08 Jan 14

Firm Bankrupted by Cyberheist Sues Bank


A California escrow firm that was forced out of business last year after a $1.5 million cyberheist is now suing its former bank to recoup the lost funds.

A state-appointed receiver for the now defunct Huntington Beach, Calif. based Efficient Services Escrow has filed suit against First Foundation Bank, alleging that the bank’s security procedures were not up to snuff, and that it failed to act in good faith when it processed three fraudulent international wire transfers totaling $1,558,439 between December 2012 and February 2013.

The lawsuit, filed in the Superior Court for Orange County, is the latest in a series of legal battles over whether banks can and should be held more accountable for losses stemming from account takeovers. In the United States, consumers have little to no liability if a computer infection from a banking Trojan leads to the emptying of their bank accounts — provided that victims alert their bank in a timely manner. Businesses of all sizes, however, enjoy no such protection, with many small business owners shockingly unaware of the risks of banking online.

As I wrote in an August 2013 story, the heist began in December 2012 with a $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.

This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.

Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.

Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut the company down. As a result, Efficient was forced to lay off its entire staff of nine employees.

On Dec. 6, the lawyer appointed to be Efficient’s receiver sued First Foundation in a bid to recover the outstanding $1.1 million on behalf of the firm’s former customers. The suit alleges that the bank’s security procedures were not “commercially reasonable,” and that the bank failed to act in “good faith” when it processed international wire transfers on behalf of the escrow firm.

Like most U.S. states, California has adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

As evidenced by the dozens of stories in my series, Target: Small Businesses, companies do not enjoy the same protections as consumers when banking online. If a banking Trojan infection results in cyber thieves emptying the bank accounts of a small business, that organization is essentially at the mercy of their financial institution, which very often in these situations disavows any responsibility for the breach, and may in fact stonewall the victim company as a result. That can leave victim organizations in a quandary: They can swallow their pride and chalk it up to a learning experience, or opt to sue the bank to recover their losses. Of course, suing your bank can be cost-prohibitive unless the loss is significantly larger than the amount the victim might expect to spend hiring lawyers to pursue the case on the often long road to settlement or trial.

The plaintiffs in this case allege that part of the reason the bank’s security procedures were not commercially reasonable was that one component of the bank’s core security protection — the requirement that customers enter a code generated by a customer-supplied security token that changes every 32 seconds — had failed in the days leading up to the fraudulent transfers. I would argue that security tokens are a mere security speed bump whose effectiveness is easily bypassed by today’s cyber thieves. But in any case, this lawsuit claims that rather than address that failure, the bank simply chose to disable this feature for Efficient Services.

First Foundation did not return calls seeking comment. But the bank did produce an incident report that is now public record, thanks to this lawsuit (see the “Exhibit J” section of this PDF case document). The document states that the company had previously performed international wire transfers, and so it saw nothing unusual about half-million-dollar transfers to China. According to the plaintiffs, however, Efficient escrow had merely inquired about the possibility of international wires, yet had not actually performed wire transfers outside of the United States previously.

First Foundation’s incident report also appears to suggest that the bank very quickly reached the conclusion that the fraud was the result of misdeeds by Efficient’s controller — Julie Gardner — and not the result of a cyberheist.

“The transaction and session history of Ms. Gardner suggests the possibility of internal fraud,” reads the bank’s report. “Ms. Gardner’s employment with ESE ended with reasons unknown to FFB. Her access from Business Online was removed on Feb. 20, 2013.”

Julie Rogers is an attorney with the Dincel Law Group, which is working with the plaintiffs in this case. In an interview with KrebsOnSecurity, Rogers said that if the bank looked at its processes honestly, it would have asked the customer before processing the international wire. Rogers noted that the bank’s incident report also brought repercussions that spilled out beyond the errant processing of several fraudulent international wire transfers.

“To name a specific employee and say, ‘We don’t think this was cyber hacking at all,’ that’s pretty egregious, and you can’t un-ring that bell,” Rogers said, citing the difficulty that some former employees of ESE have had trying to find new work in the industry.

“When you suggest that, it does some damage, not only to that individual but also to the people associated with that individual,” Rogers said. “That conduct spills out beyond just the processing of a wire transfer. It spills out into an area that isn’t covered by the UCC. Some of the individual escrow agents [formerly employed by ESE] have tried to obtain work at other companies, but the two operators and owners of the company have been subjected to license revocation and suspension that precludes them from running a similar business for five years before they can reapply.”

Rogers said there’s a larger point to these lawsuits: “These banking institutions are saying, ‘We’ll give you 24/7 protection for banking online, which is safe, efficient, and affordable.’ But meanwhile, their budgets are getting cut. The people in charge of fraud are getting laid off. And yet the public is getting more and more drawn into cyber banking.”

There is no question that Efficient Escrow should have detected these fraudulent wires a lot sooner than they did. The point of my focus on these cases is to raise awareness about the need for companies to take steps to avoid becoming victims in the first place. If you run a small business and you bank online, please consider adopting some safeguards to prevent your company from being the next victim of a cyberheist. Banking from a Live CD or from an isolated (preferably non-Windows) computer is the surest way to avoid ebanking heists. However, this approach only works if it is consistently observed.

The average small business usually has one person in charge of the books, and they’re lucky if they have one person in charge of security; very often, it’s the CEO who serves as the CTO, CFO, CSO and E-I-E-I-O. These attacks launched by today’s cyber thieves against small businesses are anything but a fair fight: It’s basically one blue-haired lady against an entire squadron of seasoned criminals.

I’ve been writing about this problem for more than five years now, and for good reason: There are millions of small business owners who have absolutely no clue how vulnerable they are and who they’re up against. I travel quite a bit to speak to audiences around the world about cybercrime, and I frequently find myself seated next to small business owners. I always ask the same thing, and I always get the same response. Do you bank online with your business? Why, sure. Did you know that if you have a virus infection that cleans out your bank account, your bank is under no obligation to do anything on your behalf?

I’ll continue to write about this subject, mainly because awareness remains low and there will continue to be new victims every week losing hundreds of thousands of dollars as a result of these cyberheists. Meanwhile, the crooks responsible are upping their game. According to Gary Warner, co-founder and chief technologist at threat intelligence firm Malcovery (full disclosure: Malcovery is an advertiser on this blog), the latest cyberheist malware deployed by the Asprox botnet (PDF) uses geo-IP location to include the name of the would-be victim’s hometown in the malicious file that gets pushed down when the user clicks on a link.

“It geo-codes you and puts your city name into the filename, and antivirus detection of these variants continues to be very low,” Warner said. “We’ve seen this with Asprox malware spam disguised as court documents, airline tickets, and [spoofed emails made to look like they came] from Wal-Mart, Costco and BestBuy.”

I guess you could say it’s also become a bit personal. One of the most recent versions of Asprox pushes malware that includes the URL of this blog, as well as a file descriptor that says “Krebs Systems.”

A copy of the complaint filed by the receiver for Efficient Services is available here (PDF).


63 comments

  1. I never thought about things this way – some people set up a corporate entity for managing wealth and investments. If I’m a business client of Bank of America, this is what I’m paying for every month. You’re supposed to keep the hackers from getting into the bank through the electronic door, just as seriously as if it was a bad guy with a machine gun walking into the bank through the front door.

    What a bunch of greedy scum-sucking lowlifes! My tax dollars bailed out all of these damned banks, and when a small to mid-sized business owner is a victim of a financial crime which occurred due to the bank’s negligence, I would expect that bank to take some responsibility. What a crock.

  2. >I would argue that security tokens are a mere security speed bump whose effectiveness is easily bypassed by today’s cyber thieves.

    Blimey, I thought that they might actually make a difference. Think I’ll look into the Live CD/USB idea.

    Is there a particular variant that you’d recommend or use personally Brian?

    http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html

    • Hi, use Puppy Linux for a very good and “Windows-like” environment, if that’s what you’re used to. Most people prefer to use standard Linux Live distros, yet sometimes the learning curve can put people off. Puppy Linux is made for everyone, not just techs

    • If you’re looking for a liveboot, look at a live CD/USB distro with KDE as the windows manager (this is what the GUI that sits on top of Linux is basically called, a windows manager, and there are many varieties of them). Check distrowatch.com. I would suggest Kubuntu but this has not been updated in about a year; it is probably ok to liveboot from.

      KDE is probably the UI that is the easiest for a windows (XP, Vista, 7) user to use intuitively as it has a very similar interface. Second easiest is probably anything with Gnome. If you’re used to Windows 8 you may prefer Ubuntu which comes with a default UI called Unity (it has that large icon very graphical user interface; not my thing but other people like it).

      Not that there is anything wrong with Puppy, especially on older machines, but if you are trying things out and want to switch between liveboot and not liveboot, definitely try out Mageia or else look at any of the ubuntu-based official ‘spins’ (listing is available from the distro website). Mint is very easy to use also and friendly to older machines, and some people find OpenSUSE quite good as a default operating system.

      This site might also be helpful to you: http://www.linuxliveusb.com (none of these have any affiliation to me).

  3. >I would argue that security tokens are a mere security speed bump whose effectiveness is easily bypassed by today’s cyber thieves.

    I also don’t quite agree: first, the crooks need to be quick and basically online (32 seconds) to phish the code by injection.
    Second: REAL tokens use input parameters like beneficiary account and amount to generate the OTP, therefore a phished OTP is useless.

    So tokens are definitely a step up from static passwords, and as mentioned, state of the art is the one, that uses transaction details, EMV card with PIN, and is not connected to the PC.
    (some people call them “card&reader”)
    Also much safer than SMS tokens – which have been compromised. But that is another story.

    • Brian, one afterthought: what happened exactly in regards to the “one component of the bank’s core security protection …token…had failed in the days leading up to the fraudulent transfers.”

      And did it fail from December to January, for all customers? This is gross negligence from the banks side.
      You (as bank) can’t just disable security mechanisms, because they fail.
      What’s next – we don’t lock our branches, ’cause the door is broken?

      • @marty:
        I have no insight whatsoever in this case but my assumption upon reading Brian’s article was that the thieves were somehow involved in breaking the token (or making it look like it was broken). For example by injecting code in the browser to make it look like the generated codes were not accepted. That would prompt the legitimate user of the token to call the bank’s support who would assume (perhaps too quickly) that the internal token clock got out of sync and because of that the generated codes do not check. Furthermore they would disable second-factor authentication, possibly upon request from the company accountant who needed to process transfers. Or, if indeed the accountant was in cahoots as suggested by the Bank’s incident report, a little coffee spilled over the token would do. If the unavailability of the second-factor was entirely due to a technical problem on the bank’s side I’d totally agree with you as being grounds for gross negligence.

        • George, you’re not reading close enough. From the article:

          “one component of the bank’s core security protection — the requirement that customers enter a code generated by a customer-supplied security token that changes every 32 seconds — had failed in the days leading up to the fraudulent transfers.”

          In other words, for the time of the outage at the bank, no token entry was required by any customer. It’s surprising that this was the only customer hacked but maybe it was since the hacker had to penetrate the PC used for the transfers.

          • Bruce – yes I know, I was just saying that I consider tokens that generate otp’s more than speed bumps. attacker needs to: steal login credentials, prepare transaction, inject phishing page to steal OTP and do all this in 32 seconds, which means they have to be in “online mode”.
            passwords are speedbumps, otp tokens are maybe checkpoints and tokens that use payment data to authorize transactions are doors to the vault

    • Marty, you do understand that hackers can intercept the code from the token and sign on to the bank themselves and initiate a transfer before the code expires, don’t you?
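The distinction Marty and Bruce are arguing over (a time-based code that any payment order can ride on during its window, versus a code bound to the beneficiary and amount) is easy to see in code. This is an added example, not from the article or any commenter: the seed, account labels, amounts and the hypothetical bank-side checks are constructed, and the `token_required=False` branch models the disabled-token setting the article describes.

```python
# Added example (not from the article or its comments): contrasts a time-based
# OTP, valid for any payment order inside its window, with a transaction-bound
# OTP that only verifies for the beneficiary and amount it was generated for.
# The seed, beneficiaries, amounts and bank-side checks are constructed.
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-seed-not-a-real-token-secret"
STEP_SECONDS = 32  # the window length the article quotes for the bank's token


def _truncate(digest: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation (RFC 4226 section 5.3) of an HMAC digest."""
    offset = digest[-1] & 0x0F
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** digits:0{digits}d}"


def time_otp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Code depends only on the secret and the current time window."""
    counter = struct.pack(">Q", now // step)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest())


def transaction_otp(secret: bytes, beneficiary: str, amount_cents: int,
                    now: int, step: int = STEP_SECONDS) -> str:
    """Code is bound to the payment details (the 'card & reader' style Marty
    describes), so it cannot be replayed against a different order."""
    msg = struct.pack(">Q", now // step) + f"|{beneficiary}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts_time_otp(secret: bytes, code: str, now: int,
                          token_required: bool = True) -> bool:
    """Hypothetical bank-side check for a time-based token. With
    token_required=False the order is accepted on the password alone, which is
    the setting the lawsuit says the bank fell back to after the token failed."""
    if not token_required:
        return True
    return hmac.compare_digest(code, time_otp(secret, now))


def bank_accepts_transaction_otp(secret: bytes, order: dict, code: str,
                                 now: int) -> bool:
    """Hypothetical bank-side check that recomputes the code from the order
    actually being submitted, not from whatever the customer saw on screen."""
    expected = transaction_otp(secret, order["beneficiary"],
                               order["amount_cents"], now)
    return hmac.compare_digest(code, expected)


def scenario(now: int = 1_389_000_000) -> dict:
    """A user generates a code for a $10,000 wire; ten seconds later (same
    window) the same code is presented with a different beneficiary.
    Returns which checks accept which order."""
    legit = {"beneficiary": "CLIENT-ESCROW-ACCT", "amount_cents": 1_000_000}
    altered = {"beneficiary": "OTHER-ACCT-OVERSEAS", "amount_cents": 1_000_000}
    replay_time = now + 10  # still inside the same 32-second window
    t_code = time_otp(SECRET, now)
    tx_code = transaction_otp(SECRET, legit["beneficiary"],
                              legit["amount_cents"], now)
    return {
        # time-based code says nothing about the order, so the altered one passes
        "time_otp_accepts_altered": bank_accepts_time_otp(SECRET, t_code, replay_time),
        # transaction-bound code fails for the altered beneficiary ...
        "tx_otp_accepts_altered": bank_accepts_transaction_otp(
            SECRET, altered, tx_code, replay_time),
        # ... but still passes for the order it was generated for
        "tx_otp_accepts_original": bank_accepts_transaction_otp(
            SECRET, legit, tx_code, replay_time),
        # token disabled: any code, any order
        "no_token_accepts_anything": bank_accepts_time_otp(
            SECRET, "000000", replay_time, token_required=False),
        # a time-based code does expire once the window has moved on
        "time_otp_after_window": bank_accepts_time_otp(
            SECRET, t_code, now + 2 * STEP_SECONDS),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```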

  4. Great article Brian (as usual)…

    As part of the on-boarding process for these business customers, I think some education needs to happen, in a big way. Even a cursory security review would be beneficial to these businesses. Most of the clients I visited while in banking were clueless when it came to security. Unpatched systems were common…antivirus was not. Segregation of duties was an entirely foreign concept – (i.e. the same person shouldn’t be creating and authorizing the wire transfer). I am in absolutely no way shape or form defending banks (disclaimer – I worked in the industry for several years) but businesses need to start taking some responsibility for their own safety as well.

  5. I used to work at two banks in the security department and this was always a topic of discussion when it came to wire frauds. Not only that but you can put restrictions on accounts. I have two opinions on whether or not the bank should be sued for this incident.

    The first is…if the bank issued tokens to this customer and had dual signers on the account…then the bank shouldn’t be held responsible. You can’t hold everyone’s hand if they aren’t going to step up and protect their own business.

    The second is…if the bank tried to issue tokens but the customer denied them…again…the bank shouldn’t be held responsible.

    If the bank didn’t have tokens in place, which seems unlikely since they have been around a long time, then I can hold the bank a little responsible but not the full amount.

    Whenever I dealt with a customer, I always informed that there should be a separate PC that used a LIVE CD that would ONLY be used to transfer wires and/or scan checks into their system. To buy a barebone PC wouldn’t be more than $200…a cheap cost and solution to at least assisting to prevent stuff like this happening.

    I have also dealt with a few customers that have had wire frauds on their account. It’s not hard to prevent it from happening.

    Your system is only as secure as your weakest link.

    • I work in the operations area of a bank with wires and fraud prevention. I have to say that it amazes me that most of our business customers still want us to provide them exceptions to our fraud deterrent processes. They do not want the hassle of dual control or any other measures to keep their accounts safe. They are also the loudest when there is a loss to their account and they are out the money. All of a sudden it’s the bank’s fault. It is frustrating.

      • Sue:

        When your bank convinced its customers to switch to online banking, did they tell them how convenient, easy, and SAFE it would be? When you try to convince commercial customers to implement dual controls, do you explain to them that, unlike personal banking, they’re NOT guaranteed replacement of their losses, however large? Is your bank, like many banks, complicit in its customers lax approach to online banking? What you hear from your customers may be conditioned by what they heard and read from the bank when they ‘went online.’

        • KFritz –

          Yes, the bank I work at does continually remind our customers of the security level needed to conduct online business and the potential risks. Most banks do that now in light of all of the account takeover losses and security breaches happening. While some are very understanding of all of the now necessary procedures to transfer money and are grateful that the bank is truly looking after their best interests, some just do not want the hassle the extra security entails. We still get a lot of companies who think this is not something that can happen to them.

  6. Brian, how vulnerable is a business account to cyberthreats when the account holder uses more traditional banking methods(teller visit, overnight depository and/or ATM)?

    Would you suggest small businesses who would be irreparably harmed such as your story example consider avoiding banking online?

  7. A good Linux live CD I recommend for doing online banking transactions is LPS-Public (http://spi.dod.mil/lipose.htm).

    • You might want to read this review before offering an unqualified endorsement of LPS.

      http://distrowatch.com/weekly.php?issue=20110704#feature

      I, along with Jesse (the author of the review), am inclined to believe there are probably more secure linux-based LIVE CDs available.

      • PG, that’s a good review article for LPS, thanks for the link. I may not be as well qualified to talk about the subject, but I have used LPS in the past and I believe most of the issues identified in the article with LPS can be addressed by simply rebooting LPS (or any Live CD distro for that matter) before going to a banking website. Any malware loaded previously while surfing the web with LPS (or any Linux distro) would be eliminated.

  8. “they have one person in charge of security; very often, it’s the CEO who serves as the CTO, CFO, CSO and E-I-E-I-O”
    …hilarious!

    • It’s still a hard sell for a small (9 person company) to add an IT security staff member. Heck, most of these outfits are supported by a break fix kid who knows nothing about the threats we deal with daily.

      • Having someone on salary just to look over the shoulder of the other employees making sure they don’t click “run” on anything is a hard sell. Having someone come in (or even sending all the employees out) to do training on basic security issues should be required for anyone handling money electronically. To do less is simply negligent. Would you give someone access to your cash box who couldn’t tell the difference between 10s and 100s? The same risk of ignorance exists in online banking, and it can only be solved through education (education that is not expensive as long as it is applied BEFORE you lose A MILLION AND A HALF dollars).

  9. TheOreganoRouter.onion

    The only people who will end up making money here are the highly greedy attorneys

  10. If your bank does not offer out of band protection that includes a phone call for online banking login AND ACH and wire transactions…its time to find another bank.

  11. WOW! You just saved my butt Krebs! My father owns a small business & I was literally about to set him up with online banking! So glad I read this article. Thanks!

    • @SandyBush: With all due respect and netiquette, the goal of Brian’s efforts is to teach the business community how to use online banking safely. Start by reading http://krebsonsecurity.com/online-banking-best-practices-for-businesses/ . Then read a few more articles on this site that are related to online banking so that you can develop a feel for the current state of online banking. Brian says to “Use a dedicated system to access the bank’s site. ” So that means a new PC and necessary software. Then write the policies and procedures for the use of the banking PC. When the business does online banking correctly, the business should be safe.

  12. I really wish the product that was developed by the former IronKey team would have taken off. They built a product on their IronKey secure flash drives called Trusted Access, targeted for sale to banks to provide to consumers / businesses. Essentially the secure drive contained a stripped down linux VM running on virtualbox portable. There was nothing but a browser you could get to in the VM. The traffic was routed through their private servers, but used the TOR protocol. Based on the vm client the traffic came from, the browser was restricted to only the banks URL’s.

    So essentially, a bank (let’s say ABC Bank) could provide you with this secure, tamperproof, encrypted flash drive, which had a simple menu and icon to go banking. That icon launched a browser in an isolated VM, and it would only let you access abcbank.com and other sites that were part of ABC Bank. Thus making it near impossible to infect the VM, intercept the traffic, or redirect you to a phishing site. They even included a scrambled onscreen keyboard to type in passwords to defeat keyloggers on the host.

    • Actually a VM solution is a minor bump in the road.
      If I’ve compromised the host then I have access to the screen/mouse/keyboard and most important the network stack the vm goes through. I just do a man-in-the-middle between host stack to bank and the VM is never aware.

      Unless you’re saying the USB key was only used as a bootable USB drive (i.e. the user has to boot the computer with it) which then makes the solution almost the same as a live CD.

      Nathanael

      • Doing an undetected MITM with pre-shared keys on VPN (what the Ironkey does) is impossible (at least with commonly available cryptanalysis techniques) since you aren’t faking a cert, you have to fake the signature which is impossible without the private key.

        You are right that a determined attacker could watch via screen snoop/keylog and figure out the password. But a step in the right direction is still a step in the right direction, a lot of the fraud comes from simple browser exploits.

        • The IronKey product, now sold by Marble Security, installed encrypted keyboard drivers, so keyloggers were made ineffective. Trusted Access traffic through the VPN was encrypted end-to-end, even to Marble. I’m sure there are weak points in any system, but this was as close to running a LiveCD while still accessing your PC or Mac desktop.

    • > The traffic was routed through their private servers
      Perfect, just perfect! Very secure! “Give your data to us, we’ll protect you, promise!”

  13. Brian – I didn’t catch the length of time between when the fraud occurred to when ESE notified their bank? Can you shed any details?

    • The first fraudulent payment was posted 12/17/2012; ESE notified their bank on 2/22/2013.

      The staggering amount of time where ESE didn’t notice over $1.5mm was missing, at least to me, shifts the liability to the customer. In fact, ESE didn’t even notice it on their own! It wasn’t until the Calif. Department of Corporations notified ESE that their escrow account was short that they figured out money was gone.

      • Most of that is not accurate:
        - the first transaction was 12/17 for $432K (paragraph 15 of PDF) to Russia. However, this transaction was ultimately recovered.
        - the transactions to China, totaling $1.13M occurred 1/24 and 1/30 (paragraphs 16 & 17 of PDF)
        - ESE contacted the bank 2/22 to investigate all 3 transfers (paragraph 19 of PDF)
        - The CA DoC was first notified on 2/25 (note, after ESE had contacted the bank) by the EAFC (escrow industry insurer) (page 60 of PDF).

        Other things:
        - ESE had already been warned twice, in 2009 and Sept 2012, about failures to reconcile records (page 61 of the PDF). The delay in reconciliation of the December transaction was a third strike.
        - The 12/17 transaction appeared on a 12/31 statement. CA DoC determined this had not been timely reconciled (page 61 of PDF). No similar determination was made about timely reconciliation of the 1/24 and 1/30 transactions (although the failure on the 12/17 transaction was probably enough to revoke their license)

        Definitely, as Brian noted, you would expect ESE to have identified this more quickly. This also was at least a third strike (although now with financial consequences) on ESE’s record keeping practices.

        However, the CA DoC did not know about the problem before ESE (likely, ESE made an insurance claim, and the insurer reported it). There is no information about how this came to ESE’s attention (maybe they needed to release one or both escrows, and found one or both accounts short or empty), but they were ahead of CA DoC on this.

        Also, nothing shows that, as a matter of CA’s law for escrow companies, ESE failed to reconcile the January transactions in time (although ideally ESE would have had more solid practices above the minimum CA requirements). For the January transactions (which is what they are suing over), it doesn’t seem quite fair to say it took a “staggering amount of time” (although the Dec transaction is another matter, and ultimately what CA DoC took them out on).

  14. This is too perfect since someone requested international wire capability etc the month before or so. Even with tokens and a live CD etc, there is nothing you can do about collusion. Sounds like an inside job etc. The bank should fight it etc.

  15. It seems to me that too much security is stacked on the backside and not enough emphasis is being placed on the most vulnerable aspect of everyone’s online banking session — the customer’s computer.

    What concerns me is that not enough banks and especially their customers are putting the protections in place to deter fraud. Even though the FFIEC put out guidance in 2012, enforcement has been so lax that most banks haven’t done anything. Session security provided by companies like Trusteer, SafeCentral and MarbleCloud should be adopted by banks large and small. I’m also worried that small business owners don’t put enough pressure on banks to force them to adopt next-gen defenses. Just my two cents….

  16. As a security person working in a bank, most business users I see are looking for the easiest and fastest way to access their online banking with the least hassle. Even when I explain the dangers, they still prefer to only give the bank email for online banking security.
    Upping the security – being draconian and enforcing security – only costs the bank a customer. We have other protections in place to help protect the customer for wire and ACH transactions.
    We aren’t as convenient as the bigger banks – but we are watching out for the customer.

    During the recent Target breach, we contacted customers ASAP and limited card transactions to PIN based only during the Christmas shopping period so they wouldn’t be inconvenienced too much.

    My two cents – a lot of business customers don’t want the latest and greatest in cybersecurity – either they don’t have the funds to spend or it is too much of an inconvenience to them for them to follow the newer protocols.

    • I agree that most business customers don’t want the latest and greatest, but they should be strongly encouraged to adopt it. I would agree that if you walked into an account and asked them to spend $15k upgrading their network security they’d toss you out.

      However, SafeCentral and Trusteer are super easy to use. I don’t know about Trusteer, but SafeCentral is available for $49.99 a year. Doesn’t seem too spendy to me..

      • Trusteer Rapport is provided by my bank and is free. My understanding is that the software runs on your computer as well as the bank’s server and thus prevents a man-in-the-middle attack or monitoring.

        Rapport can be used with any secure website but it doesn’t provide as much protection as it does when the server component is installed.

        • I wish I knew more about the value of Trusteer Rapport in the current environment. I found the following which is just an FYI.
          http://www.trusteer.com/products/trusteer-rapport
          http://krebsonsecurity.com/2010/04/a-closer-look-at-rapport-from-trusteer/
          http://www.youtube.com/watch?v=EimZQgt7WPg

          • The Krebs on Security link provides good information on Rapport. Do you have any questions that I can answer as a user? I’m using it on two Macs even though it may not be necessary on Macs.

            • Disclosure: I work for Trusteer. Rapport offered by your bank is good protection for the client machine (PC or Mac), however there are additional protections your bank can employ to detect fraud from the server side. Ask if your bank is using products that help detect account takeover, man in the middle, man in the browser and other malware techniques used in fraudulent transactions. If they are not, consider banking elsewhere.

              Using a live CD to conduct banking activities can be a good practice but there are caveats in that it may thwart some of the device-ID/device reputation techniques used to assess transaction risk, and it requires a human element of always adhering to strict use only for banking. It also removes a potential audit trail if a problem did occur, leaving a client with no evidence to prove or disprove claims made by their financial institution.

      • An important issue is whether it is fair to put the onus on small businesses to understand why certain security procedures need to be observed. It seems like banks, who are encouraging businesses to go online, are the ones who should be aware of the threats and be responsible for putting into place and maintaining hard procedures to mitigate them. In other words, if anyone is in a position to figure out and implement (for example, always following it) what is a commercially reasonable security procedure, it would be the banks.

        For example, it sounds like ESE had a rush transaction, and an FFB support guy disabled the second factor token to accommodate. The problem with that is not so much that that particular transaction went through (MAYBE the phone call might be considered close enough as far as a second factor – although that should be documented practice), but that then the second factor apparently remained disabled (had it been in place, the transfer could not have been performed just using a captured password). It should have been disabled at most for the single transaction. Probably the better practice is for small businesses to work with banks having a local branch, and require someone to go to the branch for rush transfers or to get a token.
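The point in the reply above, that a support exception should cover one transaction and then lapse rather than leave the second factor switched off, can be modelled directly. The following is an added example written for this discussion, not code from the bank, the commenter or any product named on the page; the class and function names are hypothetical, the amounts are constructed, and a list-backed clock stands in for wall time so the expiry path can be exercised.

```python
import time
from dataclasses import dataclass

# Constructed example of bank-side wire approval policy. FlagPolicy is the
# "before" shape: one account-wide flag that support can switch off and that
# nobody switches back on. ScopedPolicy is the "after" shape: the token is
# always required, and any exception is bound to a single txn_id, is single
# use, expires, and is written to an audit list with who granted it and why.


@dataclass(frozen=True)
class Wire:
    txn_id: str
    amount: float
    beneficiary: str


class FlagPolicy:
    """Before: a standing account flag. Once disabled it stays disabled."""

    def __init__(self):
        self.token_required = True

    def disable_token_for_rush(self):
        self.token_required = False  # no expiry, no scope, no reminder to re-enable

    def authorize(self, wire, token_valid):
        if token_valid or not self.token_required:
            return True, "approved"
        return False, "second factor required"


class ScopedPolicy:
    """After: second factor always required; exceptions are per transaction."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._exceptions = {}  # txn_id -> {"expires_at", "used", "granted_by", "reason"}
        self.audit = []        # append-only record of grants and decisions

    def grant_exception(self, txn_id, granted_by, reason, ttl_seconds=900):
        self._exceptions[txn_id] = {
            "expires_at": self.clock() + ttl_seconds,
            "used": False,
            "granted_by": granted_by,
            "reason": reason,
        }
        self.audit.append(("exception_granted", txn_id, granted_by, reason))

    def authorize(self, wire, token_valid):
        if token_valid:
            self.audit.append(("approved_with_token", wire.txn_id))
            return True, "approved with token"
        exc = self._exceptions.get(wire.txn_id)
        if exc is None:
            self.audit.append(("rejected", wire.txn_id, "no second factor"))
            return False, "second factor required"
        if exc["used"]:
            return False, "exception already consumed"
        if self.clock() > exc["expires_at"]:
            return False, "exception expired"
        exc["used"] = True
        self.audit.append(("approved_by_exception", wire.txn_id, exc["granted_by"]))
        return True, "approved by one-time exception"


def compare_policies():
    """Send a rush wire and then a password-only wire through both policies.

    Returns which password-only wires were allowed; only the "before" policy
    lets the second one through."""
    rush = Wire("T1", 50000.0, "Beneficiary A")          # constructed values
    later = Wire("T2", 250000.0, "Beneficiary B")        # token never presented

    before = FlagPolicy()
    before.disable_token_for_rush()
    before.authorize(rush, token_valid=False)
    before_leak = before.authorize(later, token_valid=False)[0]

    now = [0.0]                                          # controllable clock
    after = ScopedPolicy(clock=lambda: now[0])
    after.grant_exception("T1", granted_by="support:ops1", reason="callback verified, rush")
    after.authorize(rush, token_valid=False)
    after_leak = after.authorize(later, token_valid=False)[0]

    # An exception that was granted but never used must also lapse on its own.
    after.grant_exception("T3", granted_by="support:ops1", reason="rush", ttl_seconds=600)
    now[0] += 3600
    stale = after.authorize(Wire("T3", 10.0, "Beneficiary C"), token_valid=False)[0]

    return {
        "before_second_wire_passed": before_leak,
        "after_second_wire_passed": after_leak,
        "after_stale_exception_passed": stale,
    }


if __name__ == "__main__":
    print(compare_policies())
```

The audit list is the part a regulator or a plaintiff would ask for: who disabled the control, for which transaction, and when it lapsed. In the flag-based version that question has no answer, which is exactly the evidentiary gap the comment describes.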

  17. Scary as hell … this is required reading for all business owners (especially newbie entrepreneurs that are green to all these things).

  18. A pile of LIVE CDs costs pennies.
    All these other super geeky technologies cost a fortune and apparently can still be hacked.

  19. Brian: in your Washington Post “Security Fix” column, you warn that Linux newbies shouldn’t try to use the Live CD on a laptop, or over an encrypted WiFi. I’m in the middle between being a newbie or a guru. I’m willing to spend a day getting educated for this task; it will still be less work than buying a new desktop computer and running Ethernet through the house.

    Can you recommend a forum where I can ask for help while I’m undertaking this?

  20. “the heist began in December 2012 with a $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million ”

    Did Efficient even realize that $400k was gone in December?

    • No. In fact, they had been reprimanded by California auditors in the past for lax bookkeeping practices. From what I’ve read, it seems as though ESE was a mess before the fraud.

  21. Frank Partridge

    Most of my day is spent processing domestic and international bank wires. When a request for a bank wire is submitted, whether that request is online, over the phone or fax, or in person, every bank wire should be reviewed by a person at the Financial Institution. At most institutions I am familiar with, it is an approval process that requires multiple people to sign off on sending funds. Bank wires are considered high risk transactions and there should have been processes in place to at least place a quick call to the company confirming their request for a wire. The Uniform Commercial Code is a poor excuse for banks to cover themselves when they make an error.

    Some procedures my institution has put in place to avoid fraud are the options for individuals or a business to only accept wire requests in person at a branch, through a very detailed security process over the phone with a representative, or by fax with signatures we can match and then a phone number we can call back. If you are a small business owner, inquire at your bank to see if they offer the same options.

  22. This raises the question of where else did they get to? Track 2 does not store address and email data. Does this mean that it is now expanded to online purchases? Did they get into the Corporate Accounting DB? This is blowing up very large, very quickly. This could be the end for Target.

    The other question is this: Are the banks/credit unions going to back their customers? To what extent? What if in a month we find out SSNs are included in this. Identity theft is a long, painful, and expensive process for each customer.

  23. “First Foundation’s incident report also appears to suggest that bank very quickly reached the conclusion that the fraud was the result of misdeeds by Efficient’s controller — Julie Gardner — and not the result of a cyberheist.”

    The report seems more of a CYA effort, especially since lawyers had gotten involved at ESE’s end before the report was issued. For example, ESE seems to be alleging that the token requirement was disabled from Nov 2012 onward – the report doesn’t clearly refute that (it seems to say what the procedure SHOULD have been, but doesn’t nail down that it was fully in operation).

  24. I’m not doubting the Plaintiff’s lawyer, but does it jibe with your understanding Brian, or readers, that banks are “cutting budgets” [I assume Infosec budgets] and “laying off fraud” detection staff? Is there hard (or soft) data on that?

  25. Recently Yahoo ads were infecting 27,000 PCs per hour and the infected PCs had keyboard loggers and backdoor entry trojans infected on them. So we can expect more horror stories.

    The best way to eliminate account break-ins or fraudulent transfers is to use a smartphone for authentication, which can render trojans like keyboard loggers and man in the middle attacks useless.

    See the 1-minute video at http://www.sekur.me.

    If you login by scanning a QR code with your phone, not only can you eliminate passwords and hardware tokens, but since the authentication goes through your phone, a keyboard logger never gets to see your userID or password.

    If we extend the same login process to authorize a money transfer, i.e. scan another QR code to authorize a transfer, then none of these problems would occur. We can be safe again.

    The solution is here, today. We just need to implement it.
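The flow the comment above describes, a QR code scanned by a phone that authorizes one specific transfer, comes down to an out-of-band signature over the transfer details plus a single-use, time-limited nonce. What follows is an added example written for this page, not code from sekur.me, from any bank, or from the commenter; the class names and the message layout are hypothetical, and it uses a shared HMAC key for brevity where a real enrolment would register a per-device public key. It shows why a keylogger and a man-in-the-browser both come up empty: nothing is typed on the PC, and a signature over one beneficiary does not verify for another.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: phone-based, out-of-band authorization of a wire.
# The bank puts {nonce, transfer} into a QR code; the phone shows the
# transfer to the user, and only if it matches what they meant to send does
# it sign nonce+transfer and return the signature. The bank accepts each
# nonce once, within a short window, and only for the exact transfer it
# issued the nonce for.


def canonical(nonce, transfer):
    """Deterministic byte encoding of what the phone is asked to approve."""
    return json.dumps({"nonce": nonce, "transfer": transfer},
                      sort_keys=True, separators=(",", ":")).encode()


def sign(key, nonce, transfer):
    return hmac.new(key, canonical(nonce, transfer), hashlib.sha256).hexdigest()


class BankServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.device_keys = {}   # user -> enrolled phone key
        self.pending = {}       # nonce -> (user, transfer, expiry)

    def enroll_phone(self, user, key):
        self.device_keys[user] = key

    def challenge(self, user, transfer, ttl=60):
        """Build the payload the QR code carries for this one transfer."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, dict(transfer), self.clock() + ttl)
        return {"nonce": nonce, "transfer": dict(transfer)}

    def verify(self, user, nonce, signature):
        entry = self.pending.pop(nonce, None)   # popped on first use: replay fails
        if entry is None:
            return False, "unknown or already used nonce"
        owner, transfer, expiry = entry
        if owner != user:
            return False, "nonce belongs to another user"
        if self.clock() > expiry:
            return False, "challenge expired"
        expected = sign(self.device_keys[user], nonce, transfer)
        if not hmac.compare_digest(expected, signature or ""):
            return False, "signature does not match transfer details"
        return True, "approved"


class Phone:
    def __init__(self, key):
        self.key = key

    def approve(self, qr_payload, intended):
        """The user compares the details on the phone screen with their intent."""
        if qr_payload["transfer"] != intended:
            return None   # decline: the browser submitted something else
        return sign(self.key, qr_payload["nonce"], qr_payload["transfer"])


def run_scenarios():
    """Exercise the legitimate path and the failure modes; returns a dict of outcomes."""
    now = [1_000_000.0]                      # controllable clock for the expiry case
    key = secrets.token_bytes(32)
    bank = BankServer(clock=lambda: now[0])
    bank.enroll_phone("alice", key)
    phone = Phone(key)
    intended = {"amount": "1500.00", "beneficiary": "ACME Supplies", "iban": "XX00 TEST"}
    results = {}

    # 1. Legitimate transfer: phone shows the right details, user approves.
    qr = bank.challenge("alice", intended)
    sig = phone.approve(qr, intended)
    results["legit"] = bank.verify("alice", qr["nonce"], sig)[0]

    # 2. Replaying the same approval a second time.
    results["replay"] = bank.verify("alice", qr["nonce"], sig)[0]

    # 3. Man-in-the-browser swapped the beneficiary before the request reached
    #    the bank; the phone displays the swapped details and the user declines.
    tampered = dict(intended, beneficiary="Mule Account", iban="XX99 MULE")
    qr2 = bank.challenge("alice", tampered)
    results["mitb_user_declines"] = phone.approve(qr2, intended) is None

    # 4. A captured, genuine signature presented for a different transfer/nonce.
    qr3 = bank.challenge("alice", tampered)
    results["forged"] = bank.verify("alice", qr3["nonce"], sig)[0]

    # 5. A valid approval that arrives after the challenge window closed.
    qr4 = bank.challenge("alice", intended, ttl=60)
    sig4 = phone.approve(qr4, intended)
    now[0] += 120
    results["expired"] = bank.verify("alice", qr4["nonce"], sig4)[0]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The property that matters is in scenario 3: the phone is the trusted display. If the transfer shown there is only a hash or an opaque code rather than the amount and beneficiary, the user has nothing to compare against and the scheme degrades to a plain second factor that a man-in-the-browser can still ride along with.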

  26. Have you considered creating a small brochure or .pdf to contribute to Chambers of Commerce or to give to the SBA as a resource for these small businesses? It seems like a good way to reach a wide audience. While you may not hit every small business owner, you’ll have put that information in places small business owners are likely to look.