In very few of the many stories I’ve written about online banking fraud against businesses has insurance paid for much — if any — of the losses victim companies suffered. However, several victims I’ve interviewed in recent incidents did have cybersecurity insurance coverage bundled as part of larger business risk insurance policies. In each case, the businesses suffered fairly substantial thefts, and appear likely to recoup all of their direct financial losses.
The most recent incident involved Golden State Bridge Inc., a Martinez, Calif. engineering and construction company that builds bridges. The thieves used an extremely stealthy but as-yet-unclassified strain of malicious software to steal the company’s online banking credentials, and on May 19th, the crooks used that access to set up a series of fraudulent payroll payments totaling more than $125,000.
Initially, the attackers set up two batches of automated clearing house (ACH) payments, one for $50,000 and another for $75,000, effectively sending a series of transfers to a dozen different money mules: willing or unwitting individuals lured into helping the criminals launder stolen funds by wiring the money overseas and keeping a small commission (usually 8 percent) for themselves.
When the first two batches were processed by Golden State’s bank on May 20, the thieves apparently figured they were home free, and set in motion another seven bundles of fraudulent payments for several hundred thousand dollars more, according to Ann Talbot, the company’s chief financial officer.
“Once they executed those first two successfully, they must have been like, ‘Oh, we’ve hit the mother lode! Let’s go for it!’,” Talbot recalled. “Had they succeeded in putting those through, we and the bank would have been looking at losses of more than $750,000.”
But Talbot noticed the fraudulent transfers the day the money started moving out of Golden State’s accounts, and sprang into action to get the seven new batches canceled. Unfortunately, by that point most of the mules who were sent loot in the first two batches had already withdrawn their transfers.
Talbot said nearly all of the money mules were located on the East Coast, which she believes is a tactic designed to give the attackers the longest head start possible before West Coast victims notice the fraudulent transfers.
“These mules were with East Coast banks, and most of them had [withdrawn] the money from their banks before we were even open for business,” Talbot said.
For what it’s worth, I observed this same pattern of thieves relying mainly on East Coast mules in an earlier post, Charting the Carnage from eBanking Fraud.
SECRET QUESTION CHECKUPS
Like many financial institutions serving primarily business customers, the California Bank of Commerce — Golden State’s bank — pushes most of the security and authentication for its online banking systems out to customers, requiring a simple username and password, and occasionally prompting customers to provide the correct answer to one or more of their “secret questions”.
According to Golden State Bridge, the bank has a curious practice of automatically verifying all of its customers’ secret questions and answers every 180 days.
“So how does it do this? It flashes them on your screen and asks, ‘Are these your secret questions and answers? Click ‘Yes’ or ‘No’,” Talbot said.
And when was the last time Golden State was prompted to confirm their secret questions and answers? Why, the very day before the fraudulent transfers began, Talbot said.
“I don’t know how long that malware or Trojan was on our machine, it could have been weeks or months,” Talbot recalled. “All I know is, we saw this fraud the day after the bank prompted us to confirm all five of those questions and answers.”
Virginia Robbins, chief administrative officer at California Bank of Commerce, declined to discuss Golden State’s claims or even confirm whether the company was a customer. But she emphasized that security is never about just software and hardware.
“Any financial institution can put all of the controls they want in place, but if their client isn’t following the instructions or doing things properly, there are certain challenges,” Robbins said. “We do look for all of our clients to use dual controls, and we want to make sure there are multiple points of control. Because what we’re seeing today is that a malware compromise can happen at a single point in the system, and so there have to be multiple controls in place on the customer’s side.”
Indeed, Talbot acknowledges that she and her co-workers aren’t blameless in this incident. For example, the company had previously instituted a series of checks and balances to ensure that no single employee could both initiate and approve a payroll batch. Yet, at one point recently, Golden State Bridge undid that protection to accommodate a special case, but never bothered to put those restrictions back into place.
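The dual control Talbot describes, and the way it failed (an exception carved out for a special case and never reverted), can be made concrete. The following is an added illustration, not code from the post, from Golden State Bridge or from the bank: a payroll batch may be released only when the approver is a different identity than the initiator, and the "special case" is granted as a deadline that lapses on its own rather than a switch someone must remember to turn back off. User names, batch identifiers, timestamps and dollar amounts are all constructed.

```python
"""Dual control on ACH batch release, with a self-expiring exception.

Added illustration (not code from the post, Golden State Bridge or the bank).
User names, batch identifiers, timestamps and amounts are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


class ControlViolation(Exception):
    """A release that would let one identity both initiate and approve."""


@dataclass
class Batch:
    batch_id: str
    total_cents: int
    initiated_by: str
    approved_by: Optional[str] = None
    released: bool = False


@dataclass
class ReleasePolicy:
    """Dual control is the default; a special case is a deadline, not a switch.

    A permanent "allow self-approval" flag is what the post describes being
    left in place. Here the exception carries an expiry, so forgetting to
    revert it does not leave a single stolen credential able to move money.
    """
    override_user: Optional[str] = None
    override_expires_at: Optional[datetime] = None

    def grant_override(self, user: str, now: datetime, ttl: timedelta) -> None:
        self.override_user = user
        self.override_expires_at = now + ttl

    def override_allows(self, user: str, now: datetime) -> bool:
        return (
            self.override_user == user
            and self.override_expires_at is not None
            and now < self.override_expires_at
        )


def initiate(batch_id: str, total_cents: int, user: str) -> Batch:
    return Batch(batch_id=batch_id, total_cents=total_cents, initiated_by=user)


def approve(batch: Batch, approver: str, policy: ReleasePolicy, now: datetime) -> Batch:
    """Release a batch only if the approver is a different identity than the
    initiator, unless a still-valid override names this approver."""
    if batch.released:
        raise ControlViolation(f"{batch.batch_id}: already released")
    if approver == batch.initiated_by and not policy.override_allows(approver, now):
        raise ControlViolation(
            f"{batch.batch_id}: {approver} initiated this batch and may not approve it"
        )
    batch.approved_by = approver
    batch.released = True
    return batch


def release_outcome(batch: Batch, approver: str, policy: ReleasePolicy, now: datetime) -> str:
    try:
        approve(batch, approver, policy, now)
        return "released"
    except ControlViolation:
        return "blocked"


def demo() -> List[str]:
    """Constructed scenario: one set of online-banking credentials ("cfo")
    has been captured by malware. Returns the outcome of each release attempt."""
    t0 = datetime(2010, 5, 19, 9, 0)  # constructed timestamp
    policy = ReleasePolicy()
    outcomes = []

    # 1. Attacker holding the stolen credential initiates and tries to approve.
    b1 = initiate("PR-0001", 50_000_00, "cfo")
    outcomes.append(release_outcome(b1, "cfo", policy, t0))  # blocked

    # 2. A second, distinct identity approves the same batch: the normal path.
    outcomes.append(release_outcome(b1, "controller", policy, t0))  # released

    # 3. The "special case": cfo may self-approve, but only for two hours.
    policy.grant_override("cfo", t0, timedelta(hours=2))
    b2 = initiate("PR-0002", 75_000_00, "cfo")
    outcomes.append(release_outcome(b2, "cfo", policy, t0 + timedelta(hours=1)))  # released

    # 4. Nobody reverted the exception; it lapsed on its own, so the same
    #    stolen credential can no longer move money alone.
    b3 = initiate("PR-0003", 75_000_00, "cfo")
    outcomes.append(release_outcome(b3, "cfo", policy, t0 + timedelta(hours=3)))  # blocked
    return outcomes


if __name__ == "__main__":
    for step, result in enumerate(demo(), 1):
        print(step, result)
```

The point of the expiring override is the failure mode in the post: an exception that has to be manually undone is, in practice, an exception that stays on, and a stolen credential then defeats dual control by itself. Binding the exception to a deadline (and, in a real system, logging every release made under it) keeps the special case from quietly becoming the default.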
THIRD TIME’S A CHARM?
Golden State Bridge purchased $1 million worth of cybersecurity insurance as part of a broader business risk policy offered by Arch Insurance Group, one of several firms now offering cybersecurity coverage. The company decided to get the insurance after suffering another major cyber crime incident almost three years ago.
In 2007, Golden State was banking with a financial institution aptly named Bridge Bank located in downtown San Jose. One day, the company opened for business to find that someone had wired $79,000 out of its accounts, destined for an account in Russia. Talbot said Bridge Bank shared the Internet address from which the fraudulent online login originated, and that she traced it back to servers operating out of a large building just four blocks away at 55 South Market St.
The owner of those servers was a problematic [and now defunct] hosting provider named McColo. In 2008, in response to questions from The Washington Post and security researchers about massive amounts of fraud, spam and other cyber crime activity flowing in and out of McColo’s servers, the hosting provider’s two upstream Internet providers pulled the plug on the company. As a result, the volume of spam sent worldwide tanked overnight — by some estimates as much as 75 percent. A nest of other fraudulent activity also evaporated (at least for a while) after McColo’s unplugging: One expert I spoke with who helps retailers control online fraud told me $250,000 worth of retail fraud committed against his customers on a typical day completely stopped the day McColo was unplugged.
Talbot said she’s glad Golden State purchased the insurance: The company managed to recover three of the fraudulent transactions, and its total loss now stands at just shy of $100,000. Golden State Bridge is confident that after paying its $10,000 deductible, the insurance company will cover the rest — probably by going after the bank. But Talbot said she’s worried she won’t be able to afford cyber risk insurance after this latest incident.
“I don’t think it will be offered to us again, or if it is, the cost will probably be so incredibly prohibitive that it may not be worth it,” Talbot said.