A rash of home foreclosures and abandoned dwellings had already taken its toll on the tax revenue for the Village of Summit, a town of 10,000 just outside Chicago. Then, in March, computer crooks broke into the town’s online bank account, making off with nearly $100,000.
“As little as we are, $100,000 represents a good chunk of money, and it hurts,” said Judy Rivera, the town’s administrator. “We were already on a very lean budget, because the tax money just isn’t coming in.”
Summit is just the latest in a string of towns, cities, counties and municipalities across America that have seen their coffers cleaned out by organized thieves who specialize in looting online bank accounts. Recently, crooks stole $100,000 from the New Jersey township of Egg Harbor; $130,000 from a public water utility in Arkansas; $378,000 from a New York town; $160,000 from a Florida public library; $500,000 from a New York middle school district; $415,000 from a Kentucky county (this is far from a comprehensive list).
According to Rivera, the theft took place Mar. 11, when her assistant went to log in to the town’s account at Bridgeview Bank. When the assistant submitted the credentials to the bank’s site, she was redirected to a page telling her that the bank’s site was experiencing technical difficulties. What she couldn’t have known was that the thieves were stalling her so that they could use the credentials she’d supplied to create their own interactive session with the town’s bank account.
“The site even gave her a phone number to call for customer service, but when she tried the number she found it was a residence,” Rivera said. “She also called the bank, which said they weren’t having any technical difficulties.”
The following day, Bridgeview Bank notified the town that someone had executed two sets of transfers: one automated clearing house (ACH) batch transfer of seven payments of slightly less than $10,000 to individuals around the country; and a large wire transfer of nearly $30,000. The bank succeeded in stopping the fraudulent wire, but Rivera said the town has all but given up hope that it will retrieve the other $70,000.
Bridgeview Bank could not be immediately reached for comment.
Looking for advice about what banks and businesses should be doing to help detect and block this type of fraud? Check out this post: E-Banking Guidance for Banks & Businesses.
What she couldn’t have known was that the thieves were stalling her so that they could use the credentials she’d supplied to create their own interactive session with the town’s bank account.
Why couldn’t she have known that? Anyone dealing with online banking should, by now, be aware of these issues.
“She also called the bank, which said they weren’t having any technical difficulties.”
Why didn’t that send up red flags, fire rockets, and sound alert sirens at the bank? Seems that the bank, having been informed that something was up, could be vulnerable to a lawsuit there.
“Why didn’t that send up red flags, fire rockets, and sound alert sirens at the bank? Seems that the bank, having been informed that something was up, could be vulnerable to a lawsuit there.”
As the IS admin for a credit union, I can assure you that it would be quite maddening if every call were fielded with that perspective. An overwhelming percentage of calls received regarding any electronic service (Phone Teller, ATM, Online, etc) amount to user error or some other problematic service beyond the control of the institution. As unfortunate as it is, it would be impossible for even a small bank to provide each call with the attention required to uncover an attack of this nature.
Now, a potential area for growth that I see is stronger, perhaps automated, cross department communication. While a network admin may not have considered the call to be panic inducing on its own, corroborated with the transactions which would have been posted moments later, and (hopefully) eventually reviewed by the accounting staff, the pieces would have come together much sooner. I posted a comment here not long ago about the new Red Flag regulation that is supposed to be effective early June. That’s a good step in the right direction, but I believe it regulates only account and transaction activity which still wouldn’t have aggregated the city’s call for technical support.
“Why couldn’t she have known that? Anyone dealing with online banking should, by now, be aware of these issues.”
Because the only people who are aware of these issues are the geeks who read Brian’s blog. “Normal” people are unaware of of these issues, and even if they were, they would be hard pressed to understand them. This stuff is only reported is the IT Security focused sites as far as I can see.
Also, “one automated clearing house (ACH) batch transfer of seven payments of slightly less than $10,000 to individuals around the country” didn’t set off any alarms either. But, what the hey, it ain’t the banks money!
If they were notified THE NEXT DAY why could they do nothing?
DLD
I have to agree with DLD on the ACH transactions. It is very odd that 7 separate people were paid via an ACH transaction and not one of the payments was recovered. In general any ACH transaction can be recovered the next day since settlement between the banks isn’t usually final. Even if the communication was a little late between the banks it is surprising that every single “mule” was that quick.
One thing to keep in mind is that these mule recruiters generally give mules anywhere from a 2-5 percent bonus if they withdraw the transfer and then wire the money on within a couple of hours after the bank opens.
How dumb is a mule?
The mechanics of this type of compromise come from an infected end user machine and not the bank. The assistant’s computer was infected, from one of many potential ways these days. The attacker learned their bank, and having control over their computer, either change the bookmark URL, or the host file to point to a fake bank web page. The site prompts for login credentials as usual, but then puts up a false “Temporarily Down, Try Back Later;” or, I’ve heard of more elaborate rogue sites occupying the victims with new security questions like “what was your first pet’s name?” to gather more information about the victim for further exploit–or to sell to others.
The best way to stop (or reduce) this sort of crime is to put the onus on the banks basically. If they were held fully responsible for all losses, you can bet they’d put proper procedures in place to prevent them.
I like the sound of “out of band” checks (SMS, call-back etc.). But only as a component of a full suite of security checks.
I disagree. I’ve said this before. While the bank has a responsibility to secure their end, we as end users have a responsibility to secure our end of the deal. If you don’t take steps to properly secure your end and get malware on YOUR system that steals your credentials, that’s your fault, not the banks! Sorry, but where has personal responsibility gone these days? I make a handshake with the bank with the agreement they secure their end and I secure mine. Then when my end gets compromised, I turn around and blame the bank? Uh?
Except, I don’t know how to secure my end *and* banks enable online capabilities for my accounts that I don’t want, never asked for, and can’t disable.
How exactly do I make sure my system is free of malware?
I don’t want my bank account to be able to wire money online. I didn’t ask for this; if I ever want it I’ll go do it in person. Yet, there it is, and where on my bank website is the button to disable.
If you don’t know how to secure your end, I would strongly suggest that you don’t use online banking (or anything of sensitive nature) until you can confirm your system is clean. This speaks to one of the major immutable laws of computer security, “If a bad guy can alter the operating system on your computer, it’s not your computer anymore.”
You must be able to implement a defense in depth strategy that will instill absolute confidence that your system is clean and then ensure it is operated in such a manner as to stay that way.
The best way to test the current state of your system would be to boot from a Rescue CD and run a malware scan. See http://www.krebsonsecurity.com/2010/03/removing-viruses-from-a-pc-that-wont-boot
Even if malware is detected and successfully removed, you may wish to go the guaranteed route to ensure a “clean” system; backup your data, wipe the hard drive and re-install the OS and any needed software from scratch. Either way, be sure to implement a layered defense, commonly referred to as “defense in depth” as outlined below (ordered according to importance):
1. Use a non-admin (limited user) account for daily use (* see below)
2. Use a firewall (preferably a hardware firewall at the perimeter and a software firewall on each computer)
3. Keep the system fully patched (includes ALL software) – NOTE: most vendors release patches monthly
4. Use Antivirus/Antispyware software that is configured to update itself DAILY
5. Practice safe computing (ex. use caution with downloaded files and e-mail attachments, don’t click on links in e-mail, browse wisely, etc.)
6. Routinely (at least monthly) backup your data to external media (CD-R, DVD-R, external hard drive, etc.)
7. Install ONLY required software using the latest versions, uninstall old or unused software (reduces system attack surface and minimizes patching)
8. Use a blocking HOSTS file (http://www.mvps.org/winhelp2002/hosts.htm)
* A non-admin (limited user) account provides a greater level of protection as most malware is written with the assumption the user is an administrator. Without “administrator” access, the malware is not able to run as designed and fails to compromise the system.
The Importance of the Limited User, Revisited – Security Fix
http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html
You missed the point: in enabling online wire transfers my bank has exposed me to a risk that I didn’t ask for, don’t want and can’t disable. So taking personal responsibility isn’t the problem.
Your list is decent, but checking against malware blacklists, running in user mode, and doing auto updates does not allow me to know that my system is secure. I do all this and more. It reduces risk, but it does not guarantee your system is secure.
I agree with you that consumers need to accept personal responsibility for their (in)actions, including keeping their computer secure.
However, banks have a responsibility to implement and offer strong online authentication.
If you’re a business, and your bank doesn’t offer true multi-factor authentication or out-of-band confirmation for large ACH/wire transactions, there’s not much you can do to improve your security. Banks don’t have a strong incentive to improve their online security so long as the liability falls with the consumer.
This needs to change. The sad thing is that many banks are held back by their technology providers. Even if your bank or credit union realizes this is a serious problem, they are at the mercy of their online banking vendor for improvements.
And good luck with that… I’ve been waiting almost two years to see a deficient crypto algorithm replaced in a major financial platform. Any banking geeks who frequents these boards know the pain I speak of.
There is a critical shotagre of informative articles like this.
Banks need to have tighter authentication security. The end user can have all the latest Anti-Virus programs protecting their PC but just look at the Zeus Trojan.
Over 60% of today’s Malware detection programs have NOT detected the Zeus Trojan being placed on millions of PC’s world wide by Malware. That is not the fault of the user’s. However, Banks can easily and affordably protect their members’ online bank accounts from such exploits.
“The best way to stop (or reduce) this sort of crime is to put the onus on the banks”
Nonsense. The best – the only – way is to use the live CD Brian’s been nagging about for a year now. The best and only way is to stop using Windows. Is this so difficult to understand? Is there some hidden reward in dancing about the solution instead of applying it? Sure seems that way.
“The best and only way is to stop using Windows. Is this so difficult to understand?”
Yes, this is quite difficult to understand. The reason that it is difficult to understand is that there is no evidence to support it.
This story has holes. The ACH could have been retrieved that night or early the next morning. It’s only seven phone calls from one bank to another. The ACH would not hard post with the receiving bank until the opening of business the next day. And I think it highly unlikely that a crook would have done both wires and ACH. Usually it’s the wires that cannot be retrieved, not the ACH. This story just doesn’t add up.
And usually bank security is completely different for ACH and wires since they are separate departments. Wire security is usually a little more complex and involves a confirmation via another mode with password.
I would look inside the bank or inside the victim organization.
Having read a lot of these articles on Brians site I was wondering if we are having the same issues over here in the UK. I have not heard of anything like this going on but that doesn’t mean that it isn’t.
I believe this needs to be tackled by the banks and their customers until the problem is eradicated (unlikely). The banks need to beef up their security, they owe it to their customers. The customers need to take measures to prevent this happening as far as they can (they owe it to themselves) , even if it means spending a few hundred dollars on a new machine without disks and booting it from a CDROM, eg Ubuntu. I am sure the CDROM could be set up to only allow access to the banks website, surely preventing anything from any dodgy sites infectin gth memory, etc. Build in a proxy, privoxy maybe? Squid with squidguard?
Surely businesses should be doing this now? I cettinaly would be if I had a large amount of money in a bank. Prevention is better than cure. Perhaps what is needed is more publicity about this issue.
This is a reward for lazy employees and greedy businesses that feel the need to EFT their funds. Lazy businesses also use automatic telephone answering. With these two procedures, the lazy employees have more free grab-ass time and the greedy businesses have fewer employees. Serves them right.
Hi Brian,
Discovered your blog a while ago and appreciate it quite a lot for its depth. Most readers’ comments add further value to it and you catalyze this by responding to many posts. I am from Europe (The Netherlands) and while skimming a big problem here as well (not only ATMs are being targeted but often thieves hid and let themselves locked overnight in superstores and replace the POS machines with skimmed ones. There are also shoplifters who steal those POSes from shops (rather than usual goods), I guess to modify them into skimmed ones or to reverse engineer their security. However, I am not aware of small and medium sized companies being targeted by computer crooks as in the story above. I’m wondering why is that.
– are those cases happening here as well but do not get publicity being silently solved between the client and its bank ?
– is there some extra security in place preventing those attacks from being successful or recovery of stolen monies being more successful ?
– some other reason ?
Hi George,
Thanks for reading and for your comment. The answer is these attacks are happening almost everywhere. Whether they are succeeding as much in getting away with the money, or whether when losses do occur overseas they get reported on by the press in those places, I can’t really say. I doubt it. Nobody wants to talk about this.
Companies in the U.K., Spain, Australia and pretty much all of our allies are getting hit just as badly, if not as frequently. The crooks are targeting certain banking platforms rather than specific banks in many cases, as often times a large number of banks will use the same back-end and/or front-end technology.
Get the word out about the live CD. Get it in the mainstream. Get it on the front page of newspapers and websites everywhere. Get it on the radio, on the telly. Have governments put public service announcements in all the media. That’s the end to the whole shebang. And if people need financing – ask Bill Gates. He’s got some spare change.
Unfortunately, it’s just not as easy to reverse an ACH transaction as Rob and Tampa Banker implied in their posts. There are a couple of things that can affect your (the bank’s) ability to reverse an ACH transaction. First is timing. Banks typically send ACH transactions to the Fed (and then out to all of the receiving banks) a couple of times a day. If the ACH transaction is received early enough in the day by the Fed (generally before 1pm ET), the transaction could ‘hard post’ as early as the next morning (i.e., send it out before 1pm on Thursday and it will hard post by Friday morning). This is part of the ACH rules. Transactions received by a bank from the Fed prior to 5pm local time on the day prior to the effective date of the transaction must be posted to the customer’s account and available for withdrawal by opening of business (but no later than) 9am on the effective date. In other words, using my example above, ACHs received on Thursday afternoon must be made available to the customer by Friday morning.
So it would be possible that in this case the fraudulent ACH transactions were sent to the Fed prior to 1pm, but the reversing transactions were not sent until later in the day. This could cause the original (fraudulent) transactions to ‘hard post’ on Friday morning, while the reversals were only ‘memo posted’. Additionally (point #2), the receiving bank is under no obligation to honor the reversal transaction. So in my example, the fraudulent funds are made available first thing Friday morning. The money mules are instructed (quite explicitly) to be at their bank as soon as it opens to withdraw their funds. Since the fraudulent funds are ‘hard posted’, the mule is allowed to withdraw the funds. Once the reversal tries to ‘hard post’, there are no longer any funds available, so the bank returns the reversal as non-sufficient funds. The business customer that originated the (fraudulent) ACH transactions is left holding the bag.
Finally, even if both the fraudulent ACH transactions and the reversals were sent to the Fed prior to 1pm, there would be no guarantee that the reversals will be honored. The ACH rule that I referenced above only applies to credit transactions (deposits into the money mules’ account) not to debits (reversal of the deposit). The receiving bank is not required to have debit transactions posted by 9am. So, they could post the deposit first thing in the morning, but wait until their normal daily processing time (usually much later in the day) to post all of the debits.
Don’t forget too that the ACH world is highly automated. The vast majority of processed transactions are not reviewed by anyone at the receiving bank, they are simply posted to the appropriate account. Given the volume of ACH, it would be impossible for most banks to manually review each transaction.
Thanks for the informative post. 🙂
As I stated in a previous post on this thread (April 7, 2010 at 5:27 pm), my view is that of “An Ounce of Prevention is Worth a Pound of Cure”. In other words, while the bank needs to secure their end of the deal, we as end users have a responsibility to secure our end of the deal. If you don’t take steps to properly secure your end and get malware on YOUR system that steals your credentials, that’s your fault, not the banks!
I can’t really accept that the banks could not improve their anti-fraud measures for ACH and wire transactions. Think of how hyper alert they are to any change in purchasing patterns with credit card purchases. They know what your normal spending pattern is, and they flag anything out of the ordinary. It’s quite sophisticated. If they were made responsible for fraudulent transfers out of customer accounts, they’d have hugely improved security in place before you could say Zeus.
Robert — To be clear, most banks don’t have that kind of awareness or technology in place. Most banks no longer “know their customers,” either by name, site, or what their typical activity looks like. Nor have most of them invested in technologies that let them tell whether a given customer’s bank account activity is unusual.
You’re thinking more about the technology that drives credit card transactions, and that isn’t managed by the banks/issuers either: It’s more or less run by Visa and Mastercard. They’re the ones with all the transaction profiling information.
Brian, I hate to disagree, but I think the banks/issuers are the primaries in credit card fraud prevention, and to some extent the merchants and payment processors. My understanding is that Visa and MasterCard are more standards setting consortiums than transaction processing operations. That’s why they publish the PCI standards but aren’t the implementers.
In any case my personal experience has been direct contact with my bank about questionable transactions, and one purchase where the merchant requested additional verification (that was a good one, flagged because it was a new card with a ship-to address different from the billing address, because I was having it shipped to my employer which happened to be the issuing bank, where I was IT security architect – unusual but not a classic fraud pattern!).
I think you’re right, and hit the most critical factor, with the first paragraph about banks not having the technology in place for deposit accounts. The reason is simple, there is no incentive since they don’t bear the losses on commercial accounts. If they had to be responsible it’s a safe bet that they’d be deploying the appropriate safeguards PDQ.
Incidentally, most of them do have technologies that let them tell whether a customer activity is unusual, to meet the requirements of the anti-money laundering regs. They just don’t use the technology for fraud prevention because it is purely compliance driven and reporting oriented (i.e. after the fact, not timely enough for transaction approvals or reversals). Again, make them liable and there’s an incentive for action where presently there is none.
There’s an easy way to settle that. Talk to somebody on the inside as we have.
When something like this happens, cannot the mules be identified, and made responsible for the amount in question? They knew it wasn’t their money so they couldn’t claim ignorance.
Admin,
You, as a user can not secure your online banking session against today’s online exploits, although you should try. Malware carrying Zeus has and will continue to be designed to fly below the radar of Anti-Virus/Malware software so in over 70% of the cases, it will not be detected.
I am currently working with Banks and Credit Unions to provide them with a dynamic virtual token that the user has but does not control. This will fix this problem, which is a Bank issue not a user issue.
Best,
Mike