The House Financial Services Committee is slated to hold a hearing this Friday on the impact of cyber heists against small- to mid-sized businesses. It’s too bad the committee has already finalized its witness list: It likely would be shocked to hear the story of Tennessee Electric Company Inc., a firm that lost $328,000 earlier this month in an account takeover that defeated multiple security measures commonly used by commercial banks to stop cyber thieves.
Executives at the Kingsport, Tenn. based construction and maintenance contractor thought that the security procedures employed by their bank — one-time tokens and verbal approval for all transactions — would deter attackers. But they recently discovered how deftly today’s e-thieves can bypass such defenses.
The attack began sometime before May 9, when thieves stole the online banking credentials for Tennessee Electric, presumably with some type of malicious software such as the ZeuS Trojan. That morning, the company’s controller Jenni Smith logged into the firm’s account at the Web site of Tri-Summit Bank, entering her password and a one-time password generated by a key fob supplied by the bank. After Smith entered the information, however, her browser was redirected to a Web page stating that the bank’s site was down for maintenance and would be offline for about an hour.
But the thieves lurking on Smith’s PC intercepted that one-time password, used her connection to log on to the bank’s site, and redirected her browser to the fake maintenance page. Meanwhile, the attackers used that browser session to put through a batch of fraudulent payroll payments to at least 50 “money mules,” willing or unwitting individuals scattered throughout the United States who were recruited to help the crooks funnel the funds out of the country.
Greg R. Boehling, Tennessee Electric’s CEO, said Tri-Summit Bank was supposed to call the company to get approval before allowing automated clearing house (ACH) transfers, but that for some reason the bank dropped the ball in this case.
“No one at all called us, although [the bank has] been religious about this in the past, even to the point of getting approval for a $50 expense report payment via ACH,” Boehling said. “All of a sudden, this happens and we get nothing.”
Tennessee Electric did eventually get a call from the bank, but only after the bank had approved the fraudulent ACH batch.
“Hours after the batch went through, we got a call from the bank where they asked, “Oh by the way, did you approve this ACH batch?’, and we said, ‘Absolutely not!’” Boehling recalled.
So far, the firm and its bank have recovered about one-third of stolen funds, he said, adding that the FBI is investigating the incident and is examining Smith’s PC.
Tri-Summit could not be immediately reached for comment. Unfortunately for Tennessee Electric, the company — not the bank — is on the hook for the loss. Unlike consumers, who are largely protected against liability for cyber theft, companies that suffer cyber heists are legally responsible for the losses and have no such protection.
At 9:30 a.m. on Friday, June 1, the House Committee on Financial Services will hold a hearing entitled, “Cyber Threats to Capital Markets and Corporate Accounts.” Invited witnesses include executives and officials from The Depository Trust and Clearing Corporation, The Securities Industry and Financial Markets Association, NASDAQ, and the Coalition Against Online Banking Fraud, a group started by Jim Woodhill, the founder of Authentify.
Update: 9:48 a.m.: An earlier version of this story incorrectly identified the name of Tennessee Electric’s bank. The above copy has been corrected.