07
Aug 13

$1.5 million Cyberheist Ruins Escrow Firm


A $1.5 million cyberheist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm’s remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim’s bank to recover the stolen funds.

The heist began in December 2012 with a roughly $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.

This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.

Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.

Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut it down.

Up until the past few weeks, the firm’s remaining funds have been tied up in a conservatorship established by the state, effectively barring the company’s owners from accessing any of its money. In early July, the state appointed a receiver to help wind up the company’s finances.

The court-appointed receiver – Peter A. Davidson of Ervin Cohen & Jessup LLP in Beverly Hills — said he and the company are contemplating their options for recovering more of the lost funds from the bank — Irvine, Calif. based First Foundation.

“We’re exploring what choices we have to recover funds for those who had escrows and are owed money,” Davidson said. “We filed a claim with the insurance company and we’re looking at our options for possibly dealing with the bank.”

Davidson said the bank’s business customer logins were protected by a username, password and a dynamic token code, but that the one-time token wasn’t working at the time of the fraud.

First Foundation did not respond to requests for comment.

Efficient’s co-owner Daniel J. Crenshaw said the bank produced a report shortly after the heist concluding that the missing funds were stolen not in a cyberheist but instead embezzled by an employee of Efficient Services. Crenshaw said the bank later backed away from that claim, after the state appointed a local forensics expert to examine the controller’s computer; sure enough, they discovered that the system had been compromised by a remote access Trojan prior to the heist.

But by that time the money was long gone, and Efficient Services was out of business, forced to lay off its entire staff of nine employees. Crenshaw said the company was on track to clear a half million dollars in profit this year and to reach a million dollars in 2014.

“At the end of the day, we want our clients to get their money back, but after that, we lost our business,” Crenshaw said, noting that the company’s 20 former clients who are still owed money have been “very supportive” of suing the bank to recover their funds.  “We lost everything, and it’s entirely likely that my brother and I can get back what we lost and the interest on that, and maybe that will cover at best the attorney fees. But we’re still nine people out of a job.”

Davidson said he’s stumped over why the bank didn’t bat an eyelash when the company’s money started moving overseas.

“This is one of the big issues we have with the bank,” Davidson said. “This company had never sent wires overseas before. Why not pick up the phone and confirm the transaction? That’s where I think the bank may have some problems.”

According to Charisse Castagnoli, a bank fraud expert and independent security consultant, few outside some of the larger banks offer country-blocking capability for wire transfers. For the most part, she said, the smaller institutions outsource their online banking systems to third-party service providers that simply don’t offer the capability to restrict overseas wires. The other part of the problem is that businesses — particularly title and escrow firms — too often fail to ask about placing such limits until an incident like this one occurs.

“It’s not widely implemented,” Castagnoli said. “On the wire side, there are just a few providers — Fedwire and ACI Worldwide are the big ones — and these software systems are ancient.  Most smaller banks use a service provider that handles the Web site and plugs into these wire systems.  Why aren’t there better controls available to businesses and banks so they can manage specific business risks in more appropriate ways? The answer is lack of imagination and lack of capabilities at the software layer. And if customers aren’t demanding it, why would banks spend probably hundreds of thousands to integrate that capability?”

Title and escrow firms are a favorite target of cyber thieves, precisely because banks are accustomed to these customers moving large amounts of money around on a daily basis. In April 2013, I wrote about a Charlotte, N.C. based escrow firm that lost $336,000 in a cyberheist that prompted a lawsuit from its own bank.

Last June, Village View Escrow Inc., another California escrow firm that lost $400,000 in a 2010 cyberheist, secured a settlement with its bank to cover the loss and the company’s attorney’s fees.

Things have gone differently for other title and escrow firms that opted to sue their banks following a cyberheist. Earlier this year, a Missouri court ruled against a $440,000 cyberheist victim. Another case brought by a Virginia title firm that lost $207,000 in a 2010 cyberheist is still making its way through the courts.

Efficient Services is not the only escrow firm in California to be hit with a cyberheist this year. A recent bulletin (PDF) from the California Department of Corporations indicates at least one other company was attacked this year to the tune of almost $1 million.

“Both cases involved unauthorized wires to foreign bank accounts,” the DoC warned. “This is an important reminder that each escrow agent must be vigilant in protecting trust account.”

If you run a title or escrow firm — any small- to mid-sized business at all — please take a moment to read my list of recommendations here: Online Banking Best Practices for Businesses.


57 comments

  1. Businesses: I’d recommend picking up the phone and calling the bank you use. Ask questions, have documented conversations regarding security precautions. If they do not offer the necessary protections, expose it and make a decision. Commercial accounts are not FDIC insured and from what I know only a single digit number of banks are covering deposits lost in this manner.

    I also find it obnoxious that these organizations do not employ some of the most obvious security precautions. The FBI and multiple other agencies have been releasing warnings and spreading information for years. In my own experience I have found that asking banks about blocking international transactions and transfers, or ANY kind of specific activity is hard to come by.

    Some have adopted the necessary measures to protect accounts but for the most part the controls are still nonexistent. The banks that I have supported (2K+) waste more time sending over FBI blocklists for Firewalls and covering all of the network security angles for compliance purposes.

    Banks need to start protecting the money or they might find it will be going out to entities in foreign countries much faster than it will be coming in.

    • The problem is, since FDIC does not cover businesses, and terms of contract tend to preclude similar protections, the bank has little to risk (and typically a far more vigorous legal team and ‘expert witnesses’). As well, since the FDIC does not cover such cases (not that it would, at $1.5M USD), it minimizes reporting — which is to say, it is far easier for the bank to cover its asses to begin with. I find it interesting that, as far as I know, while SARs are common for transactions over, I believe, $10k USD (and actually, I am *not* in favour of SARs, especially since inflation has risen dramatically, but the reporting figure has not risen accordingly — $10k now is far less suspicious than it was in 1980), there is no similar sort of system in place to track these sorts of crimes on a federal, regulatory level. Not that I am in favour of excessive regulation, but it makes it far too easy for the victim company to be victimized twice. I also have issues with the fact that I believe a lot of these companies do not take their own ‘reasonable precautions’ and feel as though they deserve at least some blame at times, but I tend to believe that over-arching patterns of repeated abuse would be a sign that there was a problem with the bank’s system that could be used in the corporation’s favour with fewer civil penalties. Even something like a ‘morbidity and mortality’ review in cases over a certain dollar figure could provide insight, but as the bank bears far less risk than the corporation in every way, there is little motivation for such things to take place, and a high motivation to avoid such things to avoid the results from being subpoenaed in a civil case.

  2. Blanche Dubois

    So the escrow firm had no responsibility to isolate the comptroller’s computer? Restrict and monitor who had access to it, 24 X 365? Restrict its availability during the lunch hour from casual soft porn surfers?
    The trojan just got on the comptroller’s computer by magic?
    Would anyone in the firm leave $1.1 million in cash on his desk overnight, and expect to see it there the following morning?
    Right.

    • You are correct. Whether an employee opened a spear-phished email or visited a website which had been filled with malware, the company could have avoided this. Should the bank have had restrictions on large withdrawals to foreign countries? Certainly, but the company could have required its bank to install such restrictions, with a contract transferring liability if it failed to do so.

      Brian has repeated the solution many times: use a Live CD. It works perfectly, but only if employees don’t surf around before visiting the banking site. People need to understand that cyber-crooks are out there, looking for more loot.

  3. Blanche Dubois,

    Since you obliviously have information on this case we will be in touch soon.

  4. “The heist began in December 2012. … In January, the attackers struck again,”
    And why the heck didn’t the escrow firm tell the bank, in writing, to lock everything down after the first heist? That’s the very first question I’d want answered if I was on the jury. The firm knew it was a target and they left the door wide open anyway.

    Sorry, no sympathy for the owners. The employees, yes, but not the owners.

  5. “Davidson said the bank’s business customer logins were protected by a username, password and a dynamic token code, but that the one-time token wasn’t working at the time of the fraud.”

    If the one time token wasn’t working, it very well could have been broken by the would be hackers. The IT staff probably shut that feature off, and by doing so left them with just username and passwords.

    Then the crooks simply look for user names and passwords that exist on spreadsheets from other hacked accounts. The hackers try password combinations and can then get in pretty easy.

    For some reason I do not sense the due care and due diligence of the firm that got hacked. I see some empathy for the victims, and possibility of recouping some of the lost funds but in the end, it’s not the bank’s fault if transactions are going overseas and the client does not question them in a timely manner.

    I am a strong believer in the rings-of-trust theory. Simply place the most valuable computer assets in the center. Assets in the center are extremely controlled. As you go outward from the center the controls are a little less restrictive, but not by much.

    People who believe that what they are thinking that they are impervious to attacks live by the Security by Obscurity rule. Organizations who sit back on their…. behinds, leaned back on the chair with hands behind their head become lax in their ways.

    Anyone who subverts controls in an organization to make things easier for themselves is asking for trouble. The exact cause of the issues at hand could have been caused by human error, insider threat, non-intentional or simply lazy IT personnel that did not keep an eye on the systems to avoid issues, SQL injection attacks, or otherwise. Obviously, no one was watching the security controls in place to see the APNIC addresses pounding on the door, over and over again.

    This story just shows another company who let its guard down because they were quite comfortable in the ways they handled things. They were riding high on the hog until the hog decided to throw them off and run away with the satchels.

    Thousand questions about this type of event, and very little answers.

    • December 2012 was a nightmare for me. I had two computers permanently damaged but salvageable. Either a regulator on my mobo or my bios is corrupt and nothing I can do about it. Dell was even getting mad at me because I was telling people how to downgrade their bios. but it didn’t help. We are all using diff versions of linux now. I had to get rid of a couple wires, a vid card, a cd rom drive, partition off parts of hdd’s. (i’m sure due to a dell employee leaking info) maybe a virus in the firmware of my samsung hdd. Samsung did the right thing though and let the info the right sources, quietly, months before December. Even when i was letting people know, probably too late, on non Dell machines it was hard to find the link but seagate had it. But we got it too late, which i guess is usually the case with most people.

      But my computer still runs very good! and we are all on diff versions of linux now. which scares the crap out of me….because TALK ABOUT LACK OF SECURITY!!!! but so i only play games on the windows pc and use linux for everything else now.

      One of the most Evilest times in internet history! I think some of these delusional evil malicious hackers really believed the world was going to end…so sad and in a bubble.

    • “” Davidson said the bank’s business customer logins were protected by a username, password and a dynamic token code, but that the one-time token wasn’t working at the time of the fraud.”

      If the one time token wasn’t working, it very well could have been broken by the would be hackers. The IT staff probably shut that feature off, and by doing so left them with just username and passwords.”

      If the 2 factor authentication was broken, it had to have been broken on the bank’s end, not the escrow company’s end, and we haven’t heard anything about the bank being hacked at all.

      • You’re assuming the company that is having these issues didn’t have any sort of IT issues. Software tends to be a two way communication path in most cases. It depends on what the hackers motivation is.

        If the bank doesn’t come out and blatantly admit it was their issue, then it very well could have been an issue internally at the site.

        It’s pretty simple to break a two-way trust. Most companies brag about which technologies they use either by 3rd party advertisements or shields or otherwise on their websites.

        When a hacker sees those, he now knows what he needs to focus on. All he has to do is figure out a way around those controls.

        Once he is in, to circumvent any type of control, I am sure it is simply enough to own a computer that performs the transactions. Simply delete, alter or change a critical file, rendering the software useless.

        The two way communication path is then altered and broken, making the crooks’ future goals a lot easier.

  6. Why were your credentials left here?

  7. It’s amazing that a wire transfer for $432k (or two for $1.1mm) wouldn’t cause a phone call from their bank to confirm.

    I understand that for something like an escrow or title company, this might be a legitimate amount of money to be sending around, but apparently not for this business, since these amounts were literally make-or-break money for them.

    Even for a business that routinely transfers hundreds of thousands of dollars around, even if it means 10-12 phone calls a day from their bank, wouldn’t it be worth hiring someone to answer those phone calls?

    I’m not trying to relieve blame from the crooks, but wouldn’t setting some sort of per-transfer or daily dollar threshold with the bank just make sense?

    • ya thats suspicious. Pretty sad the bank didn’t jump all over that and stress their client, but knows how many clients they have like that. maybe they thought it was normal activity…lol

      It was that time of year.

  8. Blanche Dubois

    Brian
    (Another great article.)
    Request clarification.
    Ms. Castagnoli comments about little or no modern S/W development for a US bank’s processor, to block $ (wire or otherwise) outbound transfers by country.
    Yet in your recent piece on EMV PIN & chip, you reported that European credit and debit card issuers had instituted “geo-blocking” on their processors, apparently with good success, to stop fraudulent $ or Euro transfers via the archaic US mag stripe.
    It would seem that the “country blocking” S/W she mentioned, was at least quite developed in Europe, and could be adapted to US, rather than starting from scratch.
    From that, it would seem rich European banks, insurers, investment houses, also used to transferring cash by wire or ACH-type, would be equal target rich for similar fraud.
    Yet, I haven’t heard of them losing $1 mil. electronically over their lunch hour.
    Does their “geo blocking” S/W protect both debit, credit, and wire/ACH-type transfers?
    Thanks

    • Apples and Oranges, Blanche, on three fronts. First, the credit and debit card fraud protections are very different from those that may surround the ACH and Wire networks. Also, EMV is about credit/debit card transactions, and has little or nothing to do with ACH or Wire transactions, so I’m a little confused by your question. Finally, it’s difficult to talk about European banks and US banks in the same sentence and try to apply the same rules when it comes to fraud, protection schemes and liability rules/guidelines/laws — at least as they relate to ACH and wires.

      • Brian
        Am no expert, but I’m trying to get a fix on the apparent technical lack of US “country block” software development re. wire transfers from small to mid-size US banks (which would block these illegal transfers, even if the fraudsters managed to get the one man or two man security P/W).

        versus
        the apparent success of European financial institutions (across a broad range) in developing “geo block” software that prevents fund transfers to a whole list of countries.

        While agree that wire transfer processing is technically different from ACH and credit/debit card processing, at some core level the US “country block”, & European “geo block” problem is similar.

        It seems a savvy European tech company would have an opening here, with a knowledge base higher than the US, and am wondering why that hasn’t been exploited.

        (I ask this in spite of the real problem and my personal experience: large US banks who have historically treated fraud losses as a cost of doing business, even when the losses were 3%-4% of revenue. Hard to get anyone to invest in prevention when they’re dismissive about a problem.)

        • Geoblocks may not work very well anymore.

          Let’s say a hacker lives in an evil country. Depending on the hack itself, and his motivation, he can either hack an original user of the site, or the site itself.

          To exfiltrate data or cash, he can muddy the trail quite easily. I am sure they have an intricate botnet that they can bounce off to redirect their traffic.

          With IPv6, this will be a little more difficult to do, but it is do-able. Very little underground traffic takes a direct route. That is one of the reasons why investigations can take so long. The pieces may be scattered across the net, vice in one logical path.

          The point I am trying to make is simple. Geo Block lists worked before hacking became sophisticated.

          Now if you are internal, and have select clients and communications with what are known as trusted sites, you can Whitelist them in the IPS/IDS and firewalls. Give active clients specialty VPN software, which has a limited number of one time tokens. Larger organizations this may not work, but if your core services is small, it works better.

          People ask me all the time about Geoblocks and why they do not work. Circumvention of DNS routes, use of bots for redirection or simply remoting into a bot in the USA, siphon off the funds at the hacked site, and eventually the money finds its way out of any geo-block situation.

          • Blanche Dubois

            Clear. Very helpful.

          • I think “geo-blocking” in this context is not dealing with blocking based on IP addresses, but instead on the locations of the destination banks for the fraudulent wire transfers. For example, “block wire transfers going to banks in Russia or China”, or “block wire transfers to any foreign bank”.

            • To my knowledge geoblocking has to do with ATM’s…
              Outside your home region you can’t get money from an ATM. Unless you ask for it, e.g. for a holiday, business trip. If you forget to retract this ATM geo unblock, you’ll stay vulnerable.
              Maybe the geoblocks are the reason why the fraudsters operate with teams per country nowadays.
              Then again, when they are able to geo unblock your account without your knowledge… How watertight is the solution of unblocking?
              Maybe it’s better to work with several accounts. Making sure not to have any card whatsoever connected to the account with which you receive your income and pay your fixed costs…

            • While on the Internet we usually talk about IPv4 addresses, what Brian is talking about would be SWIFT – http://en.m.wikipedia.org/wiki/Society_for_Worldwide_Interbank_Financial_Telecommunication or IBAN – http://en.m.wikipedia.org/wiki/IBAN addresses or similar.

              “The IBAN consists of up to 34 alphanumeric characters: first the two-letter ISO 3166-1 alpha-2 country code,” – this would make it trivial to block a standard IBAN address if one were willing to invest the money to implement such a feature. But as Brian notes, without demand (or creativity/experience) people don’t implement such things.
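The destination-country check discussed in this thread, as an added example that is not part of the original post or its comments. It goes a step beyond the IBAN prefix by also reading the country code in positions 5-6 of the SWIFT BIC, since not every destination uses IBANs, and it holds the first wire to any new country for a phone call. The `WirePolicy` class, the decision labels, the sample allowlist and the BICs are constructed for illustration; the two IBANs are specimen values commonly used in documentation.

```python
import re
from dataclasses import dataclass, field

# IBAN: 2-letter country, 2 check digits, then 11-30 alphanumerics (34 max overall).
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")
# BIC (ISO 9362): 4-char institution, 2-letter country, 2-char location, optional 3-char branch.
BIC_RE = re.compile(r"^[A-Z0-9]{4}([A-Z]{2})[A-Z0-9]{2}(?:[A-Z0-9]{3})?$")


def iban_country(account):
    """Return the country prefix of a checksum-valid IBAN, or None."""
    s = re.sub(r"\s+", "", account).upper()
    if not IBAN_RE.match(s):
        return None
    # Mod-97 check: move the first four characters to the end, map A..Z to
    # 10..35, and require the resulting integer to leave remainder 1.
    rearranged = s[4:] + s[:4]
    number = int("".join(str(int(ch, 36)) for ch in rearranged))
    return s[:2] if number % 97 == 1 else None


def bic_country(bic):
    """Return the country code embedded in a well-formed BIC, or None."""
    m = BIC_RE.match(bic.strip().upper()) if bic else None
    return m.group(1) if m else None


@dataclass
class WirePolicy:
    """Hypothetical per-customer outbound wire policy (names are assumptions)."""
    allowed: frozenset = frozenset({"US"})                   # countries the customer opted in to
    confirmed: set = field(default_factory=lambda: {"US"})   # countries already verified by phone

    def evaluate(self, account, bic=None):
        """Return (decision, country, reason) for one beneficiary."""
        from_iban, from_bic = iban_country(account), bic_country(bic)
        if from_iban and from_bic and from_iban != from_bic:
            return ("HOLD", None, "IBAN and BIC name different countries")
        country = from_bic or from_iban
        if country is None:
            # Fail closed: an unreadable destination is never treated as domestic.
            return ("HOLD", None, "destination country could not be determined")
        if country not in self.allowed:
            return ("BLOCK", country, "destination country not on customer allowlist")
        if country not in self.confirmed:
            return ("HOLD", country, "first wire to this country; confirm by phone")
        return ("ALLOW", country, "destination previously confirmed")

    def confirm(self, country):
        """Record an out-of-band confirmation for an allowlisted country."""
        if country in self.allowed:
            self.confirmed.add(country)


def demo():
    """Run constructed wires through a policy that permits US, GB and DE."""
    policy = WirePolicy(allowed=frozenset({"US", "GB", "DE"}))
    wires = [
        ("GB82 WEST 1234 5698 7654 32", None),        # specimen IBAN, first wire to GB
        ("000123456789", "ABCDRUMMXXX"),              # constructed BIC, country RU
        ("DE89 3704 0044 0532 0130 00", "ABCDGB2L"),  # IBAN says DE, constructed BIC says GB
        ("000123456789", None),                       # nothing to derive a country from
    ]
    return [policy.evaluate(account, bic) for account, bic in wires]


if __name__ == "__main__":
    for decision, country, reason in demo():
        print(f"{decision:5} {country or '--'}  {reason}")
```
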

  9. 1.1 million, isn’t that about equal to a 2 bedroom house in that part of California? Seems like it would take more than that to impact an escrow business.

    • haha

    • $1.1 million will still get you a pretty nice house in southern California. And, for an escrow company with 9 employees, that’s a lot of money. They probably processed a lot more than that, but it could easily be two years’ worth of payroll.

      • ya they only had 20 clients, and now 9 employees are out of a job. That stinks. A prime example of hackers ruining peoples lives.

  10. ComplianceBanker

    As the Compliance Officer for a bank, I’ve seen this similar scenario occur dozens of times. We’ve now had to mandate our business customers implement “two-touch” controls on outgoing wire transfers, so that one user inputs the wire, and another must approve/release it. This simple concept has caught almost every fraudulent transaction we’ve seen. However, the criminals can get very creative…the Zeus Trojan and its many varieties allows them to put up fake “popup” windows asking for the second user’s credentials (several customers have had this happen as well.)
    I concur with others who are asking where the diligence of the company is/was. How about running some anti-virus software? Spam blockers? Training staff not to click on attachments or links in emails, Facebook, or unsafe sites? Cybercriminals are going to keep succeeding until businesses finally take responsibility for internet security.
    As far as the bank having the capability to identify & block wires to certain countries – if the bank doesn’t have a correspondent relationship with the foreign bank, the wire must go through a U.S. intermediary bank that does. If the wire fields aren’t filled out properly, there’s no way to systematically identify these as foreign wires because the U.S. bank is the receiving bank. The absence of a U.S. intermediary bank on a wire is also a red flag of a fraud – many of these cybercriminals don’t understand that most of the U.S. banking system does not use the global SWIFT system for wires.

    • Reliability of Antivirus and Spyware is low in most cases. There are a lot of cases that Brian and others have pointed out, that AV and AS simply aren’t aware of the software. If the evil software goes through an upgrade, the AV AS signatures may not be able to detect the evil software.

      It boils down to lax of security. It also boils down to putting their weight and bets on the insurance company will cover any losses – unless it is declared that it was their fault, and they failed to follow the prudent man rule, and did not show due care or due diligence.

      It’s like being at the casino, they were playing with other people’s money to make money. Where their true focus was before they got hacked, and then hacked before is truly a mystery and it may never be truly understood.

    • “If the wire fields aren’t filled out properly, there’s no way to systematically identify these as foreign wires because the U.S. bank is the receiving bank.”

      I am assuming wires look something like this:
      – initiator
      – optional intermediary
      – final destination

      But if all of the fields are not completed, in other words “final destination” is missing, then how would the money ever reach a foreign bank? Wouldn’t the money just stop at the U.S. intermediary, with that bank scratching its head at the purpose of the wire?

  11. After reading the article, I immediately called my bank, Wells Fargo, to see what security they could offer me for wire transfer. Not to worry I was told, if the wire was not initiated by us, the money would be reimbursed.

    Is there a way we could confirm wire transfers? Forbid them to certain countries? maybe get a call if it’s over a certain amount? Sorry, he said.

    Now why do I feel uncomfortable after that conversation. Will the bank really cover me in the event of a false wire transfer? Can I trust them to follow due diligence?

    • In most of these cases, the wire transfer was initiated by a computer physically located in the victim’s business using hijacked login credentials that were entered by authorized representatives of the businesses. The trojan gets on that computer through sloppy security on the part of the customers, practices not under the banks’ control.

      So what does “not initiated by us” mean in that context? It sounds like the person who handled your call has no idea what you’re asking about. There’s no way a bank could or should offer unqualified indemnification when the customer shares so much of the blame.

    • Do we really think Wells Fargo would pony up $400k-$1.1 million dollars to reimburse a fraudulent transfer as a normal cost of doing business?

      And according to the article, the State of California gave the company *3 days* to scratch up the cash. My neighbor gave up after two months of trying to get Wells Fargo to correct a $25 error…

    • “I immediately called my bank, Wells Fargo, to see what security they could offer me for wire transfer. Not to worry I was told…”

      Heh. If it’s not in writing, it doesn’t exist.

    • Ask yourself, why would you? The bank isn’t on the hook for the loss, they could probably care less either way. Until they share some financial hit for passing these kind of transactions then they will not take any real steps to stop them.

      Similar to how AV is identified through heuristics and large scale patterns, who besides banks have the resources to determine malicious banking activity? But when they make money either way, why would they care?

    • Did you get his (the bank’s response) in writing? My concern is what you get with a hypothetical question will be far different from what you get with a real problem.

      Rest assured, if there is a question of money missing or being owed someone…the bank is only going to deal with you through their lawyers.

      • We’re going to try and get what he said in writing at Wells Fargo. I’m not holding my breath. The agent wasn’t in today, and will likely do some fancy steps to say I shouldn’t worry about it. We’ll see and I’ll let you all know what happens.

        I don’t trust the big banks at all since they operate without an ethical framework.

  12. I’ve always thought of title companies as easy targets. Any smaller city will have a few and the offices are typically running off of a Linksys router.

    It’s totally normal for them to move huge amounts of money like this and there’s very little security around their process. They’re literally saving your account number and routing information on your system in Word files.

    This is an area where I don’t think that the company doesn’t bring in enough revenue to cover the security that they need. They have all the security needs of a small bank, but can we really expect these small offices to hire top security consultants that can secure their processes, networks, computers?

    I think that as Brian pointed out, the problem is no one is checking these wire transfers. A simple call from the bank would have prevented this whole situation.

    • This is a good point; a small company probably thinks they don’t need (or can’t afford) security experts. But in an office this small, why can’t every wire transfer be initiated–either in person or by telephone, by known employees of the title company to the bank?

      “Oh, too much trouble!” I’m sure they would say. Given the risk and potential loss of $400k, it ought to be worth some trouble.

    • You don’t need permanent staffed personnel when it comes to the more complicated security controls.

      All any small business has to do is hire a consultant or entity to come in and do an overall security assessment. I am not talking about an Audit or other business ISO type function.

      Bring in a techo-geek. He / She sits in the building, performs vulnerability scans, and whatever else may be done as written in the agreement. Even on a deep end, that would have cost less than 5,000 for sure, probably closer to a grand or less, depending on the complexity and time to complete the project.

      With all the news about hacks, malware and other nasties flying wildly everywhere, one would think that any organization that handles anything worth money ( PII, money, etc;) would at least consider some course of action – rather than saying, OH, woops, they got me too. Insurance company can you help? How about it lawyer, why is it taking so long to sue the bank when we weren’t doing our part?

      • “Bring in a techo-geek. He / She sits in the building, performs vulnerability scans, and whatever else may be done as written in the agreement.”

        There are some problems with that approach, all of them involving the client.

        If management does not fully back and/or understand the conclusions, the changes will be minimal and possibly useless. I’ve worked for a few companies which took the recommendations, removed anything negative towards management, and then released the watered-down solution.

        The other problem is the employee. I remember telling one woman that she should not include classified or sensitive information in an email, that emails of that type should employ some type of encryption. She just rolled her eyes and gave me that look she probably gives to her child. She was the type of person who would open a spear-phishing email and then deny she had anything to do with a theft.

        On the other side, a bank which will remain nameless only allowed for a ten character password, with passwords consisting of letters and numbers only. I told them that passwords should allow for 30 characters (more is okay) and accept special characters, but all I received was a condescending answer of how their security was good enough.

  13. Hey Brian,
    This is absurd you would expect an escrow company like Efficient Services Escrow Group to have top of the range cyber security in place, being attacked twice in two months!!!

    I agree with Matthew Chambers. The first thing I would do.. is call the bank, not wait for a second chance. They were already able to hack the systems.
    John

  14. This seems like a ping pong game.

    It’s the Bank’s fault that they didn’t double-check the wire transfer.
    No, it’s the Company’s fault for not adding restrictions to their transactions
    No, it’s the bank’s fault because their ‘security-token’ didn’t work.
    No, it’s the Company’s fault for not patching their security when they were hacked before.. once bitten twice shy and all that.
    No, it’s the Bank’s fault for not providing proper multifactor authentication
    But then would Efficient Escrow services actually use multifactor authentication?

    They are both guilty!

    But a larger part of the guilt must be placed on the company. Efficient Escrow services knew there was a problem when the first cyber heist happened, they should have taken necessary precautions to find out what happened and then make sure it doesn’t happen again.

    If someone stole money from my online bank account I would make sure that never happens, even if it means changing banks, because the current one doesn’t care about security.

  15. Re country blocking

    Whenever I am in a foreign country I pay in local currency which I obtain using an ATM card (keeping in mind Brian’s warnings about skimmers), since I found that gave me the best conversion rates.

    4-5 years ago I was visiting Romania.
    After I arrived I tried 3-4 ATMs and was told that my bank declined the transaction. Thinking that someone emptied my account I called my bank from Romania.
    I was told that they blocked all withdrawals originating from that country.

    Now, my bank is a relatively small regional credit union with offices in four counties.
    So, it does not have to be a large bank to have country blocking.
    Yes, I realize wire transfers are not the same as ATM withdrawals. But I think the point is still valid.

    • Romania and Bulgaria are probably the most corrupt countries in the EU, especially Bulgaria. Neither has been allowed into the Schengen zone because the other EU countries do not believe they have a handle on corruption.

      • If it comes to fraud – wire or credit card – Bulgaria and Romania are far behind the US. There are not many countries where 1mil wire to China is not double-checked.

  16. Blanche Dubois

    Brian, Congrats!
    You’ve got a good, very big public issue here. Even gut ripper status.
    Banks, businesses, geeks, security firms, even a weak CA escrow regulator, all on full public display, and all with their sniffers out for blood, blame, and money on the floor.
    And a good deal of comfy self-righteousness…
    Did the CA escrow regulator ever show up BEFORE the swipe, to inspect what he expected, or was he just a license fee collector, now conducting a wake?
    Other than a few PR tears, the escrow owners seem ready to “get back in the game” once they sweep out the debris.
    So who are the “real victims” here, from whom we haven’t yet heard?
    Not the lawyers who deposited money with the escrow firm. They are not out a dime, but they do have “claims”, for “others”.
    It’s the widows and children whose probate lawyer deposited the insurance proceeds/civil jury $ verdict, with the escrow fund.
    It’s the home buyer, whose down payment was deposited. It’s the business buyer whose “good faith” deposit was escrowed. Etc., etc. etc.
    All deposited in the present, with the expectation of a future legal payout. A classic situation for rip-offs or losses. Good luck to all these people eventually getting something.
    Campers, this is our future. It’s 2013.
    To me, this is a situation where the real victims deserve a swift insurance pay out, to get on with their lives, such payout funded by all business participants touched by stink in the loss, funded by each paying a modest premium, their deductible “cost of doing business” in that state. That also gets regular insurance co. visits interested in surprise testing/inspecting your systems (like fire inspectors) to lower their risk or to jack premiums for sloppy CEO inattentiveness wherever found.
    Intolerable intrusion? Then get out of that business and open a dry cleaners.
    (I may sound harsh here, but a lot of people helped wipe out the real victims. However, I did learn a bit, and far more lingering questions, from the contributors to this forum. Thanks.)

  17. Brian: While I’m not saying that this is the cause of this case (nor could I possibly know anyway), I do wonder how one could rule out the possibility of insider involvement in such a scheme (sort of like how history has shown some companies might set a building on fire in order to get insurance money when it is posting accounting in the red)?

  18. I think both parties are at fault, only because we may not have every single detail in this situation so we are forced to see this situation only with the criteria given.

    First of all: Where were the proper internal controls within this escrow company? I assume because this occurred, that dual control had not been adopted? They could’ve asked their bank what controls the bank had in place to monitor for fraud. If they were processing their wire transfers through online banking there should’ve been a dual control option adopted where one person at the business submits the transaction and it requires another business staffer to login to approve the transaction (hopefully the approval would be done with the use of a security token password generator). Even better, the login could require the use of a security token just to access online banking.

    It is a responsibility of the business to ensure that all computers are regularly updated and virus/malware detection programs/firewalls, etc are installed and up to date at ALL times. This may not guarantee protection but it reduces the chances. The bank has NO control over the security of the business’s computers or network.

    HOWEVER, Yes, the bank should’ve had proper controls in place and second guessed the international wire IF international wires were out of character for the business. A callback should’ve been performed. If the wire transfers were being done through business online banking, the bank should’ve strongly suggested that dual control be adopted at the business level and if the business refused to do so, then the bank needed to collect a waiver signed by the customer.

  19. “but that the one-time token wasn’t working at the time of the fraud.”

    “Nothing works and nobody cares.” – Woody Allen

    And so my meme remains strong! :-)

  20. There is specialized insurance for this type of exposure called Cyber Risk Insurance. Many small to medium sized businesses do not buy it, and it appears that this escrow firm did not buy the coverage. It is not expensive for most small companies, including title & escrow companies. But it will get more expensive if companies do not take more aggressive steps to protect their assets.

  21. Here’s another interesting read, from the DHS daily infrastructure report;

    August 8, The Register – (International) ‘Hand of Thief’ banking trojan reaches for Linux – for only $2K. A banking trojan called “Hand of Thief” targeting Linux users was found for sale for $2,000 in underweb forums, according to a researchers from RSA. The trojan includes form-grabbers for several browsers, routines to block access to security updates and measures, and virtual machine detection to avoid analysis Source: http://www.theregister.co.uk/2013/08/08/linux_banking_trojan/

    • The Linux strategy is security by obscurity. I guess that’s why even the users are not user friendly…lol It’s true many offices need to use Windows for compatibility with many programs. But I believe Linux is getting more popular for home desktops and servers and hopefully they take security more seriously.

      Ubuntu forums were hacked offline for over 9 days recently and I bet they were running Ubuntu. Maybe it’s time they put a firewall in it…or have at least some default iptables rules! Talk about living in a bubble. IMO, I think if most servers and desktops were Linux instead of Microsoft, the world would be more vulnerable.

      I was talking to some people in netfilter chat room. Some are IT security students who never heard of tripwire or aide, no one uses a program like rkhunter, or clamav, no one uses snort or something similar, no one even logs anything with iptables or uses psad, or any similar programs. The only thing they ever heard of is wireshark which they never use, and amazingly one dude actually uses pgl. (which many feel is useless and pointless because people change IPs on the fly, but I disagree) This is the netfilter chatroom on freenode… can you believe that?

      One IT security student from that room was recently telling me his BIOS got corrupt and he had to take the battery out….buaaahaha. They really don’t believe that most of these losers will just hack you for fun or for practice or Just because they can….

      They all think I’m an insane paranoid crazy person. They don’t realize everyone is a target now. And these are the young kids going into IT security!! I think the people who actually have experience socializing on various networks or are conscious about anything going online and learn these skills most likely become malicious hackers and criminals. I think the future of cybersecurity is scary, especially when no one wants it policed and everything is going to be left up to the users as it only gets worse for them and their families.

  22. It’s a changing world. They aren’t afraid of what they cannot see. Decades ago, when the Melissa or ILOVEYOU virus came out, it affected a lot of computers and people became aware of the attacks that could happen to a computer.

    Nowadays, the crooks are focused on owning a device, and using it for as long as they possibly can.

    Though these generations were born with a cellphone or mobile device glued to their ear, all they seem to care about is functionality and signal bars. They live in this electronic quickness mode – everything via waves needs to come in quick and any delays will have issues.

    Big Businesses aren’t going to do Info-commercials that say their products are vulnerable to attacks. The government is too lax on criminal punishments and restitution for convicted criminals.

    With the job market the way it is, people turn to anything that offers cash, even illegal activities.

    The ONLY way to ensure the criminals can be stopped is doing awareness training in a public school level to educate the younger people so they understand what the consequences are at an early age. Do it by classrooms, not by auditoriums – it will be more effective.

    Short of Congress giving the green light to fire a “blue screen” and corrupting critical system files on a severely infested device, the only way to clean up the issue is a heavy awareness campaign.

    =\

    • Teach the babies. Right in between English and math in primary education, I don’t see why not. It’s a digital world now.

  23. If they held the wires for a certain length then this wouldn’t be a problem. Unfortunately nobody wants to wait a week to get paid.

    Banks are not secure, never have been, for international payments which is why Bitcoin and other virtual currencies have tried to replace them.

    Ask any virtual currency exchanger on the scams they have seen involving both hard and soft bank transfers, MITM scam attacks and forgeries and the list is endless. Even accepting cash deposit is not safe unless you have high fees or insurance to cover MITM fraud.

  24. The list here is endless. Some commentators clearly do not understand what a wire is, let alone how it is transacted. Others believe it’s all the company’s fault, or all the bank’s fault. Certainly the token being “turned off” sounds pretty bad on the part of the bank. However, as the data security officer for a bank, I can tell you that there are many controls that can and should have been put in place. 3 transactions totaling $1.5MM is clearly within the “normal” footprint of any escrow/title company regardless of size, so those advocating transaction limits are offbeat. However, the bank should have placed limits on WHERE the funds could be sent to. Of the online banking systems I’ve seen, all have that capability, but that doesn’t mean that whoever is configuring at the bank/service provider knows how to set it up.
    As another commenter made note, I’ve also seen mandatory input/secondary approval schemes, and forced call-back schemes. All work well, and for those banks that don’t use them, then continued losses and forced regulatory requirements will take care of that.
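
The controls raised in the comments above (limits on where funds may be sent, dual control with a token, and forced call-backs) can be combined into one release check. The following Python sketch is an added example, not part of the original post or any commenter's words and not any bank's actual system; the policy values, field names and sample wires are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical per-customer policy; every value here is constructed.
ALLOWED_COUNTRIES = {"US"}
KNOWN_BENEFICIARIES = {"title-co-operating-acct"}

@dataclass
class Wire:
    amount: float
    country: str
    beneficiary: str
    submitted_by: str
    approved_by: Optional[str] = None
    token_ok: bool = False            # approver's one-time token verified
    callback_confirmed: bool = False  # bank reached a known contact by phone

def review(wire: Wire):
    """Return (decision, reasons); anything not fully verified fails closed."""
    # Destination limit: a country outside the allow-list is refused outright.
    if wire.country not in ALLOWED_COUNTRIES:
        return "REJECT", [f"destination {wire.country} not on allow-list"]
    reasons = []
    # Dual control: the approver must exist and differ from the submitter.
    if wire.approved_by is None or wire.approved_by == wire.submitted_by:
        reasons.append("needs approval by a second, different user")
    # A token that is missing or not working holds the wire, never waives it.
    if not wire.token_ok:
        reasons.append("approver token not verified")
    # Call-back: a first-time beneficiary needs voice confirmation.
    if wire.beneficiary not in KNOWN_BENEFICIARIES and not wire.callback_confirmed:
        reasons.append("new beneficiary: call-back required")
    return ("HOLD", reasons) if reasons else ("RELEASE", [])

# Constructed sample requests; the first amount is the December wire
# reported in the article, all other values are made up.
SAMPLES = [
    Wire(432215, "RU", "unknown-1", "clerk1", "clerk1", token_ok=False),
    Wire(85000, "US", "new-seller-acct", "clerk1", "officer2", token_ok=True),
    Wire(85000, "US", "new-seller-acct", "clerk1", "officer2", True, True),
    Wire(12000, "US", "title-co-operating-acct", "clerk1", "clerk1", True),
]

if __name__ == "__main__":
    for w in SAMPLES:
        print(w.amount, w.country, *review(w))
```

The point of the fail-closed ordering is that an unavailable token or an unreachable contact leaves the wire on hold instead of letting it through with one control fewer.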

