24
Feb 10

N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss

A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.

Karen McCarthy, owner of Merrick, N.Y. based Little & King LLC, a small promotions company, discovered on Monday, Feb. 15 that her firm’s bank account had been emptied the previous Friday. McCarthy said she immediately called her bank – Cherry Hill, N.J. based TD Bank – and learned that between Feb. 10 and Feb. 12, unknown thieves had made five wire transfers out of the account to two individuals and two companies with whom the McCarthys had never had any prior business.

“She was told to go to the branch next day, and she did, and the people at the branch were very nice, apologetic, and said, ‘Whatever happened, we’ll replace it,’” Karen McCarthy’s husband Craig said. “She called them up on Wednesday, and they gave her the runaround. Then she finally got to talk to someone and they said ‘We don’t see the error on our side.’”

Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer.

Later, McCarthy’s friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash.

Karen McCarthy said TDBank has dug in its heels and is now saying it has no responsibility for the loss.

“They feel that because [the thieves] compromised my computer that it’s my responsibility and that I should look into my insurance, but I don’t have insurance,” McCarthy said. “I had a company that was interested in purchasing us, but they’re not going to do that now.  I’m basically looking at bankruptcy, because I have very little money to operate on now.”

Krebsonsecurity spoke briefly with John G. McCluskey, vice president of TDBank’s corporate security and investigations. McCluskey referred all questions about the incident to the bank’s marketing department, which hasn’t returned calls seeking additional information and comment.

As Mrs. McCarthy found out the hard way, businesses do not enjoy the same protections that consumers have against online banking fraud. Most banks will work with commercial customers to try and reverse any fraudulent transfers, but the chances of that succeeding diminish rapidly after the first 24 hours following unauthorized activity. What’s more, banks are under no obligation to reimburse commercial customers victimized by cyber fraud.

McCarthy said she never would have done online banking for her business if she had understood how precarious it was for her business.

“I go to the bank and I see everywhere signs that your money is insured up to $250,000, but maybe they should have a little asterisk next to that saying ‘except for businesses,’” she said. “If I had understood that, I wouldn’t have been banking online.”

McCarthy said a $41,240 wire was sent to a company in New York called Asbury PHH; two wires totaling nearly $80,000 were sent to a man in North Carolina; and a $28,640 wire was sent to a Kimto LLC in California. Efforts to track down any individuals tied to those entities were unsuccessful.

The fifth wire was sent to a 59-year-old Kennesaw, Ga. resident named Pamela Biagi, who said she got the money after signing up for a work-at-home job over the Internet. Biagi said her employer called itself Adams Interiors, and used the Web site name interiors-a.com (that site is no longer online).

As it happened, that Web site essentially hijacked the good reputation of an interior design firm in Brooklyn, N.Y., claiming it was one and the same and pointing to the firm’s stellar reputation with the Better Business Bureau. Biagi said this was part of the reason she felt good about accepting the job offer.

“I did an online and phone interview with them. They wanted to hire me to be a financial agent, and to help their subcontractors who were going around the country doing interior design work,” Biagi said.

Then, on Feb. 12, she received a wire transfer of $14,875 with instructions to wire the money to another individual in Georgia. Suspecting fraud, Biagi’s bank promptly froze her account.

“The guy I was supposed to send the money to kept calling me…he was real nervous and kept asking me if I’d sent the money,” Biagi recalled in a phone conversation with krebsonsecurity.com. “I told him, ‘No, I’m sitting here with police officers and people from the bank because of all this.’

When confronted with the news of where the money had come from, Biagi said she was “horrified.”

“This has been an absolutely horrible experience for me, and I feel terrible for [Little & King],” she said. “I’m really glad they stopped it when they did. To think that I have been participating in something so horrendous like this is awful. It’s a black mark on my soul.”

Tags: , ,

105 comments

  1. Thanks for being the one beacon of light on this issue, Brian. It’s getting increasingly painful to read about here, and I’m betting that you’ve turned tracking these incidents into a full-time job.

    I continue to go back to the premise that the banks need to be held responsible for this. While I accept that the user has some level of fault due to ignorance, it’s the business financial transaction business processes that are broken here. In my mind, the banks are failing to even provide the limited security of checking one’s government-issued ID when they walk into a branch to withdraw money. That’s a failure to provide due diligence that a transaction is valid, and they should be held liable for it.

    • Michael Businger

      This is another good reason for anyone using online banking to have a dedicated computer that is only used to online banking, no web browsing, no email, no storage of sensitive or critical business data, etc. Yes, this is an additional cost, but I think any reasonable person can see it is much cheaper than the alternative!

  2. Nice work Brian. Yet another example of a small business being victimized (and perhaps destroyed) by these bad guys.

    As bad as this is, what really concerns me is when people start dying because of these frauds. What if the victim company is in the medical field and a PC that was used for online banking also contains vital medical records? If the bad guy uses the ‘KOS’ option after doing his nastiness, all kinds of valuable data could be lost.

    As for the banking industry, there is a deafening silence on this entire issue. They love the efficiencies (and thus increased profitability) that comes with moving all their business customers to online banking….but they’re not saying much in public about these compromises.

    Hopefully, there’s a great deal of panic behind the scenes and some improvements are coming…but I fear it may be too late to prevent wholesale looting of accounts belonging to dozens of other companies.

    In the meantime, this article discusses another fraud on which you have reported and the wider issue of liability

    http://www.bankinfosecurity.com/articles.php?art_id=2227

    cheers

    Nick

    • Thanks for the link, Nick. What concerns me is that the case could hinge on whether the authentication method was a reasonable control. In general, people don’t understand technical cause-and-effect and thus tend to focus on the technology as either enabling protection or failing to protect when it comes to IT-oriented cases. But, this problem is a business process issue, not an IT issue. It wasn’t that the authentication system failed, it’s that the identity verification process failed. I think that establishing that paradigm shift will be the only way for courts to really be able to address the liability.

      • Michael, distinguishing between an “authentication system” and “the identity verification process” may not help much. Once a computer is infected, the malware sits between the user and the bank. The bank could make the user provide a retina scan, and the malware still could just pass it along.

        No form of online authentication can be trusted in an infected environment, including digital certificates and off-line security dongles. But real authentication does exist. For example, the bank might phone the account holder to approve on-line transfers. The difference is an “out of band” communication which (hopefully) cannot be changed by malware.

        When a malware infection is present, nothing the computer does can be trusted, and it should not be used for banking. The problem is that users will not know about the infection. Antivirus scanners cannot detect all malware. Microsoft provides no facility to certify a Windows installation as uninfected. When common tools cannot detect infection, of course users will be banking with infected computers.

        We have a decade of experience to inform us that the current hardware designs and scanning tools cannot prevent infection. Complete protection of current PC’s with their native OS simply is not possible, even with the best equipment, practices and training.

        Once the OS is infected, it stays infected day-after-day, week-after-week, until the OS is re-installed. Consequently, when security counts, we may be forced to consider every Windows machine to be infected. That may be a general banking issue, because about 93 percent of browsing occurs under Microsoft Windows. Secondary platforms like Mac (5 pct) and Linux (1 pct) generally do avoid malware simply by not being the primary target.

        For a safer and free banking alternative on a PC, it is possible to boot a clean OS from DVD and so avoid any existing Windows infection. For more on free Puppy Linux for PC banking, see
        http://www.ciphersbyritter.com/COMPSEC/

  3. Is this the first ZeuS attack that was totally US-based? We always hear about money going to Romania or Ukraine, not to other points in the US. There could actually be some useful follow-up this time.

    Unless, of course, the US points were merely stopovers on the money’s way overseas.

    • I think it’s rather likely the mules are almost always based in the same country as the victim. I’ve seen similar reports from other countries and that seems to be the pattern. For good reasons undoubtedly.

  4. It’s funny that the mule’s bank took action to freeze the money coming into the account, but Little & King’s bank didn’t see any problems until two days after the money transfer. TD Bank has to share some of the responsibility. I wonder what actions TD Bank will take to help other businesses that bank with it. If I banked at TD Bank, I would immediately move my money elsewhere.

    • TD Bank might not have to share anything if things are already in the contractual agreement.

      • Maybe not, but with a couple of lawsuits, bad press is bad press. The bank may not need to share information or change its contracts, but at least work with their existing small business clients. This happened so they need to take some steps, even if Little & King suffers.

    • Most likely this person physically went into the bank to attempt to wire the funds. In this case it is the bank employees job to ask questions as to the origin of the funds that are to be transferred. This is most likely how it was caught.
      The bank should have impemented some sort of uthentication method that would not allow someone to access an account from multiple locations. It may be annoying to have to call the bank when you want to switch from using your home computer to your work computer, but if it saves you the heartache then that is what should be in place. My bank does just that. Wire transfers are seperate part of the internet banking system that requires a cookie, if you try to access that portion of Internet Banking from any other computer you have to call the bank and verify your identity before they will reset the cookie allowing you to access internet banking on a different computer.

      • Zeus steals that cookie.

        With Zeus, if necessary, the attacker can perform ALL transactions THROUGH your computer. Your IP, your cookie, your certificate, your token.

        I don’t know if that is what happened in this case, but with Zeus it is possible.

      • This stuff is pretty complicated, but I do not see how the approach solves the problem.

        “The bank should have impemented some sort of uthentication method that would not allow someone to access an account from multiple locations.” That might solve the problem if all malware just collected passwords for later use from some other computer, but not all malware is like that.

        “Wire transfers are seperate part of the internet banking system that requires a cookie,…” But if botnet malware is resident, it is already in the right machine. It will have the cookie. It can make the transfer. The bank cannot know that malware is doing it. If the bank asks for authentication, the malware will pass that request on to the user, and then return the correct response.

        No form of authentication whatsoever can solve this problem because authentication is not the weakness being exploited. The weakness is that malware can take over and “pwn” (own) the computer. Current computers are particularly vulnerable because they can be infected (that is, OS boot files can be changed by malware to re-install itself upon restart). And once infected, always infected (unless the OS is re-installed). When a customer computer is infected with serious malware, game over. There is no certain way to certify a computer as not having active malware or not being infected. Since the problem is inside a customer computer, the bank has no way to control it, other than by encouraging the customer to use a less-vulnerable system. Thus we see the really serious nature of the malware problem.

  5. I linked to much of your research in a broader piece I posted on my own blog regarding mounting cybercriminal activity. I had a feeling it was only a matter of time before a company was this adversely affected. This after literally months of you trying to raise awareness.

    We need to collectively start making this known to the financial sector broadly. Clearly nobody is taking this to heart at the banks. In my opinion, after the first few incidents, at least one of the banks should have been sending out warning messages to their customer en masse. hey could send letters to their clients saying, essentially, “We have been made aware recently of numerous unauthorized transactions taking place, so to protect you we offer the following advice and protections,” continuing to outline that business account holders should be watching their accounts like a hawk, and immediately (like: within the same day) notifying the bank of these transactions.

    Or, more appropriately, temporarily disallowing online transfers of anything higher than $5,000.00.

    Seriously: why hasn’t one single bank done either of these things?

    I hear from Twitter the second they notice a single phishing attack, and they are extremely proactive about nipping this activity in the bud, and they aren’t even a fundamental service. Banks aren’t even doing 1/10th this in light of what is arguably a crisis situation. Why?

    I think the key is that a banking or financial blogger, or more importantly a mainstream financial news org, should be picking this up, not merely a cybercriminal or tech blogger. (No offense, Brian, you do phenomenal work. But all of the victims of this activity were decidedly non-tech-savvy, and would never have tripped across your postings.)

    SiL / IKS / concerned citizen

    P.S. Did you mean Georgia the country? Or Georgia the state? (I assumed state.)

    • All it will take is for the banks to take on the liability for fraud like the credit card companies already do. Last weekend while gassing up with my Discover card I chose the wrong pump, canceled the transaction and moved one pump over. BOOM the card was declined and I had to go inside.

      Later, at the grocery store, the card was declined (lots of credit room), I came home to an email stating my card was flagged for suspicious activity and I needed to call. All this within an hour, in the same zipcode, and for less than $200 total.

      The mechanisms are available, the paradigm already established, it just needs for the banks to WANT to implement it.

      • Clarification

        I hear it often, that banks are responsible for credit card fraud. They are not. The vendor loses money on fraudulent transactions, not banks. I wish banks were responsible; we would have less fraud then.

    • While I certainly agree that banks should be doing something better I don’t see that notifying customers or putting a $5,000 cap on transactions is a valid solution. IE you instantly alienate and infuriate large business customers who regularly deal in transactions greater than that.

      The only real solution I see at the moment is for banks to implement risk based transaction monitoring for each individual customer account. But there aren’t a whole lot of commercial solutions out there that provide this. And for most banks, developing a custom risk based solution is out of the question. This leaves banks with tokens, password based authentication, and out of band authentication for customers.

      Aside from risk based transaction monitoring the only remotely feasible option for banks to employ “better” security, would be to provision laptops with some non-windows OS on them, and then in a very locked down state, to their customers.

      In almost all of these cases of fraud/theft, a core component is that the clients security/credentials were compromised and the bank didn’t react fast enough. Ultimately banks need transaction monitoring systems in place today, to better assist their customers. And business customers specifically need to re-evaluate their internal practices for online banking to make sure they do their part to maintain their safety.

      • That’s the second line of defence. The first line of defence is to not let Zeus or any of those Greek gods get at you. And Brian’s already outlined how simple that can be. Now I gotta break off as we’re flying to Egypt tonight so we can see who’s swimming in the river. It’s a flight but it’s a long journey and as in all things that matter, long journeys begin with a first step. Cheers. 😉

      • Mike, the problem isn’t that the “bank didn’t react fast enough”, it’s that the banks aren’t responsible at all. As it stands now, businesses are responsible for monitoring their account activity and they have less than 24 hrs to notify the bank to stop a fraudulent transaction. All of the burden is on the business owner and none is on the banks.

        Part of the problem is that the banking institutions and the FBI have colluded to suppress widespread knowledge of this particular banking exploit.

        Clearly, the security model for online banking is both insufficient and insecure.

        • “Part of the problem is that the banking institutions and the FBI have colluded to suppress widespread knowledge of this particular banking exploit. ”

          Really? That is a lot of tinfoil hat stuff there.

          • Actually bob, it’s not “a lot of tinfoil hat stuff there.”

            Please take a look at BK’s earlier post on the issue:

            “Buried Warning Signs”

            http://www.krebsonsecurity.com/2010/01/buried-warning-signs-2/#more-206

          • Reading this story on wire fraud reminds me of a meeting I had with some “treasury” folks and the daily totals for the total amount of cash being wired was in the billion range, I asked how long it would take for them to notice if I wired 250K in my personal account and immediately a flurry of whispering started across the table and the senior director replied “60 to 90 days”. I found out later that even if the amount would have been up to 5 million it would have not raised any alarms for about a month.

            The problem is much worse than you can imagine.

    • ‘We need to collectively start making this known to the financial sector broadly.’

      They already know. They just don’t care because they think they have the situation under control. Of course this brilliant wave of Zeus attacks might force them to think through matters again, but big ships take a long time to turn.

      ‘Seriously: why hasn’t one single bank done either of these things?’

      You’re right. Look what Twitter do as soon as they see anything funky going on. But there’s a difference between web-based startups and suits sitting in a bank conference room running a business that just won’t make it into the Internet age.

      “I hear from Twitter the second they notice a single phishing attack, and they are extremely proactive about nipping this activity in the bud, and they aren’t even a fundamental service.”

      Exactly. They have several accounts one can follow and they tell you by yesterday. Yes that’s proactive and yes that’s great. That’s the way it should be done. Yet I think it’s the bottom line. Twitter want to keep a good reputation; the banks think they’re in the driver seat.

      “I think the key is that a banking or financial blogger, or more importantly a mainstream financial news org, should be picking this up, not merely a cybercriminal or tech blogger.”

      Agreed again. Readers at WaPo used to pick it up a bit but now there’s KoS instead. Mainstream PC fanzines won’t pick it up because some advertisers (ahem) will fight it tooth and claw. They know it’s safer and more profitable to post articles about new touch screens and cellphones and…

    • Good point. And actually my bank does this and also warns me about transactions that look suspicious and either gives me a chance to cancel them or holds them until I OK them. Unfortunately, I can’t name the bank as the last time I named a registrar which does an excellent job of screening fraudulent applications they were hit the next day with a flood of bogus requests. I don’t want the same thing to happen to my bank.

  6. Is it possible to disrupt the recruiting of these people as money mules? If you are sophisticated enough to do an online wire transfer, then you should be able to understand the consequences of being an accessory to grand theft.

    Can wire transfers to specific countries, the usual suspects, if you will, be subject to some kind of 72-hour “hold”? A hold on wire transfer attempts would allow time for automated pattern analysis at the victim’s bank, and “alarm bells” to ring.

    Can sudden flurries of wire transfer activity be likewise subject to telephone confirmation at the client’s phone number of record, by a designated person?

    Of course, one consequence of such measures being put in place would be that it would clearly become the bank’s failure if they are defeated, and then you have liability.

    No, none of this is foolproof, but each would incrementally drive up the degree of difficulty some! Make the thieves move on to easier targets. And if extra work is involved at the financial institution to harden security, then a suitable fee might ease their pain. And if they are unwilling to commit to making simple efforts to protect commercial clients, then perhaps some competitor might!

    A final idea, and somehow this one seems wonderful to contemplate: Full-page local newspaper ads in huge headline type by victimized businesses: “______ BANK LOST OUR MONEY!!!”

    • The full page spread sounds like a good idea but your ad has to offer some solution. Merely getting people to panic won’t advance things. Add something like ‘get a live CD’ and you may have something.

      • I think most banks already are aware of measures to reduce this fraud. They need an incentive to take them. What managers call “reputation management” may be the incentive they need, both for banks and registrars.

    • Ads cost money. That you just got robbed off (both by the crooks and your bank – only difference is, banks are legalised crooks and get government loans).

      I was thinking of your 72-hour hold as well – any transaction above some treshold is delayed – within that period you get notifications plus you need to finally confirm it.
      Right now the transfer is ‘instant’, yet the other party receives it still 1 or 2 days later… so where is the money in that 48 hours? Yup, you guessed it, funding their pyramid schemes that brought down Wall Street – and the rest of the world.

      We now have bank-issued (not free, of course) ‘identifiers’: you enter the code from the screen and then have to enter the code that the device displays – is that any bit safer? Anyone knows more about that system?

  7. After yesterday’s story about Cynxsure I went and looked at some of the larger banking sites (banks in the top 50) to see what, if anything, some of them said about these issues.

    A few have devoted some valuable real estate to make sure we know about their commitment to security. It is not clear on any of the sites whether or not the banks require customers to use any of the measures mentioned. I suspect most of the measures are voluntary.

    Alarmingly, a few of the banks tout how much freedom customers have to control their own set-up. This type of control goes far beyond what consumers are able to do. A corporate customer that is allowed to set up other users, other administrative users, services for other users (wires, ACH, etc.) and assign accounts to other users is inherently hard to protect. Since some banks grant customers this type of administrative control and other do not I can only assume there are competitive market forces at work pushing the two approaches.

    Even with layers of security on the bank side and vigilant users on the customer side, a model that grants corporate users every bit of administrative capability available is problematic. I don’t see these banks (big banks remember) implementing stricter security measures without being forced to do so.

  8. “I don’t have insurance”
    Why not? Is there no such thing as insurance against this? If there is, did her agent not tell her about the product? Or did she just not bother?

    I suspect that, if insurance companies start having to cover these sorts of losses, then you would start to see serious regulatory reform.

    • Agreed. It’s the ‘pass the buck’ syndrome. I don’t know but I suspect the reason protect individuals is their bank accounts aren’t overflowing with cash and are not targeted by the Zeus people. And that’s of course the reason the banks won’t protect businesses – too much money to lose. And the companies insuring the banks have probably had it up to their balance sheets with such shenanigans and the banks know they’re up the creek because of that. They’ll protect you as long as you have nothing to lose, nothing that will cost them anything. That’s very generous of them. 😉

  9. Keep hitting them where it hurts! It’s still totally amazing mules can be unaware of what is going on. Authorities seem to have a benign attitude towards them. But what kind of financial agent has to only keep transferring money to other accounts? What company would really need someone to do that? And why would they ever need anyone to do that?

    I feel sorry for the lady at the promotions company but come on: she wants to be swallowed up by a bigger company and she doesn’t even have insurance? And she’s never heard of the dangers of online banking and Windows?

    At the very least she should read this blog a lot more. Something almost everyone would benefit by.

  10. Maybe it is a naive question but:

    why are there no TANs or so used, i.e. transaction authentication numbers valid only for one transaction?

    At least in Germany most banking transaction have to be ensured by a TAN additional to your banking PIN. Most german banks provide their customers with (at least) indexed TANs or for some additional security TAN generating tokens or RSA-chip card based authentication methods.

    It certainly does not prevent fraud but makes it certainly much harder than just a simple PIN authentication.

    • TANs prevent certain attacks, not all.

      If you have a man-in-the-browser attack going on, you can be making legitimate looking transactions on your side, but the bad guys are doing something else on the bank’s end. They would just take the TAN and pass it on.

      Perhaps the strongest would be some out-of-band system like a smart phone that gives you transaction details, then prompts you for a TAN to approve each one.

      Part of this problem is a lot of the businesses being hit are relatively small, and they will take a short term view when they owner is stressed out with everything else having to go through a multi-step authentication process.

      It seems for now we view these as auto accidents that are acceptable and ho-hum, not as aircraft accidents that raise holy heck. And let’s be honest — we’d save a lot more money if we cut TSA’s budget in half and gave it the states to step up highway safety patrols. Security isn’t always rational.

      • Sorry about a bad editing job, let’s try this sentence again:

        We’d save a lot more lives if we cut TSA’s budget in half and gave it the states to step up highway safety patrols.

      • Agree – but it would reduce these unnecessary I-just-need-the-account-ID-and-rob-everything-in-multiple-transactions cases I guess.

        I guess that certain authentication systems are quite usable for individuals like mTAN s, i.e. your bank sends you for each of your transactions a text message to your mobile phone with a summary of the transaction and a TAN valid exclusively for this transaction. But for companies with some more transactions each day it could get ‘unhandy’.

        Of course man-in-the-middle-attacks are also possible but are certainly harder.

        For larger volumes of transactions there are solutions available since years — in Germany ‘HBCI’ is quite common (with RSA-authentification-card terminals – which are more or less independent of your OS – and which have, in the higher price regions (~100 Euros), also displays showing transaction summaries etc.)

  11. Is it possible to put a black box type warning about these money mule scams at job sites like career builder and monster.com and also, in newspapers in the classified ad section? This woman seemed truly heartbroken at what she was unwittingly doing.

    Also, wouldn’t it have seemed unusual for this small company to be wiring such large transactions? Shouldn’t that have sent up red flags for the bank? Is there some way to put a dollar limit or cap on daily transactions so that small business owners can see and approve of what went on during the day before it becomes time to declare bankruptcy? And finally, haven’t the antivirus vendors figured out a way to spot and stop the zeus trojan yet? This is just so sad.

    • Marine, I like your questions. With regard to the “money mules”, warnings might cause some folks to re-consider, yet they might attract others — who knows? The criminals will just find ways and means of recruiting money mules other than the ones that they currently use.

      Banks can do the things that you implicitly suggest, but such measures take personnel, time and money to implement. Unless there is a Return On Investment, nobody wants to do anything, even with regard to securing their information systems. ROI is often difficult to calculate when the goal is to avoid potential losses, in contrast to decreasing cost and increasing profit. As it stands, the banks don’t lose much, if anything, and their commercial customers lose everything.

      At last report, there were at least 350+ variants of the ZeuS banking trojan, and they are easily produced. There has also been an enormous increase in the number and variety of malware. So, these two things combined makes signature-based detection alone practically worthless. So most AV vendors are developing other methods of detecting malware. It doesn’t seem to me, though, that the ones of which I’ve become apprised are likely to stop ZeuS.

    • These “money mules” need to start being prosecuted – and doing jail time – as criminals/accomplices, since they are in the same class as “drug mules” and “money laundering”. Only then will the (unwitting?) like Pamela Biagi think twice about signing up for “work-at-home financial agent” jobs over the Internet.

      This won’t stop the criminals from continuing to rob banks using computers, but it would likely cause them to seriously change tactics. Also, it would make this form of crime/bank robbery more public when someone like Pamela Biagi goes to jail (hopefully all over the news), instead of just claiming ignorance and simply apologizing for being an accomplice to bank robbery.

  12. “Is it possible to put a black box type warning about these money mule scams at job sites like career builder and monster.com and also, in newspapers in the classified ad section?”

    Sure it’s possible… But they’d just reword their ads and use different types of social engineering to get their mules.

  13. I’m not sure why everyone wants to focus on prosecuting mules or educating people so they do not become mules. There’s plenty of people that would knowingly do this anyway…

    Lets go a step back to where the bank allowed large unusual transactions out of the customer account.
    I refuse to believe that some basic logic can’t be used to restrict, hold, or flag certain transactions or series of transactions based on prior history the same way they do for Credit Card transactions.

    If the bank couldn’t write off the money, file an insurance claim, or have us bail them out, and they had to pay back the customer and eat that loss, THEN there would definitely be something in place to reduce this type of activity.

    • An SMS sent after every transaction as confirmation would help ensure that business owners would be able to get onto any problems within 24 hours. Some banks already do this in Australia.

      Simple. Cheap. Effective?

  14. Brian, you seem to know quite well where the money mule jobs are getting advertised. Did you ever consider to get yourself a couple of GoogleVoice phone numbers and invented names, volunteer as “mule”, and conduct a “man in the middle” attack right into the heart of this fraud scheme? I’d say the time has come to replace honeypots with Honey-Mules (tm:) and to make recruiting of “real” mules more hazardous for the bad guys! Let’s give them a couple of fake mules to contend with!

    • I think there are law enforcement agencies already doing this. The problem is the “heavy hitters” in the scam are outside their jurisdiction.

  15. Anybody know why a major paper won’t pick up Brian’s investigations? A paper like the WSJ, for example, that a good number of small business owners might read.

  16. I enjoyed reading the story and browsing your site Brian. Thanks for taking the time to share it with us.

    It’s really amazing how many folks don’t realize the dangers that are lurking around the Internet. I’ve personally seen Information Technology professionals fall victim to phishing attacks, so how can we secure the general public if IT folks are falling victim?

    Cheers!

  17. Moonlight Gambler

    If the banks won’t take action don’t use their internet facilities for business transactions.

    Have your bank assign “read only” status to your accounts.

    Yes, you will have to do transactions over the counter, but as banks don’t want customers in their bank it will become a bigger problem for them than you.

    Just don’t forget to tell the bank staff why you won’t do online transactions.

    Eventually they will get the message.

  18. I really don’t understand how American banks can escape liability while being unwilling to implement basic security measures such as multi-factor authentication for online banking.

    Here in The Netherlands, all banks are using tokens or other additional measures to implement multifactor authentication due to which theft of credentials cannot be used for fraudulent wire transfers.

    I hope that this company and other victims will sue their banks, and force them to take action. Why doesn’t the American government force the banks to secure their payment systems instead of outsourcing risk to the customer ?

    • I assume that tokens are in place for the account. Why would you assume tokens are not used?

      • @Rob, “Why would you assume tokens are not used?”

        I can’t speak for the OP but speaking for myself it would be because my resume includes some time spent working in Information Security for a part of that bank.

        It was a couple of years ago but based on that firsthand knowledge of their environment, internal plans, status and capabilities I’d be very surprised if they have even started moving toward implementing tokens, let alone have them deployed.

        • Infosec_pro –

          They acquired CBNJ a few years back and CBNJ has used tokens since the early 2000’s. I guess it depends where the account was held or opened.

          It would be interesting to know for sure. If this crime took place while the user was not logged in and tokens were in place it would be the first case I heard of.

  19. I do feel really bad for these victims because the advertised perspective is “look now easy is is with the Internet”.

    I don’t expect the general public to be readers of “Computer Risks to the Public” ( http://catless.ncl.ac.uk/Risks/ ) but people should be aware of the dangers.

    Along that line of thinking, isn’t it time for a court test of Microsoft responsibility and their EULA ?

  20. If we really want to swim up-stream….tell Adobe, MS, Apple, etc.., etc… to not deploy buggy code that enable exploits like Zeus.

    Problem soloved 🙂

    • Interesting…

      Not sure whether or how many major banking players adopt this technology or something similar…but whatever happens, the status quo is not an option!

      The banks probably fear that if they start asking their customers to use it, the customers’ first question will be “…Why – are your current systems not secure??”!

      • Yes- we do ask that question. My bank recently instituted a policy where transfers overseas required an SMS code to be sent to the bank account owner’s phone. That’s great, but I was O/S at the time they instituted it and my phone didn’t have int’l roaming. so Icouldn’t pay someone for another week and a half.
        Yes the bank did hear about it, not that they cared. Granted this was a personal account, but the more these technologies are available for this, the more businesses may ask why they aren’t implemented.

  21. Attention enterprising attorneys!!!

    A new market is opening for YOUR services–Lawsuits against banks which sell online banking to businesses without full risk disclosure. They’ll fight you tooth and nail. Make sure that you demand jury trial(s). Then make sure to select for people who don’t like banks. Given banks’ current popularity, it’s a (nearly)* foolproof business model.

    *Manufacturer supplies no warranty, implicit or explicit.

  22. Notice where in the chain a bank acted immediately? The unwitting mule’s account was frozen and the police were called because it was an individual’s account and they would be liable for the full amount. If business banks (TD Bank) were held to the same liability, there would finally be action against the thieves.

    • You are absolutely right. I was wondering why some of the mules had apparently been instructed to set up LLC’s. Bingo. You just answered the question.

      If the “mule” is an LLC, banks don’t care.

  23. OK. You have documented the problem quite nicely.

    Next step: Propose a solution.

    What specific steps should a company use to avoid these problems?

    I can imagine having a single machine dedicated to all wire transfers, that does nothing else (i.e., to avoid all contact with non-bank websites or email). Doesn’t sound very convenient, but would be more secure.

    Even if the banks were liable, what specific measures would they take to avoid these problems? Keychains? Great, but they’ve been cracked. Biometrics? Fine, until someone rips off the digital image of your finger [retina, whatever]. SSL with pre-loaded cert’s? Nice, until someone rips off your private key.

    Aside from making every one of these people read your column and get hip to the idea that security is necessary, going out and getting really trained, then auditing their app’s. What are these folks going to do that saves their money?

    • SOLUTIONS: For a technical malware solution, the most important step is to not use Microsoft Windows when on line. Using a single machine for wire transfers does not offer nearly the same advantage.

      No form of personal authentication, including keychains, biometrics and digital certificates, can possibly stop a modern malware after infection. The problem is that malware is the man-in-the-middle between the user and the bank. Anything the bank requires can be passed through. Once the account is open, the malware can do anything a user can do.

      Absent some sort of out-of-band communication, banks cannot identify or stop malware running on user systems because the result looks like a user. A technical bank response might be to distribute some sort of easy “live” CD and then refuse to connect to a Windows system, or perhaps offer loss insurance only to non-Windows users. Marketing-wise, customers might consider improved banking security to be an advantage. Or the bank could just call and confirm all wire transfers.

      Our current computer systems are “once infected, always infected” by design, for which training only goes so far. The consequences of even a single mistake can enable an infection which will remain until the OS is re-installed or a clean OS image recovered. But humans will always make mistakes, even after training. Current hardware and software systems simply were not designed to deal with malware infections.

      What someone can do is to load a clean OS from DVD immediately prior to banking. That does not require a dedicated machine.

      Professional solutions may not be quite there yet, and may not be until bank losses get much larger. Currently, for those who really want to throw money at the problem, buy a Mac. Otherwise, learn to run a simple free Linux as a “live” DVD when on-line. For help, see my articles:
      http://www.ciphersbyritter.com/COMPSEC/COMPSEC.HTM

  24. I really feel for the business owner because this loss is not easy to take. But it is their fault for not protecting their computer adaquately. They probably don’t even have an IT staff or adaquate controls around the equipment or their procedures. By controls, I mean that the business should have at least had dual control over the money moving functions. This means the owner plus at least another person, using different machines and different credentials, would create and approve money moving transactions. The attacker would have had to compromise multiple pieces of equipment and credentials to get the money.

    It is a given that the major computer software makers are not making their software secure from these types of malware. Zeus (or any other malware) does not make it on the computer without help. The business owner was probably “admin” on their machine because it was convenient, but that convenience also makes it easy for the attackers.

    Like it or not, my opinion is that the businesses have an obligation to protect their assets, including computers used for financial transactions. They take the tax deduction on it, manage their books on it, and receive their email on it. Computer owners are notoriously possessive of their machines (especially office users). Why suddenly put the blame on someone else when malware is on it? The financial institution did not put the malware on the computer did they?

    Who is to blame if a business left the store doors unlocked after closing time, left the valuable inventory on the loading dock, or did not shread employee records and simply let them get transmitted to an identity thief? I think we would all agree that the business owner is responsible and accountable for the loss.

    So should businesses who don’t protect their access credentials or their machine/access equipment be allowed to pass the blame to the bank (or any other financial institution)? I think not.

    Basic steps any business should take:
    1. Don’t be “admin” (default) of the machine. Be “user” on the machine.
    2. Separate financials from other uses. The losses suffered in one incident covers the cost of a separate machine many times over.
    3. Separate custody and control. If you create a wire or send payroll, you should not also be the approver using the same credentials and same machine. Ask the institution for another set of credentials and buy yourself a second machine to do the approval task. Sounds stupid if you are the only person in the office, but I’m thinking this business owner who is going to be bankrupted is thinking the inconvenience would have been worth the $400 for a netbook or other low-end machine. Obviously, it is a lot cheaper than an insurance policy and a lot lower than the loss she is taking.

    These are my opinions as a business owner and “family IT guy” for the contaminated machines I have been asked to work on over the years.

    • I also feel really bad for this business owner.

      But, in a vein similar to your comment, the business owner admitted that she opted to take the risk and not purchase insurance for her business. I did that too during the first few years of my business. Then I “grew up” as a business owner, and started paying out $200/month to insure my business against lots of different calamities.