01
Feb 10

A Tale of Two Victims

facebooktwittergoogle_plusredditpinterestlinkedinmail

When a computer virus infection at a business allows thieves to steal tens of thousands of dollars from the company’s commercial banking account, banks typically don’t reimburse the victim company. But the truth is, most banks make that decision on a case-by-case basis.

Take, for example, the case of two Umpqua Bank customers in Vancouver, Wash., both of which suffered major financial losses last year after compromises at employee computers allowed thieves to access their accounts remotely.

Libby Tucker, a reporter for The Columbian, set the stage nicely in an A1 story on Dec. 5, 2009:

Battle Ground Cinema Clark County businessman Elie Kassab watched more than $81,000 vanish from his Battle Ground Cinema bank account in March. Umpqua was alerted to the thefts and traced the money to several East Coast accounts but was only able to recover $18,193.53 before the money disappeared offshore.

Similarly, Shared Hope International, a Vancouver-based nonprofit for impoverished women, lost $179,000 in May when three unauthorized transfers swept the funds away to a Russian bank. That money was not recovered.

In both cases, Umpqua confirmed the thefts, and identified security breaches in its clients’ computer systems that it says allowed the thieves to access their accounts remotely. Umpqua has since refunded the entire amount lost by Shared Hope but is still battling with Kassab over who’s to blame for the fraudulent transfers.

So what happened? According to The Columbian, both companies were refunded the lost money, but the bank demanded Kassab give the money back after its forensic examiner reportedly found a  number of virus infections on his PC. The bank never asked for the $179,000 back from the other victim organization, which was founded by former U.S. Congresswoman Linda Smith (R)

Elie Kassab, President and CEO of Prestige Development

Elie Kassab, Battle Ground Cinema owner and CEO of Prestige Development

In a phone interview with krebsonsecurity.com, Kassab said Umpqua has since frozen more than $22,000 in his business bank account. When asked why he thought the bank treated him differently than the charity, Kassab said he had no clue, but shared with me some very interesting information. Turns out, the guy who conducted the forensic review on his computer also conducted the same review on the compromised Shared Hope PCs.

As readers can see from viewing these reports — one for the Battle Ground Cinema PC (.pdf) and the other for the Shared Hope system (.pdf) — password-stealing banking Trojans were found on both computers. Shared Hope’s scan shows the presence of the file “sdra64.exe,” which is a common component of the Zeus banking Trojan. Kassab’s scan indicates his system was also infected with a banking Trojan (“Win32.Banker,” the name some anti-virus products assign to Zeus infections).

Neither Shared Hope nor Umpqua Bank returned calls seeking comment.

Kassab said the bank’s action caused a number of checks he’d written for his business to bounce. “I had written checks for about $11,000, and now they’re holding that money,” he said. “[The bank] came back and said we want you to agree to forfeit the money and pay our experts’ fees. I pretty much told them to go screw themselves. Right now, I’m sort of just waiting for them to sue me.”

I have interviewed more than 100 victims of this type of crime in the past year, and I can say that while the larger banks are almost equally the targets of such attacks, they tend to settle customer disputes quietly. If they do reimburse victim customers, banks often require those customers to sign a non-disclosure agreement that prohibits them from discussing the terms.

Not all smaller banks are as inconsistent as Umpqua in the way they treat different customers victimized by the same scam. For example, Delaware based WSFS Bank disclosed last year on its quarterly financial report that wire fraud against two of its customers cost the bank more than $1.5 million. Stephanie Heist, vice president of marketing at WSFS, declined to discuss the details of the attacks, but said the unauthorized wires occurred as a result of compromises on the customers’ computer systems.

“It wasn’t our systems that were affected,” Heist said. “There was no breach into WSFS systems.”

According to WSFS’s 2nd quarter 2009 earnings statement and transcript of the earnings call with investors, WSFS reimbursed two clients for fraudulent wire transfers totaling $1.3 million, and paid an additional $200,000 in computer forensics charges.

Tags: , , , ,

63 comments

  1. Imagine that! Someone with political connections getting special treatment from a bank!

  2. Here in the uk Barclays bank offer Kaspersky Internet Security suite free to all online customers. It may be all banks will need to offer antimalware apps to help catch most malware before it leads to financial loss.

    • It’s far cheaper to outlaw Windows.

      • The Windows fanboys are out in force today.

        Previously, Mr. Krebs has STRONGLY suggested the everyone use a bootable Linux CD system when conducting online banking. Being on a CD, it is absolutely incorruptible; being Linux it would be highly resistant to viruses, even if it were not on a CD.

        I guess the Windows users can’t handle the truth.

    • You people truly are a mystery. You come here every day to see what else Bk has dug up, your system has zip security so you can’t protect a thing – and yet you want to hang onto it? Have you ever seen a secure system? Do you have any clue what it looks like? I love Bk but read around – you people are turning into the laughing stock of the security blogosphere.
      http://bit.ly/9RMVxP

    • I’m not entirely comfortable with the idea of my bank offering free security software. There are a number of issues to consider.

      1) I may already have security software installed. Most people have OEM versions of Norton or McAfee installed on their machine by default. There may be real incompatabilities, trying to run two different sets of security software on Windows.

      2) Will my bank give equal weight to my case if I present them with a fraud incident and I’m running Norton and the same report but I’m running *their* security software?

      3) At what point will my bank decide the edict “you were not running our security software, therefore you are entirely liable”? This is my most ardent fear. At this stage of the game, the bank will not listen to “I’m running Linux/MacOS/ReactOS and therefore cannot run your software”. Only legal action and expert testimony will result in fair justice being served. Enormous costs involved, of course.

      I only run Microsoft Security Essentials. I’m savvy enough to not put myself in a position where malware has any chance to install on my machine. The worst I get are tracking cookies. Unfortunately, I’m far from the lowest common denominator or even the average Windows user. Having the great mass of mostly untrained Windows users, clicking away merrily on every Facebook advert, free iPhone offer, “you’re the 19284820th visitor” banner and virtual stripper screensaver – this is why we have to worry so much about security that AV / firewall software is nearly a necessity, even for the clued-up.

      • ‘I only run Microsoft Security Essentials. I’m savvy enough to not put myself in a position where malware has any chance to install on my machine.’

        O RLY? lol

      • “I only run Microsoft Security Essentials. I’m savvy enough to not put myself in a position where malware has any chance to install on my machine.”

        So that means your computer is turned off, unplugged and locked in a safe? Oh wait, no, you are on the internet. You can literally get a malware infection anywhere, such as from an advertisement on a trusted site, served from Uzbekistan.

  3. $200,000 to do computer forensics on just two small companies? This must come to hundreds of person-hours.

    Maybe they swept /all/ their customers’ machines?

  4. No, it wasn’t the bank systems that were compromised. It was those good old Windows systems some people think are too precious to toss out. But as seen in the PlainsCapital story where there were several warning lights that went off and should have been acted on, it’s probably possible for the banks to check things such as sender IDs to help ensure the transactions are legit. If Bill won’t protect his clients, maybe the banks will. Great article.

    • Don’t be silly. If everyone were using Linux, you can bet the bad guys would have figured out a gazillion ways to compromise it as well.

      • If if if. More of that annoying fanboy mantra. But they haven’t, and that’s what’s important – namely that if you took the initiative and switched today, you’d be safe too. Right now. This minute.

        You’d have no more need for McAfee or Windows Defender or all those silly software titles. You’d be safe. Today. And so what if several years down the line the black hats do succeed in attacking Linux? They won’t – not like this. Nobody will ever be able to attack like they’ve done with Windows. As if. But so what? What difference would it make anyway? What difference does it make right now? If that day comes – and here’s a clue: it won’t because it’s technically impossible – but if that day comes: you change again.

        Those already in the know understand it can’t be like that anyway. The EFF, the FSF, and most security experts have for YEARS been advising against using Windows. Bill Joy can’t understand what Bill Gates thinks he doing – or if Gates even knows. Bill Gates apologised to the work seven years ago for all the ‘pain and suffering’ his software causes. Now there are three European governments cautioning their citizenry, several far eastern governments with nationwide programs to eliminate Gates’ software – and all you can come back with is the equivalent of ‘it’ll always be this bad’?

        What a brave new world you represent.

        And the security issues aren’t that simple anyway. It takes chops and time to understand what should be eminently obvious to all. And could be if there weren’t so many fanboys obstinately refusing to look at the real system security issues.

        You’re tacitly (and foolishly and dangerously) advocating people stay on a platform that’s literally getting the bejeezus kicked out of it, on a platform where even tonight more people are going to lose big money or their identities or both, when over 90% of all SMTP traffic comes through spam generated by Windows boxes and less than 10% of all mail traffic is legitimate.

        Bk himself says ‘don’t use Windows for banking’ and even published a tutorial on how to run a Linux CD instead. Are you going to say the black hats will find a way to corrupt read-only CDs too? And so you’re just as safe – or safer – staying right where you are?

        Do you have ancestors who sailed the Titanic and never left the bar because they thought it’d be just as bad on any other boat?

        This isn’t about platforms. It’s not about rooting for the home team. It’s about making people secure. It’s not appropriate to come with excuses such as ‘oh it doesn’t matter, they’ll attack Linux too’. What’s appropriate is that everyone be secure. And don’t look now, but you’re about as far from being secure as you can be. Ridiculously and tragically so.

  5. Note that in both West Coast cases, the infections were found and cured by shareware, some of the same products that I cause to be installed on 3000 computers a year. This is reassuring.

    What is not reassuring is that in one case 15 hours passed between detection and fixing. Not smart. (Perhaps this is why the bank did not make them whole.)

    • @SoloOwl, please explain your assertion. I see no attribution of shareware anywhere in either Krebs’ column or the original report.

      It seems much more likely that the original infections were caused by shareware or freeware, perhaps the “fake AV” malware that is so common these days.

      • oh, I see now – you were confused by the reports Brian referenced to show the password stealing malware. Those were much after the fact during forensic analysis, not related to detecting the fraud.

        Reading the news story from The Columbian it’s clear that the cinema detected the activity from monitoring their accounts and transactions, and were still unable to stop or recover the funds.

        That’s the real scary part, they were exercising appropriate financial controls and made efforts to prevent fraudulent transfers before the transfers were made, and were still unable to prevent the loss!

        It will be very interesting to see whether the absence of after-hours contact and response by the bank will become an issue in the litigation. I’d think it should, if the bank offers 24 hour access to immediate transfers it should offer 24 hour access to effective incident response!

  6. What can we do to help convince congress that simple username/password “protection,” the same level of security on webmail accounts, does NOT constitute “commercially reasonable security measures”? Does the obvious contrast against what credit card companies employ mean that our representatives our well aware of the facts here but are just for some reason in the back pockets of corporate banks?

  7. great article!

    seems like we are moving away from banks being so forgiving for businesses who are infected with malware/trojans, or who fall victim to phishing and that results in money transfers.

    Brian i’d be curious on what you think about that.

    not to go all APT…but its also interesting to see more and more people that “have nothing of value” to actually have something of value. whether it be the ability to transfer funds, access to other networks, or customer information.

  8. I’m really, REALLY surprised that some kind of warning has not yet gone out to all commercial bankers out there, or that more banks – especially smaller ones – have not warned their customers about this infection and the very real risks that it poses to their savings.

    Seriously this is month #8 that this has been reported by Mr. Krebs, and nearly every week we keep hearing about yet another digital heist taking place, with no resolution for the victims.

    When is someone going to make this a national if not international warning? This is ridiculous.

    SiL / IKS / concerned citizen

  9. LOL @ Rick – how can you be so blatantly ignorant in a public forum? Why exactly is this Windows’ & Bill Gates’ fault? Any operating system that has as much market share as Microsoft does will, no doubt, face the same problems. Authors of malware have no problem infecting any operating system with their ‘software.’ They are not stupid – they are trying to infect as many people as possible.

    • Ignored because it’s just plain stupid. Good luck with your AV updates, fanboy. We’re all sitting here on the sidelines and laughing at you. As you won’t listen to logic and reason, that’s all there’s left for any of us to do.

      Oh – just heard there’s a new Windows trojan on the loose. Have fun.

      • What? You have yet to post anything resembling ‘logic’ as you call it. Please answer my question – how is this Microsoft’s and Bill Gates’ fault? Also, just to clarify – you are telling me that if a Linux based OS or Mac based OS were used by 95% (educated guess) of the population, then we would basically be malware free because they wouldn’t figure out how to infect those systems or they wouldn’t find every single vulnerability? Oh and btw I am in no way a microsoft “fanboy.”

    • ‘Any operating system that has as much market share as Microsoft does will, no doubt’

      OK, will comment on this. Show us your diplomas. Show us what you’ve studied in system security architecture.

      Besides – and see above – that lame type of reasoning doesn’t help you today but it sure helps us. Try to grasp this. I’ll write in monosyllabic words if I can:

      1. You are on Windows today and you are not safe.
      2. We are not on Windows (today) and we are safe.

      Keep repeating that over and over, first #1, then #2, until it starts to sink in.

      Did you have ancestors in the bar on the Titanic too?

    • It’s Microsoft’s fault in a manner of producing such a poor quality software as overall.

      Every OS has flaws, but with the price of Windows, I would expect to get a lot better designed and written software.

      It is not fault of the M$, when an user wishes to see the dancing bunny and installs the malware manually. But it is M$’s fault, when the malware installs by merely visiting a compromised site.

      IE is one of the unsafest browsers available. It’s a product of M$. Then you have Windows, a product of…

      An example? Using Firefox on Ubuntu (linux), I can browse pornsites all I want, without getting an infection. Doing same with Windows? With IE?!
      As another example, With FF+Ubu, only thing I can get compromised in Facebook, is my FB account. And then, there’s that botnet called coobface, or what it’s name was…

      Every OS has flaws, but with the price of Windows, I would expect to get a lot better designed and written software.

  10. “It wasn’t our systems that were affected,” Heist said. “There was no breach into WSFS systems.”

    Oookkkk…. I suppose she would make the same statement if the same bank robbers walked into her branch with guns and stole the same money from her bank. “Our systems were not compromised, we handed over the money and the bank robbers left a note with some names on. We contacted those customers to let them know their money was stolen from our bank so they can begin to repay us”.

    Bank robbery is bank robbery regardless of whether it occurs with guns or with computers. In both cases the bank is equally responsible for protecting their customer’s money. Period.

    • Marty, your logic is flawed. If the robbers walk into the bank and steal money, the end user has no part to play in the robbery. Thus, the responsibility is directly on the bank!

      Once the end user and their infected computer are added into the mix, the end user now has skin in the game. Is it the banks fault the computer is infected?

      The bad guys are going after the weaker link because too many people fail to properly secure their end of the deal.

      • It is still bank robbery.

        “Is it the banks fault the computer is infected?” Yes, if they allow that infected computer connect to their bank’s computer systems in a manner which would facilitate bank robbery.

        Is it the banks fault they get robbed if they let people freely wander their lobby wearing masks and carrying guns? Banks have put in place several layers of protection to properly secure their customer’s money from physical threats. Banks need to ensure similar measures are in place if they allow computer access to their customer’s money which the bank is protecting.

  11. It is sad that Banks are still having this type of problem. I’m sure we’ve all heard of the World of Warcraft game… One of the neat (I’m not sure how recent) add ons that we have been given an option for is the account Authenticators.

    Once you purchase an Authenticator (cheap ~$10 USD, I think), and follow the simple instructions to get it set up with your account, you cannot do anything at all in your account on Blizzard’s web-site without the code from the authenticator (which changes based on some sort of algorithm).

    My question to any bankers who may read this — or perhaps a good question for Brian to ask the next time he speaks with a bank… “Why don’t you use something like the Account Authenticator?”

    If we work our way up the food chain at Bank X, they may listen and finally start a trend of doing stuff like that.

    • Based on Brian’s previous writings, an “account authenticator” as you mention, is presumably just the one time password generator part of a multi-factor authentication system which has proven useless in the Zeus trojan/modified man-in-the middle attack

  12. The banks are not the ONLY ones culpable here. Those whose computers have been infected need to be held accountable for not properly securing their systems and keeping them that way! Just as we expect banks, and other entities we choose to do business with, to secure their systems. Shouldn’t the same be expected on the other end?

    An ounce of prevention is worth a pound of cure!

    • I don’t agree with “blame the victim” reasoning.

      If I walked into your bank, impersonated you, and withdrew all the money from your bank accounts, then what, it would be your fault?

      If the bank is robbed because they didn’t properly authenticate an account holder (in-person or via computer), to ensure it is truely the account holder, then it is the bank that is responsible for any loss.

      In the same manner the bank has physical systems in place to detect/prevent impersonation, if they provide computer access to bank accounts, then they must have equivalent computer based systems to detect/prevent impersonation, which must remain secure regardless of the state of the customer’s computer.

      • You’re missing my point. I’m not blaming one party, just pointing out that the bank is not the only one at fault in many cases. Are we really going to pass the buck so to speak and hold the bank responsible for something that is completely out of their control (the end users computer)? Once a computer is compromised, it is not your computer anymore, plain and simple! It belongs to the bad guys and no amount of authentication security is going to matter anymore. It’s game over!

        We are not helping ourselves by ignoring the responsibility the end user and their computer play. An ounce of prevention is worth a pound of cure! (It is better to try to avoid problems in the first place, rather than trying to fix them once they arise)

        • “Are we really going to pass the buck so to speak and hold the bank responsible for something that is completely out of their control (the end users computer)?”

          That’s the whole point. This is completely within their control. The bank has chosen to take custody of their customer’s money, so they alone are responsible for ensuring it is properly protected against any/all threats. Why would any bank allow something so completely out of their control to access to their money? Doesn’t seem very responsible, no more responsible than a bank that would let people freely wander behind their teller counters or inside their safe.

          “Once a computer is compromised, it is not your computer anymore, plain and simple! It belongs to the bad guys and no amount of authentication security is going to matter anymore. It’s game over!”

          No argument here! As stated earlier, how responsible is it for a bank to allow such a device to have access their money! If they do, then it is the banks fault if something bad happens (i.e. bank robbery).

  13. Does ‘Regulation E” apply the these types of thefts?

    • No. Regulation E only applies to consumers, not businesses. More details at Wikipedia’s article on Regulation E.

      What is needed here is for Congress to require banks to treat business customers the same as consumers. Banks will be much more concerned about security.

  14. I somewhat agree with Marty about the “blame the victim” reasoning. However, no matter what-computer based authentication mechanisms are pushed out to end-users (be it a bank or online game or whatever), if someone has a trojan on their computer and it is recording keystrokes… There is always a chance that the hacker will be prompted for the same set of authentication mechanisms when they visit that site’s web page (in the case of a random question type site).

    However, if you offer users an extra layer of security, such as an authenticator that lives on their keychain (or next to their computer), the extra layer of security offers (a little more) peace of mind to the banks as well as to the end-user. Even if the hacker is able to get the person’s serial number for their authenticator, they still have to figure out the bank’s algorithm / hashing key / insert some other super secret generationscheme here before they can even begin to try to access the end-user’s account.

    Implementing something like this should not be difficult. Why are the banks not doing something like this?

    • Not true. Criminals defeat USB tokens all the time. I have written about several specific cases, and I have several more coming down the pike.

      Basically, the attack works like this. Bad guy controls the target’s browser through the use of a powerful banking Trojan like Zeus or Clampi. Bad guy’s Trojan lies in wait until the victim visits his or her business banking page. Normally, the login process is like this: first page asks for username/password, then submit; second page asks user to input the six-digit token from the keyfob. The attacker’s trojan will simply re-write the bank’s Web page on the fly as displayed in the victim’s browser, to ask for both the user/pass combo plus the USB token key all on the first page. User hits submit, and is redirected to a page that says “the bank’s site is down for maintenance, please try again in 15 minutes.” Meanwhile, the bad guys have already interactively logged using that victim’s username/password + valid USB token.

      • It would help if some banks implemented the calculator tokens correctly (so that the token value was dependant on the transfer amount) so MITB transfer attackers were limited to a loss equal to the transfer amount.

      • And that makes it a social engineering hack — NOT a failure of the token. Blaming the token is like arguing that the 8-inch steel walls of a vault “failed” because someone talked their way past the guard.

        In addition, most security tokens display two codes per transaction: the primary one that serves as a second factor, which can be used only once, and a secondary one that will match a code appearing on the bank’s true website.

        If a security token like this is used properly, it’s hard to defeat. I’ve never seen a case yet, but never say never…

        But social engineering will always be a soft target.

        • Social engineering hack ? or ineffective safe lock ?

          Criminals go for the weakest link with the lowest risk … pwning the online channel is the attack of choice I think we both agree the tokens help a little.

          FTR – I’ve never seen a token that displays a second code to verify, but I’ll take your word for it.

          • “Social engineering hack or ineffective safe lock ?”

            My point is that it can be the same thing. No matter how good the security (the “safe lock”), there will always be times when a fraudster can con someone out of their key.

            You can used a locked down Mac, multiple security tokens and biometric authentication, and there will always be a percentage of people who will respond to a phone call or an e-mail asking them for their credentials for a seemingly valid reason.

            My point is that many, many banks could do better with authenticating their clients, but let’s face it, even if and when the technology closes the holes, humans will remain the weak link. People still fall for the “pigeon drop” scheme, for goodness sakes. Fraudsters are using electronic means to cast a wider net.

      • The Blizzard authenticator tokens only last between 10 and 20 seconds, so the hacker would quite literally have to be sitting there watching for a key to come in and immediately try to log into the user’s bank account. I could see this happening, and it obviously does (or the hackers have a bot to do it for them)…

        What about embedding some kind of magic-number in the web-application’s code (not visible to browsers) so that if a trojan or hacker submits correct credentials, access is still denied?

        I’ve been toying around with a way to do this using only the app-server, without having to push the magic-number to a client, but haven’t thought of a good way to accomplish it. Any ideas?

      • In most cases the only bank sites that allow wire transfers are business/corporate applications. Those applications usually require more than one challenge per session, especially if a wire transfer is being completed. It can still be defeated as suggested but adding another challenge in the process flow can make it harder.

        All the major providers of these applications have several features that can be used to help users prevent or at least detect this more quickly. Dual authorization could prevent many cases. Alerts can be sent to users notifying them of selected transactions (wires). User’s with wire transfer privileges should consider pulling a report at the end of every day to check transfers. Many banks can automate this for customers.

        In general the bank’s are now aware of the issue and need to add some additional layers of security. Doing business with malware infected customers is a reality they need to prepare for if they want to retain customer’s trust online.

  15. Why don’t these businesses have insurance against this sort of thing?

  16. I hadn’t thought about them actually doing it live… Guess I need to update my thought process on these password-stealers!

    Besides –once they get in with the USB key, they can keep the login session as long as they keep the browser window busy clicking around on stuff (should be trivial).

    • I’ve got a (European) bank account which comes with a gadget (Digipass) you have to use to electronically sign transactions. In principle, the session is still vulnerable to man-in-the-middle attacks, but one of the two numbers you have to enter is the euro amount of your transaction; this makes it pretty obvious when someone tries to empty your account. It’s somewhat inconvenient but I like the peace of mind it provides…

  17. I still think the bank and customer should set up a list of known vendors. These vendors are someone who the customer does business all the time. When the bank gets an electronic request for funds from an unknown vendor, the bank contacts the customer for authorization. Or maybe the customer tells the bank that there is a new customer on the list. Kind of like when you are going to be traveling and you let the credit card companies know that you actually are in Rome (or where ever) and not to start declining charges because of location.

    The list change could be done over the phone or even in writing (actual paper and ink, not an email) on company letterhead with a signature to match the bank records.

    • The banks should be able to work that out based on past events too and as your transaction history grows better understand and predict the fraudulent transactions.

  18. Looking at the pdfs of the “eveidence” I would hope that the Bank’s investigators followed proper forensic principles and took a forensically sound image of the drives before letting loose Spybot and Anti-Malware. If not then in fixing the malware they just trashed the digital chain of evidence for any case the Bank might want to lodge against Kassab in recovering the funds. Also why use two different malware scanners?

    • It never hurts to have a second opinion. I will often times run Spybot on a machine, and follow it up with MalwareBytes or something else just to make sure that the computer is a bit cleaner. Things MalwareBytes catches might not be caught by Spybot, and vice versa.

    • Agreed — using at least two different programs to detect malware in a system you know is already infected would be pretty standard. The highest rated programs achieve 95% detection rates. That means one in twenty malware programs will be missed. Anyone who’s tried to clean the malware off a relative’s computer during a Christmas visit knows there can be a lot more than twenty on a single machine.

  19. These banking trojans have been successfully targeting businesses for far too long. Clearly, not enough business owners are adequately informed regarding this attack vector. Both the Banking industry and Small Business organizations should be informing their clients and members of these types of attacks.

    Additionally, these attacks rely on money mules to transfer funds. There have been enough fraudulent money transfers to detect a pattern here. Greater scrutiny on wire transfers overseas is needed, perhaps a waiting period of 48 hours or so would help.

    A whitelist of accounts that small businesses use commonly would help banks to detect when an account has been compromised. Any account not on the whitelist would have to be approved by whomever is responsible for the account via a phone call with authentication protocols that are not used online.

    Part of the problem is that banks don’t have a financial incentive to increase security for online transactions. Until they do, it’s unlikely that anything will change. Considering the trends in malware, things are going to get much worse before they get better.

  20. Are any banks mandating that their corporate customers use a bank supplied netbook for online banking? A netbook running a hardened version of Linux, with a version of Firefox allowing only access to the bank might then permit the bank to guarantee reimbursement if the company’s funds are stolen.

    • Banks are afraid to mandate any security measures, even effective two-factor authentication or simple IP geolocation mechanisms.

      The internal discussions rationalize it as “customer convenience” (ignoring the inconvenience of fraud to the victimized customers!), but I think the real underlying issue is reluctance to give customers any basis for doubting the security of online transactions.

      Remember that getting rid of brick and mortar and staff cuts costs. The back office functions are already online to provide information to customer-facing staff, it’s a lot cheaper to cut out the staff and give the customers access directly to the silicon farm, even if that access has some security flaws.

      fyi, my knowledge of internal bank attitudes is based on my experience working for a bank, with the job title “information security architect”. We were at that time well within the top fifty US banks in size.

  21. “But the truth is, most banks make that decision on a case-by-case basis.”
    The bankers are likely pragmatists. Their legal dept probably reviewed their legal standing and signed forms on file to determine their liability, settlement costs and potential PR for each case.

  22. Good Job BK. I live in Clark County, and i have first hand knowledge with this case from the Columbian Newspaper
    and from talking to former employees of Umpaqua in Vancouver. Umpqua took over a failed bank in January of 09 and they botched that takeover so bad and now they are taking over Evergreen Bank in Seattle.
    if you want to learn more about Umpqua Bank, Google “Umpqua sued over summit role”. The bank’s culture leaves little to be desired. Supposedly you trust bankers with your money. Not this one. Several former employees left becasue senior management was asking them to LIE. to put the blame for mistakes on the customers.

  23. In the case of BG Cinema, and Shared Hope, a good bank would have contacted their customer before sending the money out. When i talked to the owner of the Cinema, he told me that the bank sent out 2 batches of AChs on two consecutive days, in Violation of the agreement he had with the bank. they also told him that they notified the FBI, and gave him the inspector” s name and phone number. When he called the FBi, they had not even heard of the case. They also lost 3 of his bank account signature cards, sent out ACH’s to the wrong accounts and committed several other ridiculous mistakes.
    I suggested that he file a compaint with the FBI, Departments Of Financial Institutions , Attorneys General in all the stated where the bank operates, and the SEC since the bank is a public company.
    He said that he is no longer intersted in getting his money back,
    but more intersted in letting every busines owner he can know what happened to him, and to share with them his experiences and knowledge. he said ” if you bank on line, you must be vigilant about watching your account, especially when some one gives your money away, and then blames you for the mistakes”.
    I was told that the customers private information was out in the open during the transition from the failed bank to Umpqua. The common denominator between the BG Cinema and Shared Hope is the bank, and i believe that is how the thieves got the information. Since the Columbian’s artilce, several other people have mentioned that they had a very similar experience . An Investigation is in order.

  24. I will heed you advice and do what you suggeste and more.

  25. Perhaps those of us that know (even a little bit) about this kind of stuff should get together and make a screen cast or short video or something and post it on to get people aware of this particular attack vector.

    Ways that crooks can get your information (phishing, fake web-sites, et al).

  26. Why can’t we demand the government demand that Banks stop all ACH’s to the countries where the stolen monies are going to? How many more people need to get hurt and lose their jobs while the STUPID banker allow the crimes to happen under their watch. The fox is in charge of the hen house.