June 28, 2010

A California escrow firm has been forced to take out a pricey loan to pay back $465,000 that was stolen when hackers hijacked the company’s online bank account earlier this year.

In March, computer criminals broke into the network of Redondo Beach based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

Owner Michelle Marisco said her financial institution at the time — Professional Business Bank of Pasadena, Calif. — normally notified her by e-mail each time a new wire was sent out of the company’s escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.

The thieves also defeated another anti-fraud measure: A requirement that two employees sign off on any wire requests. Marisco said that a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on both Marisco’s computer and the PC belonging to her assistant, the second person needed to approve transfers.

As a guarantor of payment for residential real estate transactions, Village View Escrow holds other peoples’ money until the sale of a property is complete. Failure to come up with the funds when a real estate deal is finalized can spell bankruptcy and possibly worse for an escrow provider. Since the incident, Marisco has had to take out a $395,000 loan at 12 percent to cover the loss (she managed to get $70,000 in wires reversed).

“I’m working for nothing right now, and can’t afford to pay myself,” Marisco said in a phone interview.

Officials from Professional Business Bank did not immediately return calls seeking comment.

Marisco said her bank disavowed any responsibility for the incident early on, and that the bank believes the thieves had even used her company’s Internet address to access the account, apparently by leveraging the Trojan they had planted to tunnel their connection through her machine.

Village View Escrow depends on wires to finalize residential real estate sales in the California area, but had never before sent a wire outside the United States. Yet, several of the wires were sent internationally, including a direct $88,000 wire to PrivateBank in Latvia, and a $94,000 transfer to Norvika Bank, also in Latvia.

The rest of the money was sent via wire to numerous individuals across the United States who were willingly or unwittingly recruited over the Internet through work-at-home job scams that promised work as international finance agents for a company that claimed to help corporations move their money abroad faster than they might be able to do otherwise.

At least the thieves were honest on that point.

The case of Village View Escrow shows that while small businesses are frequently the target of this sophisticated type of e-banking fraud, small business owners also often are involved in helping to fleece the victims. Indeed, many of the fraudulent wires that the thieves sent from Village View Escrow’s online account were for amounts between $10,000 and $30,000 that were sent to checking or savings accounts belonging to small business owners.

E-banking thieves normally keep their fraudulent transfers to less than $10,000 to avoid the anti-money laundering requirements of the retail banks. But the fraudsters can move far more money through business accounts without raising any red flags.

According to Village View Escrow, one of the mules was a real estate agent in Houston who received two wires totaling $34,000. Another fraudulent wire for $29,000 was sent to an upstart software firm in Tennessee.

“Probably 60 percent of them were people who were trying to start a small business,” said Ken Holloman, Village View Escrow’s information technology consultant. “They were everything from a guy who had started a gem company, another that had started a watch company…most of them were just trying to get some business going and some income coming in.”

I have said it before and will say it again: No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system. But for better or worse, the commercial banks have no (dis)incentive to do much to improve the integrity of online banking transactions because the current regulations effectively hold them blameless when a customer loses money.

Some commercial banks are adopting security measures that don’t merely involve pushing the security entirely out to the customer’s computer. But regardless of whether the legal equation changes, small to mid-sized businesses can dramatically reduce the risk of becoming the next victim of this type of crime by either using a dedicated PC for online banking, or by accessing their accounts only from a computer booted up into a Live CD.
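The pattern described above is one a bank could screen for on its own side of the connection, whatever the state of the customer’s PC: a burst of wires to beneficiaries the account has never paid, a first-ever international wire, amounts parked just under the $10,000 reporting threshold, and a wire-alert setting that was switched off days before the burst. The following is an added example, not code from the article or from either company involved; the wire records, beneficiary names, and the thresholds (a 24-hour window, more than three new beneficiaries, a seven-day grace period after alerts are disabled) are constructed assumptions chosen to mirror the incident, not Village View Escrow’s actual records.

```python
"""Rule-based screen for outbound wire requests (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Wire:
    ts: datetime
    amount: float
    beneficiary: str
    country: str  # country of the receiving bank


@dataclass
class AccountProfile:
    """What the bank already knows about this customer's normal wire activity."""
    countries_seen: Set[str]
    beneficiaries_seen: Set[str]
    alerts_disabled_at: Optional[datetime] = None  # when e-mail wire alerts were turned off


AML_THRESHOLD = 10_000.0  # the $10,000 reporting threshold the article mentions


def screen_wires(profile: AccountProfile, wires: List[Wire],
                 window: timedelta = timedelta(hours=24),
                 max_new_beneficiaries: int = 3,
                 alert_grace: timedelta = timedelta(days=7)) -> List[Tuple[Wire, List[str]]]:
    """Return (wire, reasons) for every wire that should be held for out-of-band confirmation.

    The window, beneficiary count and grace period are assumed tuning values.
    """
    flagged: List[Tuple[Wire, List[str]]] = []
    recent_new: List[datetime] = []  # timestamps of recent wires to never-seen beneficiaries
    for w in sorted(wires, key=lambda x: x.ts):
        reasons: List[str] = []
        # Rule 1: the account has never wired to this country before.
        if w.country not in profile.countries_seen:
            reasons.append(f"first ever wire to country {w.country}")
        # Rule 2: too many never-seen beneficiaries inside the sliding window.
        if w.beneficiary not in profile.beneficiaries_seen:
            recent_new = [t for t in recent_new if w.ts - t <= window]
            recent_new.append(w.ts)
            if len(recent_new) > max_new_beneficiaries:
                reasons.append(f"{len(recent_new)} new beneficiaries within {window}")
        # Rule 3: wire alerts were disabled shortly before this request.
        if profile.alerts_disabled_at is not None:
            gap = w.ts - profile.alerts_disabled_at
            if timedelta(0) <= gap <= alert_grace:
                reasons.append(f"wire alerts disabled {gap} before this wire")
        # Rule 4: amount sits just under the reporting threshold (structuring).
        if AML_THRESHOLD * 0.9 <= w.amount < AML_THRESHOLD:
            reasons.append("amount just under the $10,000 reporting threshold")
        if reasons:
            flagged.append((w, reasons))
    return flagged


def sample_run() -> List[Tuple[Wire, List[str]]]:
    """Constructed sample: a domestic-only escrow account hit by a wire burst."""
    profile = AccountProfile(
        countries_seen={"US"},
        beneficiaries_seen={"Title Co A", "Title Co B"},
        alerts_disabled_at=datetime(2010, 3, 8, 22, 15),  # assumed: alerts switched off two days earlier
    )
    t0 = datetime(2010, 3, 10, 9, 0)
    wires = [
        Wire(t0, 88_000, "Mule account 1", "LV"),                      # first international wire
        Wire(t0 + timedelta(minutes=5), 12_000, "Mule account 2", "US"),
        Wire(t0 + timedelta(minutes=10), 29_000, "Mule account 3", "US"),
        Wire(t0 + timedelta(minutes=15), 9_800, "Mule account 4", "US"),  # just under threshold
        Wire(datetime(2010, 3, 20, 11, 0), 50_000, "Title Co A", "US"),   # routine closing, known payee
    ]
    return screen_wires(profile, wires)


if __name__ == "__main__":
    for wire, why in sample_run():
        print(f"HOLD {wire.ts:%Y-%m-%d %H:%M} ${wire.amount:,.0f} -> {wire.beneficiary}: {'; '.join(why)}")
```

In the sample run the four burst wires are held and the routine closing to a known title company passes, because its only suspicious attribute (alerts disabled) is outside the grace period. The point of rule 3 is the one commenters make below: a change to the alerting configuration is itself a signal, and it should be confirmed through a channel the attacker does not control rather than silently accepted from the same browser session.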


81 thoughts on “e-Banking Bandits Stole $465,000 From Calif. Escrow Firm”

  1. Russ

    From what I gathered from this article, a small change in the bank’s procedure might have helped curb this incident quickly: The bank should have required any disabling of wireless transfer notifications to be accompanied by a phone call and written notification from a pre-established contact. That might seem like overkill but it would make it much more difficult for the baddies to disable such notifications.

    But gracious, $465,000 gone, plus that harsh interest rate; it will be tough recovering from this.

    1. Russ

      Pardon, I used “wireless” instead of “wired”. My fingers muscle memory betrayed me!

    2. Jane

      I don’t think even “overkill” would have been necessary. When I moved, my bank and credit card companies each sent confirmation letters to both my new and old addresses. Why wouldn’t a single email confirmation be sent when the notifications setting was changed?

      Although maybe this slightly earlier warning would have been taken as an inconvenience and not an indication of trouble.

  2. Terry Ritter

    Brian says:

    “businesses can dramatically reduce the risk of becoming the next victim of this type of crime by…using a dedicated PC for online banking”

    Even if the “dedicated PC” is *supposedly* used only for banking, all it takes is a moment of inattention to infect it for the foreseeable future, and we cannot expect to detect the infection. I think the dedicated PC is a disaster just waiting to happen.

    A free Linux LiveCD is more trustworthy because it resists infection.

    1. Jane

      I agree, but as others have mentioned before me, the folks at risk are often unwilling to reboot to a LiveCD or even use a non-Windows operating system.

      The dedicated PC is at least better than nothing. If the business is willing to pay $300 for a simple machine, maybe another $50 to have someone set up the hosts file to blacklist a few obvious “no-nos” wouldn’t be out of the question.

      … Incidentally, is there a way to set up whitelisting on a Windows machine instead?

      1. Terry Ritter

        “the folks at risk are often unwilling to reboot to a LiveCD”

        Even though a LiveCD requires some learning, that is the slow, non-emergency, trial-and-error type we all know. We can screw up a lot while we get the system working. Actual use is pretty straightforward.

        In contrast, doing the correct thing in each online situation may not allow screw-ups. Building a new capability is different than the tough love of learning the correct real-time response to what may or may not be a danger or an attack.

        “The dedicated PC is at least better than nothing.”

        No, I do not agree. The dedicated PC is a disaster waiting to happen.

        The dedicated PC is deceptive. There is nothing more secure about it than a normal PC, except the claim that it surfs only to the bank. But if has ever been anywhere else we cannot know, and if there is a bot in place we are unlikely to detect it. Hoping for security where there is none is not an advantage.

        1. TJ

          Terry, you can write Puppy Linux, Puppy Linux, Puppy Linux until you’re blue in the face (and trust me, you have), but that doesn’t change the fact that the vast majority of people would rather have their teeth pulled than try to learn the simplest function (i.e., opening a browser) in Linux. That’s why, no matter what great new Linux distro is introduced to the world, desktop Linux remains perpetually stuck at just 1% market share.

          That said, if an individual or business invests the time and money to set up a dedicated PC for the sole purpose of banking, at least they’re cognizant of the threat, which in my mind is half the battle. Obviously, a dedicated PC isn’t immune to human fallibility, but constantly pushing a solution that 99% of the planet regularly rejects is not, in my mind, truly effecting change.

          1. Terry Ritter

            “Terry, you can write Puppy Linux, Puppy Linux, Puppy Linux until you’re blue in the face (and trust me, you have)”

            I just tell the story. I have spent a great deal of time looking at alternatives, and so far this is it. For a long while it looked like there would be no solution at all. No amount of add-on scanners or firewalls or user education is going to solve the problem, and meanwhile people are getting hurt.

            A strong solution has been identified, even if it does require some effort to implement. Now there is a choice. For a long while, there was none. For those who still want to play Russian Roulette online, more power to them.

            “Obviously, a dedicated PC isn’t immune to human fallibility, but constantly pushing a solution that 99% of the planet regularly rejects is not, in my mind, truly effecting change.”

            Not only is a dedicated machine not immune, it is actually dangerous. It is the illusion of security, instead of the reality. Pushing a dedicated machine as a solution simply because that is easy is a security delusion. Good luck with that.

            As far as I am aware, there is no realistic alternative, and especially not free and available in a few hours. People either can learn to boot a free Linux LiveCD, like Puppy Linux, or they can take their chances with any other option and substantially less security.

          2. Phil Cooper

            I LIKE operating in that 1% crowd. The fact that my **** OS is only 1% of the market makes it an unattractive target for hackers and crackers. I’ve encountered malware sites that tried to take control of the browser and install .exe files on my system, but failed. It’s a little unnerving to actually watch an attack in progress, but with my **** system all it takes is a couple of mouse clicks and the offender is gone.

  3. Andy

    I live in the UK, so regulations for banks may be different over there. Having read a fair few of similar articles from Brian I get the impression that the banks don’t actually care about their business customers and try to put the onus on them when it comes to incidents like this. Someone needs to give the banks an ultimatum on security.

    Russ, you’re right, the phone call and written notification would certainly have helped. Certainly the bank should not have allowed the wireless transfer notifications to be disabled. Perhaps when something or someone tries to disable alerts then it should lock down the account and get some alarm bells ringing in the bank but make it look like the money is transferred, when in fact it doesn’t go anywhere, or maybe into a temporary holding account?

    Brian – perhaps you could get these companies together and they could start lobbying Congress to make a few changes to present regulations? I’m not sure how it all works, but you’ve got your finger on the pulse, maybe you could get the ball rolling, get these companies together? A lot of companies lobbying Congress would be better than maybe one or two separately. If it saves one company losing a lot of money it is a step in the right direction.

  4. Bill

    Brian: Your link to live CD leads to two blogs from Oct 2009 on this important subject. One question from a reader in Oct was not answered, which I think is extremely important. Perhaps you can comment.

    The question is how to remove all banking info from your PC so that using live CD indeed will provide the increased level of security that all of us are looking for. I have a feeling that this could be quite involved. For example, I use Quicken as well as a browser (Firefox) to access several banks.

    Thanks, I think others will be interested also in your answer.

    1. BrianKrebs Post author

      Bill, thanks for your question, but I think maybe the reason I never answered that question is that I didn’t understand the thrust of it, and I still don’t.

      If you choose to store sensitive personal information on your computer and that computer gets compromised, then obviously that is a problem that Live CDs cannot address in some respects. For example, if you choose to store your online banking user names and passwords in your browser, or in plaintext files on your computer, then you have a problem because any malware that infects your system has access to that information (and any credentials stored in the browser will almost automatically be stolen). If you also choose to store your Social Security number, credit card information etc on your system, same deal.

      The LiveCD approach is meant to block malware that may already be on your PC from being able to intercept online banking credentials when you pass them to your bank as you log in. Assuming you don’t store these credentials on your hard drive or store them in the browser or pass them in a regular browser session on Windows, the LiveCD should do its job just fine. But again, the liveCD approach breaks down pretty quickly if you only use it some of the time, as I tried to explain in this column:

      http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/

      I am not aware of threats that seek out peoples’ stored Quicken information. Mostly, thieves are after information that they can quickly convert into cash.

      1. Bill

        What I’m asking is, if I adopt a more secure system such as Live CD, how do I remove all my financial data that resides on my system, from previous less secure days of banking. Or is that not possible? In other words, if you used typical unsecure banking methods, are you forever vulnerable because your info remains forever on your system? Or can it be removed?

        1. Michael

          Pardon me for horning in.
          I’m not sure what you’re asking as well.
          If you’re asking how to really destroy files on C:, you should never delete files but should erase them instead. Erasing overwrites the actual file sectors where the data live but deleting only corrupts file addresses and the data remain intact. Deleted files can be recovered from a disk but erased files are gone forever (you back up, don’t you?). Unused space on C: should be periodically erased as well. I use Eraser from heide.ie. If you want to erase C:, then reformat it or physically remove C: from your box and let it befriend a hammer.
          If you’re asking how to protect data on C: while driving the LiveCD, C: isn’t mounted by default when the LiveCD boots which means C: isn’t accessible to the OS. Everything you need is on the LiveCD (YMMV) so there’s no need to mount C: and data on C: will be safe as long as C: remains unmounted. If you have to access C: while driving on the LiveCD, reboot from LiveCD first, then mount C:. Think of it this way: LiveCD+net is OK, LiveCD+C: is OK but only after LiveCD reboot, but LiveCD+net+C: is not OK. You can also physically remove C: from your box.
          @ geeks: I’m linux-illiterate. Besides attacking linux directly, can a linux virus mount C:, write Windows malware to it, unmount it and self-destruct? Can the box be infected on the next Windows boot like on the next Black Tuesday? BTW, puppylinux never talks about creating and driving on a user account, only as root, presumably because it runs in RAM and hence uninfectable, while everything I’ve read so far says to always drive as a user and never as root. But a linux virus with root privileges could infect C: with Windows malware, couldn’t it?

          1. dannyo152

            Well, that malware has to start running. The point about a LiveCD is that by being on a CD, a third party cannot add files to it. In theory, the originating server of the Live CD os could be compromised, but this isn’t easy, doing it undetectably is very, very hard.

            Mounting the C drive is something that only root could do, but mounting would not start any programs. (There’s no auto-run like there is with CDs and USB drives.) Also a binary written for Windows does not run on Linux. While a live CD os has a single account, it isn’t root. It may, though, gain elevated privileges by a prepending of sudo on a command line; this, too, is not something a program could just do without the user authorizing.

            Now nothing is 100% guaranteed safe, but combine a read-only os, an os that will not run a Windows binary, the ability to easily unmount the hard drive (if it even mounts), and a fully functioning browser that cannot save data, and that seems hard to compromise. The live CD is inconvenient because it requires rebooting before and after, and any cookies the bank’s site attempts to send will not be saved, because the CD is read-only. This can be a nuisance if the lack of a cookie means there are more steps to log in. (I know, as a former customer, the above-mentioned PBB sets up its online accounts this way. PBB also forces new passwords every couple of months.)

            But, PBB allowing an online change of wiring notice policy without a written confirmation seems a horrible policy. Why would any one ever get tired of hearing when money leaves their account? Especially these days.

        2. -

          1. backup documents and bookmarks (and whatever similar). 2. fresh install

      2. David McCullough

        Compromise is a matter of degree. I think the point is that there is no perfect solution. However, a Live CD banking session is far safer than an un-patched Windows XP installation since the latter is the attack vector of least resistance right now.

        To eliminate the risk, businesses would have to start physically visiting their banks again and sever all online capability. That is something that most businesses probably won’t consider unless they become a victim and possibly show up on Brian’s blog.

        But, based on the tricks Brian reported on here, the thieves are getting cleverer all the time. It could be a matter of time until they can bypass the business and steal directly from the bank.

        So, I doubt that banking will ever be completely safe in the modern cyber-world. That’s not comforting to me as one of those small business owners.

  5. Andrew Barrett

    If the thieves can change the requirement for outbound wires, surely they can change the phone number and other contact information of the account holder.

  6. Stardance

    @Andrew: surely they can change the phone number and other contact information of the account holder, but what would be the point? The effect, of course, depends upon how the bank has implemented the “alert” that is generated when the thieves disable the notification that is sent when a wire transfer occurs, because there are multiple possibilities, several of which would not be in favor of the thieves.

  7. xAdmin

    “a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on both Marisco’s computer and the PC belonging to her assistant, the second person needed to approve transfers.”

    Once again, the person behind the keyboard strikes again! Not only did she compromise herself, but also the one other person required to approve money transfers. And not only one person, but two failed to follow well known computer security rules. To me, that’s just inexcusable and why no amount of technology will ever truly solve this problem. Time after time, it’s always a human that will somehow, someway find a way to screw up! 🙁

    1. xAdmin

      Yet, it is expected that these same people, who have trouble following basic Internet security do’s and don’ts will somehow remember to use a LiveCD? As many LiveCD proponents have said, all it takes is one time to screw up. Again, technology is not the solution. It can help, but it will NEVER replace common sense or what I call critical thinking skills.

      1. Terry Ritter

        “As many LiveCD proponents have said, all it takes is one time to screw up.”

        A user on a LiveCD system can be just as smart as a user on a conventional system. If a user avoids taking the Trojan bait, there is no problem. But if not, the consequences vary widely, and the difference is due to the system, not the user:

        On a conventional system, the user error leads directly to a bot infection on the boot hard drive, with the financial consequences these articles describe.

        On a LiveCD system, the user error does not infect the boot CD, and the system still starts clean on every session. The LiveCD also runs Linux, so most likely no bot ever runs at all. There are no financial consequences.

        Users will screw up. The current danger is bots, and the LiveCD prevents bot infection while a conventional system does not. A LiveCD gives the ordinary user some welcome freedom to screw up without serious consequences, which brings peace of mind.

        1. xAdmin

          I agree that a LiveCD provides a lot more room for error due to the fact malware authors are not targeting it (RAM is still writable and exploitable and there ARE other possible infection methods, so it’s not impossible, just improbable at this time). But, you missed my point.

          All it takes is for a LiveCD user to forget to use it or for whatever reason not have access to it (CD gets scratched, CD drive problem, etc.) and bingo, they’re right back to using some other system of possibly dubious nature and/or open to making stupid errors like opening attachments from unknown sources.

          Thus why I said technology will never be the solution here. Prevention is the key regardless of technology and it always ends with the weakest link, the person behind the keyboard. No amount of dumbing things down to the lowest common denominator is going to solve this. There will always be low hanging fruit ripe for the picking. No amount of technology or user education will change that. Or I could’ve simply said, “You can’t fix stupid!” 😛

          1. Terry Ritter

            “I agree that a LiveCD provides a lot more room for error due to the fact malware authors are not targeting it”

            The LiveCD advantage is about much more than just being Linux instead of Microsoft Windows, although that alone will eliminate most malware. A LiveCD starts each session clean, whereas a system that boots from a hard drive can be infected and we would not know.

            Although it is theoretically possible to infect hardware designs in some cases, that is not the current problem. If and when that gets to be a problem, maybe we can find hardware which is particularly resistant.

            “But, you missed my point.

            All it takes is for a LiveCD user to forget to use it or for whatever reason not have access to it (CD gets scratched, CD drive problem, etc.) and bingo, they’re right back to using some other system of possibly dubious nature and/or open to making stupid errors like opening attachments from unknown sources.”

            Of course I did not miss your point. Yes, a CD can be scratched, but it is easy enough to create multiple CDs at the start, or to create another from the original file. People have been living with CDs for decades and know the issues.

            Yes, a user can decide not to use the LiveCD online, but most users do not have that option because they do not use a LiveCD at all. Nor are they forced to. Anybody can take whatever risk they want, but they should at least know the potential costs. Not using a LiveCD online may be the largest of stupid errors.

            “Thus why I said technology will never be the solution here. Prevention is the key regardless of technology”

            So-called “prevention” does not work, for if it did, we would not have a problem. Blaming users is convenient, because they are buffaloed by the technology. But the equipment is the problem, not users:

            If a car, in its normal environment, suddenly and without notice became undetectably dangerous to operate, would we blame the driver?

          2. Marty

            I agree that a LiveCD is not a panacea. I can foresee scenarios where a LiveCD can create a genuine false sense of security. Where a small business gets a LiveCD today and never updates it, still using that same LiveCD 2 years from now (with all the latest vulnerabilities), thinking they are “secure” because they are using that LiveCD. Where a small business thinks they are being even “more secure” and runs a LiveCD on a dedicated computer. A computer they boot from LiveCD and never turn off, perhaps because it’s on an older, slow computer with an old slow CD drive, and they don’t want to take the time to boot it up every time they want to do online banking, thinking they are always “secure” because they are using a LiveCD.

            As has been pointed out, the user behind the keyboard is likely to compromise any form of end-user, desktop computer security, so the only real solution is to ultimately take them and the desktop computer out of the security picture.

            As Brian has stated here and previously:

            “No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system.”

          3. Terry Ritter

            @Marty:

            You seem to be taking the quote…

            “No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system.”

            …much farther than I think anyone should.

            Currently, there is no system that can offer secure banking transaction authentication in the presence of a live bot. Many previous failures give substantial reasons to doubt that any such system could exist. Even if possible, the bot would still own all your data.

            So, on the one hand we have a dream of security that might someday surmount a bot which owns our computer.

            On the other hand we have the reality of something which prevents the bot, actually does work now, but requires some effort.

            For some, a very tough choice apparently.

          4. Marty

            @Terry

            Point taken. However, it is also important to not over generalize. The focus here is on bank robbery, more specifically how a bank can prevent this form of bank robbery – not about a desktop computer bot that could “own all your data”.

            Ultimately, in the context of Brian’s article/post, and his quote about a compromised customer system, the focus is on a bank detecting and preventing anomalous transactions which result in bank robbery (my post below goes into more detail on this point).

          5. Terry Ritter

            @Marty:

            “The focus here is on bank robbery, more specifically how a bank can prevent this form of bank robbery – not about a desktop computer bot that could “own all your data”.”

            And the banks have handled the robberies so well! They could have done their online security stuff already, but have not. To a large extent, that leaves commercial customers on their own to protect their online banking. It is more than interesting that such a thing is possible without bank assistance.

            The real problem is not the bank, it is a bot in the customer computer (which might well be a laptop). It turns out that a bot can be avoided by a mere customer without waiting for a bank or congress to get a clue.

          6. Marty

            @Terry

            “The real problem is not the bank, it is a bot in the customer computer (which might well be a laptop).”

            I say the real problem is the bank. The state of the customer’s computer should be mostly irrelevant to online banking transactions.

            “And the banks have handled the robberies so well! They could have done their online security stuff already, but have not.”

            Likewise, the customers could have used secure computers, but have not, and likely never will, regardless of the technical solutions available. Trying to secure every customer owned general computing endpoint device in the online banking universe will be next to impossible, for a variety of reasons.

            This is why the focus must be on ensuring that the banks properly secure their online banking systems, so the state of the customer’s computer doesn’t matter.

          7. Ben

            “There will always be low hanging fruit ripe for the picking.”

            This is absolutely true and the reason that banks would currently benefit most by educating their customers. If Bank A educates their customers honestly and frankly about security risks and convinces 90% of their customers to switch to dedicated PC’s (and the users actually use them properly), and Bank B does not, the losses are going to be experienced primarily by Bank B.

            The thieves are looking for the easiest money. If it’s easier to get the money from Bank B’s customers, that’s where they’ll get it.

            There is absolutely no solution to this that will be considered reasonable by business customers and that will stop 100% of all attacks. Businesses will always be considering cost and convenience in the decision to implement, and there will always be human error and the criminals will always be adapting to change, making sure that no static solution is a permanent one.

            Users have to continue to evolve with the threats, just like prey has to evolve to protect itself in the wild. The more we evolve in different directions (using other operating systems, dedicating PCs, using different tools), the harder it will be for the predators to get us all at once. Education is vital to protecting your customers, and continuing that education with more and better solutions is just as important.

          8. curiousity exploited the pc?

            retail customers should just avoid online financial activity.

            businesses with multiple daily transactions need to learn to do their job. the pc’s security shouldn’t have loaded the trojan.

      2. McLovin

        xAdmin made some very interesting statements about the PEBCAK error at the root of the problem. The article alludes to two people needing to perform the transaction, and it seems both were duped by a simple email attack that all of us are hit with on any given day, were they not? This may be a stupid question given someone will spout off with (ZERO-DAY!), but where were the anti-virus program and anti-spyware programs in all of this? Did they even have any of this protection, as it sounds like they were foolish enough to have none. Or, did they win the lotto and land the zero-day vulnerability (which is doubtful)?? Even if it was a zero-day, some anti-spyware and software lockdown programs block anything from infecting and changing the computer’s settings, so why wouldn’t they be using something like that on so critical a system(s)? Black-Ice and programs of such nature block anything outbound, so even if a Trojan got in, wouldn’t they work to tunnel that was described?

        Anyone?

        1. McLovin

          Last sentence was meant to say, “wouldn’t they have worked to stop the tunnel that was described?” Very interested in comments about such software, and if they wouldn’t work for some reason.

    2. Sallaia

      People are missing xAdmin’s point. I work directly with these users (I work for a bank in electronic banking) and boy, let me tell you how difficult even logging into the online banking system can be for some of them! One customer keeps trying to use Netscape Navigator (let the horror of that sink in). The users of these online banking systems are not always computer literate and if they are easily succumbing to phishing scams or have trouble keeping passwords straight, logic says that there will be times they don’t use a LiveCD. This is a fact of human behavior which has to be taken into account since security is only as good as the weakest link.

      1. Michael

        No, I don’t think people are missing xAdmin’s point. The only problem lies in how to fix the weakest link which, for this discussion, is the illiterate or literate-but-oops-made-a-mistake user that trojans are exploiting. One way (xAdmin’s point) is to fix all users through education, etc. The other way is to fix the banks so illiterate users and infected boxes won’t matter. Is it easier to try to fix ~50,000 banks or is it easier to fix ~100 million (present and potential) online-banking users? I sort of agree with xAdmin in that no technofix will ever be secure with illiterate users in the equation but fixing ~100 million users seems insurmountable IMO. We give driving lessons in high school, issue licenses after a test, and yet people run stop signs, tailgate, drive drunk, etc. Fixing ~100 million users is like herding ~100 million cats but an order to fix the ~50,000 banks from a regulator will force improvements. I think the optimal answer is somewhere in the middle with fixes to both banks and users (as much as that can be accomplished) and this battle will never end. It’ll always be measure and counter-measure.

      2. -

I’ve experienced ATMs that rejected simple (not mine) passwords, with no explanation.
Just try another day.

    3. TJ

Sorry, but your argument here is the equivalent of saying a woman who opens the front door of her home to a man wearing a UPS uniform, who proceeds to force her back into the house and rape her, is really at fault because she stupidly fell for the authentic-looking UPS uniform and compromised herself.

      Let’s not forget who’s really at fault here – very intelligent cyber-criminals – who go to great lengths to trick people into letting down their defenses so they can proceed to destroy the financial lives of small businesses and the people who work there.

      Unfortunately, not everyone is as computer savvy as the readers of KrebsonSecurity. They have many other responsibilities, like struggling to run a successful business or just make a living.

      1. xAdmin

While you make some valid points, your analogy is by no means equivalent. It’s more an apples to oranges comparison. People are naturally more attuned to physical security threats than cyber ones. There would be many physical attributes such as body language that would come into play. Even if someone were to open the door to what appears to be an authentic-looking delivery person, there is still the physical aspect of forcing unwanted action onto someone else and the ensuing choice/counter choice each person has as to how far it goes and how it ends. There is no equivalent in computers. The program is going to execute as it’s been programmed to do, nothing more, nothing less, although defensive measures can greatly reduce its chances of doing that.

        My point still stands that two people here completely failed to follow very well known cyber security rules regarding suspicious e-mail and attachments. As such, a better analogy would be in failing to follow well known physical mail rules regarding suspicious packages. In either case, the receiver has a certain amount of responsibility to ascertain the safety and possible risk in opening the attachment/package and the ensuing result.

        “Unfortunately, not everyone is as computer savvy as the readers of KrebsonSecurity. They have many other responsibilities, like struggling to run a successful business or just make a living.”

        I would think that makes it even more important to follow well known cyber security rules as the risk is greater. All the more reason to be extra cautious online and strictly follow well known rules of the road. As the old idiom goes, “An ounce of prevention is worth a pound of cure.”

      2. -

        Crime victims aren’t at fault for crimes they suffer. (Though blaming the victim has become a popular ‘meme’ in this “brashly” offensive/antagonistic era of conservative political correctness.)
        However, crime exists, so people are better off defending themselves.
        Community college business curriculum should add security methods, though this solution assumes “struggling” business people take business courses.

  8. Konrads

    The US regulators are amazingly lax on protecting their businesses. Give businesses same level of protection as individuals and you’ll see a whole lot of progress in banking security.

  9. KFritz

    My kingdom for an attorney! Have none of these victims (a word I’ve come to detest for overuse, but applicable here) found an attorney who can make a case against just one of the banks? One victory for one client of one bank could open the floodgates for litigation. T

    1. Greg C

      @Kfritz,
      There are many cases ongoing on this issue. We’ll see how it ends up but I don’t expect major changes in policy or law. Just because we see a problem doesn’t mean the lawmakers and regulators see it the same way.

Extending consumer-level protections to small businesses opens a whole new can of worms… the inside job. How difficult would it really be for a small business owner (or employee) to wipe out his own account through a few mules… transfer to an offshore account in an assumed name… then cry “malware” and get the money back? $10,000 difficult? $100,000 difficult? $1M difficult? As the stakes rise it becomes more and more tempting to try something.

      THIS is the kind of fraud the banks are used to dealing with.

      1. KFritz

Very difficult. For businesses of the size that KOS has been writing about for the last 18 (?) months to stage this kind of stunt and make it look believable seems almost impossible. But maybe I don’t know enough. Do you work for a bank or represent a bank as an attorney or advocate?

        If one of the victims can find a young, competent, ambitious attorney to sue on a contingency basis, a bank could take a very large hit indeed. That’s what I’d like to see.

    2. InfoSec Pro

      KFritz, remember that it’s not a level playing field, the banks have much deeper pockets therefore much better legal resources. Also if the plaintiff has a strong enough case the bank will settle out of court with a stipulation that the settlement remain confidential, so that they do not set a precedent accepting responsibility.

      It’s a simple cost-benefits computation for the banks, as long as the cost of litigating and settling is less than the cost of actually securing their systems things will not change. The ability to shift the costs of fraud onto their customers makes it unlikely to change soon.

      As things stand now the cost of fraud is borne by the small business, who (in this case at least) is responsible for enabling it, so why should the banks bear the cost of preventing it?

  10. mrmikel

    Most of this is so easy to stop if the banks/credit unions implemented a white list for ACH transfers. And also if they were willing to slow down the process for changes. But too big to fail. Too big to care.

  11. Alex Pline

Some form of two-factor authentication would go a long way to solving this problem. Not perfect, but certainly a huge impediment to these kinds of sustained attacks. The one that some banks are implementing is the text message one-time password as the second factor, since everyone, certainly in this context, has their phone with them. I wish this would become more pervasive. Oh, and this should not be bypassable by default.

    1. Jane

      If you’re going to implement a one-time password, why would you use an insecure second channel instead of an RSA key? I didn’t think text messaging was encrypted or protected in any way.

    2. Matt

Actually, the lack of encryption with SMS authentication isn’t the main security problem. In countries which have tried to use SMS widely, the main danger is the thieves simply ringing the telecom company and requesting all calls be forwarded to a new number; this is done with very little authentication that can’t be googled from profiles. Also there is the rise of phone trojans now that they all have internet access. There is a list of other problems with SMS-based authentication here http://www.passwindow.com/security.html

      1. JCitizen

        I really like the Passwindow idea; we’ve hashed it out, and I notice your link shows new information that was added after our discussion on the idea on Tech Republic.

        This relatively cheap solution, is also scalable to more advanced obfuscation without a significant cost to either party.

The only part I don’t understand is how the bank handles that particular transaction; I assume it is a one-time authentication for only one transaction, and even if the porthole is hijacked, the same number will be worthless. Playback would also be worthless to the criminal, as he doesn’t have a clue about the original pattern.

        Even a simple geometric guessing game would take the crook too long to hash out, and discovery of the trojan would be likely. It would help if banks that adopted this new 2 factor method would educate customers to the fact that they are going to have to work to maintain a safer PC environment – also.

        My particular defense in depth, protects my PC even if it is compromised. I’ve discussed this before on this site. I won’t be boorish and repeat it. Think of it as like interlocking machine-gun fire in a military battle map. If one link fails another covers the target.

        1. Matt

Thanks JCitizen, yes, your assumptions are correct. You are also right that it has progressed a lot since it first went public with the static challenges, which had vastly lower interception rates. I wish I could go back in time and present it with the animated method, where I can get 10k+ interception values (well beyond any normal use range a trojan may be able to scavenge). In fact, even just in the past few weeks there has been a new behind-the-scenes inventive modification which a few of the cryptologists involved have preliminarily suggested appears to destroy even long-term analysis, so it’s still growing as a method.

    3. Terry Ritter

      In general, bots defeat 2-factor, 1-time and even retina-scan authentication if the results go through the infected computer, see:

      “Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy to bypass authentication process”

      http://www.zdnet.com/blog/security/modern-banker-malware-undermines-two-factor-authentication/4402

      “Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication”

      http://www.gartner.com/DisplayDocument?id=1245013&ref=g_fromdoc

      1. Matt

It should be clarified that while OTP-style 2 factor is being regularly defeated, trojans are unable to defeat 2 factor methods which allow the user to perform transaction authentication. I think it is a little general to cast aspersions across all 2 factor methods when there are a small number of 2 factor transaction authentication methods with no practical online attacks. However, I do agree that the glass house of OTP tokens many banks are issuing needs to be exposed.

        1. Terry Ritter

          “there are a small number of 2 factor transaction authentication methods with no practical online attacks.”

          I am willing to admit the possibility that some form of 2-factor might work for transaction authentication even with a live bot, but the extensive history of 2-factor failure is not encouraging.

The real problem is the bots, and the people behind them are cleverer than us. Trying to work around a live bot infection which can do anything in the computer is basically crazy. Even if it could be done, secrecy is already lost. Do we really want to encourage banking in a pwned machine?

          Banks and customers need to find a way to be bot-free before worrying about trivialities like authentication. Without a bot, 2-factor works.

          1. Matt

Please stop referring to 2 factor like it’s a single method. There are multiple methods of 2 factor transaction authentication which work even with a bot; I have listed these many times before, I know I don’t need to with you. They have all been around for a long time and no one has yet come up with any practical online attacks against them, even while assuming the bot has complete control over every aspect of the machine.

All of us regulars on here are committed to finding solutions to the problem, each with a different view on different aspects of the problem. You cannot describe a solution as “trivialities” or “crazy”; it’s either a solution or it’s not, and we should all be encouraging solutions, I am sure you will agree.

            The problem above is online fraud, if you admit transaction authentication solves the problem then its a solution. Once we have a list of solutions then we can move on to cost and usability and find a generally recommended solution to online fraud. I would like to see a master list of online problems and solutions somewhere with lists of pros and cons below them so we don’t have to go over the same ground again and again. A standard definition of IT security language would be good too.

            Regarding the secrecy issue I just recommended a client of passwindow give their customers the option to encode their bank balance into a challenge so secrecy is not lost to a potential bot.
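The exchange above between Terry Ritter and Matt turns on one distinction: a one-time password proves that whoever is at the keyboard holds the token, but it says nothing about *what* is being submitted, so a man-in-the-browser bot can rewrite the wire after the user has typed the code; a transaction-authentication code is computed over the amount and destination the customer actually intends, so a rewritten submission no longer matches. The following is an added example written for this page, not code from any commenter, bank or product. It assumes an HOTP-style counter-based token (RFC 4226 truncation), a constructed shared seed, and constructed account identifiers; the bot hook is a stand-in for a real browser-injection trojan.

```python
"""Why a one-time password does not survive a man-in-the-browser bot, while a code bound
to the transaction details does. Added example with constructed seeds and account names;
the token is an HOTP-style counter-based scheme, not any vendor's product."""
import hashlib
import hmac

SEED = b"constructed-shared-seed-do-not-reuse"   # shared between bank and customer's token


def _truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation as in HOTP (RFC 4226): pick 4 bytes, mask, reduce to N digits."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def hotp(seed: bytes, counter: int) -> str:
    """Plain OTP: authenticates the session, says nothing about what is being sent."""
    return _truncate(hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest())


def tx_code(seed: bytes, counter: int, amount_cents: int, dest: str) -> str:
    """Transaction authentication: the code commits to amount and destination."""
    msg = counter.to_bytes(8, "big") + f"|{amount_cents}|{dest}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


class Token:
    """Out-of-band device in the customer's hand; it never sees the browser."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def otp(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code

    def sign(self, amount_cents: int, dest: str) -> str:
        # The customer keys the amount and destination they actually intend into the token.
        code = tx_code(self.seed, self.counter, amount_cents, dest)
        self.counter += 1
        return code


class Bank:
    def __init__(self, seed: bytes):
        self.seed, self.counter, self.ledger = seed, 0, []

    def wire_with_otp(self, amount_cents: int, dest: str, code: str) -> str:
        expected = hotp(self.seed, self.counter)
        self.counter += 1
        if not hmac.compare_digest(code, expected):
            return "rejected"
        self.ledger.append((amount_cents, dest))   # executes whatever arrived with a valid code
        return "executed"

    def wire_with_tx_auth(self, amount_cents: int, dest: str, code: str) -> str:
        # Recompute over the details as received; a swapped destination changes the expected code.
        expected = tx_code(self.seed, self.counter, amount_cents, dest)
        self.counter += 1
        if not hmac.compare_digest(code, expected):
            return "rejected"
        self.ledger.append((amount_cents, dest))
        return "executed"


def man_in_the_browser(amount_cents: int, dest: str, code: str):
    """Bot hook on the infected PC: the form the user sees is unchanged, the submission is not."""
    return amount_cents, "ACCT-MULE-9", code


INTENDED = (50_000_00, "ACCT-TITLE-CO")   # constructed: what the customer means to send


def run_otp_scenario():
    bank, token = Bank(SEED), Token(SEED)
    code = token.otp()                                   # user copies OTP from token into browser
    result = bank.wire_with_otp(*man_in_the_browser(*INTENDED, code))
    return result, bank.ledger


def run_tx_auth_scenario():
    bank, token = Bank(SEED), Token(SEED)
    code = token.sign(*INTENDED)                         # code bound to the intended wire
    result = bank.wire_with_tx_auth(*man_in_the_browser(*INTENDED, code))
    return result, bank.ledger


def run_tx_auth_honest():
    bank, token = Bank(SEED), Token(SEED)
    code = token.sign(*INTENDED)
    return bank.wire_with_tx_auth(*INTENDED, code), bank.ledger


if __name__ == "__main__":
    print("OTP only, bot present:  ", run_otp_scenario())
    print("tx auth, bot present:   ", run_tx_auth_scenario())
    print("tx auth, honest browser:", run_tx_auth_honest())
```

The OTP scenario executes the wire to the mule account because the code is valid for the session regardless of payload; the transaction-authentication scenario rejects it because the bank recomputes the code over the tampered amount and destination. The caveat Terry Ritter raises still applies: the scheme only helps if the customer reads the amount and destination from the token, not from the infected screen, and it protects integrity of the wire, not the confidentiality of anything the bot can already see.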

    1. Reid

      I suppose one could argue the point that the bank was at least a co-conspirator.

      I think this is also true in cases of identity theft. When banks or other financial institutions allow someone to open an account without adequate identification they are facilitating a crime.

  12. zeos

While I think the banks should be more vigilant in regards to suspicious transfers, how can people continue to be stubbornly ignorant about basic computer security? Refusing to learn how to properly and safely use a computer in your business is like a roofer who refuses to learn how to use his nail gun and then is surprised when he wakes up in the hospital with a nail-sized hole in his leg.

    Even though I’m referring to this person specifically, it is more of a broad generalization. in most of these stories you see something like this: “she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it.”

A computer is a tool like a butcher knife, or a harpoon, or…uh, a…an alligator, and should be treated as such.

    1. slacks

      Two excellent points in these comments that bear elaboration:

      1) For the most part, the people who have the aptitude to use a Live CD are also the ones who will not be fooled by the UPS package spam e-mail. I think it is a stretch to ask your typical business owner to purchase and use a dedicated PC or switch to a Mac work station, much less become familiar with Linux or other complex-sounding threat reduction options.

      2) In every one of these cyberfraud cases, the human element has been the weak link. And as long as there is a human element, the fraudsters have an inroad. People are generally trusting and can be conned. You can set up multiple out-of-band authentication methods and some people will be talked out of it. At some point, we need to accept that and work to educate people about these threats and not look to technology to protect us when common sense is our best defense.

  13. Matt

I’d like to hear experiences from any businesses using LiveCD and how they manage their accounting software, invoices etc. in relation to that.

    1. Sean

      Short answer: pencil and notebook. Sux, but still better than losing $465k.

  14. Marty

    Another great article Brian!

    Glad to see you restate what is probably the most profound statement regarding online banking:

    “I have said it before and will say it again: No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system.”

    This should be the first requirement in any online banking system and we can only hope that the FFIEC and other regulatory bodies come to enforce such a requirement.

    Regarding this particular bank robbery, the bank’s incompetence would be laughable if it weren’t so tragic.

The bank has a security mechanism to send an email to the customer each time a new wire is sent out of the customer’s account. This security mechanism is turned off just prior to several large wire transfers. The change in security configuration itself should raise a flag to the bank to hold all new wire transfers until the security configuration change can be verified with their customer, let alone the wires occurring right after the security change.

    To make matters worse for the bank, several wire transfers are to international accounts and the customer has never sent a wire outside the U.S. Again, the international wire alone should have caused the bank to hold the wire transfer until it could be verified with their customer. Given that a primary security mechanism (the new wire emails) was turned off just prior to these anomalous international wire transfers makes the bank even more responsible.

    The real kicker here is that the victim (Michelle Marisco, the bank’s customer) has had to take out a $395,000 loan (at 12 percent) to cover the loss (bank robbery). One can only hope that Michelle Marisco didn’t take that loan out from her bank that was robbed (Professional Business Bank). That would be even more tragic (perhaps even criminal?)

Let’s see… Professional Business Bank is robbed due to their own incompetence (lack of proper security), essentially being an accomplice to robbing their own bank. Then, the bank’s customer, Michelle Marisco (who the bank was allowed to associate with the bank robbery), is forced to take out a loan from the bank which was robbed, in order to pay the bank the money that was stolen from the bank.

    Seems to be a pretty lucrative situation for the Professional Business Bank! Bank gets robbed. Bank forces customer to pay back stolen money. Bank makes 12 percent interest on stolen amount. Not much incentive here for the bank to implement proper security controls to prevent future bank robbery.

  15. xAdmin

    “No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system”

    Once a system is compromised, it’s not your system anymore. It belongs to the bad guys. Game over!

    So, how are the banks going to mitigate this issue by assuming that all customers’ systems are infected? Do you mean by detecting the presence of malware, denying account access and in big bold red wording telling the customer their system is infected?

    1. Marty

      “So, how are the banks going to mitigate this issue by assuming that all customers’ systems are infected?”

      There are a lot of ways.

      The most basic and simplest, is to implement anomaly detection in their banking systems. Brian’s articles describing these bank robberies all have one thing in common – transaction anomalies. Wire transfers at off hours, where all previous transactions were during normal business hours. International wires, where all previous transactions were US only. Security configuration changes, with transactions to new accounts right after the change. Transfer of dollar amounts that aren’t typical of all previous transactions. One time transfers to new accounts, where all previous transactions were to existing accounts. The list of anomalies goes on and on.

      The banks (actually in most cases it is really the financial services companies the banks buy insourced or outsourced banking services from), today have the ability to detect all these types of anomalies and to hold the transaction until it is verified. They also have the ability to establish account restrictions (i.e. never allow international wire transfers, only allow transfers to certain types of accounts, inter-intra state restrictions, to create pre-established account white lists, etc.). There is quite a long list banks can choose from.

      Why don’t they? They don’t have to! Right now, banks can choose customer “convenience” over security because the impact (bank robbery) resulting from poor security is an externality to the bank. This has been demonstrated by Brian’s articles, where the impact on the bank resulting from this form of bank robbery is typically small, if there is any at all, and in some cases, the bank robbery may even be beneficial to the bank 😉 . Since banks are currently allowed to pass their loss resulting from this form of bank robbery onto their customers, there isn’t much incentive for them to change anything.
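Marty’s list of anomalies above, his earlier point that the notification setting was switched off just before the wires, and mrmikel’s suggestion of an ACH/wire whitelist all describe the same control: compare each outgoing wire with the customer’s own history and hold anything that does not fit until it is confirmed out of band. The following is an added example written for this page, not any bank’s or vendor’s system. The rules, thresholds, account identifiers and the wire history are constructed; a real implementation would also feed in the payment-processor’s velocity and mule-account intelligence, which is not modelled here.

```python
"""Rule-based review of an outgoing wire against the customer's own history.
Added example; the rules and sample data are constructed, not any bank's system."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Wire:
    requested_at: datetime
    amount: float
    dest_account: str     # hypothetical opaque account identifier
    dest_country: str     # country of the receiving bank
    alerts_enabled: bool  # the "e-mail me on every wire" setting at request time


@dataclass(frozen=True)
class Profile:
    hours: FrozenSet[int]
    countries: FrozenSet[str]
    accounts: FrozenSet[str]
    max_amount: float


def build_profile(history: List[Wire]) -> Profile:
    """Summarise what 'normal' looks like from the customer's past wires."""
    return Profile(
        hours=frozenset(w.requested_at.hour for w in history),
        countries=frozenset(w.dest_country for w in history),
        accounts=frozenset(w.dest_account for w in history),
        max_amount=max(w.amount for w in history),
    )


def review_wire(wire: Wire, profile: Profile, whitelist: Optional[Set[str]] = None,
                last_setting_change: Optional[datetime] = None,
                change_window: timedelta = timedelta(days=7)) -> List[str]:
    """Return the anomaly reasons for this wire; an empty list means nothing unusual."""
    reasons = []
    if whitelist is not None and wire.dest_account not in whitelist:
        reasons.append("destination not on customer whitelist")
    if wire.dest_account not in profile.accounts:
        reasons.append("first wire to this account")
    if wire.dest_country not in profile.countries:
        reasons.append(f"first wire to country {wire.dest_country}")
    if wire.requested_at.hour not in profile.hours:
        reasons.append(f"unusual hour {wire.requested_at.hour:02d}:00")
    if wire.amount > profile.max_amount:
        reasons.append(f"amount {wire.amount:,.2f} exceeds prior maximum {profile.max_amount:,.2f}")
    if not wire.alerts_enabled:
        reasons.append("wire notifications disabled")
    if last_setting_change is not None and \
            timedelta(0) <= wire.requested_at - last_setting_change <= change_window:
        reasons.append("security setting changed shortly before wire")
    return reasons


def decide(wire: Wire, profile: Profile, whitelist: Optional[Set[str]] = None,
           last_setting_change: Optional[datetime] = None) -> str:
    """Release a wire only when no rule fires; otherwise hold it for out-of-band confirmation."""
    return "RELEASE" if not review_wire(wire, profile, whitelist, last_setting_change) else "HOLD"


# Constructed history: domestic escrow payouts during business hours to three known accounts.
HISTORY = [
    Wire(datetime(2010, 1, 12, 10, 5), 180_000.00, "ACCT-TITLE-CO", "US", True),
    Wire(datetime(2010, 1, 20, 14, 30), 95_500.00, "ACCT-LENDER", "US", True),
    Wire(datetime(2010, 2, 3, 11, 15), 42_000.00, "ACCT-SELLER", "US", True),
    Wire(datetime(2010, 2, 17, 15, 45), 150_250.00, "ACCT-TITLE-CO", "US", True),
    Wire(datetime(2010, 2, 26, 9, 50), 61_000.00, "ACCT-LENDER", "US", True),
]
WHITELIST = {"ACCT-TITLE-CO", "ACCT-LENDER", "ACCT-SELLER"}   # set up with the customer in advance
PROFILE = build_profile(HISTORY)

# A routine payout: known account, same country, business hours, alerts still on.
ROUTINE = Wire(datetime(2010, 3, 2, 10, 20), 120_000.00, "ACCT-SELLER", "US", True)

# Constructed fraud pattern: alerts switched off the night before, then an off-hours wire
# to a never-seen account abroad.
ALERTS_DISABLED_AT = datetime(2010, 3, 15, 22, 10)
SUSPECT = Wire(datetime(2010, 3, 16, 3, 5), 18_400.00, "ACCT-NEW-7781", "GB", False)

if __name__ == "__main__":
    print(decide(ROUTINE, PROFILE, WHITELIST), review_wire(ROUTINE, PROFILE, WHITELIST))
    print(decide(SUSPECT, PROFILE, WHITELIST, ALERTS_DISABLED_AT),
          review_wire(SUSPECT, PROFILE, WHITELIST, ALERTS_DISABLED_AT))
```

The routine payout releases with no reasons; the suspect wire is held on six independent rules even though its amount is small, which is the point of layering: a thief who keeps each wire under the customer’s usual size still trips the destination, country, hour, notification and configuration-change checks. The whitelist rule is the one the customer controls directly, and it fires before any history-based heuristic is consulted.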

    2. Jane

      Contrast the bank’s lack of reaction to the reactions of credit card companies. For instance, I got a credit card when I first started college. I used it once every week or so for gas, and once a semester for a few hundred dollars in books. Every semester I got a phone call within hours of leaving the book store. The difference is liability.

  16. RonB

As the CEO, CTO, CFO and most likely CSO, small business owners should be taking the time to understand the risk(s) to their company and then taking steps to Avoid, Accept, Mitigate or Transfer the risk as they see fit. Has anyone noticed that several of the larger companies are now including cybersecurity threats in their 10-K filings?

    If you asked small business owners which would they prefer – perform online banking transactions the comfortable way and risk losing $400k or learn a more secure method which decreases the likelihood of online theft, which do you think they would choose?

  17. Dennis A.

    Brian,

    A number of your reports on this subject have drawn comments from others outside the USA, questioning our banking regulatory system (in one way or another).

    Here’s a question: how frequently does this type of attack succeed in stealing funds from banks in other countries? If this type of theft occurs only in the US,….well, you can complete that statement.

    1. Hescomintoosoon

      It’s easy because, for starters, you don’t click on random links like the one you posted?

  18. PlayMoreSka

    “The vast majority of people would rather have their teeth pulled than try to learn the simplest function (i.e., opening a browser) in Linux. That’s why, no matter what great new Linux distro is introduced to the world, desktop Linux remains perpetually stuck at just 1% market share.”

    That is not the reason. The reason is that Linux ships on very few PCs. Most people use the OS that came on the PC and have little motivation to install or even boot from a new one, even one that could offer better usability, security and ROI.

    At least that default OS will be something other than Windows, with the shipping of new OS like Meego, Chrome and Android on PCs — not just phones and tablets.

    But back to LiveCDs. Banks should offer customers crypto-intense LiveCDs that are tuned to their systems — or at least that will provide a better, more professional impression than the dog that is Puppy Linux.

    1. Matt

Banks will never offer LiveCDs to their customers, even the ones who want them, primarily because of driver issues. They would need to offer a complete custom-made system with it as well (no HDD or other memory a trojan could hide in), and then there would also be liability issues. People are going to have to create them by themselves.

I know if I was an attacker I would make nice replicas of the discs with “version 2.0” written on the front and mail them out to a customer list which could be gleaned in a number of ways. The same could be done with any off-the-shelf laptops if the targets were wealthy enough.

Actually, if I were an attacker I wouldn’t bother with trojans or LiveCDs; with these new obscure non-Latin addresses being approved by ICANN lately, it’s time to go back to old-school phishing, with a Jabber instant messenger added to steal OTP values.

      No matter what the solution it must involve some form of transaction authentication.

    2. george

You’re right, too many customers who buy a computer run it with the default OS it comes with AND the bloatware the hardware vendor almost invariably (read: always!) bundles “to add value”. In fact, I’m very disappointed the trend started by the first Eee netbooks from Asus (to be bundled with Linux) is completely gone now and virtually all current netbooks are bundled with Windows. Most likely hardware vendors responded to market demand which is, it looks like, 99% for devices installed with Windows.

  19. Peter

    There is a very important fact here: banks declare the end user liable for the transaction in their contracts (ditto for credit cards, the whole “moving to PIN” effort was merely camouflage).

This means that banks will only ever do the absolute minimum to protect THEMSELVES. As they are already legally covered, it thus means a “cheapest bidder” process; the needs and indeed the security of the end user are only a very small part of the decision process.

    1. Tomato

“The things that make you go hmmm…” Peter’s ridiculous statement reminds me of what a silly customer of mine said to me recently. Something to the tune of, “I recently got hacked while surfing the net via my ISP that I pay good money to each month, and felt that they should cover the costs of rebuilding my computer since they allowed me to get hacked by letting that garbage through in the first place. Even after a good 30 minutes and two managers, they wouldn’t as much as allow me to skip a single bill! In the future, how can I force them to pay me for your work so that I don’t lose any money when it happens again?” He thought I had to pick up my lower jaw because they didn’t pay him… is it ethical not to tell him the real reason why?

  20. ironkey

    Using a product like TrustedAccess from IronKey, along with other forms of authorization and authentication (someone already mentioned authentication codes via sms msging or phone call) could have helped prevent this disaster. This is a great case study of how not to run your business. A company like this would do well to quarantine all e-mail attachments, have IT automate the presentation of the quarantine through a secure document gateway as well as expose this gateway to partners and clients such that legitimate documents can be presented and shared securely.

  21. Shawn A.

    Authentication is just one piece of the puzzle. The sad part is that for many banks offering cash management solutions, the security of the end-point is usually never addressed or discussed.

    I’ve seen many banks side-step the whole issue as far as possible by extending remote banking capabilities before considering all the risks, and failing to re-address the risks as the threat landscape changes. However, the lack of viable / acceptable / effective solutions is what’s most likely causing the lack of regulatory pressure.

    I find it interesting that no one has mentioned the various browser lockdown solutions from vendors such as Trusteer or PrevX. Has anyone had experience with either of these products? From my research, it seems their effectiveness is fairly proven, however at the occasional expense of usability.

    1. JCitizen

      I am currently evaluating Prevx on my 64bit honeypot in my lab. Unfortunately, I don’t seem to catch much of anything that can actually run on this machine. I’m sure many of the modern malware can run in 32bit mode on 64bit systems; but they seem to go dormant with my defenses in place.

Apparently there are many malware that are AV/AS aware, and play possum when real-time protection is enabled.

However, if I run a program that has to read the keyboard as a part of its normal operation, Prevx blocks it automatically. So I can partially vouch for that capability. I’ve had several false positives, but they were obvious from the file name and location. CNET user reviews suggest you never use Prevx to actually remove anything from the PC; I use other methods for that.

When I was on XP and using Snoopfree Privacy Shield, I got a lot more action, with all kinds of malware attempting to read the video screen or keyboard entries. However, this venerable utility is obsolete, as it doesn’t work deep enough into the lower layers of the operating system to foil Zeus variants. In those days all I had to do to rectify spies was to do something like run CCleaner to dump temp files, etc., or run one of my malware scanners and find it that way.

      Some malware always slips through in between updates and imposing real time protection.

If you’re interested, try the free Rapport; it supposedly does the same thing, and is also gaining ground among IT techs. I haven’t had time to evaluate it, but will be recommending it to clients who are on a serious budget.

  22. self-defeating assumption?

    “No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system”
    IOW, bank server must assume the client browser is not controlled by the customer. In which case, the only rational choice for the bank server, is to block the client ip.
    Seriously, if the bank assumes all customer interactions are fake/hijacked/impersonated, the bank and customer should give up while they’re ahead.

    I don’t see how bank can be responsible for customer’s equipment, unless the bank leases dedicated “untamperable” package (like cable tv box, or creditcard swipe and approve gizmo, postage meter, dsl modem, etc.) for customer’s location .. a personal atm? Embedded os? Biometric ‘dongle’ strategy? (But, “if you have to ask ‘how much’, you can’t afford it”)
