate Credit Transactions Act of 2003 (FACTA), Congress did an absolute reversal of the burden of proof in identity theft cases, and specified a 4-working-day maximum for the credit reporting agencies to get a disputed account off one’s file. The equivalent action today would be to extend Federal Reserve Regulation E to commercial accounts, *retroactively* to, say, late 2004 when the “Lopez” incident happened at Bank of America in Miami.)
Like or Dislike:
2 
0
I am happy to agree that network computing and online banking have a serious malware problem. Indeed, modern malware may have the potential to sink the online banking industry. Nor is replacing lost funds an answer, since losses drive up banking costs for everyone. However, simply requiring some form of 2-factor authentication also does not address the problem, because it generally does not prevent bots from doing their work.
Could there possibly be some form of 2-factor auth that would work? Maybe. But that is what the security vendors used to say (and some probably still do) about ordinary 2-factor. They were wrong, wrong, wrong. Alas, that means you will have to be considerably more forthcoming about technical details beyond the usual broad hints with an implied “trust me” smile. The solution must work.
It seems strange that Microsoft, with about 93 percent of browsing occurring in Windows, does not get more blame for not producing a sufficiently secure product. The question is whether Windows, running on the expected hardware, is fit for the purpose of online banking.
The best solution for those who need secure online banking NOW is to learn to run Puppy Linux from DVD. Start from my article:
http://www.ciphersbyritter.com/COMPSEC/PCBANSQA.HTM
Like or Dislike:
1 
0
> I am dumbfounded as to why banks
> cannot offer their customers these
> [true 2-factor authentication] technologies
Why World of Warcraft takes identity more seriously than, say, TD Bank does would be a great question to ask the executives of offender banks!
But note that RSA token cards were just beaten at FifthThird Bank. So losses are happening even at banks that complied with the FFIEC’s 2FA guidance (though not with “layers” of defenses, apparently). Mercifully, FifthThird did the right thing and reimbursed the (commercial) customer even though they were not legally required to. (Yet… )
Well-loved. Like or Dislike:
4 
0
FYI the funds were “restored” to the Town of Poughkeepsie accounts “with the assistance of TD Bank and various law enforcement agencies”. See the official press release dated 3-18-10.
http://www.townofpoughkeepsie.com/supervisor/Restored_Funds.pdf
Like or Dislike:
1 
0
Good news! Was this helped by Brians publicity? & do you know what changes were made on the banks side to firm up security?
Like or Dislike:
0 
0
It was somebody’s publicity. From the wording of the press release, I suspect that to get their money back, they had to try to undo some of the harm to TD’s reputation.
Like or Dislike:
0 
0
Wow. Conducted in meatspace, it would go something like this:
Bank Teller: Hello, how can I help you?
Customer: At this time, I would wish to be withdrawing $100,000.
BT: Ah, well, I’ll need to see some ID…
C: Here is passport.
BT: Uh, sir, the person authorized on this business account is Larry Sanderson, but your passport says you’re Ladislau Sandulescu… are you shhuuuurrrre that you’re allowed to withdraw from this account?
C: [quickly consults Romanian-English dictionary] Most definitely, of it I am certain.
BT: You wouldn’t lie to me, now, would you?
C: No, a truth which is not I would never say!
BT: Uh… well… OK then! [hands over $100K] Anything else I can do for you today, sir?
C: [turns and runs for the door, knocking over several people]
[... several minutes later...]
BT: Nice to see you again sir, how can I help you?
C: At this time, I would wish to be withdrawing $110,000.
Like or Dislike:
3 
0
I read all this. After having court reported litigation my client’s bank client was involved in, I determined banks are your enemy (in the 70s and 80s). After reading this, my decision to do no internet banking is validated. Isn’t it funny how your bank pressures you into internet banking, oh, how secure it is. And your bank has bought your politicians who should be your line of defense after ye bank.
Face to face is the only way if that can be accomplished. Person-to-person international banking exists, or at least it did when I was doing the court reporting.
I foresee a trend of mama and pappa eschewing all large chains in favor of down-the-street ‘people you know.’ Back to the 40s.
Like or Dislike:
1 
0
The weakest link will always be the end user. There are numerous phish and botnet type attacks designed specifically to harvest this type of information.
With that said—I am disappointed that more financial institutions do not employ simple technologies such as RSA tokens for their electronic commerce/banking applications–even some of the biggest banks still don’t issue tokens to their retail/business customers. RSA type tokens are commercially available and easily incorporated into applications that require login credentials.
Yet when offered, I still find banking institutions that are reluctant to spend the $10-20 per token that would prevent many of these types of fraudulent transfers when their customer’s login credentials are stolen.
Like or Dislike:
1 
0
The problem is not a lack of login credentials, tokens or verification. The problem is malware infection, which means a live bot may exist in the customer computer between the user and the bank. Any credentials of any form whatsoever demanded by the bank can be allowed through by the bot, which then has full access to the account. The bot can change the screen display so the user thinks nothing bad has happened. As long as the bot is present, there is no security. And there is no guaranteed way to detect a bot, especially if it has been customized. To avoid existing infections, learn to boot free Puppy Linux from DVD with Firefox and security add-ons.
Like or Dislike:
1 
0
I had a debit card with a major bank that had my picture on it. It fell out of my pocket, and someone picked it up and immediately charged almost $1000 at a convenience store, where the clerk didn’t bother to compare the picture on the card (or the signature) to the person using the card.
The bank said “tough luck” and would not even investigate the fraud.
Now, at least, to use the card I have to enter in my zip code (and since I have an unusual zip code, this offers me a modicum of security).
As a result, I now insist on choosing a bank that requires PIN numbers for credit cards, just as debit cards work.
Debit cards do not have the legal loss protections of credit cards (although if Obama’s banking reforms pass this may change), and credit cards traditionally don’t have PIN security. So it was hard to find to find a secure credit card.
The only company that supports the consumer is American Express, but since they have high bank fees, many retailers won’t accept them. The hunt for an honest, secure, universally-accepted bank is unending.
Like or Dislike:
1 
0
Most bank staff cannot comprehend network security. Attempts at enlightening them often proves unfruitful. It often takes auditors to compel banks into action. I still know of banks that won’t use Multi-factor authentication. I know that’s not comprehensive but it’s better than nothing at all. (Why position yourself to be low hanging fruit?)
The problem with Debit cards is that once you provide a PIN to a merchant, you are entrusting the key to unlock your bank account with the merchant’s security. And most merchants are clueless when it comes to anything close to Payment Card Industry security. As an example: in 2007 in Southern California, it was speculated that Office Depot Databases were compromised. Hackers harvested Debit card numbers and corresponding PINs. Wamu, BofA, and Wells Fargo reissued 250,000 debit cards in response. The actual breach was never positively identified.
Everytime you use a Debit card and provide your PIN for a retail transaction, you’ve just entrusted it to the merchant’s network security.
I would suspect that using Debit cards with various retailers also increases your chances of encountering Card Skimmer too. Yet banks issue Debit cards to customers by default. Bank staff doesn’t even know how to issue a simple ATM Card anymore.
Since electronic deposit is quickly becoming the industry standard practice, the business model needs to change because the bad guys are adopting more quickly than the financial institutions and merchants. The “It’s too complex” or “It’s too expensive” is no longer an acceptable excuse.
Like or Dislike:
1 
0