A Texas bank that’s suing a customer to recover $1.66 million spirited out of the country in a 2012 cyberheist says it now believes the missing funds are still here in the United States — in a bank account that’s been frozen by the federal government as part of an FBI cybercrime investigation.
In late June 2012, unknown hackers broke into the computer systems of Luna & Luna, LLP, a real estate escrow firm based in Garland, Texas. Unbeknownst to Luna, hackers had stolen the username and password that the company used to managed its account at Texas Brand Bank (TBB), a financial institution also based in Garland.
Between June 21, 2012 and July 2, 2012, fraudsters stole approximately $1.75 million in three separate wire transfers. Two of those transfers went to an account at the Industrial and Commercial Bank of China. That account was tied to the Jixi City Tianfeng Trade Limited Company in China. The third wire, in the amount of $89,651, was sent to a company in the United States, and was recovered by the bank.
Jixi is in the Heilongjiang province of China on the border with Russia, a region apparently replete with companies willing to accept huge international wire transfers without asking too many questions. A year before this cyberheist took place, the FBI issued a warning that cyberthieves operating out of the region had been the recipients of approximately $20 million in the year prior — all funds stolen from small to mid-sized businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies (PDF) on the border with Russia.
Luna became aware of the fraudulent transfers on July 2, 2012, when the bank notified the company that it was about to overdraw its accounts. The theft put Luna & Luna in a tough spot: The money the thieves stole was being held in escrow for the U.S. Department of Housing and Urban Development (HUD). In essence, the crooks had robbed Uncle Sam, and this was exactly the argument that Luna used to talk its bank into replacing the missing funds as quickly as possible.
“Luna argued that unless TBB restored the funds, Luna and HUD would be severely damaged with consequences to TBB far greater than the sum of the swindled funds,” TBB wrote in its original complaint (PDF). TBB notes that it agreed to reimburse the stolen funds, but that it also reserved its right to legal claims against Luna to recover the money.
When TBB later demanded repayment, Luna refused. The bank filed suit on July 1, 2013, in state court, suing to recover the approximately $1.66 million that it could not claw back, plus interest and attorney’s fees.
For the ensuing year, TBB and Luna wrangled in the courts over the venue of the trial. Luna also counterclaimed that the bank’s security was deficient because it only relied on a username and password, and that TBB should have flagged the wires to China as highly unusual.
TBB notes that per a written agreement with the bank, Luna had instructed the bank to process more than a thousand wire transfers from its accounts to third-party accounts. Further, the bank pointed out that Luna had been offered but refused “dual controls,” a security measure that requires two employees to sign off on all wire transfers before the money is allowed to be sent.
In August, Luna alerted (PDF) the U.S. District Court for the Northern District of Texas that in direct conversations with the FBI, an agent involved in the investigation disclosed that the $1.66 million in stolen funds were actually sitting in an account at JPMorgan Chase, which was the receiving bank for the fraudulent wires. Both Luna and TBB have asked the government to consider relinquishing the funds to help settle the lawsuit.
The FBI did not return calls seeking comment. The Office of the U.S. attorney for the Northern District of Texas, which is in the process of investigating potential criminal claims related to the fraudulent transfers, declined to comment except to say that the case is ongoing and that no criminal charges have been filed to date.
As usual, this cyberheist resulted from missteps by both the bank and the customer. Dual controls are a helpful — but not always sufficient — security control that Luna should have adopted, particularly given how often these cyberheists are perpetrated against title and escrow firms. But it is galling that it is easier to find more robust, customer-facing security controls at your average email or other cloud service provider than it is at one of thousands of financial institutions in the United States.
If you run a small business and are managing your accounts online, you’d be wise to expect a similar attack on your own accounts and prepare accordingly. That means taking your business to a bank that offers more than just usernames, passwords and tokens for security. Shop around for a bank that lets you secure your transfers with some sort of additional authentication step required from a mobile device. These security methods can be defeated of course, but they present an extra hurdle for the bad guys, who probably are more likely to go after the lower-hanging fruit at thousands of other financial institutions that don’t offer more modern security approaches.
But if you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.
It’s interesting that Luna has asked the Court to ‘slow track’ the litigation against them. I would be surprised to see that being granted, as I am sure TBB will vigorously demand that their legal action see a courtroom swiftly. I can’t see Luna being successful here since they declined the additional controls.
Also – I think you have a link wrong, the ‘TBB original claim’ link is to a Luna document they submitted to the US District Court.
Thanks, pookie. Fixed the link.
Lots of similarities it would appear to the Choice Escrow account that Choice ended up losing since they had refused (twice) to adopt a dual authorization option. But UCC 4-A leaves it up to the court to decide if the bank used a “commercially reasonable” security procedure so each case will be looked at independently. The court will look at the wires, their destination and amount and see if those elements should have raised attention by the bank. All kinds of issues to be reviewed.
But the fact that the funds are still being held within the US, one would think that TBB could claw back those funds without any real problem.
“…$1.66 million in stolen funds were actually sitting in an account at JPMorgan Chase, which was the receiving bank for the fraudulent wires.”
Or, Luna (victim customer of the bank) can’t get the stolen funds returned? More than two years later, Luna and the bank still can’t prove fraud for rightful return of stolen funds? Luna and the TBB didn’t commit the crime, so why’s JPMorgan sitting on stolen funds? So, JPMorgan has a way of discovering funds are stolen; but TBB, a smaller bank, doesn’t.
I wouldn’t doubt that it is the FBI brow beating the banks that is retarding the process of moving the money out of Chase. I’ve seen more than one case in Colorado where individuals lost money to swindles and couldn’t even get it back because the FBI was commandeering all funds until the “investigation” and prosecution was over. I really think this should be considered a violation of the Constitution Articles, because of a robust protection for private/corporate property. Of course, since it is government property, in this instance, that may be a factor here.
Two factor authentication could have prevented the funds from being removed if it was implemented by two people with two different cell phone numbers, along with email notification that the transfer is in process.
They’ll learn soon enough…
While 2FA is something I heavily endorse, it can and will be done wrong.
I’m waiting for an article by Brian about vendors which let you turn off 2FA easily, or change the 2FA destination.
We’ll start seeing victims who have their 2FA phone numbers changed / 2FA disabled and then their funds stolen once there’s significant uptake of banks “using” 2FA.
The other attack is SMS / phone call forwarding. Instead of attacking the bank / payment processor (many of which will mess up), you can attack (socially engineer) the phone provider and get them to enable call/message forwarding (which results in the confirmation code going to a disposable number controlled by the attacker).
Could there be a scenario wherein the FBI could sit on the funds hoping to be able to sieze them for the benefit of the U.S. government?
Admiral Obvious here.
” the bank pointed out that Luna had been offered but refused “dual controls,”” This situation is analogous to the federal requirements to have seat belts installed in cars. The addition of seat belts was opposed in the United States even as the mangled bodies were being removed from car wrecks. Now, years later, seat belts are the norm, babies are required to be in special car seats which are held to the back seat by a seat belt. Anything else is considered dangerous, irresponsible and illegal. There are also far fewer mangled bodies.
The banking laws need to be changed to make dual controls mandatory or to replace that level of security with something better. We will quickly become accustom to the “new way” and be happy that the bad old days are gone.
” This situation is analogous to the federal requirements to have seat belts installed in cars.”
Which doesn’t require drivers and passengers to use the seatbelts. (although many states have do require usage)
I haven’t checked, but from Brian’s reporting, my guess is that the dual control was “another username and password” which is *not* a useful control.
If one of the computers in your network is affected by malware/a trojan, the odds of it spreading to the other computers in your network are quite high. And it’s likely that the second “control” would do the authentication from the same terminal — resulting in no actual increase in security.
I’m not saying that there shouldn’t be dual controls. I am saying that 2FA should be required *before* a careless requirement for dual-control.
Meanwhile, 1.66MM is earning interest on that frozen chunk of money. Hmmmm…..where will that go?
Executive recreation reimbursement fund.
(AKA hookers ‘n blow fund)
You’d think US banks would just block transfers to companies in Heilongjiang, or at least require some extra verification for doing so with large sums.
“US banks” isn’t a monolithic entity.
http://www.swiftbic.com/banks-in-UNITED-STATES.html
lists 4801 banks (technically a bank can have multiple swift codes, and a bank in theory could have 0 swift codes), but it’s a good round number to start from.
It’s possible that some portion of those banks (say 1-2%) are smart enough to block certain regions. But, there are lots of regions, and trying to maintain whitelists or blacklists by region is hard.
There are 1860 swift codes for China:
http://www.theswiftcodes.com/china-19/
and 883 for Russia:
http://www.theswiftcodes.com/russia-9/
fwiw, a swift code more or less looks like:
http://en.wikipedia.org/wiki/ISO_9362
4 letters: Institution Code or bank code.
2 letters: ISO 3166-1 alpha-2 country code
2 letters or digits: location code
if the second character is “0”, then it is typically a test BIC as opposed to a BIC used on the live network.
if the second character is “1”, then it denotes a passive participant in the SWIFT network
if the second character is “2”, then it typically indicates a reverse billing BIC, where the recipient pays for the message
as opposed to the more usual mode whereby the sender pays for the message.
3 letters or digits: branch code, optional (‘XXX’ for primary office)
You could /probably/ try to block by Country, and then when someone needs a country, whitelist the country and a region, and then when someone needs a region, whitelist by bank, or something. But that’s really really painful.
And the goal of banks is for everything to be automated, anything requiring a person slows things down and introduces another source of error, in addition to requiring paying a head.
http://www.theswiftcodes.com/united-states-24/ only lists 2355 US banks, but I think the swiftbic.com number is probably more accurate.
shame they didnt stole all of the money .
Another amazing round-up!
Hey Brian – the VPs are running around yelling about the Bash bug like its Y2K. Your thoughts?
Brian –
Take care of your units… M = thousand; MM = million
$1.66M = $1,660
$1.66MM = $1,660,000 (which you spoke of in your column).
Wrong.
Many people use k for thousand and m for million:
$20k = $20,000
$20m or $20M = $20,000,000
I suggest engaging brain before keyboard in future.
language is dynamic and slowly changing over time…I believe in North American vernacular M = Million, K = Thousand…however I have seen MM for Million and M for Thousand within the same industry. And people complain about kids using emoticons!
M is 1000 in roman numerals: http://en.wikipedia.org/wiki/Roman_numerals#Reading_Roman_numerals
M is 1,000,000 in SI:
http://en.wikipedia.org/wiki/Mega-
MM is 1,000,000 in “some financial contexts”:
http://en.wikipedia.org/wiki/Million
I think that most Americans are used to ‘1M’ = ‘1 million (american)’ and ‘1B’ = ‘1 billion (american)’
http://www.writingservices.eu/abbreviations-howtowritethem.htm
> ‘M’ is the abbreviation for the English word million and is capitalized to distinguish it from ‘m’, a thousandth.
http://www.unc.edu/~rowlett/units/dictM.html
M [1]
an informal abbreviation for million in expressions such as “$500M” for 500 million dollars or “Unemployment Reaches 4M” in a newspaper headline. …
http://www.unc.edu/~rowlett/units/dictB.html
B [1]
informal abbreviation for “billion,” generally meaning the American billion 109. …
$1.66 million in stolen funds were actually sitting in an account at JPMorgan Chase, which was the receiving bank for the fraudulent wires.
Can someone explain this?
The funds were sent to china but never made it?
The funds were sent to china but recovered from the Chinese bank and sent back to FBI controlled account?
The funds were sent to china and then sent to accounts in the US by crims and then the FBI froze them?
Very few small banks have direct international wire transfer capabilities. Instead they have agreements for larger banks to act as middlemen. So TBB (the originating institution) wired funds the Chase (the sending institution) with instructions to send the money on to the bank in China (the beneficiary institution). It sounds like the funds were frozen at Chase before the final transfer.
http://intermediarybank.com/category/international-wire-transfer/ has a vaguely workable explanation of intermediary banks.
Alex’s explanation is also reasonable.
IME, there are perhaps 10 or 20 major US banks that seem to do the vast majority of international wire transfers (and thus your money probably goes through one of them when you send it between your US bank and some non US bank). [Sorry, I can’t find a good citation for this.]
Chase is one of the largest US banks and does a significant portion of those international transactions.
Note: as a person doing international transactions regularly, there’s a significant incentive for you to bank at a bank which is one of these banks: It means that you are less likely to have one of those other intermediate banks skimming a transaction fee off your transfers.