20 Jun 14

Oil Co. Wins $350,000 Cyberheist Settlement


A California oil company that sued its bank after being robbed of $350,000 in a 2011 cyberheist has won a settlement that effectively reimbursed the firm for the stolen funds.

TRC Operating Co. Inc., an oil production firm based in Taft, Calif., had its online accounts hijacked after an account takeover that started late in the day on Friday, November 10, 2011. In the ensuing five days, the thieves would send a dozen fraudulent wires out of the company’s operating accounts, siphoning nearly $3.5 million to accounts in Ukraine.

The oil firm’s financial institution, Fresno-based United Security Bank, successfully blocked or recalled all but one of the wires – for $299,000. Nevertheless, TRC later sued its bank to recover the remaining wire amount, arguing that USB failed to offer a commercially reasonable security procedure because the bank offered little more than a user name and password to help secure the account.

“For all intents and purposes, they got a user name and password, but were never offered any other security,” said Julie Rogers, an attorney for the Dincel Law Group, the San Jose firm that represented TRC in the dispute (as well as another California cyberheist victim that successfully sued its bank for $400,000 in 2012). “TRC had a cash management liaison assigned to them by the bank who assured them that this was all safe and reliable.”

Last week, just days before the case was set to go to trial, the insurance company for the bank settled the lawsuit, agreeing to cut a check for $350,000 to the oil company and with neither side admitting fault in the incident. Under California law, the most that any business can recover from a cyber fraud lawsuit is the amount stolen from its accounts — plus interest.

Dennis Woods, founder and CEO of United Security Bank, said the hack took place on TRC’s computers — not the bank’s — after an employee at TRC fell for a phishing scam. Further clarification indicates that the TRC employee likely had malware on his computer that deployed a “Web inject,” a malcode component that springs into action when the victim logs in at an online banking site.

Web injects are so named because they inject code into the victim’s Web browser window, causing a pop-up screen that prompts the victim to enter additional sensitive information, such as a Social Security number, date of birth, and mother’s maiden name. That information helps thieves change the victim’s account settings at the bank in ways that aid the subsequent cyberheist, such as resetting account access, adding authorized users and changing contact email addresses. For more on what a Web inject looks like, see this video.

Woods said he was disappointed with the insurance company settlement because it prevented the case from going to trial.

“I was very eager for the court to say that customers can make all the agreements in the world but that they are not bound by them,” Woods said sarcastically. “TRC had signed up for an online banking product where they could automate certain things — sending wires, putting stop payments in, etc. — and when you do that, we come to your office, we train you, and you sign lots of agreements that state very clearly what the bank’s responsibilities are and what the customers’ are.”

TRC attorney Rogers said the bank never proved the phishing claim, nor allegations (however likely) that the company’s servers were hacked.

“It turns out the bank’s expert ended up writing an incident report blaming it all on TRC, but they never actually looked at the [allegedly compromised] TRC computer,” Rogers said.

Lawyers, banks and oil companies. Many readers no doubt will have trouble shedding a tear for any of the parties involved in this dispute. But those who own their own businesses should take heed: Banking online carries serious risks. As we have seen time and again, a single virus infection can ruin your company. And I wouldn’t count on the lawyers to save your firm from the very real cost of a cyberheist: These court challenges can just as easily end up costing the victim business well more than their original loss (see Ruling Raises Stakes for Cyberheist Victims).

Businesses do not enjoy the same protections against cyberfraud that are afforded to consumer banking customers. If this is news to you, or if you’d just like some tips on how to reduce your exposure to online banking fraud, please take a moment to read my recommendations here: Online Banking Best Practices for Businesses.

55 comments

  1. Referral Link to the Agora Dark Market:

    http://agorahooawayyfoe.onion/register/FxywW2TNCh

    Almighty Krebs, let this comment through and I’ll give you $5 in Bitcoin.

    • mark strelecki

      Wow. What’s that URL all about, hmmm?

      • That URL appears to lead to a darkweb site that returns a 404 error. If you go to the main page, there is a login, but the register link from there also returns a 404 Not Found error.

    • the link is doomed just like bitcoin.
      Link is DNS error.

      Brian, I love this blog, keep up the great work.

      • Where are my bitcoins? :)

        Rachael, it’s a dark web link. You need to be using specialized software like Tor in order to reach the site, which appears to be a drug market similar to Silk Road.

        • Thanks, I’m showing my lack of web savvy. :)

        • “Where are my bitcoins?”

          heh. Two things… one, Agora of course went kaput two hours after I posted the referral link. So until the site comes up again, my attempt at spamming was useless.

          Second, post a BTC wallet… I’m not donating to you through CoinBase. Anonymity, man!!! :-)

          • Ooooooooooohhhh. You just wanted my bitcoin wallet address? Gosh, why didn’t you just say so before? ;)

• My understanding is that bitcoin addresses are free and that you can have as many as you like. So, I’d just create one and use it once to receive the 5BTC and then send them to CoinBase…

  2. Minor nit: could you fix your ‘share on twitter’ link so it shares the title of the blog post instead of just ‘check this out’?

3. There was an article in the CU times earlier this year on the concern MFA would have a negative effect on the “user experience”. Sounds like a convenient excuse to not deploy it. But, until either side is willing to pay for, and adopt, some type of OOB authentication (not picking between the picture of a dog and a balloon), this will be just another story in a never-ending succession of lawsuits.

    • MFA is just as easily defeated as a user name and password these days, except you typically have to be present to intercept at the time they are doing the transaction.

      At a minimum, banks should be requiring user name, password, MFA Questions, and Anomaly Detection. That’s just for small banks, and that’s in addition to offering extensive educational opportunities for customers to learn how best to protect themselves. (They can start with the Business Practices post by Mr. Krebs. It’s a great way to illustrate how a small business is not doing enough to protect itself.)

      Larger banks and those with the budget should also offer additional OOB and possibly sandboxing technology and/or items like Trusteer Rapport.

      If your bank does not offer at least the baseline security services these days, YOU ARE THE LOW HANGING FRUIT.

      • I would like to see some sort of ability to use a physical token that can be used with MFA to log into websites such as a bank.

        And one which you can physically remove from the machine and lock away somewhere when not in use, and one that cannot be spoofed, hacked, or otherwise cloned, and without which one cannot login and use the bank.

        The technology exists for things like Windows domain logins, but as far as I know does not exist for public-facing websites such as banks.

        • The technology exists, but it is expensive for banks, and customers hate hardware tokens.

          There are even hardware tokens that utilize USB sticks to implement hardened sandbox technology and IP Whitelisting to ensure that you can only log in through their sandboxed devices. It’s pretty slick, but very pricey for banks.

  4. TheOreganoRouter.onion.it

    Interesting article , but once again the blood sucking attorneys are the real winners here, not TRC Operating Inc.

    • If not attorneys and the rule of law how do you suggest disputes be resolved, pistols at dawn? Taking turns in the dunking chair?

This time it seems there was a legitimate dispute over facts, and the insurance company decided to settle rather than pay more lawyers’ bills. Not bad, imnsho.

      • I agree. This line has to be drawn in the courts so it can be moved with relative regularity. Relying on legislators or the FFIEC to provide up-to-date guidance on what is considered commercially reasonable is too slow and does not offer enough protection to Businesses.

        Resolving these in court cases means banks have to stay ahead of the “minimum” requirements in order to protect against litigation.

      • TheOreganoRouter.onion.it

Still the attorneys get about thirty percent of that $350,000 which would be around one hundred and five thousand. They don’t work for free!

        • Typically corporate law firms work on retainer, plus hourly billing rates, and don’t get portions of settlements.

          It’s only law firms working with non-established clients, who don’t pay the firm’s costs up front, that take a sizable chunk of the eventual settlement in lieu of up front payment.

          I used to work for a Fortune 100 company, the corporate law firms they hired out (for lawsuits in-house counsel was too busy to take on) didn’t get a piece of the settlement. That being said, the costs were often an appreciable chunk of the settlement, but the firm got paid whichever way the suit went – win or lose.

      • How about dunking lawyers at dawn?

      • It IS bad that it was settled. There needs to be a body of case law established.

  5. So here is where this is heading in the larger scheme of things:

1) Lawsuits galore. Firms will be sued for failing to exercise proper diligence to protect the assets of their customers or partners

    2) Legislation by the truckload. Agencies at the state and federal levels will start to crank out regs and laws aimed at protecting digital assets and disclosure of failure to do so. The compliance regs will become onerous.

    3) People will vote with their wallets. If a firm demonstrates lack of due care or even appears to have done so, they will lose big.

It’s ugly out there. It’s ugly in here. It’s just plain ugly, but there’s gold in them thar hills if you’re a consultant!

    • re gold in them thar hills: http://www.despair.com/consulting.html

      there’s gold, or maybe fools’ gold, for the cyber criminals as well. Average brick and mortar robbery take is under $4k. Couldn’t find the average cyber heist take but found enough stories of multi $100k or multi million scores to think it’s much larger.

      quite the economic driver, eh?

    • “3) People will vote with their wallets. If a firm demonstrates lack of due care or even appears to have done so, they will lose big.”

      No way. People’s heads are generally too far up their nether regions to even notice a potential problem, much less even care.

      This abysmal security situation absolutely will not change until it costs the banking industry more to not comply with best practices than to comply with them. Not before.

  6. KOS wrote “TRC attorney Rogers said the bank never proved the phishing claim”

    And that’s the problem: it is difficult to prove that a breach resulted from phishing. And given that, in my professional opinion, the vast majority of breaches are started by phishing, look forward to a never-ending stream of litigation, i.e. welfare for lawyers.

    “‘I was very eager for the court to say that customers can make all the agreements in the world but that they are not bound by them,’ Woods said sarcastically.”

    And we will have jury cases where almost no one on the jury understands computer security, so the courtroom will resemble the original OJ trial. Not to mention that the rest of us will subsidize the companies who refuse to take computer security seriously.

    If we had a working government, the Treasury Department would create fair guidelines, something like:
    – All banks must offer true 2FA and business customers must use it.
    – Both the bank and the Treasury Department would be authorized to visit customers to verify that security measures are not being over-ridden, with these visits being unannounced.
    – Limits on wire transactions must be created where certain banks are black-listed (but a single transaction can be over-ridden by bank employees after consultation with customers), e.g. foreign banks and U.S. banks which serve as middlemen for foreign transaction.
    – Limits on the dollar amounts of wire transactions must be created. This will need to be negotiated with the customer.
    – Multiple wire transactions to the same bank or customer must require consultation with customers.
    – Customers must give banks multiple contact telephone numbers with at least one being a land-line and one being a cellphone.
    – Banks must have the authority to stop suspicious transactions without incurring liability.
    – Any customer found to be short-cutting security procedures would incur liability *starting* at 50% (this will be known as the Fazio regulation).

    And when customers complain that the paperwork is reducing their efficiency, tell them to stop whining.

    • I agree that clear guidelines are a necessity, but part of the problem is in ineffectual enforcement by the FDIC for smaller banks. It has gotten a lot better since the release of the revised FFIEC guidelines, but the FDIC and State regulators hold the bar at vastly different heights for different sized financial institutions.

      I worked at a bank that was about 4B in asset size, and we were growing at quite a clip during the downturn by acquiring failed FIs. Most of the FIs we acquired had very messy business practices that did not seem to meet FDIC standards at all, but they were smaller, so the rules were not applied as strictly.

      Part of that is understandable, due to budget concerns and the fact that larger FIs are more likely to be directly targeted by malware, but the new low-hanging fruit is the business that doesn’t protect themselves and does business with a small, local, bank that doesn’t implement effective layering for their security.

For medium to larger FIs, most of the things you mention are already a requirement by the FDIC. Wire limits, Dual Control (with other employees of the FI), tokens, OOB, and anomaly detection are all becoming standard operating procedure for banks who wish to not end up in litigation. Customers sometimes hate it because they see it as inconveniencing them for nothing, but when a bank catches attempted fraud, the light bulb always goes on.

      What I don’t get is how a bank doesn’t build the business case for offering advanced layers of security to their customers. It may cost you 200,000 over 3 years to put a solid system in place (as an example), but if that protects you from a $350,000 settlement, then you have won.

    • If the bank kept proper (as in organized) logs of customer transactions, they would know when the breach occurred. It’s easy to prove phishing when the bank knows the exact date and time of the first login from an address that didn’t belong to their customer (e.g. IP from Russia).

      But there is an appreciable cost to implementing this kind of organized logging, so most often banks – especially smaller banks – will just enable logging (or, worse, not enable it at all, for “performance”) and have absolutely no realistic way of wading through all the flotsam and jetsam later.

• Not quite true. Based on the customer connection logs, how do you differentiate an access obtained via phishing vs those obtained via hacking the bank itself?

      • SeymourB wrote “It’s easy to prove phishing when the bank knows the exact date and time of the first login from an address that didn’t belong to their customer”

        I think you and I are talking about two different things.

        From the way I read the article, the phishing was done via emails sent to TRC. Malware was injected into TRC’s PCs as a result of these emails. TRC’s logon credentials were stolen.

        Did the cyberthieves access the bank directly or through TRC’s PCs? If the former, then the bank’s logs should have noticed an IP address which was out-of-area. If the latter, then the bank had no way of knowing that the access was anything other than normal. And even if the cyberthieves accessed the bank directly, they may have used a U.S.-based VPN which gave them an IP address which was fairly close geographically-speaking.

        Brian’s article suggested that TRC’s PCs contained malware with a web inject, which is fairly damning evidence that they were the phished party.

  7. Brian I love your blog, greetings from Chile!

  8. there are two basic lessons about computer security that the general public needs to become aware of:
    (1) you must protect the software before there can be any discussion of protecting data or transactions
(2) transactions must be authenticated using a proper digital procedure such as public key encryption. the pen&ink procedures we used on our paper based transactions are not effective in a digital network environment.

  9. In this case I can clearly see the bank being at fault. The business is also to blame to some degree by banking with a bank with poor security and not training employees.

    EVERY business MUST do security awareness training on a regular basis. There are too many non-tech savvy employees charged with great responsibility left to fend for themselves and given a false sense that their AV software will protect their computer. People are always the weakest link but I firmly believe that educating users often is the best way of preventing cyber heists.

  10. Diane Trefethen

    Brian – the “Web inject” video is too blurry to see clearly. Since requests for further identifying info are common, do you have any suggestions on how to differentiate between a bank’s legitimate request for more info and a Web inject’s fraudulent request?

    • The easy way to always do the right thing is to never provide information/install software unless you yourself initiate the action.

      • Diane Trefethen

        “The easy way to always do the right thing is to never provide information/install software unless you yourself initiate the action.”

        That is impractical vis-a-vis Web inject. If you try to log onto your bank’s website and you get a pop up stating they don’t recognize your computer and need more info to verify who you are, if you don’t give it, you don’t access your bank account.

        So what are clues that a pop up is a Web inject and not your bank’s legitimate request for more info?

        • It doesn’t matter what the clues are. If a popup comes up from your bank, from Paypal, from Brian Krebs, from Jesus Christ or from a web inject asking for that kind of info, you don’t give it. Period.
          There is no legitimate reason any legitimate business would get that kind of sensitive information via that channel.

          • Diane Trefethen

            @Rick
            So what you are saying is that anytime you see one of those popups while you are trying to access your bank account or a credit card account, you should abandon the effort, pick up a phone, and call them, right? Then, to verify your identity, instead of revealing your first pet’s name, you have to tell some clerk (possibly in India) your account #, your full soc sec #, your mother’s maiden name, your mailing address, and probably some other important bit of information, all on an NSA tapped phone line.

            But, what if in addition to your original reason for trying to access your bank account online, you also received a popup telling you that you had to change your password? Banks do that, you know. Now what? You have to do that online and your bank won’t let you access your account until you comply. What would you do to maintain the ability to review your account on line?

            Or is your solution to never access any accounts online?

            • Did you even look at the popup we’re talking about? There’s a difference between asking for SPII like that popup, and asking for Fluffy’s name.

              And, no, I don’t have one bank account or one credit card account that forces a password change. Do you?

            • Personally, I don’t bank online. For small businesses, I think it’s worth investigating alternatives.

              Someday I should sit down with some small business owners and interview them. I don’t have the time to do that now, so maybe Brian, or krebsonsecurity.com can do it for me:

              Questions:
              1. How many outbound transactions do you do per week?
              2. How many of them need to be done the same day?
              3. How many could be done a couple of days later?
              4. How many could be done once a day?
              5. Does your bank have branches in your area?
              6. Do you have an official bank representative?

              10. Do you have an accountant?
              11. How often do you interact with your accountant?
              12. I’m assuming that you pay/file quarterly income taxes. Am I wrong?

              20. I assume you have insurance and health care. Am I wrong?
              21. For each insurance (including health) provider, do you have a representative?
              22. Does that representative visit your premises?

              If most transactions can be delayed, perhaps they could be done as a batch in person.

              I’ve had one bank where I had a designated banker – and this was as a personal customer. I’m under the impression that corporate accounts are much more likely to have such arrangements (this article mentioned one).

              Instead of forcing each company to maintain security of each computer that could possibly connect to get bank, why not turn this on its head?

              Have your designated banker visit your premises on a schedule. They bring whatever computer they like, whatever Internet or dialup of whatever access they like, and whatever out of band authentication they like. You provide them with a list of the transactions you want made, and any schedule for them (in case some aren’t “ASAP”). For conditional transactions, you set them up with a “safe word” – a protocol you can use to contact the bank to cancel / suspend for transactions.

              A banker could probably visit 6-8 customers per day – about 30-40 per week. The banker would get to know their customers and their habits.

              I don’t really think that a “designated” banker should have more than 50 customers anyway. I’m willing to listen to some “designated bankers” views of the world too.

• Diane, you can make the video full screen, which should make it easier to see. Also, sometimes Youtube takes a few moments to sharpen the picture, particularly with text.

      • Diane Trefethen

        @Brian
        Thank you for the “tip.” However, as it turned out, the bigger I made the screen, the blurrier it got. What DID make a difference was changing the Quality setting from 144p to 480p.

        I see that the video has 11 possible pieces of info with three “highlighted” – State Issued, Expiration Date, and Select your card type.

        Clues:
        1) There are too many choices. When banks or credit cards ask for additional verifying information, they usually ask one question at a time. They do not present a menu.
        2) Over half the items are info that you don’t normally supply TO a bank for identification purposes but rather info the bank supplies to YOU.
        3) The biggest red flag is the questions themselves. When you provide a company with info that it can later use to verify that you are you, they ask for trivial information, like Maternal Father’s Middle Name, Your High School, Name of First Pet, etc. None of this information will help someone log into an account. It is only useful AFTER you’ve logged on and the company’s server has a problem with what it sees such as a different computer than you usually use or you are not logging in from your home state. However, all of the choices in the Web-inject request information that is NON-trivial, information that WILL assist in the logon process.

11. Shame on the company for not having an IT infrastructure robust enough to quarantine and recognize an infection on a pc used for banking. Shame on the bank for offering such ineffective controls to prevent their customers from being taken advantage of to the tune of hundreds of thousands of dollars. I see a good deal of fault in the company that had the infection, but the bank not even bothering to offer tighter security controls is the bigger issue to me.

  12. After being hacked several years ago, Google banned Windows for corporate use. Sensible move.

    Any folks who do not follow this advice have been warned of the consequences.

    Yes – Windows is seductive. It’s easy, so easy. Now – wake up and keep your money safe.

13. Mr Krebs, all the best on your future coming book.

    I hope it hits the #1 on the NYT booklist!

  14. Diane Trefethen

    @Rick
    1) “Did you even look at the popup” is getting a bit snarky, especially since I started that thread with, “Brian – the ‘Web inject’ video is too blurry to see clearly.”
    2) I have several bank accounts, several credit card accounts and a couple of brokerage accounts. Only one (1) of them has not REQUIRED that I change my password at least once in the last 5 years. My primary bank requires a change every 6 months, not just a fly-by “Would you like to change” but “You are required to change.”

    @Brian
    Again, I ask, are there clues that a request for further identifying info is from a Web inject and not from one’s account holder?

• As Dennis Woods, founder and CEO of United Security Bank, says in the article, malware on the computer deploys a “Web inject.”

For average netizens, detecting the malware is what determines whether the popup came from a (malware/malicious) web inject or from the intended institution.

      Antivirus may or may not detect malware causing web injects or any other malware. As always, not following safe computing rules increases the chance of malware (and malicious web injects).

    • Similar to what Rick says, I’ve never seen a credible institution ask for sensitive information in order to change a password. Online, if a credible institution asks for sensitive information such as a Social Security number, date of birth, or mother’s maiden name then that institution would be further risking customer sensitive information.

  15. From the article (and another article before), “Businesses do not enjoy the same protections against cyberfraud that are afforded to consumer banking customers.”

    Corporations are people at least, according to the legal precedent of ‘corporate personhood’. “Corporate personhood is the legal concept that a corporation may be recognized as an individual in the eyes of the law.” (wiki)

I don’t know what rule creates this banking protection for consumers but non-protection for banking corporations.

16. I read this and shake my head – even our local credit union has better authentication than this bank. And it is a small customer owned organization. Is the typical bank that far behind in security nowadays? Sheese!

    The CU site notices anytime there is an IP or browser change, and puts you through a rigorous 2nd factor authorization; and all authorized vendors have to be setup in person by the account owner. I realize some businesses can’t be set up that way, but it would seem most of them could; the rest of them would surely be tripped by IP address anomalies, set by parameters. I don’t know a lot about big business banking, but if a little credit union can do this much, it should seem plausible that bigger banks would have something even better for business customers?

  17. I think Diane’s question could be rephrased to “is the cookie from the bank, or the bad guy?” And ” how is Joe Good guy or Diane supposed to differentiate between them?”

18. I’m curious if this judgment will be reused for things like the Target compromise. Banks could imply that Target didn’t do its due diligence and try and recoup their costs from Target.

Honestly, I’m hoping this spirals a bit so that companies will start seeing liability in not doing their due diligence when it comes to cyber security.
