November 6, 2012

The $180,000 robbery took the building security and maintenance system installer Primary Systems Inc. by complete surprise. More than two-dozen people helped to steal funds from the company’s coffers in an overnight heist in May 2012, but none of the perpetrators were ever caught on video. Rather, a single virus-laden email that an employee clicked on let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers.

The St. Louis, Missouri-based firm first learned that things weren’t quite right on Wednesday, May 30, 2012, when the company’s payroll manager logged into her account at the local bank and discovered that an oversized payroll batch for approximately $180,000 had been sent through late Tuesday evening.

The money had been pushed out of Primary Systems’ bank accounts in amounts between $5,000 and $9,000 to 26 individuals throughout the United States who had no prior interaction with the firm, and who had been added to the firm’s payroll that very same day. The 26 were “money mules,” willing or unwitting participants who are hired through work-at-home job schemes to help cyber thieves move money abroad. Most of the mules hired in this attack were instructed to send the company’s funds to recipients in Ukraine.

“The payroll manager contacted me at 8:00 a.m. that day to ask if I’d authorized the payroll batch, and I said no, it must have been a bank error,” said Jim Faber, Primary Systems’ chief financial officer. “I called the bank and said they said no, they did not make an error. That was a helluva wake-up call.”

The company’s financial institution, St. Louis-based Enterprise Bank & Trust, declined to comment. But of course, mistakes were made all around. Primary Systems’ employees failed to be wary of virus-laden email attachments, and relied too heavily on its firewalls and antivirus software to block attacks. The bank failed to bat an eyelash before processing a $180,000 transfer marked as “payroll” on a Tuesday, even though the company has always processed its payroll batch on Friday mornings. It also failed to flag as strange the overnight addition to Primary’s payroll of 26 new employees located in nearly as many states, even though almost all of the victim firm’s legitimate employees are based in Missouri.

The only parties to this crime who didn’t make missteps were the thieves. According to Faber, investigators believe the crooks cased the joint virtually before launching the heist, which came in just below the $200,000 threshold that would have prompted the bank to obtain verbal permission from Primary Systems for the transfer.

“If it was over $200k, [the bank] wouldn’t have allowed the transfer to happen without confirming it with us,” Faber said. “But this just flew right under that kickout. Our payroll is a lot less than that. This was six times our normal payroll and was in mid-week.”

According to Faber, Enterprise Bank allows commercial customers to move as much as $200,000 at a time without requiring more than an online banking username and password. Updated ebanking guidelines issued last year by federal financial regulators call on banks to conduct more rigorous risk assessments, to monitor customer transactions for suspicious activity, and to work harder to educate customers — particularly businesses — about the risks involved in banking online. The new guidelines also call for “layered security programs” to deal with these riskier transactions, such as methods for detecting transaction anomalies, dual transaction authorization through different access devices, and the use of out-of-band verification for transactions.
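The sketch below is an added example, not code from the article, the bank or any vendor: it shows the kind of transaction anomaly check the guidelines describe, run over a constructed batch shaped like the one in this story. The field names, ratios and the $30,000 typical payroll (taken from “six times our normal payroll”) are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Payment:
    payee_id: str
    state: str
    amount: int

@dataclass
class Profile:
    """Per-customer baseline built from prior batches (assumed fields)."""
    usual_weekday: int        # date.weekday(): 0 = Monday ... 4 = Friday
    typical_total: int
    home_state: str
    callback_threshold: int   # amount at which the bank already phones the customer
    payee_added: dict         # payee_id -> date the payee was added

# Tuning values are assumptions chosen for illustration.
NEW_PAYEE_DAYS = 7      # payees added this recently count as "new"
SPIKE_FACTOR = 2.0      # batch total vs. typical total
NEAR_THRESHOLD = 0.85   # "just under" the callback amount
MAX_NEW_SHARE = 0.25    # tolerated share of new payees in a batch
MAX_AWAY_SHARE = 0.25   # tolerated share of payees outside the home state

def score_batch(profile, batch_date, payments):
    """Return the list of anomaly reasons for one payroll batch."""
    if not payments:
        return []
    reasons = []
    total = sum(p.amount for p in payments)
    if batch_date.weekday() != profile.usual_weekday:
        reasons.append("off_schedule")
    if total > SPIKE_FACTOR * profile.typical_total:
        reasons.append("total_spike")
    limit = profile.callback_threshold
    if NEAR_THRESHOLD * limit <= total < limit:
        reasons.append("just_under_callback_threshold")

    def is_new(p):
        added = profile.payee_added.get(p.payee_id)
        return added is None or (batch_date - added).days < NEW_PAYEE_DAYS

    if sum(is_new(p) for p in payments) / len(payments) > MAX_NEW_SHARE:
        reasons.append("new_payees")
    away = sum(p.state != profile.home_state for p in payments)
    if away / len(payments) > MAX_AWAY_SHARE:
        reasons.append("out_of_state_payees")
    return reasons

def decide(reasons):
    """Any anomaly holds the batch until the customer confirms out of band."""
    return "hold_for_out_of_band_confirmation" if reasons else "release"

# --- Constructed sample data (not real records) ---
PAYDAY = date(2012, 6, 1)        # a Friday, the customer's usual payroll day
HEIST_DATE = date(2012, 5, 29)   # the Tuesday of the fraudulent batch
STATES = "AL AZ CA CO FL GA IL IN KY MA MD MI MN NC NJ NV NY OH OK OR PA TN TX VA".split()

LEGIT = [Payment(f"emp-{i:02d}", "MO", 3000) for i in range(10)]
# 26 payments of $5,000 to $9,000 each, totalling $180,000
HEIST = [Payment(f"mule-{i:02d}", STATES[i % len(STATES)], 5000 + (i % 5) * 1000)
         for i in range(26)]

added = {p.payee_id: date(2011, 1, 3) for p in LEGIT}
added.update({p.payee_id: HEIST_DATE for p in HEIST})  # added the same day
PROFILE = Profile(usual_weekday=4, typical_total=30000, home_state="MO",
                  callback_threshold=200000, payee_added=added)

if __name__ == "__main__":
    for name, day, batch in (("legit", PAYDAY, LEGIT), ("heist", HEIST_DATE, HEIST)):
        reasons = score_batch(PROFILE, day, batch)
        print(name, decide(reasons), reasons)
```

Each signal alone can fire on legitimate activity, such as a bonus run or a new hire, which is why the outcome is a hold pending confirmation rather than a rejection.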

Like most other financial institutions, Enterprise Bank does offer Positive Pay, a service whereby the company electronically shares its check register of all written checks with the bank. The bank therefore will only pay checks listed in that register, with exactly the same specifications as listed in the register (amount, payee, serial number, etc.). Faber said Primary Systems declined to use that service prior to the breach, but that it is now using it. The company also now does its online banking solely from a “standalone dedicated computer that only hooks up to the bank,” he added.

Faber said he wishes the bank had explained the sophistication of the threat facing small businesses, and the exposure that these organizations face when banking online. Under “Regulation E” of the Electronic Funds Transfer Act (EFTA) consumers are not liable for financial losses due to fraud — including account takeovers due to lost or stolen usernames and passwords — if they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses.

If you run a small business and bank online, ask your financial institution what services and add-ons they may offer to help you manage the risk to your accounts. If you’d like to significantly decrease the likelihood that your business will suffer a cyber heist, consider adopting a dedicated PC approach, and/or banking online only from a Live CD distribution.


27 thoughts on “Cyberheists ‘A Helluva Wake-up Call’ to Small Biz”

  1. Philip

    I doubt this will change until/unless the banks end up with a larger slice of the liability, either through a change in laws, or when angry corporate customers band together and sue for better protection or restitution. There are lots of cost effective measures that could have made the fraud in this case much harder for the crooks to pull off. Either the bank didn’t offer these measures, or they didn’t sufficiently inform their clients about the risk of not using them. Both are negligent in my opinion, given the rampant spread of this problem.

    1. qka

      The bank did offer “Positive Pay”, and the customer declined to use.

      Blame needs to be assigned to both the customer and the bank in this case.

      1. Jim Woodhill

        > Jonno
        > November 6, 2012 at 10:33 am
        > …and yet the bank did offer Positive Pay,
        > and the company declined to use it until
        > after they were robbed. Whose fault is that?

        According to the opinion of the trial court in BankCorp South’s counter-suit against Choice Escrow, in which BankCorp South pled a similar defense (customer rejection of a superior security procedure in favor of an inferior (but easier-to-use) security procedure), the fault is with the bank.

        As with Brian Krebs, IANAL either, but consider: can a given set of security policies and procedures truly be “commercially reasonable” when if the bank’s commercial customers were aware of them and their implications in the current cyberthreat landscape, that bank would *have* no commercial customers?

        Banks that truly believe in their doctrine of “Shared Responsibility” should disclose to their commercial customers the risks the latter are taking by doing online payments at all. The free market could then be the judge of “commercial reasonableness”, rather than people in long black robes. But there is no effective disclosure, so all the victims are caught completely by surprise.

        Look. Elizabeth Warren won over Scott Brown. Her Consumer Financial Protection Bureau (CFPB) brainchild has started writing regulations. Banks that don’t get with the program and adopt the Krebs Rule and stand behind it with a money-back guarantee are now taking regulatory risks as well as losing in the courts to Silicon Valley Law Group, for multiples of the amounts stolen.

        — Jim Woodhill, Advocate for the Victims

    2. Jim Woodhill

      Philip,

      > I doubt this will change until/unless the banks
      > end up with a larger slice of the liability, either
      > through a change in laws, or when angry corporate
      > customers band together and sue for better
      > protection or restitution.

      The law definitely needs to be changed, but not to give America’s small- and medium-sized banks more of the liability. As I have noted in previous posts in this thread, Silicon Valley Law Group (with whom I am in no way affiliated other than as a fan) will be happy to stick any bank whose failure to follow The Krebs Rule with regard to its security procedures with 300% or more of the liability, and the courts have been cooperative. That is, the banks are liable *now*, under *current* law.

      As the Advocate for the Victims, I find myself in the strange position of being the Advocate for America’s Small- and Medium-Sized Banks as well. These organizations are victims too. Today, I am assured by their industry associations, they eat the losses in the majority of cases. But more importantly, it makes no more sense to expect community bankers to become cybersecurity experts than it makes sense to expect a Primary Systems, Inc. to do what the Pentagon and Sandia Labs have proven themselves unable to do–keep enemy malware out of networks that include PCs running Microsoft Windows.

      Nor is it good public policy to even wish that they could. We need our “Enterprise Banks” funding enterprises not hiring cybersecurity experts that are not there to be hired anyway, and our “Primary Systems”s adding employees in their line of business, not trying to defend themselves in cyberspace. And America *sure* does not need its SMEs to do what PATCO Construction has done, abandon online banking altogether and go back to paper checks and in-person deposits.

      In any case, giving responsibility to stop this crime to the banks, which is what the courts have really already done, *won’t stop the crime*. American money will still be flowing to eastern Europe to fund next-generation cyberattackware. Only the online banking outsourcers are positioned to stop the crime, but the FFIEC Guidance does not apply to them.

      This is a problem for the political branches to solve, not the courts, nor the regulators (who lack the necessary statutory authority).

      — Jim Woodhill, Advocate for the Victims

  2. Doug

    It’s a shame….I would think that this company and the bank would have some type of an “account manager” at the bank that deals with their account….you’d think something like this would get noticed and the bank would at least make a courtesy call to check that this transaction is indeed authentic. But that would be too much work for the bank….actually giving some customer service.

    Stuff like this will continue to happen because people are too lazy or apathetic to do anything else.

    A 200k transaction warrants a phone call, but 180k doesn’t, especially since all the other signs of something is “fishy” like 26 new employees, sending money all over the country, etc….oh no that’s a perfectly normal transaction, nothing to see here….. ridiculous.

  3. Jonno

    …and yet the bank did offer Positive Pay, and the company declined to use it until after they were robbed. Whose fault is that?

    1. Dlewis

      This type of fraud must be managed collaboratively by the FI and the Business. Pos Pay could have caught it but if any of you have used Pos Pay before you know it’s both cumbersome and time consuming. It’s just as cumbersome for the FI to support properly…..hence the exposure in this case was enough! The only product I know of that works independent of Online Banking/Cash Management and is FULLY automated for both the FI and the business is ACH Alert. CapitalMark Bank in Chattanooga, TN shared several examples of preventing fraud like this in a white paper earlier this year. Clearly until FI’s support and promote this level of sophistication for collaborative fraud protection…….losses like this will continue.

  4. Russ

    Brian, in addition to “…consider adopting a dedicated PC approach, and/or banking online only from a Live CD distribution” why don’t you recommend a Google Chromebook? Now for only $250 it seems like an ideal non-infect-able machine for electronic banking. Users would still need to be wary of phishing but at least the malware/keylogger threat would be neutralized.

    Comments please?

    1. kurt wismer

      i can’t speak for brian, of course, but i’d consider a chromebook as falling under the dedicated pc approach.

      and if money is an object, $250 may be cheap but a free liveCD is cheaper.

      as for non-infectable – don’t count on it. just because there’s nothing targeting them today doesn’t mean there won’t be tomorrow.

  5. Jon

    How can a bank these days not insist minimally on two-factor authentication?

    1. Doug

      It’s up to us as the consumers, to be wary. Your average person doesn’t have any concept of what security measures to trust and what is better than the other…they trust the banks to know what they are doing, and to have the safe keeping of their money or transactions to be held accountable by the banks. After all, isn’t this what FDIC insurance is for? People don’t have any clue.

      Banks, like any other big corporation, could care less about the individuals, and are only concerned with their own interests and increased profits.

      1. Niclo Iste

        It’s not that the banks don’t care or are “out there to get you” they have to also find a way to get people to want to use their services. The average user out there is going to be turned off by having to jump through too many hoops and therefore will go to a less secure bank because it’s that much easier for them to use. So don’t blame the bank, blame the population. The banks are out there to make people happy to a degree so they will have them as customers. If the people don’t like the policies they go elsewhere.

        1. Dlewis

          The bank mentioned in this article has risk management products and procedures in place – Pos-Pay, Processing Limits, Multi-Factor Auth and most likely several other required anti-fraud tools. This is what most community banks offer. Bank Systems & Technology posted an article this week highlighting a survey of IT Spending for community banks. 51% of the community banks surveyed are not concerned with cyber fraud.

          Maybe this bank wasn’t concerned either since they had comparable tools in place…..

      2. Jim Woodhill

        > Jon
        > November 6, 2012 at 12:18 pm
        > How can a bank these days not insist minimally
        > on two-factor authentication?

        “Authentication”, as in “logon authentication” is an unfortunate and very persistent terminological confusion in information security as it applies to online banking. A simple userid+password is fine to log on, as long as the ADD PAYEE transaction is protected with totally out-of-band *transaction confirmation* backed by fraud-detection analytics that are able to figure out that a small Springfield, Missouri company like Choice Escrow could not possibly intend to send the entire contents of a title account to the island of Cyprus in a single transfer over a weekend.

        Commentators on this thread are not wrong that requiring two-factor authentication for transactions as common as a new payment to an old, known-valid payee, much less the logon transaction is onerous. But such heavyweight security measures are only needed on ADD PAYEE and a few account-control transactions to stop fraud. These are very few in number for the typical small- and medium-sized enterprise online banking customer.

        Words matter. I discuss the terminology problem financial services information security (including the FFIEC 2005 and 2011 Guidances) has at greater length in my June, 2012 testimony before the Subcommittee on Capital Markets of the House Committee on Financial Services, which can be found through:

        http://financialservices.house.gov/Calendar/EventSingle.aspx?EventID=296813

        — Jim Woodhill, Advocate for the Victims

  6. JOB well done

    What can I say, JOB well done.
    Shame they didn’t steal all the money. Only joking

  7. Niclo Iste

    As much as I do feel it’s unfair of the banks to handle this situation the way that it was handled I also believe that the blame still lies on the company. I have worked the IT department for several businesses large and small and I have noticed the poor practices followed by the users. In my most recent position I had personally argued with the entire IT upper management in a meeting explaining to them all that believing that a corporate anti-virus with firewall is a bulletproof vest against viruses is a catastrophic mistake. They fought back arguing that why would it not work if it wasn’t corporate level, they actually believed the sales rep in the statement that once you install this and it’s up to date you will never have a threat again. Now if IT upper management thinks this way just imagine what the normal user base of that firm thinks. Realistically you can’t hold a bank liable for this way of thinking. Sure the bank should have strong policies but just like any security system it takes one flaw to bring it down. If the business is unwilling to learn or properly secure themselves there is no level of bank security that’s going to save them. Security isn’t a one person job it’s team level support on all levels. Basic hacking/social engineering teaches this as the first step.

    1. Richard Steven Hack

      Not to toot my meme again – well, I will, anyway…

      This is the number one problem in infosec – the inability of people outside of infosec (and quite a few INSIDE infosec) to understand that current “best practices” (when even those are in place) are a FAIL and that there is no security.

      Just about every infosec conference has at least one talk about how infosec is failing massively and requires a drastic overhaul in CONCEPT. The concept that needs to be understood is precisely my meme:

      “You can haz better security, you can haz worse security. But you cannot haz ‘security’. There is no security. Deal.”

      There are a whole slew of corollaries deriving from that approach that could improve infosec for organizations and individuals.

      Getting this through to your average corporate environment monkeys is the major hurdle to ever improving infosec. (Yes, I know you’re not supposed to call the users “monkeys” – but they are if they can’t even be convinced they need to be part of the security effort.)

      Computer crime is a GROWING problem and that growth will not even be SLOWED until a major revamp of people’s notions of security are altered. And like any sort of “mass change”, that’s highly unlikely until the situation is dire enough to FORCE people to change their belief system.

      1. kurt wismer

        while i am a fan of the idea of using memes to get ordinary people to think about security concepts (as my website would probably indicate), i don’t think simply using lolspeak makes something a meme.

        but keep at it. the more security memes the better.

        1. Sastray

          Yes, but it’s an improvement on the original meme:

          “Computer crime is a GROWING problem and that growth will not even be SLOWED until a major revamp of people’s notions of security are altered. And like any sort of ‘mass change’, that’s highly unlikely until the situation is dire enough to FORCE people to change their belief system. Cheezburger.”

    2. Neej

      You nailed it on the head IMO.

      People have been lulled into a false sense of security by the notion and/or the marketing efforts of security software vendors into believing that “no infection reported = there’s no infection” and “a firewall will stop everything”, both demonstrated to be completely false in thousands (or millions … it’s routine is what I’m saying) of cases.

      In all likelihood the malware instances used to carry off this attack would have been virgin, never used anywhere else, and tested against all, or at least whatever security solution the firm had employed, to ensure it was FUD.

      It’s hard to see how to get people to stop taking this attitude: for one it’s just easier than treating any system as though it’s infected (which is really how one should operate). And any security company marketing its products as “we can protect you against most things except in certain situations” is not going to get many customers if their competitors are claiming nothing can get past them are they…

      Oh well … live and learn I suppose, live and learn. Hopefully :p

  8. AlphaCentauri

    If any one of those 26 mules had been an undercover investigator using a fake identity, the victim’s bank could have been notified the minute the transfers occurred, before the mules’ banks opened in the morning to allow them to withdraw the cash.

    Since the mules are being recruited via means like spam that go out to millions of people, and since the criminals never have face to face contact with the mules, it’s possible for undercover investigators to create so many fake identities that they far outnumber the “real” mules. It could significantly reduce the likelihood of the crime being successful.

    But unlike a lot of internet crime, amateur fraud hunters can’t help here. The scam baiters have to have real bank accounts, the banks have to know to alert them in the middle of the night if they receive a transfer, and they need to coordinate notification of the other bank where the victim has an account so they can call back all 26 transfers. Banks have to set up a system to cooperate with each other on this.

    1. Dlewis

      The technology is available to completely prevent this, without the bank having to do it for the business…….that’s part of the problem, the business can manage this better than the bank can as it’s their activity/their business. It’s up to the bank to provide the technology so they can do that.

  9. Jim Woodhill

    Brian,

    RE:

    > Under “Regulation E” of the Electronic Funds Transfer
    > Act (EFTA) consumers are not liable for financial losses
    > due to fraud — including account takeovers due to lost
    > or stolen usernames and passwords — if they promptly
    > report the unauthorized activity. However, entities that
    > experience similar fraud with a commercial or business
    > banking account do not enjoy the same protections and
    > often are forced to absorb the losses.

    You have been including this statement in stories about malware-based corporate account takeover/ACH fraud since your WASHINGTON POST days, but the outcomes of recent legal actions show that it is no longer true, if it ever really was. Since Silicon Valley Law Group’s settlement of Village View Escrow vs. Professional Business Bank and, especially, the Federal Court of Appeals for the First Circuit’s angry reversal of the only case the banks have won on their doctrine of “Shared Responsibility” in PATCO vs. People’s United Bank, proved the correctness of the prediction of DC District Court judge John M. Facciola at RSA 2012 that the future of lawsuits over this crime (especially since the issuance of the FFIEC 2011 Guidance) has been “summary judgment for the plaintiff”.

    So you are correct that bank accounts tied to a federal TaxID are not covered by EFTA, but incorrect that they are not protected by UCC-4A and other legal provisions such as the common law that the First Circuit ruled are “consistent” with UCC-4A.

    You should therefore advise all the victims you encounter to call Julie Rogers & Co. at Silicon Valley Law Group if their bank does not immediately take responsibility for violating the “Krebs Rule” of online banking (that all ADD PAYEE transactions must be confirmed via a means independent of the Windows computer through which they were initiated). As you yourself noted in:

    http://krebsonsecurity.com/2012/06/bank-settles-with-calif-cyberheist-victim/

    BANK SETTLES WITH CALIF. CYBERHEIST VICTIM

    > Last week, Village View announced that it had reached
    > a settlement with its bank to recover more than just
    > the full amount of the funds taken from the account
    > plus interest for Village View Escrow.

    Indeed SVLG got a LOT more money out of Professional Business Bank than anyone would ever think possible who was familiar with the limitations of recovery in UCC-4A. This was because SVLG got creative on causes of action, and employed novel pleadings that were endorsed immediately afterwards by the (unrelated) decision of the Court of Appeals for the First Circuit in its reversal of PATCO vs. People’s United Bank.

    Victims today *do* have recourse to the courts, without reference to EFTA / Regulation E, and without being able to sustain the huge up-front legal expenses that trail-blazing PATCO did. They just need the right law firm.

    Julie Rogers, Esq.
    Kim Dincel, Esq.

    Silicon Valley Law Group 25 Metro Drive, Suite 600 San Jose, CA 95110
    Tel. (408) 573-5700
    Fax (408) 573-5701
    http://www.svlg.com/

    – Jim Woodhill, Advocate for the Victims

    1. brian krebs

      Jim,

      It’s my understanding that none of the decisions so far are binding on any other court, so a court could review the whole issue of good faith and reasonable security de novo, or decide that those issues don’t need to be addressed at all. But again, IANAL, so I’d welcome any other folks who know these decisions to weigh in as well.

      1. Jim Woodhill

        Brian,

        > But again, IANAL,

        Me neither, though I sure have been spending a lot of time with them lately! (A patent troll is suing all the big storage vendors claiming to have invented data deduplication when, the lawyers reminded me just recently, *I* did back in 1991.)

        Anyway, it would seem to me that the logical thing for non-lawyers to do, especially since the banks have gotten uniformly creamed in the courts on “Shared Responsibility”, is to say that consumer accounts are protected by Regulation E while commercial accounts are protected by UCC-4A. The banks have been asserting in court that UCC-4A offers protections inferior to Regulation E, but, so far, have not been able to win on that assertion.

        Julie Rogers and/or Kim Dincel of Silicon Valley Law Group might be able to help you word the above better. As allowed by the opinion of the Court of Appeals for the First Circuit in PATCO vs. People’s United, SVLG’s pleadings in cyber-bank-robbery cases have gone well beyond UCC-4A’s provisions, which have allowed recoveries in settlements far beyond those provided for in UCC-4A.

        — Jim Woodhill, Advocate for the Victims
