<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; ach fraud</title>
	<atom:link href="http://krebsonsecurity.com/tag/ach-fraud/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 22:39:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Court: Passwords + Secret Questions = &#8216;Reasonable&#8217; eBanking Security</title>
		<link>http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security/</link>
		<comments>http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security/#comments</comments>
		<pubDate>Wed, 08 Jun 2011 04:51:10 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[The Coming Storm]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[avivah litan]]></category>
		<category><![CDATA[Cyota]]></category>
		<category><![CDATA[David Navetta]]></category>
		<category><![CDATA[gartner]]></category>
		<category><![CDATA[Information Law Group]]></category>
		<category><![CDATA[Jack Henry]]></category>
		<category><![CDATA[Ocean Bank]]></category>
		<category><![CDATA[Patco Construction]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[Sage Data Security]]></category>
		<category><![CDATA[Sari Green]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10065</guid>
		<description><![CDATA[A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is drawing to a conclusion. Experts said the decision recommended by a magistrate last week -- if adopted by a U.S. district court in Maine -- will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

In May 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People's United Bank. Patco used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.

In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco's account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco's line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.

Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco's motion for summary judgment and granting the bank's motion. ]]></description>
			<content:encoded><![CDATA[
<p>A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week &#8212; if adopted by a U.S. district court in Maine &#8212; will make it more difficult for  other victim businesses to challenge the effectiveness of security  measures employed by their banks.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/06/pwdgraphic.jpg"><img class="alignright size-medium wp-image-10230" title="login" src="http://krebsonsecurity.com/wp-content/uploads/2011/06/pwdgraphic-300x198.jpg" alt="" width="300" height="198" /></a>In May 2009, Sanford, Maine based <strong>Patco Construction Co.</strong> <a href="http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html" target="_blank">filed suit against Ocean Bank</a>, a division of Bridgeport, Conn. based <strong>People&#8217;s United Bank</strong>. Patco used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the <strong>ZeuS trojan</strong> to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.</p>
<p>In the weeks following the incident, Ocean Bank managed to block or claw back  $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco&#8217;s account were  less than the total fraudulent withdrawals,  the bank drew $223,237  on Patco&#8217;s line of credit to cover the transfers. Patco ended up  paying interest on that amount to avoid defaulting on its loans.</p>
<p>Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco&#8217;s motion for summary judgment and granting the bank&#8217;s motion.</p>
<p><strong>David Navetta</strong>, a founding partner of the <a title="Information Law Group" href="http://www.infolawgroup.com/promo/about/" target="_blank">Information Law Group</a>, said that Patco has about another week to dispute the magistrate&#8217;s recommendations, but that it is unlikely that the judge overseeing the case will overturn the magistrate&#8217;s findings.</p>
<p>Navetta said the magistrate considered the legal issues and propounded an analysis of what constitutes &#8220;commercially reasonable&#8221; security.</p>
<p>&#8220;Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability,&#8221; Navetta said. &#8220;The court explicitly recognizes this concept, and I think that is a good thing.&#8221;</p>
<p>But<strong> Avivah Litan</strong>, a fraud and bank security analyst at <strong>Gartner</strong>,  took strong exception to the way the magistrate arrived at the recommended decision, calling it &#8220;an outrage.&#8221;</p>
<p>&#8220;In my opinion, this is frankly an egregious injustice against small U.S. businesses,&#8221; Litan said. &#8220;It is also a complete failure of the   bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century.&#8221;</p>
<p><span id="more-10065"></span>The Technology</p>
<p>Ocean Bank relied on service provider <a title="Jack Henry" href="http://www.jackhenry.com/" target="_blank">Jack Henry</a> to process bank-to-bank transfers, and it selected an authentication process that required customers to log in with a company ID, user ID and password. Customers also were asked to provide answers to three &#8220;challenge questions&#8221; that would be asked if the system scored a transaction as &#8220;high risk.&#8221;</p>
<p>The Jack Henry product came with a risk scoring system developed by <strong>RSA</strong>&#8216;s <strong>Cyota</strong>, which rates the riskiness of transactions by using several factors, such as the location of a user&#8217;s Internet address, when and how often the user logs in, and how the customer navigates the site. Challenge questions were prompted when the risk score for a transaction exceeded 750 on a scale of zero to 1,000 (RSA considers transactions generating risk scores in excess of 750 to be high-risk). Ocean bank also kept track of customer &#8220;device IDs,&#8221; an amalgamation of attributes from the customer&#8217;s PC that could be used to create a unique fingerprint for that machine.</p>
<p>Until 2008, Ocean Bank set its dollar amount threshold &#8212; transfer amounts that would automatically require the answer to a challenge question regardless of the Cyota fraud score &#8212; at $100,000. But in July 2008, the bank lowered that threshold to $1. The bank told the court that it did so to enhance security following ACH fraud at the bank that targeted low-dollar amount transactions. After the change, customers were forced to answer a challenge question whenever they used the bank&#8217;s system.</p>
<p>The Analysis</p>
<p>Patco&#8217;s security expert, <strong>Sari Green</strong> of Portland, Me. based <a title="Sage Data Security" href="http://sagedatasecurity.com/" target="_blank">Sage Data Security</a>, told the court that by setting challenge questions to be asked on every transaction, the bank greatly increased the risk that a fraudster equipped with a banking Trojan would be able to compromise the answers to a customer&#8217;s challenge questions. Patco also argued that because the questions were triggered on every transaction regardless of the scoring of the transaction, that system did not provide any additional security.</p>
<p>Navetta said the magistrate considered the question of whether Ocean Bank&#8217;s security was sufficient. The magistrate analyzed whether the bank’s security satisfied &#8220;multi-factor authentication&#8221; guidelines by incorporating at least two of three checks: something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token), and something the user is (such as a biometric identifier). (Those guidelines were established in 2005 by banking regulators at the Federal Financial Institutions Examination Council (FFIEC).)</p>
<p>Navetta said the magistrate accepted the bank’s argument that the password-based scheme used by the bank was multi-factor as described in the FFIEC. &#8220;To some degree the court acknowledged that  the bank’s security  could have been better,&#8221; Navetta said. &#8220;Even so, it was technically   multi-factor as described in the FFIEC guidance in the court’s opinion,   and &#8216;the best&#8217; was not necessary.&#8221;</p>
<p>The magistrate wrote that while the guidelines say two out of three of those factors should be incorporated, it says nothing about how banks must respond when one of those factors detects an anomaly. More importantly, the magistrate accepted the bank&#8217;s assertion that a device ID satisfied the &#8220;something the user has&#8221; requirement.</p>
<p>The magistrate was unswayed by evidence presented by Patco&#8217;s lawyers that modern malware threats like ZeuS can modify content in the victim&#8217;s browser (and thus prompt users for the answers to all of their secret questions). ZeuS also allows attackers to tunnel their communications through a victim&#8217;s own PC and browser, an attack method that can negate the value of a device ID as a second factor. Navetta said Patco&#8217;s main theory concerning the weakness of the bank&#8217;s security was that the lower dollar threshold set by the bank made customers easier prey for predators like the ZeuS Trojan, but that the magistrate was unconvinced by that argument because Patco did not have actual forensic evidence that a keystroke logger was the culprit. The magistrate said Patco erred by &#8220;having irreparably altered the  evidence on its hard drives by running scans on its computers and  continuing to use them prior to making proper forensic copies.&#8221;</p>
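<p>The interaction between the risk score, the dollar threshold and a browser-resident trojan is easier to see in code. The following is an added illustration, not code from Jack Henry, RSA or Cyota and not part of the original article; the scoring weights, the sample customer, the session records and the attacker scenarios are assumptions chosen to mirror the facts described above (a 0 to 1,000 score with 750 as the high-risk line, a $100,000 versus $1 dollar threshold, a device ID as the second factor).</p>

```python
"""Toy model of the login policy described above: password plus risk-scored
challenge questions, with a dollar threshold that forces the questions
regardless of score.  Added illustration, not Jack Henry, RSA or Cyota code;
the scoring weights, sample customer and sessions are assumptions."""
from dataclasses import dataclass, field

HIGH_RISK_SCORE = 750  # Cyota scale 0..1000; above 750 is "high risk" (from the article)


@dataclass
class Customer:
    user_id: str
    password: str
    known_device: str      # device ID / PC fingerprint the bank has on file
    home_country: str
    challenge: dict        # question -> answer


@dataclass
class Session:
    user_id: str
    password: str
    device_id: str
    ip_country: str
    amount: float
    answers: dict = field(default_factory=dict)


def risk_score(customer, session):
    """Stand-in for the risk engine: unfamiliar device and foreign IP add risk (assumed weights)."""
    score = 0
    if session.device_id != customer.known_device:
        score += 600
    if session.ip_country != customer.home_country:
        score += 400
    return score


def login(customer, session, dollar_threshold):
    """Return (granted, challenged). Questions are asked when the score exceeds
    HIGH_RISK_SCORE or the transfer amount reaches dollar_threshold."""
    if (session.user_id, session.password) != (customer.user_id, customer.password):
        return False, False
    challenged = (risk_score(customer, session) > HIGH_RISK_SCORE
                  or session.amount >= dollar_threshold)
    if not challenged:
        return True, False
    ok = all(session.answers.get(q) == a for q, a in customer.challenge.items())
    return ok, True


def simulate(dollar_threshold):
    """Play the scenario for one threshold and report each step's (granted, challenged)."""
    cust = Customer("patco", "hunter2", known_device="fp-office-pc", home_country="US",
                    challenge={"q1": "a1", "q2": "a2", "q3": "a3"})
    # Legitimate weekly payroll from the usual PC; the customer answers whatever is asked.
    legit = Session("patco", "hunter2", "fp-office-pc", "US", 25000.0, dict(cust.challenge))
    granted, challenged = login(cust, legit, dollar_threshold)
    # A browser-resident trojan sees everything the browser sends: if the
    # questions were asked, their answers are now in the attacker's hands.
    harvested = dict(cust.challenge) if challenged else {}
    # Attacker tunnelling through the victim's PC: same fingerprint, same IP.
    via_victim = Session("patco", "hunter2", "fp-office-pc", "US", 90000.0, harvested)
    # Attacker connecting from their own machine abroad.
    direct = Session("patco", "hunter2", "fp-attacker", "UA", 90000.0, harvested)
    return {
        "legit": (granted, challenged),
        "via_victim": login(cust, via_victim, dollar_threshold),
        "direct": login(cust, direct, dollar_threshold),
    }


if __name__ == "__main__":
    for threshold in (100_000, 1):
        print(f"threshold ${threshold:,}: {simulate(threshold)}")
```

<p>Running it shows the two points Patco's expert made. With the $100,000 threshold, the device ID still stops an attacker on a foreign machine (the questions are asked and the answers are unknown), but an attacker proxying through the victim's own PC is never challenged at all, because the fingerprint and IP match. With the $1 threshold the questions are asked on every payroll run, so a trojan on the customer's PC collects all three answers, and after that both the proxied and the direct attacker sessions succeed: the "second factor" adds nothing once it is exposed on every login.</p>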
<p>Avivah Litan said the methods used by Jack Henry to support Ocean Bank were <em>not</em> appropriate to the risks associated with online business banking in 2009.</p>
<p>&#8220;Zeus,  browser-based Trojans and other modern-day threats are known by anyone  following online banking security to circumvent all the methods that  were being used at the time by the bank and its processor,&#8221; Litan said. &#8220;Unfortunately,  the 2005 FFIEC guidance referred to examples of relatively crude online theft techniques that were commonplace in 2004 and 2005. The  cybercriminal  of 2011 has long ago bypassed and surpassed those old techniques.&#8221;</p>
<p>The FFIEC was on the  verge of releasing updated guidance at the end of last year to clarify the new and stronger types of multi-layered  defenses required in 2011.  Litan said those updates were expected to explain that the examples of strong online banking security  measures which they listed in 2005 have been rendered useless and  obsolete by next-generation cybercrime techniques.</p>
<p>&#8220;It’s truly disappointing  that the much-needed update was never issued, no doubt because of  internal politics and disagreements among the regulatory agencies,&#8221; she said. &#8220;The regulators should not leave these matters in judges&#8217; hands to  decide and should protect U.S. businesses from bank shortcomings that  compromise the safety and security of their accounts,  just as consumers  are protected under Regulation E. In my opinion, this judge did not  correctly interpret the 2005 FFIEC authentication guidance.&#8221;</p>
<p>Patco co-owner <strong>Mark Patterson </strong>said the company hasn&#8217;t yet decided whether to appeal.</p>
<p>&#8220;The one thing the judge mentioned in his decision is that there is basically zero case law on [question of what constitutes reasonable security] for the banks,&#8221; Patterson said. &#8220;Not anymore. That&#8217;s why we&#8217;re concerned this could have national implications. Tons of small businesses continue to be at a huge risk for this type of thing happening to them.&#8221;</p>
<p>The magistrate’s recommendations are by no means a done deal, even if the district court adopts them. The decision could be appealed, possibly all the way to the US Supreme Court. Interested parties could present further legal argument by filing amicus curiae (friend of the court) briefs at any time during the appeal process.</p>
<p>A copy of the recommended decision is available <a href="http://krebsonsecurity.com/wp-content/uploads/2011/06/PatcoRecommendedDecision.pdf" target="_blank">here</a> (PDF).</p>
<p>KrebsOnSecurity will continue to follow this case and to bring you updates on new developments as they happen. Stay tuned.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security/feed/</wfw:commentRss>
		<slash:comments>126</slash:comments>
		</item>
		<item>
		<title>Charting the Carnage from eBanking Fraud II</title>
		<link>http://krebsonsecurity.com/2010/11/charting-the-carnage-from-ebanking-fraud-ii/</link>
		<comments>http://krebsonsecurity.com/2010/11/charting-the-carnage-from-ebanking-fraud-ii/#comments</comments>
		<pubDate>Fri, 12 Nov 2010 06:04:08 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[ebanking fraud]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6500</guid>
		<description><![CDATA[Several readers have asked to be notified if the U.S. map showing recent victims of high-dollar online banking thefts was updated. Below is a (non-interactive) screen shot of the updated, interactive map that lives here. Click the red markers to see more detail about the victim at that location, including a link to a story [...]]]></description>
			<content:encoded><![CDATA[
<p>Several readers have asked to be notified if the U.S. map showing recent victims of high-dollar online banking thefts was updated. Below is a (non-interactive) screen shot of the updated, interactive map that <a href="http://www.batchgeo.com/map/483cd995e217a9dc46d4386db15413c5" target="_blank">lives here</a>. Click the red markers to see more detail about the victim at that location, including a link to a story about the attack.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/11/victmap2.jpg"><img class="aligncenter size-large wp-image-6501" title="victmap2" src="http://krebsonsecurity.com/wp-content/uploads/2010/11/victmap2-1024x615.jpg" alt="" width="600" height="360" /></a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/11/charting-the-carnage-from-ebanking-fraud-ii/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Crooks Who Stole $600,000 From Catholic Diocese Said Money Was for Clergy Sex Abuse Victims</title>
		<link>http://krebsonsecurity.com/2010/08/crooks-who-stole-600000-from-catholic-diocese-said-money-was-for-clergy-sex-abuse-victims/</link>
		<comments>http://krebsonsecurity.com/2010/08/crooks-who-stole-600000-from-catholic-diocese-said-money-was-for-clergy-sex-abuse-victims/#comments</comments>
		<pubDate>Mon, 30 Aug 2010 15:30:18 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[Catholic Diocese of Des Moines]]></category>
		<category><![CDATA[Daniel Higgins]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[moneygram]]></category>
		<category><![CDATA[Wester Union]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=4791</guid>
		<description><![CDATA[Organized thieves stole more than $600,000 from the <strong>Catholic Diocese of Des Moines, Iowa</strong> earlier this month, sending the money in small chunks overseas with the help of dozens of co-conspirators here in the United States.]]></description>
			<content:encoded><![CDATA[
<p>Organized cyber thieves stole more than $600,000 from the <strong>Catholic Diocese of Des Moines, Iowa</strong> earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals, KrebsOnSecurity.com has learned.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/08/ddm.jpg"><img class="alignright size-medium wp-image-4795" title="ddm" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/ddm-300x93.jpg" alt="" width="300" height="93" /></a>In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese&#8217;s online banking credentials. The diocese said it was alerted to the fraud on Aug. 17 by its financial institution, <strong>Bankers Trust</strong> of Des Moines.</p>
<p>The diocese also said the <strong>FBI</strong> and <strong>U.S. Treasury Department </strong>were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered.</p>
<p>The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries.</p>
<p>&#8220;While the Diocese of Des Moines is protected by insurance and anticipates the restoration of the funds, we have been advised that such criminal activity is rampant,&#8221; <strong>Des Moines Bishop Richard Pates</strong> said. &#8220;Obviously, any entity that experiences such a crime should be significantly concerned.&#8221;</p>
<p>Once again, the theft involves so-called <a href="http://krebsonsecurity.com/2010/05/fbi-promises-action-against-money-mules/" target="_blank">money mules</a> willingly or unwittingly  recruited by a specific money mule cash-out gang whose work I have  written about several times already. Among the mules involved in this incident was a man in Newnan, Ga. who received almost $30,000 of the church&#8217;s cash. <strong>Daniel Huggins</strong>, the 29-year-old owner of <strong>Masonry Construction Group LLC</strong>, got mixed up with a company calling itself the <strong>Impeccable Group</strong>, claiming to be an international finance company operating out of New York.</p>
<p>Huggins said the Impeccable Group recruited him via e-mail, claiming it had found his resume on job search site <strong>Monster.com</strong>. The Impeccable Group told him he would be doing payment processing for the company, and on Aug. 16, Huggins&#8217; erstwhile employers sent him two payments, one for almost $20,000 and another for slightly less than $10,000.</p>
<p>Huggins said he contacted the Impeccable Group shortly after the transfers because the amounts seemed quite high and the transfers appeared to be coming from the Catholic Church. The scammers apparently were ready for this question and were quick on their feet with a reply that was as plausible as it was diabolical: Huggins was told the money was going to be distributed as legal settlements to people who had been affected by the <a href="http://www.americancatholic.org/news/clergysexabuse/" target="_blank">clergy sexual abuse scandals</a> that have rocked the church in recent years.</p>
<p>&#8220;They told me it was going to be payouts to some of the settlements in the sex crimes cases against the Church,&#8221; Huggins said.</p>
<p><span id="more-4791"></span></p>
<p>Huggins&#8217; bank discovered the fraud and froze his account while there was still almost $10,000 left in it from the fraudulent transfers. Huggins said he was told to expect a call from lawyers for the Des Moines diocese, but he&#8217;s conflicted about whether he will return the money he made from his part in the scam: Minus the <strong>Western Union</strong> and <strong>Moneygram</strong> wire fees, Huggins earned commissions totaling nearly $800 for helping the thieves transfer the stolen money out of the country.</p>
<p>&#8220;I already sent the money to pay off my credit card balance,&#8221; Huggins said. &#8220;I guess I&#8217;m still up in the air on that one.&#8221;</p>
<p>The screen shots below were taken of Huggins&#8217; &#8220;task manager,&#8221; an online communications panel that Impeccable Group used to communicate with money mules they had recruited.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh.jpg"><img class="aligncenter size-full wp-image-4794" title="cdd-dh" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh.jpg" alt="" width="561" height="573" /></a></p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh2.jpg"><img class="aligncenter size-full wp-image-4799" title="cdd-dh2" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh2.jpg" alt="" width="526" height="807" /></a></p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh3.jpg"><img class="aligncenter size-full wp-image-4800" title="cdd-dh3" src="http://krebsonsecurity.com/wp-content/uploads/2010/08/cdd-dh3.jpg" alt="" width="501" height="806" /></a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/08/crooks-who-stole-600000-from-catholic-diocese-said-money-was-for-clergy-sex-abuse-victims/feed/</wfw:commentRss>
		<slash:comments>43</slash:comments>
		</item>
		<item>
		<title>Texas Firm Blames Bank for $50,000 Cyber Heist</title>
		<link>http://krebsonsecurity.com/2010/08/texas-firm-blames-bank-for-50000-cyber-heist/</link>
		<comments>http://krebsonsecurity.com/2010/08/texas-firm-blames-bank-for-50000-cyber-heist/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 13:21:38 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[Community Bank]]></category>
		<category><![CDATA[Deans Lyons]]></category>
		<category><![CDATA[Gary Evans]]></category>
		<category><![CDATA[Hi-Line Supply Inc.]]></category>
		<category><![CDATA[Inc.]]></category>
		<category><![CDATA[Josh Enlow]]></category>
		<category><![CDATA[Michael Lyons]]></category>
		<category><![CDATA[money mules]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=4274</guid>
		<description><![CDATA[A business telephone equipment company in Texas is trying to force its bank into a settlement over an attack by organized cyber thieves last year that cost the company $50,000.

Attorneys for Dallas-based <strong>Hi-Line Supply Inc. </strong>recently convinced a state court to require depositions from officials at <strong>Community Bank, Inc.</strong> of Rockwall, Texas, to learn more about what the bank knew in the days and hours surrounding Aug. 20, 2009, when crooks broke into the company's online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.]]></description>
			<content:encoded><![CDATA[
<p>A business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000.</p>
<p>Attorneys for Dallas-based <strong>Hi-Line Supply Inc. </strong>recently convinced a state court to require depositions from officials at <strong>Community Bank, Inc.</strong> of Rockwall, Texas. Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company&#8217;s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.</p>
<p>While the contents of that deposition remain closed under a confidentiality order, Hi-Line&#8217;s lawyers say the information gleaned in the interviews shows serious security missteps by Community Bank, and that they are ready to sue if the bank does not offer a settlement.</p>
<p>&#8220;In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the <a href="http://www.statutes.legis.state.tx.us/SOTWDocs/BC/htm/BC.17.htm" target="_blank">Texas Deceptive Trade Practices Act</a>, fraud, and breach of warranties, among other things,&#8221; said <strong>Michael Lyons</strong>, a partner with the Dallas law firm <a href="http://deanslyons.com/" target="_blank">Deans Lyons</a>.</p>
<p>Hi-Line president <strong>Gary Evans</strong> said the fraud began on Thursday, Aug. 20, about the same time the company processes its normal $25,000 payroll. After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24.</p>
<p><span id="more-4274"></span></p>
<p>Evans said he had trouble logging in to his account on Thursday and had the bank reset his password, but the fraudulent transactions hadn&#8217;t shown up on his account at that time. He said he took that Friday off as he always does, and when he tried again to log in after returning to work on Monday, he again found the bank&#8217;s site would not accept his password.</p>
<p>&#8220;When I finally got the bank to reset my password and got into my account, I noticed the duplicate payroll batches and said &#8216;Why are you all pulling my payroll out three times?&#8217;&#8221; Evans said of his recollection of how he came to realize his firm had been robbed.  &#8220;At the time, as I was resetting my password, I had to scroll through the bank&#8217;s online customer agreement, which basically said the bank is not responsible for any fraud. I should have known at that point that they were not going to take any responsibility for this at all.&#8221;</p>
<p>Evans said the bank should have detected that something was amiss, and not just because of the unusual and repeated payroll batches. He said the crooks accessed his account from five different Internet addresses with locations that were nowhere near Texas, including from computers located more than 1,300 miles away, in Washington, D.C. and Maryland.</p>
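<p>Both signals Evans points to, a payroll batch repeated at nearly the same amount on consecutive business days and logins from addresses far from the customer's usual location, are cheap to check on the bank side. The block below is an added example written for this page, not Community Bank's or Hi-Line's code or logs; the ACH batch records, the login records (RFC 5737 documentation addresses with approximate coordinates) and the home location are constructed to resemble the sequence described in the article.</p>

```python
"""Two checks a bank could run on the activity Hi-Line describes: payroll
batches repeated at near-identical amounts within days, and logins from IP
addresses far from the customer's normal location.  Added example; the
records below are constructed (RFC 5737 documentation IPs, approximate
coordinates) rather than Hi-Line's or Community Bank's logs."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3959.0

# Constructed ACH batches: the real payroll on Thu Aug 20, then two near-copies.
BATCHES = [
    {"ts": "2009-08-20T09:12", "amount": 25000.00, "kind": "payroll"},
    {"ts": "2009-08-21T08:47", "amount": 24980.00, "kind": "payroll"},
    {"ts": "2009-08-24T07:55", "amount": 25010.00, "kind": "payroll"},
]

# Constructed login records with approximate geolocation of the source IP.
LOGINS = [
    {"ts": "2009-08-20T09:10", "ip": "192.0.2.10",   "lat": 32.78, "lon": -96.80},  # Dallas
    {"ts": "2009-08-20T09:41", "ip": "198.51.100.7", "lat": 38.90, "lon": -77.04},  # Washington, D.C.
    {"ts": "2009-08-21T08:45", "ip": "198.51.100.9", "lat": 39.29, "lon": -76.61},  # Baltimore
    {"ts": "2009-08-24T07:50", "ip": "203.0.113.4",  "lat": 38.90, "lon": -77.04},  # Washington, D.C.
    {"ts": "2009-08-24T07:53", "ip": "203.0.113.8",  "lat": 39.29, "lon": -76.61},  # Baltimore
]

HOME = (32.93, -96.46)  # Rockwall, Texas (approximate)


def miles_between(a, b):
    """Great-circle distance between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def repeated_batches(batches, window_days=7, tolerance=0.05, kind="payroll"):
    """Flag a batch that repeats an earlier batch of the same kind within
    window_days at an amount within tolerance of it."""
    flagged = []
    seen = []
    for b in sorted(batches, key=lambda r: r["ts"]):
        if b["kind"] != kind:
            continue
        t = datetime.fromisoformat(b["ts"])
        for earlier in seen:
            t0 = datetime.fromisoformat(earlier["ts"])
            close_in_time = (t - t0).days <= window_days
            close_in_size = abs(b["amount"] - earlier["amount"]) <= tolerance * earlier["amount"]
            if close_in_time and close_in_size:
                flagged.append(b)
                break
        seen.append(b)
    return flagged


def distant_logins(logins, home=HOME, max_miles=300.0):
    """Return logins whose source geolocation is more than max_miles from home."""
    return [rec for rec in logins if miles_between(home, (rec["lat"], rec["lon"])) > max_miles]


if __name__ == "__main__":
    for b in repeated_batches(BATCHES):
        print("repeated payroll batch:", b)
    for rec in distant_logins(LOGINS):
        dist = miles_between(HOME, (rec["lat"], rec["lon"]))
        print(f"distant login {rec['ip']} at {rec['ts']}: {dist:.0f} mi from home")
```

<p>On the constructed data the second and third payroll batches are flagged as repeats of the first, and four of the five logins are more than a thousand miles from Rockwall. Neither rule alone proves fraud (a customer travels, a payroll correction is re-submitted), but either one firing on a commercial account should at least hold the batch for an out-of-band confirmation call, which is the kind of step Evans argues the bank skipped.</p>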
<p>Community Bank did not respond to requests for comment. But in protesting the deposition, Community Bank <a href="http://krebsonsecurity.com/wp-content/uploads/2010/07/04.20.10-Bank-Response2.pdf" target="_blank">claims</a> (PDF) that hackers had infiltrated Evans&#8217; computer with a virus and used it to steal his online banking credentials, which included a user name, password, PIN and several challenge/response questions.</p>
<p>The organized criminal gang that hacked and robbed Hi-Line could not have succeeded without the assistance of &#8220;money mules,&#8221; accomplices who were willingly or unwittingly hired through work-at-home job schemes to help cyber thieves launder stolen funds. Among those lured into the scam was <strong>Josh Enlow</strong>, a 28-year-old gas station attendant in Phoenix. Enlow said he was hired by an entity calling itself <strong>The Total Group Co.</strong>, which initially contacted him in an e-mail stating it had found his resume on a job search Web site, and would he be interested in an &#8220;accounts payable&#8221; position?</p>
<p>A few weeks later, Enlow received “several” (he says he doesn’t recall how many) deposits — including one transfer for more than $8,400. He then wired the money to individuals in Eastern Europe as instructed, he said. (See screen shots below taken from the Total Group Web site.)</p>
<div id="attachment_4302" class="wp-caption aligncenter" style="width: 593px"><a href="http://krebsonsecurity.com/wp-content/uploads/2010/07/joshenlow.jpg"><img class="size-full wp-image-4302" title="joshenlow" src="http://krebsonsecurity.com/wp-content/uploads/2010/07/joshenlow.jpg" alt="" width="583" height="942" /></a><p class="wp-caption-text">The receipt Enlow received for one of the transfers from Hi-Line&#39;s hacked account.</p></div>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/08/texas-firm-blames-bank-for-50000-cyber-heist/feed/</wfw:commentRss>
		<slash:comments>54</slash:comments>
		</item>
		<item>
		<title>The Case for Cybersecurity Insurance, Part II</title>
		<link>http://krebsonsecurity.com/2010/07/the-case-for-cybersecurity-insurance-part-ii/</link>
		<comments>http://krebsonsecurity.com/2010/07/the-case-for-cybersecurity-insurance-part-ii/#comments</comments>
		<pubDate>Wed, 14 Jul 2010 14:22:43 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[ach fraud]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3818</guid>
		<description><![CDATA[When cyber crooks stole nearly $35,000 this year from Brookeland Fresh Water Supply District in East Texas, the theft nearly drained the utility's financial reserves. Fortunately for the 1,300 homes and businesses it serves, Brookeland had purchased cyber security insurance, and now appears on track to recoup all of the unrecovered funds in exchange for a mere $500 deductible.

As this attack and a related case study I wrote about last month shows, cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts.]]></description>
			<content:encoded><![CDATA[
<p>When cyber crooks stole nearly $35,000 this year from <strong>Brookeland Fresh Water Supply District</strong> in East Texas, the theft nearly drained the utility&#8217;s financial reserves. Fortunately for the 1,300 homes and businesses it serves, Brookeland had purchased cyber security insurance, and now appears on track to recoup all of the unrecovered funds in exchange for a $500 deductible.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/07/cashflow.jpg"><img class="alignright size-medium wp-image-4040" title="cashflow" src="http://krebsonsecurity.com/wp-content/uploads/2010/07/cashflow-257x300.jpg" alt="" width="257" height="300" /></a>As this attack and <a href="http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/" target="_blank">a related case study I wrote about last month</a> show, cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts.</p>
<p>The attack on Brookeland&#8217;s Internet banking account began on Friday, April 9, about the time that General Manager <strong>Trey Daywood</strong> had authorized the utility&#8217;s payroll transfer &#8212; just a half hour before the bank&#8217;s 2 p.m. cutoff time. A few minutes later, unidentified hackers went in and deleted Daywood&#8217;s payroll batch and set up their own payroll, sending sub-$10,000 payments to seven individuals across the United States who were recruited to <a href="http://krebsonsecurity.com/2010/04/to-catch-a-mule/" target="_blank">help launder the money through work-at-home job scams</a>.</p>
<p>Daywood soon heard from his financial institution, Texas-based <strong>First National Bank</strong>, which thought the $34,038 amount was quite a bit higher than the organization&#8217;s regular payroll total. But the bank only called after it had finished processing the fraudulent transfers, and most of the unauthorized payments still were sent out the following Monday.</p>
<p><span id="more-3818"></span></p>
<p>&#8220;It was only after I signed affidavits of forgery and had them notarized that our financial institution began the process of trying to retrieve the money,&#8221; Daywood said. &#8220;It was very clear from the beginning that their attitude was, &#8216;Hey, it’s not our problem.&#8217; Which was professionally disappointing to me.&#8221;</p>
<p>I contacted First National multiple times for a comment on this story, but have yet to hear back from them. I will update this story if that changes.</p>
<p>Financial institutions are required to use &#8220;commercially reasonable&#8221; security measures to deter fraudulent attacks, but <a href="http://krebsonsecurity.com/2010/03/regulators-revisit-e-banking-security-guidelines/" target="_blank">experts say</a> just how far banks need to go for their security to be considered reasonable is a standard that is ill-defined, and is likely to be decided by several <a href="http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html" target="_blank">ongoing</a> <a href="http://krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/" target="_blank">lawsuits</a> filed in state courts. Banking regulators also encourage institutions to use so-called &#8220;multi-factor authentication,&#8221; or a user name and password in addition to some other type of authentication mechanism. However, according to Daywood, First National Bank allowed commercial customers to access their accounts online with nothing more than a user name and password.</p>
<p>When consumers lose money due to cyber fraud, retail banks are required by law to refund the money &#8212; provided the victim doesn&#8217;t wait too long in reporting the unauthorized charges. Commercial banks, however, are under no such obligation, although they usually will work with the victim customer to try to reverse as many of the fraudulent transfers as possible.</p>
<p>According to Brookeland, First National Bank managed to reverse a little less than half of the bogus transfers &#8212; $15,338 to be precise.</p>
<p>Daywood said the attackers also evaded procedural security measures the company put in place to ensure that two employees signed off on every transaction. Prior to the attack, another Brookeland employee was responsible for initiating payments &#8212; including payroll batches &#8212; but that employee had no authority to approve the transactions.</p>
<p>&#8220;They went in and changed the authority of that employee to make it possible for her to create and initiate the fraudulent batch under her login name,&#8221; Daywood said. &#8220;It’s a mystery as to how they could do that, because I am supposed to be the only one who has authority to do that through my admin account.&#8221;</p>
<p>Daywood said he expects Brookeland will recover the remaining lost funds through its insurance program. But he said the incident has consumed most of his time for the past several months.</p>
<p>&#8220;I&#8217;ve lived, breathed, ate and slept this since it happened,&#8221; Daywood said. &#8220;You’re looking at hundreds of hours of research, on and on.&#8221;</p>
<p>Further reading:</p>
<p><a href="http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/" target="_blank">The Case for Cybersecurity Insurance, Part I</a></p>
<p><a href="http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html" target="_blank">Avoid Windows Malware: Bank on a Live CD</a></p>
<p><a href="http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html" target="_blank">E-banking on a Locked Down (non-Microsoft) PC</a></p>
<p><a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">Target: Small Businesses</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/07/the-case-for-cybersecurity-insurance-part-ii/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
		<item>
		<title>The Case for Cybersecurity Insurance, Part I</title>
		<link>http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/</link>
		<comments>http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/#comments</comments>
		<pubDate>Tue, 22 Jun 2010 16:41:02 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[Ann Talbot]]></category>
		<category><![CDATA[California Bank of Commerce]]></category>
		<category><![CDATA[cybersecurity insurance]]></category>
		<category><![CDATA[Golden State Bridge]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[Virginia Robbins]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3706</guid>
<description><![CDATA[In very few of the many stories I've written about online banking fraud against businesses has insurance paid for much -- if any -- of the losses victim companies suffered. However, several victims I've interviewed from recent incidents did have cybersecurity insurance coverage bundled as part of larger business risk insurance policies; in each case, the businesses suffered fairly substantial thefts, and appear likely to recoup all of their direct financial losses.]]></description>
			<content:encoded><![CDATA[
<p>In very few of the <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">many stories</a> I&#8217;ve written about online banking fraud against businesses has insurance paid for much &#8212; if any &#8212; of the losses victim companies suffered. However, several victims I&#8217;ve interviewed in recent incidents <em>did</em> have cybersecurity insurance coverage bundled as part of larger business risk insurance policies. In each case, the businesses suffered fairly substantial thefts, and appear likely to recoup all of their direct financial losses.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/06/gsb.jpg"><img class="alignright size-medium wp-image-3710" title="gsb" src="http://krebsonsecurity.com/wp-content/uploads/2010/06/gsb-300x131.jpg" alt="" width="300" height="131" /></a>The most recent incident involved <a href="http://www.gsbridge.com/" target="_blank">Golden State Bridge Inc.</a>, a Martinez, Calif. engineering and construction company that builds bridges. The thieves used an extremely stealthy but as-yet-unclassified strain of malicious software to steal the company&#8217;s online banking credentials, and on May 19th, the crooks used that access to set up a series of fraudulent payroll payments totaling more than $125,000.</p>
<p>Initially, the attackers set up two batches of <a href="http://en.wikipedia.org/wiki/Automated_Clearing_House" target="_blank">automated clearing house</a> (ACH) payments – one for $50,000 and another for $75,000 – effectively sending a series of transfers to a dozen different <a href="http://krebsonsecurity.com/?s=money+mule&amp;x=0&amp;y=0" target="_blank">money mules</a>, willing or unwitting individuals lured into helping the criminals launder stolen funds by wiring the funds overseas and taking a small commission (usually 8 percent) for themselves.</p>
<p>When the first two batches were processed by Golden State&#8217;s bank on May 20, the thieves apparently figured they were home free, and set in motion another seven bundles of fraudulent payments for several hundred thousand dollars more, according to <strong>Ann Talbot</strong>, the company&#8217;s chief financial officer.</p>
<p>&#8220;Once they executed those first two successfully, they must have been like, &#8216;Oh, we&#8217;ve hit the mother lode! Let&#8217;s go for it!&#8217;,&#8221; Talbot recalled. &#8220;Had they succeeded in putting those through, we and the bank would have been looking at losses of more than $750,000.&#8221;</p>
<p>But Talbot noticed the fraudulent transfers the day the money started moving out of Golden State&#8217;s accounts, and sprang into action to get the seven new batches canceled. Unfortunately, by that point most of the mules who were sent loot in the first two batches had already withdrawn their transfers.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/04/ebankvictims.jpg"><img class="alignleft size-medium wp-image-2656" title="ebankvictims" src="http://krebsonsecurity.com/wp-content/uploads/2010/04/ebankvictims-300x140.jpg" alt="" width="300" height="140" /></a>Talbot said nearly all of the money mules were located on the East Coast, which she believes is a tactic designed to give the attackers the longest head start possible before West Coast victims notice the fraudulent transfers.</p>
<p>&#8220;These mules were with East Coast banks, and most of them had [withdrawn] the money from their banks before we were even open for business,&#8221; Talbot said.</p>
<p>For what it&#8217;s worth, I observed this same pattern of the thieves relying mainly on East Coast mules in an earlier post, <a href="http://krebsonsecurity.com/2010/04/charting-the-carnage-from-ebanking-fraud/" target="_blank">Charting the Carnage from eBanking Fraud</a>.</p>
<p>SECRET QUESTION CHECKUPS</p>
<p>Like many financial institutions serving primarily business customers, the <strong>California Bank of Commerce</strong> &#8212; Golden State&#8217;s bank &#8212; pushes most of the security and authentication for its online banking systems out to customers, requiring a simple username and password, and occasionally prompting customers to provide the correct answer to one or more of their &#8220;secret questions&#8221;.</p>
<p><span id="more-3706"></span></p>
<p>According to Golden State Bridge, the bank has a curious practice of automatically verifying all of its customers&#8217; secret questions and answers every 180 days.</p>
<p>&#8220;So how does it do this? It flashes them on your screen and asks, &#8216;Are these your secret questions and answers? Click &#8216;Yes&#8217; or &#8216;No&#8217;,&#8221; Talbot said.</p>
<p>And when was the last time Golden State was prompted to confirm their secret questions and answers? Why, the very day before the fraudulent transfers began, Talbot said.</p>
<p>&#8220;I don&#8217;t know how long that malware or Trojan was on our machine, it could have been weeks or months,&#8221; Talbot recalled. &#8220;All I know is, we saw this fraud the day after the bank prompted us to confirm all five of those questions and answers.&#8221;</p>
<p><strong>Virginia Robbins</strong>, chief administrative officer at California Bank of Commerce, declined to discuss Golden State&#8217;s claims or even confirm whether the company was a customer. But she emphasized that security is never about just software and hardware.</p>
<p>&#8220;Any financial institution can put all of the controls they want in place, but if their client isn&#8217;t following the instructions or doing things properly, there are certain challenges,&#8221; Robbins said. &#8220;We do look for all of our clients to use dual controls, and we want to make sure there are multiple points of control. Because what we&#8217;re seeing today is that a malware compromise can happen at a single point in the system, and so there have to be multiple controls in place on the customer&#8217;s side.&#8221;</p>
<p>Indeed, Talbot acknowledges that she and her co-workers aren&#8217;t blameless in this incident. For example, the company had previously instituted a series of checks and balances to ensure that no single employee could both initiate and approve a payroll batch. Yet, at one point recently, Golden State Bridge undid that protection to accommodate a special case, but never bothered to put those restrictions back into place.</p>
<p>THIRD TIME&#8217;S A CHARM?</p>
<p>Golden State Bridge purchased $1 million worth of cybersecurity insurance as part of a broader business risk policy offered by <a href="http://www.archinsurance.com/" target="_blank">Arch Insurance Group</a>, one of several firms now offering cybersecurity coverage. The company decided to get the insurance after suffering another major cyber crime incident almost three years ago.</p>
<p>In 2007, Golden State was banking with a financial institution aptly named <strong>Bridge Bank</strong> located in downtown San Jose. One day, the company opened for business to find that someone had wired $79,000 out of its accounts, destined for an account in Russia. Talbot said Bridge Bank shared the Internet address from which the fraudulent online login originated, and that she traced it back to servers operating out of a large building just four blocks away at 55 South Market St.</p>
<p>The owner of those servers was a <a href="http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html" target="_blank">problematic</a> [and now defunct] hosting provider named <strong>McColo</strong>. In 2008, in response to questions from <em>The Washington Post</em> and security researchers about <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/11/19/AR2008111903075.html" target="_blank">massive amounts of fraud, spam and other cyber crime</a> activity flowing in and out of McColo&#8217;s servers, the hosting provider&#8217;s two upstream Internet providers <a href="http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html" target="_blank">pulled the plug</a> on the company. As a result, the volume of spam sent worldwide <a href="http://voices.washingtonpost.com/securityfix/2008/11/spam_volumes_drop_by_23_after.html" target="_blank">tanked overnight</a> &#8212; by some estimates as much as 75 percent. A nest of other fraudulent activity also evaporated (at least for a while) after McColo&#8217;s unplugging: One expert I spoke with who helps retailers control online fraud told me $250,000 worth of retail fraud committed against his customers on a typical day <a href="http://voices.washingtonpost.com/securityfix/2008/12/mccolo_shutdown_killed_retaile.html" target="_blank">completely stopped</a> the day McColo was unplugged.</p>
<p>Talbot said she&#8217;s glad Golden State purchased the insurance: The company managed to recover three of the fraudulent transactions, and its total loss now stands at just shy of $100,000. Golden State Bridge is confident that after paying its $10,000 deductible, the insurance company will cover the rest &#8212; probably by going after the bank. But Talbot said she&#8217;s worried she won&#8217;t be able to afford cyber risk insurance after this latest incident.</p>
<p>&#8220;I don&#8217;t think it will be offered to us again, or if it is, the cost will probably be so incredibly prohibitive that it may not be worth it,&#8221; Talbot said.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/feed/</wfw:commentRss>
		<slash:comments>60</slash:comments>
		</item>
		<item>
		<title>Using Windows for a Day Cost Mac User $100,000</title>
		<link>http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/</link>
		<comments>http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/#comments</comments>
		<pubDate>Wed, 02 Jun 2010 04:11:27 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[DKG Enterprises]]></category>
		<category><![CDATA[Joe Dunn]]></category>
		<category><![CDATA[Mac]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3247</guid>
		<description><![CDATA[David Green normally only accessed his company's online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm's account. Trouble was, he'd left his Mac at work. So he decided to log in to the company's bank account using his wife's Windows PC.

Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.

A few days later, the crooks used those same credentials to steal nearly $100,000 from the company's online accounts, sending the money in sub-$10,000 and sub-$5,000 chunks to 14 individuals across the United States.]]></description>
			<content:encoded><![CDATA[
<p><strong>David Green</strong> normally only accessed his company&#8217;s online bank account from his trusty <strong>Mac</strong> laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm&#8217;s account. Trouble was, he&#8217;d left his Mac at work. So he decided to log in to the company&#8217;s bank account using his wife&#8217;s <strong>Windows PC</strong>.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/pig-e-bank.jpg"><img class="alignright size-medium wp-image-3317" title="pig-e-bank" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/pig-e-bank-262x300.jpg" alt="" width="262" height="300" /></a>Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.</p>
<p>A few days later, the crooks used those same credentials to steal nearly $100,000 from the company&#8217;s online accounts, sending the money in sub-$10,000 and sub-$5,000 chunks to 14 individuals across the United States.</p>
<p>Now, Green&#8217;s firm &#8212; <strong>DKG Enterprises</strong>, a party supplies firm based in Oklahoma City &#8212; is wrangling with its bank over who should pay for the loss, said <strong>Joe Dunn</strong>, the company&#8217;s controller. So far, DKG has managed to recover just $22,000 of the $98,000 stolen in the April 27 incident.</p>
<p>Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I&#8217;ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What&#8217;s more, the tools these crooks are using &#8212; mainly the Zeus Trojan &#8212; almost always outpace anti-virus detection at least by a few days, and by then it&#8217;s usually too late.</p>
<p>But the advice about banking on a dedicated, non-Windows machine only works if you follow it <em>all the time</em>. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only <em>some of the time.</em></p>
<p><span id="more-3247"></span></p>
<p>&#8220;He knew better than that,&#8221; Dunn said of his boss&#8217;s logging into the family Windows machine. &#8220;The thing about it is this wouldn&#8217;t have been able to happen if the security had been in place that is currently in place, which means he can only access the bank&#8217;s site from his Mac. We no longer allow access from any other computer other than his.&#8221;</p>
<p>Dunn said that not long after the fraudulent transfers were sent out, he heard from one of the <a href="http://krebsonsecurity.com/2010/05/fbi-promises-action-against-money-mules/" target="_blank">money mules</a> that were sent the firm&#8217;s money and asked to wire it overseas to the fraudsters.</p>
<p>&#8220;This guy, he went to go use his debit card to fill up his car at a gas station and his card was declined,&#8221; Dunn said. &#8220;He was trying to figure out what had happened, so he researched where the money came from, went online and called the first number he could find and of course he got me. All I could do is refer him to the FBI. I think he&#8217;d figured out by that point what had happened.&#8221;</p>
<p>Dunn added the company&#8217;s bank is disavowing any responsibility for the incident, but that there is a small silver lining.</p>
<p>&#8220;Our take is we weren’t provided the utmost security to prevent this from happening,&#8221; he said. &#8220;It’s sad in this day and age, and we&#8217;ll probably have to take it as a hard lesson learned. On the bright side, though, the owner&#8217;s wife now has a new Mac.&#8221;</p>
<p>Further Reading: <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">Target: Small Businesses</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/feed/</wfw:commentRss>
		<slash:comments>204</slash:comments>
		</item>
		<item>
		<title>A Stroll Down Victim Lane</title>
		<link>http://krebsonsecurity.com/2010/05/a-stroll-down-victim-lane/</link>
		<comments>http://krebsonsecurity.com/2010/05/a-stroll-down-victim-lane/#comments</comments>
		<pubDate>Mon, 10 May 2010 17:14:54 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[Cooperstown]]></category>
		<category><![CDATA[duanesburg central school district]]></category>
		<category><![CDATA[Jackson Demolition]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[schenectady]]></category>
		<category><![CDATA[taxes]]></category>
		<category><![CDATA[taxreturnsworld.com]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[ZeuS Trojan]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=2891</guid>
<description><![CDATA[Last week I traveled to Cooperstown, N.Y. to deliver a keynote address about the scourge of online banking fraud that I've written about so frequently this past year. I flew into Albany, and in the short, 60-minute drive west to Cooperstown, I passed through tiny Duanesburg, a town whose middle school district is still out a half million dollars from e-banking fraud. On my way to Cooperstown, I also passed within a few minutes of several other recent victims -- including a wrecking firm based in Schenectady that lost $70,000 last month when organized thieves raided its online bank account.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/05/jacksondemo.jpg"><img class="alignright size-medium wp-image-2912" title="jacksondemo" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/jacksondemo-257x300.jpg" alt="" width="257" height="300" /></a>Last week I traveled to <strong>Cooperstown, N.Y.</strong> to deliver a keynote address about the scourge of online banking fraud that I&#8217;ve written about so frequently this past year. I flew into Albany, and in the short, 60-minute drive west to Cooperstown, I passed through tiny <strong>Duanesburg</strong>, a town whose middle school district is <a href="http://krebsonsecurity.com/2010/01/fbi-investigating-theft-of-500000-from-ny-school-district/" target="_blank">still out a half million dollars</a> from e-banking fraud. On my way to Cooperstown, I also passed within a few minutes of several other recent victims &#8212; including a wrecking firm based in <strong>Schenectady</strong> that lost $70,000 last month when organized thieves raided its online bank account.</p>
<p><strong>Alexander &#8220;Sandy&#8221; Jackson</strong>&#8216;s world started crashing down on Apr. 20, the day he learned that more than $70,000 of the company&#8217;s cash had been transferred to 10 complete strangers scattered about the United States. Since then, the owner of <a href="http://www.jacksondemolition.com/index.html" target="_blank">Jackson Demolition Service</a> has spent a good deal of time trying to retrieve that money. So far, he and his bank have recovered about one-third of the amount stolen.</p>
<p>Oddly enough, Jackson first learned of the fraud after being contacted by an individual who received close to $5,000 of the firm&#8217;s money.</p>
<p>That individual was Montgomery, Ala. resident <strong>April Overton</strong>. In March, Overton responded to an e-mail from a company that said it found her resume on <strong>Careerbuilder.com</strong>, and would she be interested in a work-at-home job entering tax information on behalf of American tax filers? Overton said she accepted the job, and for more than a month worked several hours each day completing various tax forms with personal tax information sent to her via e-mail, forms that she then had to fax back to her employers, who claimed to be <strong>Tax World LLC</strong>, at <strong>www.taxreturnsworld.com</strong>.</p>
<p>&#8220;I was basically processing tax returns, and they&#8217;d have me log in to a site every morning between the hours of 8:30 a.m. and 11:30 a.m., and would send me information, have me filling out [IRS Form] 1040 tax returns,&#8221; Overton said.</p>
<p><span id="more-2891"></span></p>
<p>The information at taxreturnsworld.com indicates that the company is based in New Jersey, and that it has been in business since 2002. However, the state has no record of a business by that name, and the domain name was registered in March 2010 via a Russian domain name registrar. In addition, the same Web server hosts an identical site reachable through the domain worldtaxreturns.com. A message left at the phone number listed on both sites was not returned.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/05/taxreturnsworld.jpg"><img class="alignleft size-medium wp-image-2921" title="taxreturnsworld" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/taxreturnsworld-300x237.jpg" alt="" width="300" height="237" /></a>Overton said she spent more than a month entering and faxing tax information for Tax World before she was paid. The payment took the form of an unexpected $4,700 deposit into her bank account from a company in North Carolina. She said she spent that money, assuming it was payment for her work, until the deposit was recalled by the issuing bank, at which point her account went thousands of dollars into the red.</p>
<p>A few days later, she received another $4,700 deposit, this time from Jackson Demolition Service. Suspecting that the rug was about to be pulled out from beneath her yet again, she picked up the phone and called the wrecking firm, effectively alerting workers there to the missing money. Overton&#8217;s bank, however, appears to have used the deposit from Jackson to replace the overdraft amount from the previous deposit from the North Carolina firm.</p>
<p>&#8220;She got a $4,700 deposit and spent it right away, but her bank overdrafted her account because that deposit got recalled,&#8221; Jackson said. &#8220;Then my money comes flying in there and her bank grabs that to replace the missing money.&#8221;</p>
<p>Overton has promised to repay the $4,700 to Jackson. Meanwhile, it remains unclear what Overton&#8217;s employers were doing, if anything, with the completed tax forms, although experts say it&#8217;s not uncommon for organized criminal groups to secretly file taxes on behalf of other people, request a refund and then later request that the refund check be sent to a new address.</p>
<p>The closing slide in my presentation up in New York included a list of tips that I urged small business owners in the audience to consider in order to avoid becoming the next victim of this type of crime. The thrust of my speech was that today&#8217;s attacks against online banking have become so sophisticated that banks need to adopt authentication mechanisms that work even when their customers&#8217; PCs are already compromised by organized criminal gangs.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/05/newyork-015thumb.jpg"><img class="alignright size-medium wp-image-2926" title="newyork 015thumb" src="http://krebsonsecurity.com/wp-content/uploads/2010/05/newyork-015thumb-225x300.jpg" alt="" width="225" height="300" /></a>Unfortunately, very few commercial banks are prepared to meet this threat. As such, I encourage small business owners to take a few simple precautions, such as banking online only from a dedicated computer. This can take the form of a laptop or desktop that&#8217;s used only for online banking and nothing else; a <strong>Mac OS X</strong> system (all of the malware used to steal online banking credentials simply fails to run on non-<strong>Windows</strong> computers); or <a href="http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html" target="_blank">a bootable Linux installation that runs off of a CD-ROM or DVD</a>.</p>
<p>By the way, if you ever get a chance to visit Cooperstown, N.Y., consider staying at the picturesque <a href="http://www.otesaga.com/" target="_blank">Otesaga Resort Hotel</a> there, where I snapped this photo last week right before a thunderstorm moved into the area.</p>
<p>Further reading: <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">Target: Small Businesses</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/05/a-stroll-down-victim-lane/feed/</wfw:commentRss>
		<slash:comments>33</slash:comments>
		</item>
		<item>
		<title>IT Firm Loses $100,000 to Online Bank Fraud</title>
		<link>http://krebsonsecurity.com/2010/02/it-firm-loses-100000-to-online-bank-fraud/</link>
		<comments>http://krebsonsecurity.com/2010/02/it-firm-loses-100000-to-online-bank-fraud/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 06:08:29 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[ach fraud]]></category>
		<category><![CDATA[cynxsure]]></category>
		<category><![CDATA[james reilly]]></category>
		<category><![CDATA[keith wolters]]></category>
		<category><![CDATA[merit moll]]></category>
		<category><![CDATA[swift financial]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=1275</guid>
		<description><![CDATA[A New Hampshire-based IT consultancy lost nearly $100,000 this month after thieves broke into the company’s bank accounts with the help of 10 co-conspirators across the United States. On Feb. 10, Hudson, N.H. based Cynxsure LLC received a voicemail message from its bank, Swift Financial, a Wilmington, Del. institution that focuses on offering financial services [...]]]></description>
			<content:encoded><![CDATA[
<p><a rel="attachment wp-att-1276" href="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/cynxsure.jpg"><img class="alignright size-full wp-image-1276" title="cynxsure" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/cynxsure.jpg" alt="" width="219" height="72" /></a>A New Hampshire-based IT consultancy lost nearly $100,000 this month after thieves broke into the company’s bank accounts with the help of 10 co-conspirators across the United States.</p>
<p>On Feb. 10, Hudson, N.H.-based <a href="http://cynxsure.com/index.php" target="_blank">Cynxsure LLC</a> received a voicemail message from its bank, <strong>Swift Financial</strong>, a Wilmington, Del. institution that focuses on offering financial services to small businesses. The message said to contact the bank to discuss an <a href="http://en.wikipedia.org/wiki/Automated_Clearing_House" target="_blank">automated clearing house</a> (ACH) payment batch that had been posted to Cynxsure’s account.</p>
<p>The next day, Cynxsure’s owner <strong>Keith Wolters</strong> returned the call and learned from Swift that someone had put through an unauthorized batch of ACH transfers totaling $96,419.30. The batch payment effectively added 10 new individuals to the company’s payroll, sending each slightly less than $10,000. None of the individuals had any prior business or association with Cynxsure.</p>
<p>Wolters said the bank told him it would try to reverse the transfers, and in the meantime it issued the company a provisional credit, replacing all of the stolen funds. But when he went to draw on that amount, Wolters found he was not able to withdraw money from the account. The next day, Wolters said, the bank reported that it had been unable to reverse the transactions. Shortly thereafter, he said, Swift withdrew the provisional credit.</p>
<p>Cynxsure’s attorney is now drawing up papers to sue the bank.</p>
<p>“We have done our best to make sure we’ve done everything we possibly can to protect our side of the equation,” Wolters said. “We’ve put a lot of time and effort into making sure something like this couldn’t have come from our side. We&#8217;re not going to be one of those companies that goes quietly into the night after something like this.”</p>
<p><strong>James Reilly</strong>, operations leader at Swift Financial, declined to comment on the incident, saying only that “it is against our corporate policy to discuss this matter further due to customer privacy and possible litigation.”</p>
<p>Wolters said his is the only computer used to access the company’s accounts online. Since the incident, he has conducted numerous scans with a variety of anti-virus and anti-malware products – which he said turned up no sign of malicious software. Wolters is holding out hope that perhaps the incident is related to a story that he said a Swift Financial executive told him about an incident last summer in which a Swift employee was caught gathering customer online banking credentials without authorization, but that story could not be independently confirmed.</p>
<p>Swift, like all commercial banking institutions serving businesses in the United States, is required under federal guidelines to secure customer transactions using some form of “multi-factor authentication,” or something else in addition to just a user name and password.</p>
<p>Swift and many other commercial banks have chosen to adopt a technology that requires business customers to “register” the computer they use to do online banking, by answering a set of “secret questions.” Customers are generally prompted to answer these questions if they try to access their accounts from a new computer or if the customer tries to log in to his or her account using an Internet address that the bank has never seen associated with that account before.</p>
<p>Wolters said the bank told him that whoever initiated the bogus transaction did so from another Internet address in New Hampshire, and successfully answered two of his secret questions.</p>
<p>The Cynxsure manager said he thought a fingerprint scanner attached to the Windows laptop he uses to access his bank account online would help thwart any attacks from password-stealing malware. The scanner stores passwords as encrypted image files; when his bank or any other site asks for a password, Wolters doesn’t enter the password in the site. Instead, he merely presses his thumb onto the scanner, which in turn decrypts the stored password for that site and pastes the information in the password field of the site he’s visiting.</p>
<p>Unfortunately, these scanners aren’t designed to defeat attacks from malware such as the ZeuS Trojan, which is often mislabeled as an invader that records computer keyboard keystrokes. It can do that, but its most useful feature is one that intercepts all data the user enters into user name and password fields. This feature, called a “form grabber,” effectively snatches the credentials before the browser can encrypt the information and send it over the https:// connection.</p>
<p>The fingerprint reader, when presented with the proper finger or thumbprint, will decrypt the appropriate stored credentials for the site currently active in the user’s browser, and paste that information into the relevant forms on the site. If a Trojan like ZeuS were present on the machine, it would be just as able to rip out that information after the unsuspecting victim hits the “submit” button in their browser.</p>
<p>True, it is still not clear whether the attackers in this case used ZeuS, or any other malware for that matter. Still, similarities between this attack and others strongly suggest the work of an organized crime gang operating out of Eastern Europe that typically steals banking credentials using the ZeuS Trojan and funnels the stolen funds through the same kind of money-mule network used against Cynxsure.</p>
<p>Last week, I wrote about criminals using ZeuS to siphon roughly <a href="http://www.krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/" target="_blank">$150,000 from a Michigan insurance company</a>. The attackers in that case sent the money to 15 people across the United States that had no prior business with the company, and the hackers defeated the bank’s battery of secret questions in that attack as well.</p>
<p>Alas, Cynxsure may still get some money back, albeit a paltry 1 percent of what was taken. One of the individuals who received a $9,500 transfer from Cynxsure’s account, 26-year-old <strong>Merit Moll</strong>, from Collowhee, N.C., said he got the payment after signing up for a work-at-home job offered to him by a company calling itself the Element Group. The company’s Web site, formerly at <strong>element-groupinc.ws</strong>, is no longer online. But Moll said he was told to create an account at the site and check his Web-based e-mail at the site once a day for messages that a new task was ready. On Feb. 9, Moll got his first (and last) task, and was asked to wire the money in $3,000 chunks to three different individuals in Ukraine.</p>
<p>When his bank confronted him with the fact that the money he’d received and forwarded on had been stolen, Moll said he told the bank to take the $750 commission he’d received for his work, as well as the rest of the money in his account (around $250), and make sure it was given back to Cynxsure.</p>
<p>“That was every last penny I had,” Moll said. “I told them, ‘Please take it, I wish I could do more. This is me sending what money back that I can, saying, I am really sorry. They really fooled me.’”</p>
<p>Cynxsure&#8217;s Wolters said he hasn’t seen a dime of the money yet.</p>
<div id="attachment_1277" class="wp-caption aligncenter" style="width: 619px"><a rel="attachment wp-att-1277" href="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/meritmoll.jpg"><img class="size-full wp-image-1277" title="meritmoll" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/02/meritmoll.jpg" alt="" width="609" height="474" /></a><p class="wp-caption-text">A screen shot of Merit Moll&#39;s account at Element Group</p></div>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/02/it-firm-loses-100000-to-online-bank-fraud/feed/</wfw:commentRss>
		<slash:comments>70</slash:comments>
		</item>
	</channel>
</rss>

