August 13, 2014

An industrial maintenance and construction firm in Tennessee that was hit by a $327,000 cyberheist is suing its financial institution to recover the stolen funds, charging the bank with negligence and breach of contract. Court-watchers say the lawsuit — if it proceeds to trial — could make it easier and cheaper for cyberheist victims to recover losses.

In May 2012, Kingsport, Tenn.-based Tennessee Electric Company Inc. (now TEC Industrial) was the target of a corporate account takeover that saw cyber thieves use a network of more than four dozen money mules to siphon $327,804 out of the company’s accounts at TriSummit Bank.

TriSummit was able to claw back roughly $135,000 of those unauthorized transfers, leaving Tennessee Electric with a loss of $192,656. Earlier this month, the company sued TriSummit in state court, alleging negligence, breach of contract, gross negligence and fraudulent concealment.

Both companies declined to comment for this story. But as Tennessee Electric’s complaint (PDF) notes (albeit by misspelling my name), I called Tennessee Electric on May 10, 2012 to alert the company about a possible cyberheist targeting its accounts. I’d contacted the company after speaking with a money mule who’d acknowledged receiving thousands of dollars pulled from the firm’s accounts at TriSummit.

According to the complaint, the attackers first struck on May 8, after Tennessee Electric’s controller tried, unsuccessfully, to log into the bank’s site and upload that week’s payroll batch (typically from $200,000 to $240,000 per week). When the controller called TriSummit to inquire about the site problems, the bank said the site was probably undergoing maintenance and that the controller was welcome to visit the local bank branch and upload the file there. The controller did just that, uploading four payroll batches worth $202,664.47.

[SIDE NOTE: When I spoke with Tennessee Electric’s controller back in 2012, the controller for the company told me she was asked for and supplied the output of a one-time token upon login. This would make sense given the controller’s apparent problems accessing the bank’s Web site. Cyber thieves involved in these heists typically use password-stealing malware to control what the victim sees in his or her browser; when a victim logs in at a bank that requires a one-time token, the malware will intercept that token and then redirect the victim’s browser to an error page or a “down for maintenance” message — all the while allowing the thieves to use the one-time token and the victim’s credentials to log in as the legitimate user.]
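The side note above describes why a one-time token checked only at login does not protect a payment order: whoever relays the captured code owns the session. The following is an added illustration, not code from the bank, the plaintiff or this article, and it goes a step beyond the case to show the mitigation the later discussion of transaction-bound tokens points at. It models a toy token and bank back end that share a seed (the seed, account identifiers and amounts are constructed), compares a login-only policy with one where the code is computed over the beneficiary and amount the customer keyed into the token, and shows that a relayed code no longer works once the payee has been swapped.

```python
"""Login-only one-time code versus a code bound to the payment order.
Added demo with constructed secrets and accounts; not any bank's real scheme."""
import hashlib
import hmac
import struct

# Constructed demo seed; real tokens carry per-device secrets provisioned by the bank.
DEVICE_SEED = b"demo-seed-not-a-real-token"


def _truncate(mac: bytes) -> str:
    """HOTP-style dynamic truncation (RFC 4226 section 5.3) to a 6-digit code."""
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10**6
    return f"{code:06d}"


def login_code(seed: bytes, counter: int) -> str:
    """Code bound only to an event counter: it proves the token was present at login
    and nothing else, so anyone who relays it can drive the authenticated session."""
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_code(seed: bytes, counter: int, beneficiary: str, amount_cents: int) -> str:
    """Code bound to the payment order the customer keyed into the token
    ("transaction signing"): changing the payee or the amount changes the code."""
    msg = struct.pack(">Q", counter) + beneficiary.encode() + struct.pack(">Q", amount_cents)
    return _truncate(hmac.new(seed, msg, hashlib.sha1).digest())


class Bank:
    """Toy back end holding the same seed and counter as the customer's token."""

    def __init__(self, policy: str):
        self.policy = policy  # "login_only" or "transaction_bound"
        self.counter = 0
        self.accepted = []    # payment orders the bank released

    def login(self, otp: str) -> bool:
        ok = hmac.compare_digest(otp, login_code(DEVICE_SEED, self.counter))
        if ok:
            self.counter += 1
        return ok

    def submit_payment(self, beneficiary: str, amount_cents: int, otp: str = None) -> bool:
        if self.policy == "login_only":
            ok = True  # session already authenticated; nothing further is checked
        else:
            expected = transaction_code(DEVICE_SEED, self.counter, beneficiary, amount_cents)
            ok = otp is not None and hmac.compare_digest(otp, expected)
            if ok:
                self.counter += 1
        if ok:
            self.accepted.append((beneficiary, amount_cents))
        return ok


INTENDED = ("PAYROLL-ACCT-0001", 20266447)  # constructed payee and amount
MULE = ("MULE-ACCT-0055", 32780400)         # constructed mule account


def simulate_relay(policy: str) -> list:
    """Controller means to pay payroll; malware in the browser captures whatever she
    types and submits a different payment order. Returns what the bank released."""
    bank = Bank(policy)
    # 1. Controller logs in; the login code is captured and relayed unchanged.
    bank.login(login_code(DEVICE_SEED, bank.counter))
    if policy == "login_only":
        # 2a. The session is fully trusted, so the substituted order goes through.
        bank.submit_payment(*MULE)
    else:
        # 2b. Controller computes a code over the payroll order shown on her token;
        #     the relayed code does not match the substituted payee and amount.
        captured = transaction_code(DEVICE_SEED, bank.counter, *INTENDED)
        bank.submit_payment(*MULE, otp=captured)
    return bank.accepted


def legitimate_payment(policy: str = "transaction_bound") -> bool:
    """Control case: the untouched payroll order with its matching code is accepted."""
    bank = Bank(policy)
    bank.login(login_code(DEVICE_SEED, bank.counter))
    code = transaction_code(DEVICE_SEED, bank.counter, *INTENDED)
    return bank.submit_payment(*INTENDED, otp=code)


if __name__ == "__main__":
    print("login-only policy released:", simulate_relay("login_only"))
    print("transaction-bound policy released:", simulate_relay("transaction_bound"))
    print("legitimate order under transaction-bound policy:", legitimate_payment())
```

The design point is that the second factor must commit to what is being authorized, not merely to the fact that the customer was present; a code the customer cannot read off against the real payee and amount is one the malware can reuse for whatever order it likes.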

On May 9, Tennessee Electric alleges, TriSummit Bank called to confirm the $202,664.47 payroll batch — as per an agreement the bank and the utility had which called for the bank to verbally verify all payment orders by phone. But according to Tennessee Electric, the bank for some reason had already approved a payroll draft of $327,804 to be sent to 55 different accounts across the United States — even though the bank allegedly never called to get verification of that payment order.

Tennessee Electric alleges that the bank only called to seek approval for the fraudulent batch on May 10, more than a day after having approved it and after I contacted Tennessee Electric to let them know they’d been robbed by the Russian cyber mob.
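The narrative above gives a bank everything it needs to recognize the fraudulent batch before releasing it: the customer's payroll normally ran $200,000 to $240,000 a week, and the $327,804 order went to 55 accounts the customer had never paid. Below is an added screening routine written for this article, not TriSummit's or TEC's software, that compares a candidate batch against the customer's own history and returns reasons to hold it for the agreed out-of-band phone verification. All batch data is constructed; the thresholds (3 sigma on the total, 20% never-paid beneficiaries, 20% growth in beneficiary count) are assumptions a bank would tune.

```python
"""Screen an ACH payroll batch against the customer's own history before release.
Added example with constructed data; thresholds are assumptions, not a standard."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Batch:
    batch_id: str
    total_cents: int
    beneficiaries: list  # destination account identifiers in the batch


def screen_batch(history, candidate, new_share_limit=0.20, sigma=3.0, count_growth=1.2):
    """Return reasons to hold the batch for out-of-band verification.
    An empty list means the batch looks like this customer's normal payroll."""
    reasons = []

    # 1. Total amount versus the customer's weekly pattern.
    totals = [h.total_cents for h in history]
    mu, sd = mean(totals), pstdev(totals)
    if sd == 0:
        sd = mu * 0.05  # flat history: use a 5% band rather than zero tolerance
    if abs(candidate.total_cents - mu) > sigma * sd:
        reasons.append(f"total ${candidate.total_cents / 100:,.2f} is more than "
                       f"{sigma:.0f} sigma from the weekly mean ${mu / 100:,.2f}")

    # 2. Share of beneficiaries this customer has never paid before.
    known = {acct for h in history for acct in h.beneficiaries}
    new_accts = [a for a in candidate.beneficiaries if a not in known]
    share = len(new_accts) / len(candidate.beneficiaries) if candidate.beneficiaries else 0.0
    if share > new_share_limit:
        reasons.append(f"{len(new_accts)} of {len(candidate.beneficiaries)} "
                       f"beneficiaries never paid before ({share:.0%})")

    # 3. Sudden growth in the number of payees.
    max_count = max(len(h.beneficiaries) for h in history)
    if len(candidate.beneficiaries) > count_growth * max_count:
        reasons.append(f"{len(candidate.beneficiaries)} beneficiaries versus "
                       f"historical maximum of {max_count}")
    return reasons


def decide(history, candidate) -> str:
    """Release decision: any reason means call the customer before sending."""
    return "HOLD: verify by phone" if screen_batch(history, candidate) else "RELEASE"


# Constructed history: eight weekly payroll batches to the same 40 employee accounts,
# with totals inside the $200k-$240k band the article describes as typical.
EMPLOYEES = [f"EMP-{i:03d}" for i in range(1, 41)]
WEEKLY_TOTALS = [20100000, 21500000, 23800000, 22200000, 23000000, 20500000, 24000000, 21200000]
HISTORY = [Batch(f"PR-W{w:02d}", t, EMPLOYEES) for w, t in enumerate(WEEKLY_TOTALS, start=11)]

# Constructed candidates: the real payroll order and a batch to 55 never-seen accounts.
LEGIT = Batch("PR-W19", 20266447, EMPLOYEES)
FRAUD = Batch("PR-W19-B", 32780400, [f"NEW-ACCT-{i:02d}" for i in range(1, 56)])


if __name__ == "__main__":
    for batch in (LEGIT, FRAUD):
        print(batch.batch_id, decide(HISTORY, batch))
        for reason in screen_batch(HISTORY, batch):
            print("   -", reason)
```

A hold is cheap when the check is keyed to the customer's own baseline rather than a global rule: the legitimate $202,664.47 batch clears on all three tests, while the fraudulent batch trips every one of them, which is exactly the case where the verbal confirmation in the bank's agreement should have happened first.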

ANALYSIS

This lawsuit, if it heads to trial, could help set a more certain and even standard for figuring out who’s at fault when businesses are hit by cyberheists (for better or worse, most such legal challenges are overwhelmingly weighted toward banks and quietly settled for a fraction of the loss).

Consumers who bank online are protected by Regulation E, which dramatically limits the liability for consumers who lose money from unauthorized account activity online (provided the victim notifies their financial institution of the fraudulent activity within 60 days of receiving a disputed account statement).

Businesses, however, do not enjoy such protections. States across the country have adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

Under state interpretations of the UCC, the most that a business hit with a cyberheist can hope to recover is the amount that was stolen. That means that it’s generally not in the business’s best interests to sue their bank unless the amount of theft was quite high, because the litigation fees required to win a court battle can quickly equal or surpass the amount stolen.

Recent cyberheist cases in other states have brought mixed (if modest) results for the plaintiffs. But Charisee Castagnoli, an adjunct professor of law at the John Marshall Law School, said those decisions may end up helping Tennessee Electric’s case because they hold open the possibility that courts could hear one of these cases using something other than a strict interpretation of the UCC or contract law — such as fraud or negligence claims. And that could lead to courts awarding punitive damages, which can often amount to several times the plaintiff’s actual losses.

“We’re still seeing lawyers who are hunting for their best argument in terms of financial recovery, but what they’re really searching for is a way to get this out of the UCC and out of contract law, because under those you only get actual damages,” Castagnoli said. “And there’s really no way under the UCC and contract law theory to apply an economic recovery that will be an incentive for banks to change their behavior.”

Most recently, for example, Missouri-based Choice Escrow & Land Title unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist. Choice’s attorneys failed to convince the first court that the bank’s online security procedures weren’t commercially reasonable. An appeals court confirmed that ruling, and went a step further by affirming that the bank could recover its attorney’s fees from Choice Escrow.

In the case of Patco Construction, a company in Maine that was hit by a $588,000 cyberheist in 2009, a lower court ruled the security at Patco’s bank was commercially reasonable. But an appeals court in Boston called the bank’s security systems “commercially unreasonable,” reversing the lower court. Castagnoli said the appeals court in the Patco case also left open what the victim’s obligations and responsibilities are in the event that the bank’s security measures fail.

“Even though it looks like from a victim business’s perspective that the Patco case is good and the Choice decision bad, there may be enough good language in both of those cases [to help] Tennessee Electric’s case,” Castagnoli said. “You’d think with a harmonized statute [like the UCC] which exists across all 50 states that we’d have some clarity in terms of plaintiff rights of recovery in these cases, but we really don’t.”

Do you run your own business and bank online but aren’t willing to place all of your trust in your bank’s online security? Consider adopting some of the advice I laid out in Online Banking Best Practices for Businesses and Banking on a Live CD.


57 thoughts on “Tenn. Firm Sues Bank Over $327K Cyberheist”

  1. Tom

    Down here in Brazil banks with one-time tokens have long moved to ask for the token in several different steps, including login, payment confirmation, money transfers, etc. This prevents this kind of attack, when the hackers highjack the session and use the one-time token to move funds.

    1. Jim

      Strongly agree. One-time tokens should be used for more than just login. They should be required to verify all new beneficiaries of an ACH batch.

  2. JG

    I have several Windows clients using LiveCD for online banking. Even very unskilled tech users can follow clear written instructions, so my clients actually use it, especially after hearing about big losses and having viruses removed from phishing attacks.

    I also just bought ZeusGard that Krebs recommended and will see if some clients prefer it over LiveCD.

  3. george

    I think it is quite likely this case will settle out of court. From the document linked by Brian it looks like the bank dropped the ball by dismissing their customer concerns (it’s probably maintenance, etc). I normally don’t have much sympathy for grossly negligent and uninformed victims but if I am to believe the linked complaint it looks like the victims in this case did some due diligence, accepting and using the extra security procedures and reporting suspicious calls.
    Too bad we’ll probably never know how it ends up.

  4. INQ

    Isn’t there an expectation under FFIEC guidance to also monitor for unusual activity (i.e. risky out of profile behaviour)? At least this may catch the easier cases.
    Additionally, a few years ago in NYC, I heard a speaker from Germany say this fraud (against one-time tokens) was a growing trend in Europe. The solution they were exploring was to also include specific details of the intended transaction into a post sign-on token. Usability and change to web banking would be the main challenge – aside from the business case challenge of building for rare events…perhaps a successful law suit would improve that case at banks.

    1. eBankSafe

      There is! However, the FFIEC guidance has not been enforced much and many banks have not implemented the necessary controls.

      However, when this case is evaluated by the Judge, they will most likely find that the account holder is not responsible for the loss because the payment order was not processed in accordance with the agreement because the bank failed to perform the agreed upon security control (out-of-band verification via telephone).

      This is pretty open and shut IMO. The bank is going to lose.

  5. Atty. John Kennedy

    Brian, could you make a video that shows people exactly how this scam works? It is difficult to visualize with words alone but a video would be priceless.

    Another great article btw.

      1. AskJeeves

        1) computer gets infected with malware designed specifically for bank account take overs
        2) victim accesses online account, enters credentials
        3) thieves are sent an “alert” to hijack the session. They use a “web inject” to get the extra info they need (one time token)
        4) victim either receives a “maintenance” page or a spoofed (fake) account page showing no changes
        5) thieves use this access to transfer money to accounts belonging to “mules”
        6) mules rush to the banks and pull out the funds before frozen and sent back to victims bank (as some of the funds were in this case)
        7) the cash (minus mule fee) is then sent to Putin himself.

        1. SeymourB

          Only a portion of the funds go to Pooty Poot. His underlings take their cut, and their underlings take their cut. One must keep “law enforcement” satisfied so they don’t bother to do their job by enforcing laws.

    1. Neej

      As I understand it from only reading BK’s article here and previously regarding this incident:

      The customer was infected somehow by malicious software. When the customer attempted to login to the banking facilities the malicious software intercepted the data travelling to and from the customer’s computer, revealing the customer’s logins and bypassing the one time code (an additional piece of login data that is required to use the facilities).

      Then the malicious software presented a “down for maintenance” type message to the customer to fool them into not using the account, to allow the fraud to occur. It (probably now controlled by a human operator though I do not know for certain) proceeded to login to the customer’s account and transfer money to a number (50 or so) of other accounts controlled by the criminals’ agents – the so called money mules – where it is further processed and sent to the criminal gang.

      So it is a sophisticated scam all in all.

      It all could have been avoided if the customer had not been infected by the malicious software as they attempted to use their bank. A good way to make it very difficult or impossible for this to occur is to use a LiveCD as BK suggests.

  6. JC

    Yet another case where a company’s head of finance should have been asking for automated out of band phone call based authentication for all online ACH and Wire transactions. If your banks says “huh?”, it is time to find another bank.

    1. Jane

      “as per an agreement the bank and the utility had which called for the bank to verbally verify all payment orders by phone”

      Was it the customer who was supposed to call the bank and the bank just allowed them to do it for peace of mind but never actually waited for the verbal confirmation?

      1. Peter

        … and was this agreement in writing *and* always followed up from client-side before?

        If either of these two is not, the bank probably wins.

        1. Infosec Pro

          if it was in writing it probably sticks, even if there were occasional previous lapses. if there was consistent failure to perform that was not met with complaints and demands for corrective action it might not hold up, but even that’s uncertain.

          Krebs reported that there was out of band verification but only after the fact. Might have been bank attempting to cover their previous failure. That part well might be the most important, their attempt to perform ex post facto out of band verification demonstrates their ineffective attempt to comply with the contract terms.

          This one is likely to be settled out of court on terms favorable to the plaintiff, just to keep the details off the public record. Might not be though, the bank’s insurance company might go to court even though it results in details being disclosed that embarrass the bank.

    1. JCitizen

      Very good of you Matt to post this; maybe it will help KOS readers to understand the gist of these incidents.

  7. Katrina L.

    Amazing that the bank’s original response was so cavalier—“it’s probably down for maintenance, just try elsewhere…”

    And months later, that attitude resulted in thousands of dollars lost.

    1. NotMe

      When I call my bank I’m always surprised that they can even answer the phone much less help with an issue. Most often I am referred to their website and told to search. Even less often do I get an English as a first language person to help me.

      1. EJ

        Those all sound like compelling reasons to find a new financial institution.

      2. KathyB

        Holy cow! If your needs aren’t being met, you really should consider changing banks. What you are experiencing is unacceptable. Consider a community bank or credit union.

        Based on what I read about this case, I don’t believe the bank behaved correctly. The “probably down for maintenance” should be a red flag for the bank to make a call.

        Disclaimer: I’m an infosec officer at a community-based bank.

        1. Michael

          Since you said you’re in infosec, does your team do any type of training to the customer service staff for this type of issue? If you were a casual computer user, you would likely think that it WAS down for maintenance if that’s what the BANK’S page stated. Just curious…

  8. Question...

    Hi Brian,

    You don’t mention how the controller’s computer was infected with malware? Was this investigated?

    More and more I am of the belief that companies should consider having one computer restricted to online banking only, with no access to email, in order to reduce the clicking of phishing links that download malware.

    1. analyst

      http://www.mnemonic.no/en/Andre-sprak/English/Seminars-and-articles/Banking-Trojan-White-Papers/

      Very good article (‘The Trojan Wars…’).
      We had some clients who had Trojans (more than one!) on a PC. After they were informed they hired company/contractor for ‘cleaning’ PC. After that they were ‘sure’ that they were clean! Please read the article and You will learn that partial cleaning can make infection again (after connecting to the Internet).
      That issue is important for practical communication with clients.

    2. Steve

      Why isn’t the answer ever “just don’t use online banking”? The risk of losing hundreds of thousands of dollars outweighs the benefits in my mind.

  9. MEP

    “Commercially reasonable”: There’s a term of art that has cost untold amounts of money for consumers, businesses and anyone else who isn’t a bank. The laws are literally written for them.

  10. cooloutac

    If I read right, that Missouri based title company not only lost its case against the bank, but then was forced to pay the bank’s lawyers? wow that’s rough…lol

    I also agree with the above posters question.

    Why are emails even allowed in most businesses? Why aren’t certain computers segregated from other networks?

    But then again after reading this article, it’s even more apparent why these banks could care less.

  11. RS

    I’m not sure how it’s spelled in the rest of the world, but in Louisiana it’s spelled “comptroller” but pronounced “con-troll-er”. Anyway… according to Krebs there is a discrepancy between what TEC got back and what the losses really have been.

    “Under state interpretations of the UCC, the most that a business hit with a cyberheist can hope to recover is the amount that was stolen.”

    So… assuming that particular state has such language in its interpretation, TEC would have redress to recover the rest of the money the bank lost them due to what appears to be incompetence on part of the bank. For many small to mid sized businesses that kind of money is a make or break amount; I can certainly understand they’d try everything to get it back.

    As for the UCC… businesses usually have a lot of pull with local and state lawmakers. If enough complained the code would be modified. Sometimes the court system really shouldn’t be the first and last resort.

    1. aussie

      here come the grammar police. wow that didn’t take long. comptroller and controller mean essentially the same thing in this context, mate, even down here.

      1. RS

        “Down here” I assume you mean Australia by the name. Krebs and I are both from the US. I’ve never seen “controller” used in that way before, and no I’m not a grammar Nazi so get off your high horse. I was trying to clear it up in my own mind whether he meant the position of comptroller in ‘office of the comptroller’ for a company or some generic office person that controls that single account. It actually makes a difference in statements from that company.

        1. BrianKrebs Post author

          I don’t know if this is the last word on this…word in this context, but…

          “What is the difference between a controller and a comptroller?

          The controller and comptroller titles refer to the same position, which is the person responsible for all accounting operations of a business. The controller title is more frequently found in for-profit businesses, while the comptroller title is more commonly found in governmental and non-profit organizations. Given the non-profit and governmental locations in which the comptroller title is more commonly found, there is a greater tendency for the comptroller job position to require a greater emphasis on fund accounting.”

          http://www.accountingtools.com/questions-and-answers/what-is-the-difference-between-a-controller-and-a-comptrolle.html

    2. nov

      RS,
      +1 That word vaguely threw me too till you mentioned it.
      +1 Seems all businesses in these malware loss cases have redress up to the amount of the loss if the banks don’t follow the customer-business written agreement (per the UCC).

      That is an incentive for the banks to change their rules in these cases (unless all the money is clawed back both the company is ‘out’ and the bank is ‘out’; it’s a matter of how many thousands of dollars per case and continuing cases of thousands of dollars the banks (and customer companies) wish to withstand).

      1. Infosec Pro

        not true that both the company and the bank are out, once the money is gone they get to fight it out in court over who pays. that’s what this and other similar cases are about.

        1. nov

          Correct.

          However, another way I could have stated it along the thought that: There’s still a loss of money. That original amount will not be on the bank’s ‘total deposits’ held in the bank any longer–unless clawed back.

          Unless the company (customer of the bank) wins redress the company is ‘out’.

          If the company does win then: $192k to the company and $192k from the bank that wasn’t listed as part of their total deposits. At some point it seems the bank will have to account for the robbery/loss of money that it pays out but wasn’t part of ‘total deposits’ (I’m not an accountant).

          (In this case, $192k has not been clawed back–it’s not in the bank’s total deposits and it’s not with the customer company. If the company doesn’t win, both are ‘out’ and the bank I suppose will lose a customer. As of the time the article was written: Neither the bank nor the customer has the ‘original’ $192k that is the object of this court case.)

          1. nov

            In the response I stated “$192k to the company and $192k from the bank”. I mean $192k to the company, from the bank that didn’t have it listed as part of its ‘total deposits’.

  12. Rosemary

    Brian,
    Just created boot copy of Puppy Linux for our online banking needs. Thanks for the great advice! I recently had malware on my workstation and so we cleaned the hard drive, updated all releases you mentioned including any Microsoft updates and changed our user id and password with the banks help. Will look into the password generator that you mentioned in a previous entry. Thanks once again!!!!

  13. Harry Johnston

    It should be possible to build dedicated devices – designed specifically for the task of online banking, and able to be programmed with knowledge of the bank’s SSL certificate, or better still to use a VPN to access the bank’s network.

    At present, such devices would probably be slightly too expensive to be justifiable for consumer online banking. But the cost would be easily justifiable if you’re dealing with tens or hundreds of thousands of dollars.

    That’s what’s “commercially reasonable”.

    1. timeless

      (My browser crashed composing this message, so it’ll be shorter because I don’t want to rewrite the whole thing again)

      1. A hardware device means you need to provide your own OS+Browser.
      2. An OS needs security updates regularly
      3. A Browser needs security updates regularly
      (both typically need them monthly, possibly sooner — which means you more or less need to expect to update your device each time before you try to do any banking)
      4. Any time you decide you want to update, you have to pray that the guy who wrote the update system didn’t mess up. Messing up can result in a brick, or in you installing evil software (if e.g. the vendor didn’t properly prevent a MITM from providing said software in place of the proper software)

      * Assuming those all work, you end up w/ something very much like ZeusGuard http://krebsonsecurity.com/2014/07/wireless-live-cd-alternative-zeusgard/

      As for SSL Pinning.

      5. SSL Certificates are typically valid for 1-2 years (typically for the banks I checked, 1 year)
      6. Of the top 10 US banks http://www.forbes.com/pictures/eehd45egjjk/top-10-biggest-banks-in-america/ 1 used Entrust, the others used VeriSign, which means there’s some potential to switch CAs
      7. Three are only using Domain Validation certificates instead of EV certificates, which means they *should* be changing their (intermediate) CA to one that is blessed to issue EV certs
      -> https://www.bnymellon.com/
      -> https://onlinebanking.tdbank.com/
      -> https://www.wellsfargo.com/

      If you don’t have a VPN, you’re at risk to one more MITM:
      8. The only thing that a VPN could sort of protect you from is a local attack against your router, and that’s assuming your VPN is well configured to not trust random remote endpoints (otherwise you’re really screwed, but this probably isn’t uncommon).

      Basically, your router is hardware that runs software, it needs regular updates too. And it probably doesn’t get them.
      http://krebsonsecurity.com/2011/12/new-tools-bypass-wireless-router-security/
      http://krebsonsecurity.com/2013/12/important-security-update-for-d-link-routers/

      Basically, if your router is hacked, you’re at risk for a MITM via a DNS change (see lots of articles about DNS changer)

      As for VPNs

      9. VPNs provide two things:
      * a firewall (which you shouldn’t need if your OS doesn’t have any open ports, or your OS could include one)
      * a cryptographic channel (the same sort of thing that web browsers have, in fact, see below)

      10. VPNs are basically hardware + software, they have vulnerabilities
      -> https://news.ycombinator.com/item?id=7598616 heartbleed impacted OpenVPN just like it impacted Web Servers

      Anyway, the DNS vulnerability is supposed to be covered by DNSSEC. Here’s a paper that talks about DNSSEC: http://www.chrismitchell.net/svidad.pdf — in short, we aren’t really at the point where DNSSEC will help. It’ll take a while. I’m more optimistic about IPv6 deployment (which is around 5% in the US, and in double digits in one tiny European country).

      1. Harry Johnston

        1. Sure, and in fact that’s where most of the benefit comes from; but the development and maintenance cost could be spread over the entire international industry. Also, it doesn’t need a fully-functional web browser, since it only needs to connect to the bank. In fact it needn’t be a web browser at all; the VNC protocol or something similar would be preferable.

        2. The simpler the OS, the less frequent the security updates, and the quicker they are to apply; in this scenario I think it should be possible to get it down to under a second. The same applies to 3.

        4. With proper testing (the cost of which can again be spread over the entire industry) and sufficiently simple architecture, this risk can be minimized. It would also be sensible to put the firmware on something like a SD card or a SIM, so even in the worst-case scenario you wouldn’t need to replace the entire unit.

        ZeusGuard is better than nothing, but it has to run on hardware that is both more complex and more diverse than necessary, as well as not being designed with security in mind[*]. This makes the software much more complicated than that of a dedicated device, reintroducing or exacerbating all the issues you’ve already mentioned.

        Also, since it isn’t provided by the banks, it has to use a web browser and can’t do certificate pinning.

        5, 6, and 7 are implementation details, not laws of nature. You could use rolling certificates and distribute the new ones via the existing update mechanism, or have your own root certificate with an extended lifetime – since the bank’s server would *only* ever be accessed via the dedicated devices, there’s no need to use a CA.

        8, 9, 10: you’re probably right that a VPN is an unnecessary complication here; properly implemented, SSL should protect against all MitM attacks. In some cases using a VPN may provide some benefit, e.g., if the unit does use a web browser rather than something like VNC, forcing all the traffic to go through the VPN may help to isolate the web browser from potential attacks. (Of course, I’m assuming here that the attackers are not *inside* the bank’s network).

        [*] Ideally, a dedicated device would use a CPU that was designed for secure coding; for example, it would provide safe integer arithmetic, see http://harryjohnston.wordpress.com/2011/08/19/safe-computing-integer-arithmetic/ for a description of the sort of thing I mean. However, this might increase the cost too much.

  14. NotMe

    “I’d contacted the company after speaking with a money mule who’d acknowledged receiving thousands of dollars pulled from the firm’s accounts at TriSummit.”

    WOW! Really? How can a fellow get an interview with someone who acknowledges breaking several laws? Speaks to the nature of the business if the mule is willing to rat out the scam. I understand protection of sources, but the mule is part of the problem. I wonder if a resourceful fellow could somehow get a mule job to get on the inside of one of these to really investigate all the connections…….

    1. Andrew

      Money Mules are commonly recruited through online job postings for work-from-home opportunities. They might be told they will assist with speeding up payment processing to international countries etc. and believe they’re working for a legitimate firm rather than a cyberheist gang.

    2. timeless

      I’m pretty sure in some instances mules have come forward to Brian when they realized something was wrong.

      And in that case, it’s more like a potential mule. A recruited entity which has not yet broken the law.

      1. BrianKrebs Post author

        I have spoken to more money mules than I could possibly keep count of, both the ones who came to me, and the other way round.

  15. Hav0c

    It would be interesting to understand why banks allow real-time setup of NEW routing and account info for something like payroll. I would expect the majority of companies to have a relatively small number (percentage wise) of new account setups per pay period. It would be trivial for a bank to setup statistical analysis of this and flag when there is a 150% increase in payout of which 100% of them are new accounts.

    It is interesting that they do statistical analysis (clipping levels) for credit cards for which they or the merchant is going to bear the cost of the fraud, but NOT for transactions that if fraudulent will hit the consumer/business.

    I am pretty sure this would (or should) fall under the red flags initiative and should fall under FFIEC as well. Then there is always doing the right thing for your customer. Maybe if a company can create an analytics suite for regional banks and the banks can pitch it as part of their marketing there would be an economic incentive to do the right thing.

    I agree it is ultimately the end user’s fault for failing to protect their system (bank from a distro, etc) but the majority don’t know, many don’t care (until they get hit like this), and unless the mainstream media starts airing this as a PSA, the majority won’t do anything or be educated since the people impacted most likely don’t frequent sites like KoS.

    1. timeless

      I have never worked for a bank, but…

      I suspect that banks don’t actually treat PayRoll as distinct from the preauthorized bill pay that you can set up for a personal account.

      e.g. as a person, I can authorize my bank to pay account routing XX:YY $10 on the 10th of every month.
      I don’t think the bank treats that any different than:
      e.g. as a company, I can authorize my bank to pay account routing PP:QQ $10,000 on the 10th of every month.

      To you/me, we think that these are different, but if you look at the data the bank needs to store, they aren’t.

      Banks, like most entities are lazy and will only do things if forced or coerced, because taking any action incurs an expense. And no one wants to spend money unless they have to…

      1. Hav0c

        Timeless – good points

        I have never worked in finance, but seem to recall separate accounts for AP, AR, Payroll, Expense, nightly sweeps of accounts and daily reconciliations, manual validation of new wire instruction setups, etc. Then again this was at a med/large enterprise and prob has no relation to structure of SOHO / SMB. Cheers

  16. Dave

    One must remember that only the side of TN Electric is presented here since the bank has not filed their response to the allegations. Remember the old saying that the truth lies somewhere in the middle of what both sides state as “the facts”. UCC 4A leaves it up to the courts to decide what is “commercially reasonable” and as Brian cites in the article, there have been a variety of findings (usually in favor of the customer) because each situation has to be examined individually based on the business nature of the transaction, authentication controls that were in place, the terms of the agreement between the bank and the customer, etc. It will be interesting to see how this unfolds.

    1. Infosec Pro

      Dave, my impression (intuitive not scientific) is the opposite of your statement that findings have usually been in favor of the customer. From the various verdicts I recall it seems the banks usually prevail over their customers (not surprisingly, why should this differ from everything else?). Do you know of any objective compilation reviewing such decisions?

      Generally it is not a level playing field. The laws favor the banks, and the case law on “commercially reasonable” is as likely to reflect depth of litigants’ pocket as it is to reflect justice.

  17. mbi

    I’ve always felt the issue of liability should rest with the bank to institute and enforce security measures sufficient to the threat once it is known. After all this is their business and they know best how to run their operation. Why they would use such an outdated UCC standard is beyond me. It has to be that it just isn’t cost effective and better to let their customers play the lottery of theft than protect them.

  18. bob

    I’m curious how this malware gets around TLS/SSL? Does it attach itself to the web browser’s process and directly inject HTML into the browser?

    1. BrianKrebs Post author

      Yes. Without getting too technical, the malware grabs the data submitted by the user into the form field of the browser before it gets encrypted.

      Since it can control every aspect of the infected computer, it also can control what the victim sees in his/her browser. So, yes, it injects HTML content into the browser and lies to the user. This injection process is called a “Web inject.” You can see one in action here:

      http://krebsonsecurity.com/2014/06/backstage-with-the-gameover-botnet-hijackers/
