March 22, 2010

An Arkansas public water utility and a New Jersey town are the latest victims of an organized cyber crime gang that is stealing tens of millions of dollars from small to mid-sized organizations via online bank theft.

On Thursday, officials in Egg Harbor Township, N.J. acknowledged that a sizable amount of money was taken in an “outside intrusion into a municipal banking account,” suggesting in public statements that computer criminals were responsible.

On Monday, details began to emerge that implicate the work of the same gang that Krebs on Security has been tracking for close to a year now.

Mayor James J. “Sonny” McCullough confirmed that the thieves took close to $100,000 from town coffers, sending the money in sub-$10,000 chunks to individuals around the country who had no prior business with Egg Harbor.

McCullough said the town is working with local authorities and the FBI.

“There’s a possibility that the bank will be able to [retrieve] some of the money,” McCullough told Krebs on Security.

According to at least two sources, some of the money was sent to John P. Higgins Sr., a resident of Tampa, Fla. On the afternoon of March 18, Higgins received a bank transfer of more than $8,700 from Egg Harbor’s account. A woman who answered Higgins’ mobile phone on Monday morning declined to identify herself or answer direct questions about the incident, hanging up after saying only that their lawyer had been contacted and that Mr. Higgins was wary of being caught up in further scams.

In a separate incident on March 4, organized crooks stole roughly $130,000 from North Garland County Regional Water District, a public, nonprofit utility in Hot Springs, Ark. Again, thieves somehow broke into the utility’s online bank account and set up unauthorized transfers to more than a dozen individuals around the country that were not affiliated with the district.

Manager Bill Reinhardt said the district is still investigating how the thieves gained access to its accounts, and that it had notified the FBI about the breach. Reinhardt said the district has so far worked with its bank to reverse about half of the fraudulent transfers.


44 thoughts on “Organized Crooks Hit NJ Town, Ark. Utility”

  1. wiredog

    Can’t find a North Garland County Regional Water District in Az. There is one in Ar…

    1. BrianKrebs Post author

      How embarrassing. You are of course correct. I have corrected that somewhat glaring geographical error.

  2. Ron Nielson

    I’ve read about many of the cyber heists and it seems that they are always related to wire transfers. All of my credit card bills, utilities, and other periodic payments are paid thru ACH debits which are different than wire transfers, I believe.

    If the problem is with wire transfers, isn’t one solution to tell the bank not to honor any wire transfers? Of course, this would preclude the use of a wire transfer when that might be needed for legitimate purposes.

    1. William

      I’ve read about them too. They’re all related to money and Microsoft Windows.

      Just a thought.

    2. infosec_pro

      “wire transfer” refers to an electronic transaction cleared through the ACH, so your “ACH debits” are exactly wire transfers, as are automatic payroll deposits. That’s why the blanket prohibition of wire transfers is not practical, and anything that increases processing overhead (e.g. manual intervention for authorization or review) is undesirable.

      The issue is scale, the more banks can use online access to close brick and mortar branches and reduce staff the more they can do with less. Related is the fact that commercial customers bear the loss, unlike consumers where the bank bears the loss.

      It’s just going to get worse. This weekend I was hearing about “remote deposit” on the radio, where checks don’t have to be taken to the bank but can be presented for deposit electronically using a scanner from the customer’s computer desktop. Such a great opportunity for new malware!

      1. Michael

        Looked up “wire transfer” and “automatic clearing house” on wikipedia and they seem to be different animals.

        1. infosec_pro

          @ Michael, “wire transfer” is the transaction, “automated clearing house” (a/k/a ACH) is the entity that processes the transactions.

          Strictly speaking a wire transfer could be processed through some other entity, for example Western Union is used by money mules to process cash transfers, or SWIFT processes trans-national inter-bank transactions. SWIFT could arguably be an automated clearing house, although the acronym ACH is generally used to refer to the domestic US entity that processes domestic transactions (originally it was the automated facility through which checks were cleared, which evolved to become purely electronic as banking regs evolved).

          Anyway, I was replying to Ron Nielson’s original comment “ACH debits which are different than wire transfers” which is simply not true. ACH debits are necessarily a form of wire transfer, and in fact they are potential avenues for fraudulent activity. So Ron clearly has a false sense of security, which semantic nuances should not encourage.

          btw I still have ACH contacts from my banking days, if more details are required please supply direct contact info…

          1. Ron Nielson

            I was under the impression that a wire transfer is different than an ACH debit/credit transaction in that the ACH debit/credit transaction is reversible for a period of time (30 days?? 60 days??) and that wire transfers, once delivered at destination, are not reversible. When you do a wire transfer, you pay something in the $20-$30 range and most ACH debit/credit transactions are free or little cost. There must be something different that distinguishes them.

            And when looking at the reporting of fraud, they almost always specifically mention wire transfer, not ACH debit/credit transaction. Is that just a misunderstanding of the action used in the fraud?

            At the company I worked for, we did ACH debit/credit transactions for the vast majority of our collections ($15M/day or more) and on rare exception, we did wire transfers, the internal company processing of which was different for each type. That’s the basis for my questions. Our company thought they were different so I think they’re different.

            Perhaps not different enough to help form some type of defense against fraud, though.

          2. Michael

            Thanks for reply. Searched for “ACH” on the wire transfer page, and “wire transfer” on the Automated Clearing House page, and found nothing. Surely some mention if related? Also, all my banks charge $$$ for wire transfers but $0 for ACHs.

  3. Bob

    These occurrences seem to be happening at an increasing rate. Why isn’t one of the banking committees in our federal government looking at some of these incidents? Yes, they are supposed to be looking at the big overall picture of the banking system. But, this affects real people, real businesses, real money. The regulations to fix the “Big Picture” that they are discussing will be easily circumvented by the ingenious bankers anyway, so why bother?

    Whitelists for banking customers would seem to be a no-brainer solution.

    1. Bob

      Actually this is a continuation of the previous comment.

      How soon would a banking committee look at this issue? When it hits one of them personally/professionally. Chris Dodd and Barney Frank really don’t care about the normal people. But, let one of their family businesses get hit, you will see the issue escalated to the sky.

    2. Steve Shelby

      Sure, Bob. More laws. Because the crooks really pay attention to them.

      It’s up to the end-user to secure themselves. And like Health Insurance, once they reach the big scary point of self realization that they have to actually do something themselves, then they will do something themselves.

    3. James R. ("Jim") Woodhill

      Bob,

      On March 22 2010 you wrote:

      > Why isn’t one of the banking committees
      > in our federal government looking at some
      > of these incidents?

      No member (or their staffers either) of the House Committee on Financial Services’ Subcommittee on Financial Institutions and Consumer Credit with whom Authentify has met so far had previously heard of this problem, nor the member of the Senate Banking Committee’s Subcommittee on Financial Services either. As it happens, *Howard Schmidt*, Obama’s new cyber-security tsar had not heard of it before I mentioned it to him at RSA 2010 on March 4.

      Congress would need at least 100X its current staff to be on top of all the emerging issues that people are sure they “ought” to be on top of. Until Congress expands its staff (and its budget) it behooves those of us with leading-edge awareness of emerging problems to simply go up the Hill and brief our elected representatives on them, rather than sit back and complain about what “they” are not doing. In a democracy, there really is no one here but us chickens! Refer to the NEWSWEEK article by Nick Allard, head of Barton, Boggs’ lobbying practice about how “We Need More Lobbyists”:

      http://www.newsweek.com/id/233444

      > How soon would a banking committee look at this issue?

      It’s a long shot, but the Senate Banking Committee has already reported the current banking reform act out. It is now before the Senate and could (in theory) be amended. I don’t think this problem *should* be addressed via amendment without hearings unless I can get the American Bankers Association (ABA) to endorse our proposed solution. I will know more on Monday after our first meeting with them.

      > Chris Dodd and Barney Frank really
      > don’t care about the normal people.

      How well do you know these gentlemen? I have not had the privilege, but I *have* seen Rep. Frank rage at financial services industry miscreants who richly deserved such treatment.

      And, anyway, Chris Dodd is retiring so the person to go to on the Senate side is Sen. Chuck Schumer. I can tell you that at least his office has heard of the problem–God Knows, his state has enough victims! I hope to get in to share ideas with his staffer for his participation in the Subcommittee on Financial Services in DC this week.

  4. Tom Seaview

    I used to live in Egg Harbor Township, and I know Mayor McCullough. I’m sorry to see this happen there.

  5. Matt

    It would be good to know the name of the bank involved. They could have avoided the problem by using a two factor transaction authentication method.

    1. BrianKrebs Post author

      Matt – Just out of curiosity, what kind of two factor auth. do you think would have stopped one of these attacks?

      1. MGD

        Not to intrude ……

        A simple secondary factor that is not completed via an online internet process.

        A confirmation numeric code generated by the bank and displayed on the screen every time a new “payee” is enrolled in ACH, and every time a first transaction is initiated to a new payee.

        In order to complete either of those two types of transactions, a bank toll free number must be called and the numeric code entered from a registered phone number that has been set up previously by the account holder.

        Toll free numbers use ANI and cannot be spoofed. The assigned call in number/s for the commercial account must be set up in person, at the bank, by an individual listed on the corporate resolutions who is also authorized to sign checks for the business. The number can only be changed in a similar procedure.

        All transactions (new payee, and first transfer) will have a pending and incomplete status until the confirmation code has been entered from the pre-authorized telephone number. Those pending transactions will show both online, and on account statements, so that the account holders will be aware an incomplete attempt has been made. Assuming the account holder is smart enough not to oblige an unknown caller by making a call on their behalf, or allowing outside access to their phone system, then this procedure is relatively painless and effective.

        So far the Automatic Number Identification (ANI) used in the toll free system, which is not the same as “caller id”, is hardware driven, is independent of any caller settings, and to date is not spoofable.

        MGD

        1. Mike

          The bad guy controls the computer. He simply intercepts a legitimate dialog, replaces it with the number associated with his fraudulent transaction, and waits for someone to call to authorize their expected transaction. By the time someone figures it out, the money is already gone.

          You can make this sort of thing more complicated, but as long as a mechanism exists by which people get enormous sums of money irrevocably deposited into their accounts with no effort spent by the banks to detect and block/delay potentially fraudulent transactions, the rewards are great enough for the bad guys to spend a lot of effort on overcoming new defensive tactics.

          1. MGD

            “….. The bad guy controls the computer. He simply intercepts a legitimate dialog, replaces it with the number associated with his fraudulent transaction, and waits for someone to call to authorize their expected transaction. By the time someone figures it out, the money is already gone. ….

            No, each pending transaction of either a new payee added, or a first transfer is read back to the account holder rep over the phone first (auto text to voice) … Payee added 11:59 am on December first … Jane Doe, account number, routing number (routing # is then auto converted to voice statement of regional bank area) … then “Enter confirmation code for this transaction”. Likewise a first transfer will state the date/time, Payee first and last name, the amount, the account number, routing number and conversion … then “enter confirmation code for this transaction”. See later post by TheOtherGeoff which expands on this. Other variable criteria can be preset for the account, such as TTL, the amount of time, “minutes – hours” within which the confirmation by phone must occur or the online transaction is voided.

            MGD
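
The pending-code-plus-phone-confirmation scheme MGD describes, worked through as an added example (this is not code from the page or from any bank; the in-memory "transaction engine", the phone numbers, the routing and account numbers and the 30-minute TTL are all made up). It shows the three properties the scheme relies on: the read-back comes from the bank's own record rather than the browser, the code is useless from an unregistered number even though the infected browser displays it, and an unconfirmed attempt is voided after the TTL while still being visible on the account.

```python
"""Out-of-band confirmation of a first transfer to a new payee, simulated.
Added example; every number, name and threshold below is constructed."""
import secrets
import time
from dataclasses import dataclass

TTL_SECONDS = 30 * 60  # assumed per-account setting: confirm within 30 minutes


@dataclass
class PendingTransfer:
    payee: str
    routing: str
    account: str
    amount_cents: int
    created: float
    status: str = "pending"  # pending -> released | voided


class TransactionEngine:
    """The bank's back end. The customer's browser is assumed compromised;
    this side, and the toll-free ANI delivered by the phone network, are not."""

    def __init__(self, registered_ani: str):
        self.registered_ani = registered_ani  # changed only in person at the branch
        self.pending = {}  # code -> PendingTransfer

    def submit_online(self, payee, routing, account, amount_cents, now):
        """Web request as received (already altered if malware is present).
        Returns the code the site displays; no money moves yet."""
        code = f"{secrets.randbelow(10**6):06d}"
        while code in self.pending:  # avoid the (unlikely) collision
            code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = PendingTransfer(payee, routing, account, amount_cents, now)
        return code

    def read_back(self, code):
        """IVR script spoken before the code prompt, built from the bank's own
        record of the transaction, not from anything the browser showed."""
        tx = self.pending[code]
        return (f"First transfer of ${tx.amount_cents / 100:,.2f} to {tx.payee}, "
                f"account ending {tx.account[-4:]}, routing {tx.routing}. "
                "Enter the confirmation code for this transaction.")

    def confirm_by_phone(self, caller_ani, code, now):
        """Release only if the code exists, the TTL has not elapsed and the
        call arrives from the registered number. Anything else leaves it
        pending (still visible on the statement) or marks it voided."""
        tx = self.pending.get(code)
        if tx is None or tx.status != "pending":
            return "unknown-or-closed"
        if now - tx.created > TTL_SECONDS:
            tx.status = "voided"
            return "voided-expired"
        if caller_ani != self.registered_ani:
            return "rejected-unregistered-phone"
        tx.status = "released"
        return "released"

    def expire(self, now):
        """Batch job: void anything still pending past its TTL."""
        for tx in self.pending.values():
            if tx.status == "pending" and now - tx.created > TTL_SECONDS:
                tx.status = "voided"


def run_scenario():
    """Constructed scenario: the treasurer means to pay Acme Supply $2,500; a
    man-in-the-browser rewrites the request to a mule for $8,700."""
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    bank = TransactionEngine(registered_ani="+15555550100")
    intended = ("Acme Supply", "111111118", "000000001234", 250_000)
    code = bank.submit_online("J. Mule", "222222226", "000000009999", 870_000, t0)
    results = {}

    # 1. Treasurer calls from the registered phone and listens before typing.
    heard = bank.read_back(code)
    results["readback_mentions_intended_payee"] = intended[0] in heard
    results["readback_mentions_mule"] = "J. Mule" in heard
    results["status_after_readback"] = bank.pending[code].status  # nothing entered

    # 2. Crook has the code (the browser showed it) but not the registered line.
    results["crook_call"] = bank.confirm_by_phone("+15555559999", code, t0 + 60)

    # 3. TTL passes; the attempt is voided and shows as such on the account.
    bank.expire(t0 + TTL_SECONDS + 1)
    results["final_status"] = bank.pending[code].status

    # 4. Contrast: a legitimate transfer confirmed in time from the right phone.
    good = bank.submit_online(*intended, t0 + 3600)
    results["legit_call"] = bank.confirm_by_phone("+15555550100", good, t0 + 3600 + 120)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scheme stands or falls on the registered-number step: the attacker in step 2 holds everything the browser ever showed and is still refused, which is why later comments in the thread go straight for the phone-number change process rather than the code.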

        2. Matt

          It sounds like a good solution for some specialty business situations. My concerns would be that it could be shifting the security issue sideways into different areas, and also the downside would be that you are locked into a specific landline, which means it wouldn’t work for many people who want a portable banking solution. I travel a lot so it wouldn’t be any good for me. From a security point of view it reminds me a bit of the SMS solution, which at first glance sounded like a great idea; however, it then turned out to be easier for criminals to call a victim’s telecom and get their numbers moved around/forwarded without the actual user knowing and intercept their codes that way. Usually the only authentication required is knowing the user’s mother’s maiden name or similar googleable basic information such as the user’s birthday. It seemed like an easy patch to require telecoms to up their authentication requirements; however, most countries then enacted anti-competition legislation demanding telecoms make it *easier* for users to switch their numbers around between providers, and so the whole security chain fell apart. It’s a wise security adage – a chain is only as strong as its weakest link.

      2. Matt

        We know we are essentially dealing with a MITM attack, more specifically I believe a MITB attack as Zeus hijacks the browser not just for old style keylogging but also to bypass the OTP tokens many banks have deployed to their business customers. From everything I read it seems you have to assume that software solutions alone cannot stop Trojans getting into machines and once inside a users machine the Trojan can if the attacker wishes control just about any aspect of the machine to deceive the user. So the focus should be purely on the one thing we can get a handle on which is transaction authentication, assuming of course the user’s machine is already compromised. In this circumstance there are only 3 solutions I know of and the bank should have been aware of and implementing to prevent these types of attacks.

        First would be to use transaction signing electronic tokens and require the user sign each transaction (which many banks don’t demand). Even with a compromised machine I know of no way to circumvent this authentication. The downside, apart from the expense of the devices, is that it is a long and laborious process for the user requiring many actions back and forth (up to 40+ digits) none of which the user can get wrong. I believe that is why many banks don’t request this feature be used even after they supply the necessary devices.

        Second would be the IBM ZTIC, a much more user friendly device where the user must verify the transaction details on the device itself not from the screen which we are assuming is compromised by the Trojan. The only downside would be the cost of the devices and the need for USB and compatible software to hardware.

        Third would be my own solution, a printed user key pattern http://www.passwindow.com. With the manual visual challenges I can include transaction information directly into the encoded challenge alongside the authentication code (see the security page); in this way it is not possible for any Trojan to interfere with the transaction information being displayed to the user on the user’s machine or on the network. Being so simple it also avoids a whole host of complicated hi-tech electronic attacks. The tokens themselves cost almost nothing to make as they are merely printed unique key patterns. It does not require any batteries, hardware or specific software as it simply runs off an image on screen, so it can run off PCs, laptops, mobiles, TVs, anything with a screen, without regard for incompatibility issues. It also doesn’t require a USB port, which I personally consider a security risk, especially in a work environment with the increasing number of Trojans using them as a vector.

        I have avoided including some other solutions such as burnt Linux discs as I just can’t believe the usability will be there for the common man. The average guy never installed security certificates in his browser because he had no idea what it was about and didn’t want to know. The sandboxed OS idea also fails if you assume the attacker has complete control of the user’s system, whereby they could simulate a Linux OS reboot. (I know it’s a stretch but it is possible.) Another attack could be snail-mailing people a new *improved* Linux disc. I don’t doubt its security however.
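
Matt’s first option, transaction signing, as an added worked example (not code from the page, from Matt, or from any token vendor). The HMAC-SHA256 construction below is a stand-in for whatever a real signing device uses; the shared secret, challenge, account numbers and amounts are all made up. It contrasts an event-based OTP, which the bank accepts no matter what payee the infected browser substitutes, with a code the user computes on a separate device over the account and amount they actually keyed in, so the substituted transaction fails verification. Keying challenge, account and amount into a token by hand is exactly the digit-entry burden Matt mentions.

```python
"""Transaction signing versus a plain one-time password under a
man-in-the-browser. Added example; keys, numbers and amounts are constructed."""
import hashlib
import hmac
import secrets
import struct


def _digits(mac: bytes, n: int = 8) -> str:
    """Truncate a MAC to n decimal digits, as a hand-keyed token would."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**n:0{n}d}"


class SigningToken:
    """Hypothetical hand-held token sharing a secret with the bank. The user
    keys the payee account and amount into it by hand, so it signs what the
    user intends, not what the infected PC submits."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def otp(self):
        """Event-based OTP: bound to nothing but the counter."""
        self._counter += 1
        mac = hmac.new(self._secret, struct.pack(">Q", self._counter), hashlib.sha256).digest()
        return self._counter, _digits(mac)

    def sign(self, challenge: str, account: str, amount_cents: int) -> str:
        """Bound code: bank challenge plus the details typed on the token."""
        msg = f"{challenge}|{account}|{amount_cents}".encode()
        return _digits(hmac.new(self._secret, msg, hashlib.sha256).digest())


class Bank:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_counter = 0

    def new_challenge(self) -> str:
        return f"{secrets.randbelow(10**8):08d}"

    def accept_with_otp(self, counter: int, otp: str, account: str, amount_cents: int) -> bool:
        """OTP check: fresh counter and matching code. The account and amount
        play no part, which is the weakness."""
        if counter <= self._last_counter:
            return False  # replay of an already-used code
        mac = hmac.new(self._secret, struct.pack(">Q", counter), hashlib.sha256).digest()
        ok = hmac.compare_digest(_digits(mac), otp)
        if ok:
            self._last_counter = counter
        return ok

    def accept_with_signature(self, challenge: str, account: str, amount_cents: int, sig: str) -> bool:
        """Recompute over the transaction the bank is actually about to execute."""
        msg = f"{challenge}|{account}|{amount_cents}".encode()
        expected = _digits(hmac.new(self._secret, msg, hashlib.sha256).digest())
        return hmac.compare_digest(expected, sig)


def mitb_rewrite(tx: dict) -> dict:
    """Constructed man-in-the-browser: after the user approves the screen,
    swap payee and amount but forward whatever code the user typed."""
    return {**tx, "account": "999999999", "amount_cents": 870_000}


def run_scenario():
    secret = b"\x01" * 32  # fixed for determinism; a real token has a per-device key
    token, bank = SigningToken(secret), Bank(secret)
    intended = {"account": "123456789", "amount_cents": 250_000}
    results = {}

    # (a) OTP: user reads the code off the token and types it into the browser.
    counter, code = token.otp()
    sent = mitb_rewrite({**intended, "counter": counter, "otp": code})
    results["otp_mitb_accepted"] = bank.accept_with_otp(
        sent["counter"], sent["otp"], sent["account"], sent["amount_cents"])

    # (b) Signing: user keys challenge, account and amount into the token.
    challenge = bank.new_challenge()
    sig = token.sign(challenge, intended["account"], intended["amount_cents"])
    sent = mitb_rewrite({**intended, "challenge": challenge, "sig": sig})
    results["signed_mitb_accepted"] = bank.accept_with_signature(
        sent["challenge"], sent["account"], sent["amount_cents"], sent["sig"])

    # (c) The same signature over the untampered transaction verifies.
    results["signed_honest_accepted"] = bank.accept_with_signature(
        challenge, intended["account"], intended["amount_cents"], sig)

    # (d) Replaying the used OTP is refused, but a fresh one would still be unbound.
    results["otp_replay_accepted"] = bank.accept_with_otp(
        counter, code, intended["account"], intended["amount_cents"])
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The bank-side check in (b) is only as good as what the user keys into the device: if the token took the account number from the PC over USB instead of from the keypad, the malware could feed it the mule’s details and the signature would verify over the wrong transaction. That is the property the ZTIC-style devices Matt mentions next try to preserve by showing the details on their own display.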

        1. Terry Ritter

          In the best of all possible worlds, banks would quickly provide a real solution for everyone.

          In contrast, Linux “live” DVD’s are available now.

          I am, in fact, writing this under Linux loaded from DVD on a laptop with no hard drive. But I rarely see Linux, per se, since I spend most of my time in the Firefox browser. And if Firefox is “usable” under Microsoft Windows, surely it is usable under Linux.

          1. Michael

            @ Terry Ritter and Matt: Am non-geek, agree puppylinux DVD solution within reach but not easy reach. Toshiba says their later-softmodems absolutely do not work with linux; had to buy hardware modem and get used to no dialing noises. Good install help sites were hard to find (Terry’s one of the best, thanks!), had to diddle around for some hours. Haven’t found capable linux screen grabber to capture/crop/etc. transaction details (know of one?); scribbling details down on paper now. Linux lacks the software breadth Windows has, no software reviews, etc. Yes, linux doable but a tad exasperating. Matt’s PassWindow provides excellent security at very low cost making linux DVD unnecessary. PW has something the usual hardware dongle does not have – an encrypted bank-to-user com channel that permits the bank to safely send the user single-use passcodes associated with transaction details in real time with a live trojan in user’s browser. And it’s very cheap. PW encryption is breakable with use but could be made virtually unbreakable with single-use patterns on users’ cards (powered cards, costs more). Linux does not yet offer the ease of Windows+PW+software_breadth.

          2. Terry Ritter

            @Michael:

            “Am non-geek, agree puppylinux DVD solution within reach but not easy reach.”
            Anyone who wants Puppy Linux should try to find a geek to set up Puppy with Firefox and add-ons. After that, normal use is fairly straightforward. I like to imagine that, given instructions, even non-geeks can set up Puppy and Firefox if they put in the effort.

            “Toshiba says their later-softmodems absolutely do not work with linux; had to buy hardware modem and get used to no dialing noises.”
            That can be seen as a lesson: For the software developer, the needed changes would be relatively minor, being pretty much the same code with different interfaces to a different OS. But making the changes involves learning Linux and finding and learning a new development environment. Because Linux is a small market, that seems like too much trouble. This same issue is what malware authors face in trying to profit from their work, which is what gives anything other than Microsoft Windows a security advantage. The example is evidence that developers do avoid working on a secondary platform.

            “Haven’t found capable linux screen grabber to capture/crop/etc. transaction details (know of one?);”
            Actually, I prefer to see Firefox as the main program platform, with tens of thousands of add-on programs to choose from. For graphical screen capture I use “Shooter,” but one might consider something like “printpdf” or an on-line variant like “Web2PDF” or even just cut-and-paste to Google Docs or Google Mail.

            “Yes, linux doable but a tad exasperating.”
            Anguish is to be expected upon making any major change. Some things are actually better on the Puppy side, but mostly we just find different ways to accomplish our goals. Seeing Firefox as a program platform adds another level of opportunity to do things the way we want, opportunities which also work under Microsoft Windows.

            “Matt’s PassWindow provides excellent security at very low cost making linux DVD unnecessary.”
            Well, that is a claim and a conclusion. Sadly, there is no mechanical crank to turn and process the truth of such a claim. Security people tend to use old systems for a reason.

            While I am not a protocol guy, I have been around cryptographic protocols for a while and have seen many failures. A deep understanding of protocol issues usually is a lot harder than it seems at first. For example, a serious protocol error recently was found in SSL (a protocol central to Web security), even after all this time and all the implementers who looked at it. Not too long ago, dongles and 2-factor auth in general were going to save online banking, a simple idea which also turned out wrong.

            If we allow the possibility of infection, that is, a live bot calling home on broadband as we work, we are just daring the bot-master to find a way in. Such an “in your face” approach requires security protocols to be nearly perfect, something which cannot be proven. The better approach is to lose the bot.

            Puppy Linux from DVD avoids the bot, resists the bot, resists infection, is easily reconstructed as clean, and is available now. We do not have to wait, and we do not have to trust a new protocol.

            “Linux does not yet offer the ease of Windows+ PW+ software_breadth.”
            Not only does Linux not have “software breadth” now, it never will. Puppy Linux right now is good enough for secure banking, email and browsing. Puppy seems to have almost accidentally collected all the tools needed to construct a more secure environment than current Microsoft Windows can possibly offer. Almost 93 percent of browsing occurs under Microsoft Windows. If the Microsoft approach to malware actually worked, there would not be a malware problem.

            Although we often talk about insecurity in the context of a bot infection, that is really just a nod to the ubiquity of Microsoft Windows. The real problem is the infection. A hard-drive infection can be acquired by a single human mistake and remain in place until the OS is re-installed. Trying to attain banking security with a bot in place is a Windows-context recognition that we do not have tools to find every bot, and may not want the hassle of a re-install. Security argues for a different context.

            We can accept weakness if we can avoid problems. And when avoidance just means doing the banking first, that seems more than good enough. But that only applies to Puppy from DVD, not Microsoft Windows.

            Trying to live with the bot is the problem of Microsoft Windows. Avoiding the bot is the advantage of Puppy Linux from DVD.

  6. Marty

    Citibank recently enhanced security on their site, which I first thought was a pain but now recognize as a nice enhancement. When adding a new payee, they require you to reenter your ATM card info, which they never did before. In addition any changes or additions to payees are emailed to the email address on record. I think the additional steps reduce the chance of theft or at least will enable it to be spotted within a day.

  7. Gannon

    This is just out of control.

    Point of Order, though: Are Municipalities a “Business Account” or a “Personal Account” for notification purposes ?

    My memory of mostly useless factoids seems to indicate a thing called the Lindbergh Law. Something similar for Small Business is needed. The FBI, if they are going to do jurisdictional triage, should be taking responsibility.

    Just my 2 cents.

    1. MGD

      @Gannon,

      They are commercial UCC accounts not subject to consumer protection laws.

  8. Henry S. Winokur

    It seems to me that there are multiple ways of addressing this problem. The first is almost at the top… with the banking industry fixing the problem. But since our banks don’t like this kind of thing, then it’ll be up to the Feds to do something about it. Of course, the anti-big government folks will see that as a problem, until it happens to them and then they’ll be asking why something wasn’t done to protect them (the answer is obvious–you can’t have it both ways.) I’m sure it’ll be like the health care debate that is going on now. Certain folks don’t see the benefits until they work for THEM.

    Another way to deal with it is to make it a crime and start arresting the mules. Without them the process stops.

    1. Blair

      >> Another way to deal with it is to make it a crime and start arresting the mules. Without them the process stops.

      It already is a crime, and the mules are technically liable for the amount they received.

      But the mules are the small fish. One of the reasons money mules are used is because they’re pretty easy to replace (those “work at home” scams). Arrest all the mules you like, you still won’t have solved the problem.

    2. KFritz

      The mules are never more than one time players. As I’ve been reading it, they’re usually caught. It happens to desperate and not overbright folk, abundant in the current economy. They’re lured by websites which match their weaknesses, slick design, poor wording. BK has posted this before.

      http://www.bobbear.co.uk/

  9. AlphaCentauri

    @Ron – my understanding is that the wire transfers aren’t used to actually move the money out of the victim’s account. It is transferred to the money mules’ accounts by creating new employees and setting up direct deposit for their fake “paychecks.” Then the money mules are expected to wire it out of the country quickly. You’d have to block wire transfers for people who currently have no business with the bank or the victims. While we associate wire transfers with shady activity, they are an important way for people to get money to relatives who don’t have bank accounts.

    @Matt and Marty – the only kind of confirmation that would be valuable is one that does not involve the victim’s computer in any way. If it’s an email confirmation and the scammers control the computer, they can respond to the email, too. If it’s a code number from an ATM card, nothing gets to the bank unless ZeuS relays it. If it’s a fingerprint, it has to be digitized to be submitted, and ZeuS gets that, too. You can have as many extra passwords as you want, but unless the mere fact that the bank is asking for more passwords communicates something to the user (e.g., that there are too many password requests for the number of transactions), the trojan always gets the information first. There was an interesting bit of information that multiple customers of Fifth Third Bank had been hit in a short interval, so if the scammers are sticking with a single bank, they will know its verification protocols.

    @Brian — do we know which operating system(s) the banks’ servers are running? Do we know that no one has created “ZeuServer2010 Enterprise Edition” or something like that? A man in the middle would work at either end of the transaction.

    1. Pat

      This is exactly the point and what constitutes the “It’s not my fault” on both sides of the transaction. Once the computer is taken over, there is no defense. The client sees a normal financial transaction occurring and the bank responds to what it sees as a normal financial instruction. Problem is both are normal from each side; it’s the blind spot in the middle where the malice occurs and is unstoppable. These transactions need to be made on a clean machine.

      1. Matt

        There are a very few solutions I outlined above which are still secure even assuming the user’s machine / network are entirely compromised. There’s still hope in this war yet 🙂

  10. emv x man

    “sending the money in sub-$10,000 chunks to individuals around the country who had no prior business with Egg Harbor.”… it’s rather surprising the ‘no prior business’ aspect didn’t alert the bank’s security systems.
    Unfortunately, it is these kinds of losses – and the publicity around them – that will move the banks in the US to take more effective measures.
    One can’t help thinking that until the banks are more responsible for losses incurred they won’t be inclined to invest money to prevent the crimes.

  11. TheOtherGeoff

    re MultiFactorAuthentication:

    An OOB authenticator is required… calling a phone number (office phone for a bank) , having the transaction read to you (“you are sending $8939.38 to VanDelay Industries via money Transfer”) and entering in a PIN is the logical solution… it can’t be caught by a man in the middle/man in the browser attack.

    Several vendors (Authentify comes to mind, as does StrikeForce, and PhoneFactor… and I’m sure others). Tying this to the back end (not the web site, but the actual transaction engine) would separate and generate the appropriate security (tying it to Anti Money Laundering that all banks must employ).

    1. Mike

      There’s no possibility that any reasonably sized business will do this for every bank transaction, so it’s a non-starter. So what are the selection criteria? If they are something simple like transaction amounts, the bad guys will just work around it. If the criteria are more complex, and reflect actual suspect behavior, why not just use those criteria as a trigger for investigation by the bank? (Just as is done for credit cards…) They could put a hold on the transaction and contact the customer out of band to verify its validity. (Note the difference between “customer does something obnoxious for every transaction” and “bank investigates suspicious activity”. Reacting to “something seems odd here” is actually something that banks used to do routinely before humans were taken out of the loop.) This is why it’s ridiculous to say that the banks aren’t responsible because the computers are compromised, etc.–they already do fraud identification for other transaction types, and the only difference is where the liability rests. Of course they’d like to put all the burden on the customer, but if wishes were horses…
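
The bank-side screening Mike argues for, written out as an added example (not any bank’s rules, and not code from the page). It uses the pattern the article itself describes: a batch of first-time credits to individuals with no prior business with the account, each kept under $10,000, released in one go. The payee history, the two batches, the thresholds and the hold/release decision are all constructed for illustration; a real engine would tune the thresholds per customer segment and feed the hold into an out-of-band call rather than simply print it.

```python
"""Screening an outgoing ACH batch before origination. Added example; the
history, batches and thresholds are constructed, not taken from any bank."""

# Constructed history: payees this account has credited in the past 12 months.
KNOWN_PAYEES = {"A. Smith", "B. Jones", "Acme Supply", "County Electric"}

# Assumed thresholds.
NEW_PAYEE_COUNT = 3                      # more than this many first-time payees in one batch
NEW_PAYEE_SHARE = 0.5                    # or more than this share of batch value to them
NEAR_LIMIT = (800_000, 999_999)          # $8,000.00 to $9,999.99: "just under $10k"
NEAR_LIMIT_COUNT = 3                     # this many such first-time credits together


def screen_batch(batch, known=KNOWN_PAYEES):
    """Return (decision, reasons, summary). decision is 'release' or 'hold';
    hold means do not originate until the customer confirms out of band."""
    total = sum(t["amount_cents"] for t in batch)
    new = [t for t in batch if t["payee"] not in known]
    new_amount = sum(t["amount_cents"] for t in new)
    near_limit = [t for t in new if NEAR_LIMIT[0] <= t["amount_cents"] <= NEAR_LIMIT[1]]
    individuals = [t for t in new if t["payee_type"] == "individual"]
    reasons = []
    if len(new) > NEW_PAYEE_COUNT:
        reasons.append(f"{len(new)} first-time payees in one batch")
    if total and new_amount / total > NEW_PAYEE_SHARE:
        reasons.append(f"{new_amount / total:.0%} of batch value goes to first-time payees")
    if len(near_limit) >= NEAR_LIMIT_COUNT:
        reasons.append(f"{len(near_limit)} first-time credits between $8,000 and $9,999.99")
    # Mule pattern: every first-time payee is a private individual, not a vendor.
    if len(individuals) >= NEW_PAYEE_COUNT and len(individuals) == len(new):
        reasons.append("all first-time payees are individuals")
    summary = {"total_cents": total, "new_payees": len(new), "near_limit": len(near_limit)}
    return ("hold" if reasons else "release"), reasons, summary


def payroll_batch():
    """Constructed normal batch: two known employees plus one new vendor."""
    return [
        {"payee": "A. Smith", "payee_type": "individual", "amount_cents": 312_500},
        {"payee": "B. Jones", "payee_type": "individual", "amount_cents": 287_000},
        {"payee": "New Pump Co", "payee_type": "company", "amount_cents": 250_000},
    ]


def fraudulent_batch():
    """Constructed mule batch: 13 first-time individuals, each under $10,000."""
    amounts = [872_000, 945_000, 899_000, 987_500, 911_000, 835_000, 960_000,
               998_000, 880_000, 925_000, 890_000, 970_000, 905_000]
    return [{"payee": f"Mule {i:02d}", "payee_type": "individual", "amount_cents": a}
            for i, a in enumerate(amounts, start=1)]


if __name__ == "__main__":
    for name, batch in (("payroll", payroll_batch()), ("mule batch", fraudulent_batch())):
        decision, reasons, summary = screen_batch(batch)
        print(f"{name}: {decision} {summary}")
        for r in reasons:
            print(f"  - {r}")
```

None of these rules needs the customer’s PC to be clean; they run on the bank’s side against the bank’s own payee history, which is the point of Mike’s comparison with card fraud screening. The simple amount rule on its own is easy to evade (pay $7,000 instead), which is why the count and share of first-time payees carry more weight here than the dollar band.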

    2. Matt

      Unfortunately, using phone systems, be they landline or mobile, is not a secure platform to build an authentication system on. In many circumstances it is far easier for an attacker to get a telecom to transfer / forward / spoof the victim’s calls to an attacker’s anonymous mobile than it is to go through the complexity the Zeus Trojan overcomes. Often this process is only authenticated by knowing the victim’s basic details such as date of birth, etc. What makes it worse is that many telecoms are forced under anti-competition legislation to make the transfer of numbers between networks easier, as many shady ones previously used tougher transfer processes to try to lock users into unfavourable deals.

      You have to expect if there is mass adoption of an authentication system there will be mass targeting of that system by criminals and any holes in the system, no matter how small, will be broken wide open.

    3. AlphaCentauri

      @TheOtherGeoff
      “An OOB authenticator is required… calling a phone number (office phone for a bank), having the transaction read to you (“you are sending $8939.38 to VanDelay Industries via money transfer”) and entering in a PIN is the logical solution… it can’t be caught by a man-in-the-middle/man-in-the-browser attack.”

      If I were a criminal and there were hundreds of thousands of dollars available if I pull off a successful scam, I would try to have your phone number changed in the bank records. I would even be willing to send a letter on official looking stationery in advance of my plan to empty your accounts, during the time while I am recording what you do when you make your legitimate bank transactions. I might even fax it from your computer. Then I would call you with the transaction you think you are making to have you enter your PIN. I can even record the tones from your phone when you do it. When the bank robocalls me at the new number I gave them to confirm the fraudulent transaction, I can confirm it. To have any phone confirmation, even if restricted to the most suspicious transactions, you would need a foolproof way of preventing the criminals from updating phone records that doesn’t prevent you from accessing your own account if you are at a different phone, or if your bookkeeper’s cell phone is stolen and your employees need to be paid.

  12. BrianKrebs Post author

    Just to clarify, in both incidents the fraudulent transfers were made via automated clearing house (ACH) payments, which are essentially bank to bank transfers, usually between two banks in the United States. In ACH fraud, the scammers generally try to disguise the ACH transfers as bogus payroll payments, and indeed in at least one case above the bogus ACH batch went through at around the same time the victim entity normally files their legitimate payroll batches.
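
Added example (not code from this post, from any commenter, or from any bank): a bank-side behavioral screen of the kind Mike describes above, run over constructed ACH batches. A flat amount threshold finds nothing in a batch split into sub-limit pieces, while comparing the batch with the originator’s own payroll history does; the bogus batch is dated on the usual payday, as Brian notes the real ones were, so timing alone gives no signal. The payee names, amounts, feature weights and hold threshold are all assumptions for illustration.

```python
"""Behavioral screening of an ACH batch against the originator's own history.

Added example, not code from any bank or from this post. All batches,
payee names, amounts, weights and thresholds below are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class AchEntry:
    payee: str      # stands in for the receiving routing/account number
    amount: float   # dollars


@dataclass(frozen=True)
class AchBatch:
    sent: date
    entries: tuple  # of AchEntry


def amount_threshold_alerts(batch, limit=10_000.0):
    """The simple rule the crooks work around: flag entries at or above a fixed amount."""
    return [e for e in batch.entries if e.amount >= limit]


def behavioral_score(batch, history, limit=10_000.0):
    """Score how far a batch departs from the originator's past batches.

    Returns (score, reasons); each reason names a feature that fired.
    """
    known_payees = {e.payee for b in history for e in b.entries}
    usual_days = {b.sent.day for b in history}
    score, reasons = 0, []

    # Payee novelty: payroll goes to the same people each period. A batch where
    # most recipients have never been paid by this originator is the strongest signal.
    new = [e for e in batch.entries if e.payee not in known_payees]
    if len(new) * 2 >= len(batch.entries):
        score += 3
        reasons.append(f"{len(new)} of {len(batch.entries)} payees never paid before")

    # Structuring: several amounts bunched just under the limit.
    just_under = [e for e in batch.entries if 0.8 * limit <= e.amount < limit]
    if len(just_under) >= 3:
        score += 2
        reasons.append(f"{len(just_under)} amounts between {0.8 * limit:,.0f} and {limit:,.0f}")

    # Batch total far above the historical median.
    total = sum(e.amount for e in batch.entries)
    typical = median(sum(e.amount for e in b.entries) for b in history)
    if total > 2 * typical:
        score += 1
        reasons.append(f"total {total:,.2f} vs typical {typical:,.2f}")

    # Timing only fires when the batch is off-schedule. A bogus batch timed to
    # coincide with real payroll passes this check, so it cannot carry the decision.
    if batch.sent.day not in usual_days:
        score += 1
        reasons.append(f"sent on day {batch.sent.day}, usual days {sorted(usual_days)}")

    return score, reasons


def screen(batch, history, hold_at=3):
    """Bank-side decision: release, or hold the batch and confirm with the customer out of band."""
    score, reasons = behavioral_score(batch, history)
    verdict = "hold for out-of-band confirmation" if score >= hold_at else "release"
    return verdict, reasons


# --- constructed sample data (assumptions, not real transactions) ----------
EMPLOYEES = [f"employee_{i:02d}" for i in range(12)]


def payroll(day):
    """A normal semi-monthly payroll batch: the same 12 employees, stable amounts."""
    return AchBatch(day, tuple(AchEntry(p, 2_000.0 + 100 * i) for i, p in enumerate(EMPLOYEES)))


HISTORY = [payroll(date(2010, 1, 1)), payroll(date(2010, 1, 15)),
           payroll(date(2010, 2, 1)), payroll(date(2010, 2, 15))]

# Legitimate payroll for the next payday.
LEGIT_BATCH = payroll(date(2010, 3, 15))

# Bogus "payroll" sent on the same payday: 14 never-seen recipients, each just under $10,000.
FRAUD_BATCH = AchBatch(date(2010, 3, 15),
                       tuple(AchEntry(f"mule_{i:02d}", 8_450.0 + 110 * i) for i in range(14)))

if __name__ == "__main__":
    print("threshold alerts on fraud batch:", amount_threshold_alerts(FRAUD_BATCH))
    print("behavioral screen, fraud batch:", screen(FRAUD_BATCH, HISTORY))
    print("behavioral screen, legit batch:", screen(LEGIT_BATCH, HISTORY))
```

The point of the two rules side by side: the threshold check returns an empty list for the fraudulent batch, while the behavioral score puts it well past the hold threshold on payee novelty and structuring alone, and the legitimate payroll on the same day scores zero.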

  13. Michael Rowland

    Technology alone, no matter how sophisticated, will never solve this problem. We had to acknowledge that fact before we could create an industrial-strength banking solution for the real world.

    Our approach is documented at http://www.intercomputer.com.

  14. BrianKrebs Post author

    Jim Woodhill wrote in to say he was having trouble posting this comment, so I’m doing it for him at his request:

    ——

    AlphaCentauri,

    There is always a “next” attack scenario. The bad guys in Eastern Europe having to execute the kind of “Mission: IMPOSSIBLE” scenario you describe rather than just have a future victim’s browser touch an infected web site (e.g., via a successful spear-phishing attack) is a problem that our industry should be seeking to “create” rather than “solve”!

    Note that this “dial-back” security technique also moves the fraud from a gray area of the law (UCC-4A’s language about “commercially reasonable” “security procedures”) to one where the law might be more clear (bank culpability for allowing a person with a heavy European accent to get them to change your registered phone number).

    And how, exactly, do you propose that the bad guys even find out which phone number they are trying to change? One would presume that even an organization like PlainsCapital Bank would have its CSR insist that the impostor know what the current dial-back number is before they will change it to a new one. (And, who knows? They might even have the wit to *call* the current number to see if the real customer answers!)

    At some point, the effort per dollar gets too high and the bad guys will move to some other crime. I am afraid that is as good as it gets in this Fallen world.

  15. security systems

    I took a class in college while doing programming where we discussed some security systems and how banks will constantly have money traveling through the air. My teacher was asked to work on a bank’s system, but it was like millions of dollars floating at any moment, so if you messed up (and you had to work while it was live) you could misplace more money in a minute than you’d make in your life.
