June 22, 2010

In very few of the many stories I’ve written about online banking fraud against businesses has insurance paid for much — if any — of the losses victim companies suffered. However, several victims I’ve interviewed in recent incidents did have cybersecurity insurance coverage bundled as part of larger business risk insurance policies. In each case, the businesses suffered fairly substantial thefts, and appear likely to recoup all of their direct financial losses.

The most recent incident involved Golden State Bridge Inc., a Martinez, Calif. engineering and construction company that builds bridges. The thieves used an extremely stealthy but as-yet-unclassified strain of malicious software to steal the company’s online banking credentials, and on May 19th, the crooks used that access to set up a series of fraudulent payroll payments totaling more than $125,000.

Initially, the attackers set up two batches of automated clearing house (ACH) payments, one for $50,000 and another for $75,000, effectively sending a series of transfers to a dozen different money mules, willing or unwitting individuals lured into helping the criminals launder stolen funds by wiring the funds overseas and taking a small commission (usually 8 percent) for themselves.

When the first two batches were processed by Golden State’s bank on May 20, the thieves apparently figured they were home free, and set in motion another seven bundles of fraudulent payments for several hundred thousand dollars more, according to Ann Talbot, the company’s chief financial officer.

“Once they executed those first two successfully, they must have been like, ‘Oh, we’ve hit the mother lode! Let’s go for it!’,” Talbot recalled. “Had they succeeded in putting those through, we and the bank would have been looking at losses of more than $750,000.”

But Talbot noticed the fraudulent transfers the day the money started moving out of Golden State’s accounts, and sprang into action to get the seven new batches canceled. Unfortunately, by that point most of the mules who were sent loot in the first two batches had already withdrawn their transfers.

Talbot said nearly all of the money mules were located on the East Coast, which she believes is a tactic designed to give the attackers the longest head start possible before West Coast victims notice the fraudulent transfers.

“These mules were with East Coast banks, and most of them had [withdrawn] the money from their banks before we were even open for business,” Talbot said.

For what it’s worth, I observed this same pattern of the thieves relying mainly on East Coast mules in an earlier post, Charting the Carnage from eBanking Fraud.

SECRET QUESTION CHECKUPS

Like many financial institutions serving primarily business customers, the California Bank of Commerce — Golden State’s bank — pushes most of the security and authentication for its online banking systems out to customers, requiring a simple username and password, and occasionally prompting customers to provide the correct answer to one or more of their “secret questions”.


According to Golden State Bridge, the bank has a curious practice of automatically verifying all of its customers’ secret questions and answers every 180 days.

“So how does it do this? It flashes them on your screen and asks, ‘Are these your secret questions and answers? Click ‘Yes’ or ‘No’,” Talbot said.

And when was the last time Golden State was prompted to confirm their secret questions and answers? Why, the very day before the fraudulent transfers began, Talbot said.

“I don’t know how long that malware or Trojan was on our machine, it could have been weeks or months,” Talbot recalled. “All I know is, we saw this fraud the day after the bank prompted us to confirm all five of those questions and answers.”

Virginia Robbins, chief administrative officer at California Bank of Commerce, declined to discuss Golden State’s claims or even confirm whether the company was a customer. But she emphasized that security is never about just software and hardware.

“Any financial institution can put all of the controls they want in place, but if their client isn’t following the instructions or doing things properly, there are certain challenges,” Robbins said. “We do look for all of our clients to use dual controls, and we want to make sure there are multiple points of control. Because what we’re seeing today is that a malware compromise can happen at a single point in the system, and so there have to be multiple controls in place on the customer’s side.”

Indeed, Talbot acknowledges that she and her co-workers aren’t blameless in this incident. For example, the company had previously instituted a series of checks and balances to ensure that no single employee could both initiate and approve a payroll batch. Yet, at one point recently, Golden State Bridge undid that protection to accommodate a special case, but never bothered to put those restrictions back into place.
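The dual-control lapse described above is exactly the kind of thing a payments workflow can enforce and audit mechanically rather than by memory. The following is an added example, not code from the article, the bank, or Golden State Bridge: a Python check that holds any batch initiated and approved by the same login, treats a “special case” exception as temporary with a hard expiry (and fails closed when the expiry is missing or has passed), and flags batches made up mostly of never-before-paid payees. All logins, amounts, payee counts and dates are constructed.

```python
"""Separation-of-duties checks for ACH payroll batches.

Added example, not code from the article or the organizations it names.
Logins, amounts, payee counts and dates are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PayrollBatch:
    batch_id: str
    amount_usd: int
    initiated_by: str            # login that created the batch
    approved_by: Optional[str]   # login that released it; None if unapproved
    payee_count: int
    new_payee_count: int         # payees this company has never paid before


@dataclass
class DualControlPolicy:
    """Whether a second, different login must approve every batch.

    A one-off exception is only valid with an expiry date; the incident
    above is what happens when the restriction is lifted and never restored.
    """
    enforce: bool = True
    exception_until: Optional[date] = None


def dual_control_required(policy: DualControlPolicy, today: date) -> bool:
    """Fail closed: an undated or expired exception does not lift the control."""
    if policy.enforce:
        return True
    if policy.exception_until is None:
        return True
    return today > policy.exception_until


def audit_policy(policy: DualControlPolicy, today: date) -> List[str]:
    """Findings about the policy itself, independent of any batch."""
    findings: List[str] = []
    if policy.enforce:
        return findings
    if policy.exception_until is None:
        findings.append("dual control disabled with no expiry date")
    elif today > policy.exception_until:
        findings.append(
            f"dual-control exception expired {policy.exception_until} "
            "but was never reverted")
    return findings


def check_batch(batch: PayrollBatch, policy: DualControlPolicy, today: date,
                new_payee_ratio_limit: float = 0.25) -> List[str]:
    """Reasons to hold this batch for manual review; empty if it may post."""
    findings: List[str] = []
    if dual_control_required(policy, today):
        if batch.approved_by is None:
            findings.append("no approver recorded")
        elif batch.approved_by == batch.initiated_by:
            findings.append(
                f"initiated and approved by the same login {batch.initiated_by!r}")
    # A batch that is mostly never-before-paid payees looks like a mule payout,
    # not a routine payroll run, regardless of who approved it.
    if (batch.payee_count
            and batch.new_payee_count / batch.payee_count > new_payee_ratio_limit):
        findings.append(
            f"{batch.new_payee_count} of {batch.payee_count} payees are new")
    return findings


def held_batches(batches: List[PayrollBatch], policy: DualControlPolicy,
                 today: date) -> Dict[str, List[str]]:
    """Map batch_id -> findings for every batch that should be held."""
    held: Dict[str, List[str]] = {}
    for batch in batches:
        findings = check_batch(batch, policy, today)
        if findings:
            held[batch.batch_id] = findings
    return held


# Constructed sample: an exception that lapsed on May 1 but was never
# reverted, then two batches pushed through one login to all-new payees.
SAMPLE_POLICY = DualControlPolicy(enforce=False, exception_until=date(2010, 5, 1))
SAMPLE_BATCHES = [
    PayrollBatch("ach-1", 50_000, "finance-login", "finance-login", 12, 12),
    PayrollBatch("ach-2", 75_000, "finance-login", "finance-login", 12, 12),
    PayrollBatch("payroll-wk20", 180_000, "payroll-clerk", "controller", 40, 1),
]

if __name__ == "__main__":
    run_day = date(2010, 5, 20)
    for finding in audit_policy(SAMPLE_POLICY, run_day):
        print("POLICY:", finding)
    for bid, why in held_batches(SAMPLE_BATCHES, SAMPLE_POLICY, run_day).items():
        print("HOLD", bid, "->", "; ".join(why))
```

Run as a script it prints the expired-exception finding and holds the two all-new-payee batches while the routine payroll run passes.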

THIRD TIME’S A CHARM?

Golden State Bridge purchased $1 million worth of cybersecurity insurance as part of a broader business risk policy offered by Arch Insurance Group, one of several firms now offering cybersecurity coverage. The company decided to get the insurance after suffering another major cyber crime incident almost three years ago.

In 2007, Golden State was banking with a financial institution aptly named Bridge Bank, located in downtown San Jose. One day, the company opened for business to find that someone had wired $79,000 out of its accounts, destined for an account in Russia. Talbot said Bridge Bank shared the Internet address from which the fraudulent online login originated, and that she traced it back to servers operating out of a large building just four blocks away at 55 South Market St.

The owner of those servers was a problematic [and now defunct] hosting provider named McColo. In 2008, in response to questions from The Washington Post and security researchers about massive amounts of fraud, spam and other cyber crime activity flowing in and out of McColo’s servers, the hosting provider’s two upstream Internet providers pulled the plug on the company. As a result, the volume of spam sent worldwide tanked overnight — by some estimates as much as 75 percent. A nest of other fraudulent activity also evaporated (at least for a while) after McColo’s unplugging: One expert I spoke with who helps retailers control online fraud told me $250,000 worth of retail fraud committed against his customers on a typical day completely stopped the day McColo was unplugged.

Talbot said she’s glad Golden State purchased the insurance: The company managed to recover three of the fraudulent transactions, and its total loss now stands at just shy of $100,000. Golden State Bridge is confident that after paying its $10,000 deductible, the insurance company will cover the rest — probably by going after the bank. But Talbot said she’s worried she won’t be able to afford cyber risk insurance after this latest incident.

“I don’t think it will be offered to us again, or if it is, the cost will probably be so incredibly prohibitive that it may not be worth it,” Talbot said.


60 thoughts on “The Case for Cybersecurity Insurance, Part I”

  1. Carl

    It’s nice to know that this type of insurance is available, but as the CFO acknowledged, FOLLOWING good risk management policies and practices is the best insurance and is the most affordable.

  2. John

    No matter how many policies and procedures are in place you can’t discount the human element. A CFO, CIO or risk manager should be aware of, and take advantage of these types of risk transfer tools. The cost is extremely low relative to the potential losses. The money Golden State will recover from their insurance carrier will far exceed the premium paid for this type of coverage.

    1. JR Nicholson

      John, you hit the nail on the head about the cost of this coverage. My firm provides Data Security and Cyber Liability insurance programs in conjunction with our risk consulting services. We do not generate significant revenue from the sale of these products, but the ROI to our clients enhances our credibility within the relationship and allows us to assist them in other areas. Our model, shared by our strategic partners in Accounting, Law and Management Consulting, is “Educate First”.

      Once a holistic risk management review has been conducted (management/staff buy-in, policies & procedures, technological & human controls, vendor/supplier analysis, contractual review, indemnification recommendations, etc.), client leadership is in a much better position to answer seemingly simple questions such as “Where is our data right now?”, “Who has access to what?” and “What is our duty to our stakeholders?”. Once proper internal/external solutions have been implemented and a reasonable comfort level has been established, then a meaningful review of insurance options should occur.

      It should be noted that while most larger insurance companies and brokers have offered this coverage for over a decade, very few have firsthand knowledge of real world claims scenarios, many of which may be located online. I don’t intend to plug anyone’s database or blog, but the FTC can recommend sites where actual losses are detailed.

      Don’t buy in to the 1% world of horror stories and fear mongering. Most data breach claims are low-tech and involve what Cisco calls “The Human Firewall”. Review the public information available to your company from the FTC, implement a program internally or with a trusted partner, verify your trading partners are doing the same and then discuss the need for insurance with experienced professionals. While the risk is real and your technology cannot close all the loops, you have the power to protect your current assets and future earnings through consultation and implementation of proactive measures.

  3. Marty

    Okaaayy. The bank is clearly responsible for this fiasco…

    Let’s see, sending the customer’s secret account questions and answers in the open (the equivalent of sending the customer’s account password in the open)!! Then the bank robbery occurs the day after this irresponsible “verification procedure” takes place. And then the bank not having proper controls to detect the robbery right after this “verification procedure”. Wow! Game, Set, and Match.

    1. Wladimir Palant

      The bank’s “verification process” was certainly convenient for the criminals, no question about that. Still, with only five secret questions/answers – how long until the keylogger would have picked up all of them? These questions are clearly useless as a measure to stop such attacks, they won’t even count as a second authentication factor.

    2. FarVision

      The bank undid the controls on their end, and the business in question did not have proper anti-malware installed (to get the false banking popups). Both are culpable.

  4. TE

    After reading BK’s numerous blog posts and reader comments on the subject of online banking fraud, and putting a bit of thought into it, it seems to me that the banks need to get together and promote their own version of Linux, stripped down (e.g., no Adobe bloatware) and customized for online banking, and little else, and encourage their business customers to use a dedicated machine running that Linux for online banking, and distribute a “live CD” version for retail customers. Windows will simply never be a secure platform for banking. What would the hardware cost to run Linux, a few hundred dollars? The CDs could be handed out for free. Banks could offer the deal that they would cover any loss for a business customer using the Linux distro, but refuse to cover any losses for a customer using Windows.

    Yes, the hackers would then aggressively start targeting the banking Linux, but it would be a lot easier to keep that secure than Windows.

    1. Russ

      Banks are actually moving in what could be considered the OPPOSITE direction you are suggesting. So many ATMs are now Windows boxes. I know this because of how many have STOP messages, BSODs, and other Windows elements sitting on the screen. Once I even watched the screen as it did a network boot and began re-loading remotely. It is spectacularly confidence shaking.

    2. Helly

      Recently had the opportunity to work with a small business owner on this very issue. All of their employees received a spam email, linking to a site that was confirmed to be delivering a dose of Zeus. I educated the individual on the risks and how he was a direct target. He was even only using Windows machines, he thinks with AV. One person handles all banking interaction, passwords, etc.

      I mentioned the risk, sent a link to this site, and explained live CD’s. Absolutely zero interest from the company, didn’t even bother to tell his employees. Live CD’s might work for some companies, but others remain deliberately ignorant. This individual is also confident his bank will protect him…

      No solutions here, just wanted to complain that some of the best/cheap solutions don’t work. For who knows why.

      1. BrianKrebs Post author

        Sadly, Helly, this is all too common. Nearly all of the companies that were victimized got hit because the CEO or the CFO opened a poisoned e-mail attachment or clicked on an ill-advised link. The phrase “one virus infection can ruin your business” doesn’t mean much until it happens to some of these business owners, and then they get religion.

    3. Braden

      Great idea on the Linux LiveCD… Banks might embed access keys in the LiveCD requiring access via the LiveCD with no email client or access to any other websites. There are solutions to network problems: either require access over SSL only (defeating sslstrip style attacks), or actually create a secure tunnel into the bank. Convincing the customer to reboot is the harder problem, but when incidents like this continue, the customer may demand it; an insurance deductible of 10k is not chump change.

      As an aside, I want to say that since you created this blog, you’ve been doing a fantastic job reporting on security issues. Better than any other reporter out there. Thanks!

      1. Terry Ritter

        “There are solutions to network problems: either require access over SSL only (defeating sslstrip style attacks),”

        Virtually all banks already force SSL on their pages. The California Bank of Commerce pages do indeed shift to SSL for login, and, presumably, thereafter.

        “or actually create a secure tunnel into the bank.”

        SSL *is* a secure tunnel. Adding more encryption is not going to solve the problem.

        The problem is a live bot inside the customer computer which waits for something good to come along, then jumps on it. The cure is to not have a bot:

        * The bank cannot detect a bot or kill it.

        * The customer may not be able to detect a bot even with antivirus scanners.

        * The customer can kill any bot in Microsoft Windows by re-installing the OS from CD. But that only lasts until the next infection, which also may not be detectable.

        * The customer currently can avoid almost all malware by using any OS other than Windows when online.

        * The customer can prevent almost all infection by using a LiveCD online.

      2. timeless

        Sadly, I’m waiting for the day when malware vendors start sending free CDs to people which claim to be from banks indicating that they’re updating BankOS disks which supersede their current BankOS disks.

        The only good thing about this is that someone will be able to go after these criminals for mail fraud. Unfortunately, I suspect that the USPS will drown under the weight of such complaints, just like everyone else does.

        I’m not saying I’m entirely opposed to LiveCDs, but there are problems with them. Web browsers are secure for perhaps 3 months, if users are lucky. Web site certificates should be good for not more than 2 years. As an example, chase.com’s certificate expires: August 7, 2010 2:59:59 AM GMT+03:00 and was only valid from July 27, 2009 3:00:00 AM GMT+03:00. I’d expect them to replace their certificate sometime in July. (I picked Chase randomly, on the plus side, it redirected me to https immediately, on the minus side the site is not EV.) You can’t really bake any secrets into the CD beyond the site certificate or the specific CA you intend to use as your issuer, and none of that is valid for more than 2 years (CAs get bought or change which root they use often enough). As a result you’re opening your users up to attacks by Postal Mail since you have to train your customers to accept updated mailers. Now it might be the case that physical addresses aren’t well known, but I suspect that they can be retrieved by enough malware or social engineering prompts.

        I happen to live outside the USA, and I don’t understand my postal mail. In it, I get bills which are incomprehensible except for an account number, a reference number, and an amount. I’m a robot, so I basically take these numbers, enter it into a web form and confirm my transaction (two factor auth: password + plastic card with list of randomish numbers). Roughly speaking, anyone could send me a bill, and I’d probably pay it. If I wanted to be paranoid about web security, I could take the bill to my bank and ask them to pay it for me. But that doesn’t protect me from paying someone I wasn’t supposed to pay. And my housing company changed recently, so the new bill was to a different company whose name (like the last) meant absolutely nothing to me.

        In the USA, it’s not uncommon for people to be informed (by postal mail) that their bank sold their mortgage and that they should now send their payments to a new bank/address. So, the problem I’m describing isn’t limited to foreign countries.

    4. Matt

      I would have concerns about the LiveCD solution for business which wouldn’t be able to run the accounting and general admin software on the same box that the internet banking is done from. Most of the online banks here in Asia offer account synchronization downloads for different accounting packages, I doubt this would be possible as well as any localized email with invoices and sales etc which would all need to be done from the cloud. Of course the accounting data could be saved to a writeable local drive but that would defeat the security of doing LiveCD in the first place. The alternative is manually transcribing all the sales and transaction data from one box to another which I can imagine the accountant balking at.

      1. Jane

        This is probably a stupid question, but how does writing to the hard drive from a LiveCD session defeat the purpose?

        Do the Money/Quicken/CSV/etc. files contain sensitive information (other than, possibly, names and dollar amounts)? I save those files and confirmation pages to my hard drive — am I setting myself up for trouble?

        1. BrianKrebs Post author

          Jane — Some of the folks I’ve spoken with who have gone the live CD route use their Windows machines for Quicken/QuickBooks, etc. but use a separate, Live CD-enabled machine to actually log in to their bank accounts.

          Certainly, if the machine your Quicken/etc. data is kept on gets compromised, there is a risk. However, the attacks I have been writing about all required the theft of the victim’s online banking credentials. Unless you’re also storing those on the machine you use to do the Quicken et al. or accessing your account from that machine, then you’re taking the appropriate precautions, I think.

        2. James

          Jane,

          I also use Quicken for my banking but they are offline on a thumb drive or an SD with a CD for back up in case something happens (corrupted files or the like). In no way will I ever use Quicken to access my bank account online!

          For the banking part I log in separately and work from there and log off immediately after I am finished.

      2. Terry Ritter

        “Of course the accounting data could be saved to a writeable local drive but that would defeat the security of doing LiveCD in the first place.”

        That depends on what one expects from a LiveCD.

        The first online security advantage of a LiveCD (or DVD) is that it is not Microsoft Windows. Currently, this alone will avoid almost all malware.

        The second online security advantage of a LiveCD is to prevent almost all infection, specifically by booting from a CD which a virus cannot change. That means a simple restart will establish a clean system suitable for online banking.

        A connected drive is yet another issue: If Linux malware is picked up during a session, the bot might be able to read any attached drive and send the contents to the botmaster. Security can be improved by using an external drive for sensitive information and minimizing the exposure. For example, after a clean restart, go to the bank, download to the sensitive information drive, then gracefully unplug that drive (after asking the OS) before going anywhere else. Never go anywhere but the bank while the sensitive information drive is attached.

        1. Matt

          Yes I agree, it’s essentially a cost / time / security tradeoff. There is no question a LiveCD is much more secure than just running a normal system. I’d really like to hear some sample cases of people using it in a business environment.

      3. Richard

        Unfortunately you can’t have both security and convenience. Perhaps the simplest approach is to use a USB key with the Linux Live CD – transfer the accounting data onto that key from a separate Windows PC, then download/upload from that via the Linux live CD.

        It’s worth noting that the Linux live CD would become a target itself if it became popular, and that Linux requires software updates just like Windows. Hence it might be better to have a dedicated Linux PC that is updated automatically.

        However, as long as the user of the live CD PC only uses it for banking, and never for email or other websites, the risk of a successful attack on that PC is fairly low – only a direct attack on the browser used on that PC would succeed. This is where Google Chrome might be better, as it is very quick to update it every time you boot the live CD.

        1. JCitizen

          @Richard:

          Puppy Linux updates the OS and the browser as soon as you boot to the network. However, it doesn’t hurt to refresh the disc every so often, so there isn’t so much to update.

          On Disc sells USB drives with the latest version on board, and it has several browsers to choose from, and a complete range of word-processors, spread sheets, and image editors. This way you know you are getting a reliable copy of the OS, and no checksum is necessary.

  5. TE

    To add to my previous post:

    Why don’t the banks’ web servers detect that you are running Windows, and disable all ACH and wire transfers? You would still be able to check your balances and transfer between your accounts, but not transfer out. Retail customers could set up trusted ACH payees for online bill paying in person at a branch, or would at least have to verify new payees over the phone. Business customers would be strongly encouraged to use a dedicated machine running “banking Linux” if they want to be able to initiate random wire transfers. Most importantly, all customers should have the option to disable all wire transfers, or require phone confirmation, on their accounts. Default enabled is not a good policy.

    1. Ben

      You can’t tell customers that they are not allowed to use Windows if they use these products. You will lose those customers.

      It is very difficult to balance necessary security with customer convenience. While banks want to offer the services customers want, there is only so much banks can do to force customers to follow best practices.

      Restricting online access to only non-Windows PCs wouldn’t really solve anything if the customer’s network is not secure, and there is no one solution to network security.

      Educating customers about best practices and cultivating an environment and culture of cooperation between banks and customers is vital, but banks have to be very careful not to do so in a way that makes them liable for the customer’s behavior. In our litigious society, it has to be either the customer or the bank’s fault. There is no middle ground. If the bank makes too many explicit recommendations to their customer, and leaves out the one thing that could have saved that customer, then the bank would be seen as liable for omitting it. If the bank doesn’t do enough towards education and the customer falls victim to fraud, it could be said the bank did not do enough to protect that customer.

      The fact is that banks need to be up front and honest about the risks of Online Access, especially when it comes to Treasury Management (ACH, Wires, etc.), but that they can’t dictate what security measures to take. If they do, then if they miss the recommendation, they can be held responsible.

      It’s a tough spot for customers when fraud strikes, but it’s easy to try and blame the banks even if it really isn’t their fault. Smart Financial Institutions have put in place several overlapping layers of security on their side, but if there’s no dual-control on payments, then all it takes is one hole on the user side to compromise the whole system.

      It’s good to throw ideas out and see if they stick, but considering how much of the small to medium businesses operate on PC’s, and how many of them are resistant to change, you would only be lowering your market share to restrict them to non-windows machines.

      1. Terry Ritter

        “Restricting online access to only non-Windows PCs wouldn’t really solve anything if the customer’s network is not secure,”

        I disagree.

        The issue here is a bot in the computer which is in active communication with the bank. Once that computer establishes an SSL link, communications are secure and encrypted between that particular computer and bank. Network insecurity does not seem to be an issue.

        The insecurity is the bot itself, and almost all bots are designed to work only in Microsoft Windows. At least for now, simply avoiding the use of Windows on line avoids most bots. It makes a lot of sense for a bank to prevent dangerous account actions which are ordered from an online Windows machine.

        “It’s good to throw ideas out and see if they stick, but considering how much of the small to medium businesses operate on PC’s, and how many of them are resistant to change, you would only be lowering your market share to restrict them to non-windows machines.”

        No, not “only” lowering market share. One would *also* be solving the problem.

        Banks are not stepping up to make their business customers whole, actions which already risk market share. In doing that, banks must see these losses as a serious problem worth that risk, which means it also may be worth actually solving.

        Not allowing dangerous account actions from Windows machines sounds like a very good start.

        Or maybe Microsoft will step up to make their customers whole.

        1. xAdmin

          All these proposals to use other operating systems or ban Windows are just throwing the baby out with the bathwater.

          Besides, I can’t believe anyone can seriously propose any organization ban a particular OS in order to use their website! Do we really want to go down that road? What happened to personal choice and personal responsibility?

          1. AlphaCentauri

            “Besides, I can’t believe anyone can seriously propose any organization ban a particular OS in order to use their website!”

            The many corporate websites that only function with Internet Explorer (and perhaps only work with IE7 or less) don’t seem to have a problem with imposing their preference on their visitors.

            Are there any websites that only work with non-IE browsers?

      2. Terry Ritter

        “you would only be lowering your market share to restrict them to non-windows machines.”

        Banks are already endangering their market share, simply by resisting making their customers whole. Apparently the losses are sufficiently painful to take that risk. Perhaps additional pain will provide a motive to actually solve the problem.

        The problem is a hidden bot in the customer computer, which the bank cannot detect or kill. So the bank is not responsible. But the customer also cannot detect the bot, so they are not responsible either! The only responsible course is to avoid Microsoft Windows online, and a reasonable way to do that is for the Bank to prevent dangerous online transactions from Windows computers.

        Or Microsoft could make their customers whole.

        1. Ben

          “Banks are already endangering their market share, simply by resisting making their customers whole. Apparently the losses are sufficiently painful to take that risk. Perhaps additional pain will provide a motive to actually solve the problem.”

          Actually, it isn’t that each loss is too great, but the potential for loss is too great. Eating the loss for one or two fraud transactions would not only cost the bank the funds compromised, but would also ensure that their customers continue to do two things:

          1) Not properly protect their systems from threats
          2) Expect the Financial Institution to cover all losses.

          By not drawing a line in the sand and forcing customers to take responsibility for their (in)actions, banks would essentially be saying, “Don’t bother protecting yourself from loss. We’ll pay for any fraud that comes your way.”

          In addition, if you assume that customers who are compromised are more likely to be the customers who are not properly securing their systems, then losing them as customers may not be such a bad thing. Granted, not all customers who experience fraud are opening random attachments or saving their passwords on their PC’s, but a customer who visits a site which plants a bot will most likely visit that same site again and again.

          There are very good reasons banks don’t cover losses like this for businesses, and most of them do not involve the direct cost of covering the loss. Most of them involve the risk of potential future losses.

    2. R

      Requiring customers to go to a bank branch in person to initiate ACH or wire transfers is completely unworkable for many customers. I would have to change banks. I am a retired American living in SE Asia. I bank at a major U.S. bank and totally depend on ACH and wire transfers to manage my affairs. It does scare me that I can wire large sums entirely online. I use Windows, but NEVER for banking. I use my old Mac. As an individual, I feel that I am protected in case of loss with my bank but what about mutual fund companies? That scares me so much that I don’t like to access my mutual funds accounts online at all! Any reports on mutual fund online fraud?

      1. timeless

        I wonder which browser you’re using on your old mac. Unlike Windows, browser support for old Mac operating systems tends to fade fairly quickly.

        I believe the latest Safari for 10.4 is 4.1 (which is probably roughly close to end of life, as Safari 5 was released for 10.5/10.6).

        Firefox 2.x is the last version to support 10.3.9 and it’s already end of lifed. Or, Firefox 3.x should run on 10.4+, but it’s possible (likely?) that Firefox 4 will not run on 10.4.

        I’m not sure which versions of OS X are supported by Opera.

        I believe Chrome requires 10.5+.

    3. prairie_sailor

      Regardless of the security pros and cons of requiring this, the bank’s web servers CAN’T do this, because the only way to detect what web browser/OS is visiting your website is contained in the header of the HTTP request packet sent from the browser. This is simple text and can be altered or stripped off entirely. If I’m not mistaken, Firefox and Opera and maybe IE 8 have this built in. And if not, there are plenty of “privacy utilities” that can do that for you. The information about what web browser and OS the visitor is using is there, but one of the first things they teach in any web development class that covers its existence is that it is not to be relied upon because it can be altered or removed.

      1. Terry Ritter

        “the only way to detect what web browser/OS is visiting your website is contained in the header of the HTTP request packet sent from the browser. This is simple text and can be altered or stripped off entirely.”

        Good point!

        Malware might force a simple text indicator away from Microsoft Windows to something else. But it could not force a cryptographic authentication of that text or other identifier as created by the Bank.

        Some JavaScript code probably should be able to distinguish Windows from non-Windows, although the ability to perform that function in a machine with a bot would be an issue eventually. The bank would sign any non-Windows result, and save it in a cookie. Malware could not produce an authenticated different cookie, and if it erased the cookie, the Bank would assume Windows.

        Allowing fairly innocuous online account access from Windows machines must have a better chance of success than disallowing all access, which had been my previous position.

        Thanks for your insight!
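The signed-cookie scheme Ritter sketches above, as an added example (not code from the page or any bank): the bank HMAC-signs the platform result, and on later requests accepts only an untampered, unexpired cookie, treating anything else as Windows. The client-side check that feeds `sign_platform_claim`, the secret, and the cookie layout are all assumptions; the signature proves only that the bank issued the claim, not that the claim was true, which is the part prairie_sailor’s point still applies to.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a bank would keep the signing key server-side, never in the page.
BANK_SECRET = b"demo-bank-signing-key"

# What the bank assumes when it has no trustworthy evidence to the contrary.
DEFAULT_PLATFORM = "windows"


def sign_platform_claim(platform: str, issued_at: int) -> str:
    """Return a cookie value: base64(payload).base64(HMAC-SHA256 tag).

    `platform` is whatever the bank's (hypothetical) client-side check reported;
    the bank signs that result together with an issue time.
    """
    payload = json.dumps({"platform": platform, "iat": issued_at}, sort_keys=True).encode()
    tag = hmac.new(BANK_SECRET, payload, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(tag).decode()}"


def platform_for_request(cookie, now: int, max_age: int = 7 * 86400) -> str:
    """Decide which platform to treat this request as coming from.

    Missing, malformed, tampered or expired cookie -> DEFAULT_PLATFORM, mirroring
    "if it erased the cookie, the Bank would assume Windows".
    """
    if not cookie or cookie.count(".") != 1:
        return DEFAULT_PLATFORM
    try:
        b64_payload, b64_tag = cookie.split(".")
        payload = base64.urlsafe_b64decode(b64_payload)
        tag = base64.urlsafe_b64decode(b64_tag)
    except ValueError:  # binascii.Error (bad padding/characters) is a ValueError subclass
        return DEFAULT_PLATFORM
    expected = hmac.new(BANK_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison of the tag
        return DEFAULT_PLATFORM
    try:
        claim = json.loads(payload)
        platform, iat = claim["platform"], int(claim["iat"])
    except (ValueError, KeyError, TypeError):
        return DEFAULT_PLATFORM
    if iat > now or now - iat > max_age:
        return DEFAULT_PLATFORM
    return platform


def tampered_cookie(cookie: str, new_platform: str) -> str:
    """Test helper: rewrite the payload half but keep the old tag, i.e. a change made without the key.
    Used to check that the verifier rejects it."""
    b64_payload, b64_tag = cookie.split(".")
    claim = json.loads(base64.urlsafe_b64decode(b64_payload))
    claim["platform"] = new_platform
    payload = json.dumps(claim, sort_keys=True).encode()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{b64_tag}"
```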

  6. Louis Leahy

    I have solved the problem of credential breaches with a programme to verify users’ access on network servers. It can be retrofitted to existing systems and will stop bank users’ accounts being hacked.

    1. Matt

      Good to hear Louis – can you please get a better mousetrap and world hunger solved by the end of the week?

      Seriously, can you share more details on your program?

      1. Louis Leahy

        You’re a very arrogant person. Surely, if you are so intelligent, you can do a simple search engine lookup to find out more.
        If I discuss too much about my product in this forum it gets blocked, so don’t blame me for that; talk to the publisher. I know because I have talked to other product owners.
        It doesn’t say much for this forum when a comment from me regarding a solution gets denigrated while negative, irrelevant comments from a bully like you are celebrated.

  7. MNB

    Why can’t the bank simply have a couple of confidential numbers and send a text message for each transaction (amount > set margin), so at least the large chunk of the transfer is checked again with the customer? If they find it dubious they can block it immediately.

    1. timeless

      The problem with such systems is that they have to allow you a way to change your information [online], so all an attacker needs to do is change the phone number/sms number/email address to one they control, and then do the transactions.

      I believe you’ll find articles in krebsonsecurity.com which indicate that some of these systems have already been defeated (at least email address variants, although iirc also phone call variants).

  8. Peter McLeod

    Hi Brian,
    I’m giving your website a hit just about every day now.
    When you were at the Washington Post you wrote about having a dedicated computer for online banking and a reader wrote commenting that it would be “a non starter in this economy” [Upper Marlboro, Md.: Friday, October 9, 2009; 11:00 AM ]
    Since I can’t for the life of me burn a live ISO disc, and no Linux disc will recognize my modem [I’m still on dial-up], I’ve tried the next best thing – I turn my beast into a “temporary dedicated online banking computer”. I save stuff to an external drive [mostly emails and your articles], totally nuke the C: drive, re-install Vista Ultimate and absolutely nothing else except the latest version of Firefox, do the banking [mostly bill paying] and then disconnect and re-install everything else.
    The whole exercise takes about forty-five minutes tops, about once a month.
    It must seem like paranoid overkill and probably is, but it works and I never need to de-frag.
    I also get an automatic confirmation email from my bank [if you did not authorize this transaction please phone etc]
    I guess this is not practical for most people but these days you are reporting stuff that must be turning some peoples’ lives into a nightmare.
    Upper Marlboro, Md also wrote “if the trojan infects a national bank, a home user can become a victim even if s/he does everything required for safe computing.”
    That does not seem to be a problem for banks in Australia as yet but it’s probably only a matter of time.
    All kindest regards
    Peter in Sydney, New South Wales.

    P.S. Brian what is ISO anyway? I’ve Googled it and still can’t find a definition that means something.

    1. Terry Ritter

      “P.S. Brian what is ISO anyway? I’ve Googled it and still can’t find a definition that means something.”

      In this case, ISO is just short for the ISO 9660 standard for a CD file system. An .iso file is just a drive-image, and is generally used to make a bootable disk which will load an OS from CD or DVD.

      When we burn normal data files to a CD, the burn software must create a new file structure in which to place the new files. But an .iso already has a file structure, with files already in place, and so should not be burned as a normal file. Logically, an .iso is simpler to burn than normal files, but software can make everything seem complex.

      The Puppy Linux download page recommends BurnCDCC:

      http://www.terabyteunlimited.com/utilities.html

      and also ImgBurn:

      http://www.imgburn.com/

      1. Peter Mcleod

        Thank you Terry, it’s a little clearer to me and I appreciate the time you took to explain it, although I’ll probably stick with the method I outlined in my original post. It’s worked for me and I guess is as secure as anything these days – but the ingenuity of online scams now is breathtaking.
        Regards
        Peter in Sydney, New South Wales

    2. timeless

      Having reinstalled Vista on 4 or 5 computers in the last couple of months, I worry about your approach. Vista SP0 was end-of-lifed in April. Starting with a computer running Vista SP0 (which is all I ever see), it takes me well over 45 minutes to manually download SP1, manually install it, and then install SP2. Until SP2 is installed I’m relatively confident that the computer I’m using is vulnerable to *something*. Note that I don’t own Vista, I’m doing this for other people w/ their original install media. If I owned Vista, I’d probably construct a slipstreamed SP2 DVD and rely on that. For information about slipstreaming: (yes the article is for XP …). Note that if you’re in the US you can probably get your vendor to give you updated install media. The last visitor I had brought a laptop from the US and wasn’t really in a position to wait for someone from the US to ship such media overseas. At this point, if someone is desperate, I’m more likely to walk to a local store and buy Windows 7 — if I’m lucky the store version includes SP1 (I’m probably not lucky) — and install that.

  9. Demenynx

    ISO could either be a CD disk image. It is a file which contains a whole CD and therefore a complete Linux Live CD. Or it could be the “international standard organisation”, but I guess it is the first one.

    I am from Germany and most banks here give out so called “TAN Lists”. I got like 100 6-digit numbers on there and for every transaction I have to enter one. So to transfer money, I will be asked to enter the 85th TAN. Once all are used, I will get a new list.

    So even if my password became known to a thief, they could not transfer money, because they do not have that list.

    Is the same done in the US, or do you just have a password?

    1. Matt

      Unfortunately the TAN list system provides no mechanism for transaction authentication. In short, the trojans don’t need to intercept the TAN OTP passwords, as they just hijack your browser and go from there using the TANs you provide. In some way it’s a false sense of security, but of course far better than just a username and password, which it seems some banks are still using.
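The distinction Matt draws, as an added example (not code from the page or any bank’s scheme): an indexed TAN sheet proves possession of the sheet and says nothing about the transfer, whereas a code bound to the destination and amount the customer confirmed fails verification if the submitted transfer differs. The TAN values, the per-customer secret and the HMAC-over-transfer construction are constructed for the demo and are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo values: a four-entry TAN sheet and a per-customer secret that would live in a
# separate device showing the customer the transfer details. Neither is any bank's real data.
TAN_SHEET = ["483920", "017264", "905511", "332187"]  # printed as TAN #1 .. #4
CUSTOMER_DEVICE_SECRET = b"demo-per-customer-secret"


@dataclass(frozen=True)
class Transfer:
    dest_account: str
    amount_cents: int


def tan_sheet_accepts(transfer: Transfer, index: int, tan: str) -> bool:
    """Indexed TAN list: the bank checks that TAN #index was typed correctly.
    The transfer is never consulted; the code proves possession of the sheet, nothing more."""
    return hmac.compare_digest(TAN_SHEET[index - 1], tan)


def transaction_code(transfer: Transfer, secret: bytes = CUSTOMER_DEVICE_SECRET) -> str:
    """Transaction-bound code (assumed construction): HMAC-SHA256 over exactly the destination and
    amount the customer confirmed on the second device, truncated to 8 hex digits for typing."""
    msg = f"{transfer.dest_account}|{transfer.amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def transaction_code_accepts(transfer: Transfer, code: str,
                             secret: bytes = CUSTOMER_DEVICE_SECRET) -> bool:
    """The bank recomputes the code over the transfer it actually received."""
    return hmac.compare_digest(transaction_code(transfer, secret), code)


def outcomes_under_substitution(confirmed: Transfer, submitted: Transfer) -> tuple:
    """Model the failure mode Matt describes: the customer confirms `confirmed`, but what reaches
    the bank is `submitted`. Returns (TAN sheet accepted, transaction-bound code accepted)."""
    typed_tan = TAN_SHEET[0]                  # customer types TAN #1 as the page asks
    tan_ok = tan_sheet_accepts(submitted, 1, typed_tan)
    typed_code = transaction_code(confirmed)  # device computed it from what the customer saw
    code_ok = transaction_code_accepts(submitted, typed_code)
    return tan_ok, code_ok
```

Run `outcomes_under_substitution` with two different transfers to see the TAN accepted and the bound code rejected; with the same transfer both are accepted.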

  10. swhx7

    If cyber-security insurance for businesses becomes common, the “Windows vs. other OS” issue will take care of itself. Insurance companies are empirical about such things: they will look at real-world results, and if it turns out that most of the losses involve Windows and another OS would reduce losses, then they will start requiring that the insured businesses start using non-Windows OS’s to avoid higher rates.

    1. BrianKrebs Post author

      This is a really interesting point. So if I understand your argument correctly, the insurance company might give you a discount, lower your deductible, or give you a better rate if you agree to only access your company’s accounts from an isolated, non-Windows computer? I could see how the bean counters could latch onto this concept as a measure of risk.

      Thanks for your comment.

      1. wiredog

        Bruce Schneier made this point about insurance several years ago, BTW. May even be in “Beyond Fear”.

      2. timeless

        I could see the insurance company *providing* the computer and saying “you must use this one”.

        I worked for a company whose product price was high enough that we considered tossing in a box to run it on. We hadn’t done it when I left the company, but for a business charging >10,000 USD annually (the insurance value you mentioned in your article), including a 2,000 USD computer isn’t really a big deal. It simplifies troubleshooting, tech support and reduces variables.

  11. What About

    Answer to the above comment about losing market share –
    What about if the bank offers its business customers an option: use a bank-supplied, hardened Linux-based netbook for online banking and the bank will make good any losses found to occur from that machine; or, the customer can use their own (Windows-based) machines for online banking and NOT get any reimbursement for losses that may occur.
    Customer’s choice.

    1. Matt

      One reason banks will never do that is the complexity of the notebooks would require the bank to run a full time technical support team to manage drivers, plugging it in, connecting to the internet etc. Even the support costs required to manage single button OTP token is exorbitant.

      1. Ben

        While I agree this would help at first, I also think the cost would outweigh the benefit. Hardware, configuration, and support would be a very pricey insurance policy considering that this security would only last as long as fraudsters weren’t targeting these netbooks, users only used them on secure networks, and users only used them as agreed (no browsing, email, etc.)

        While I do not disagree that it would help, I think that the real friend of banks and business owners is education. Banks should do more to educate their customers regarding the risks and help them to utilize security services to their fullest extent. For instance, if an FI has the ability to limit users to specific IP addresses, but only tells a few of their customers about it, they are losing out on a powerful tool. (Yes, I am aware there are ways around this, but it is only one complementary layer.)

      2. AlphaCentauri

        “One reason banks will never do that is the complexity of the notebooks would require the bank to run a full time technical support team to manage drivers, plugging it in, connecting to the internet etc. ”

        And I can totally imagine scammers convincing users to “jailbreak” their bank-supplied netbooks to play cool games at work. Sometimes the entity bearing the risk of loss (the employer) isn’t the one spending all day with control of the hardware. Every employee thinks he/she is savvy enough to get away with goofing off on company time and equipment. There’s plenty of precedent for time-wasting downloads being used as vectors for trojans.

  12. James

    “Had they succeeded in putting those through, we and the bank would have been looking at losses of more than $750,000.”

    —-

    I loved this. I have an idea it’s yet to be decided who’s looking at those losses, though the company would most certainly like to have the bank as a partner.

  13. Interested Joe

    Let’s be clear as to what is going on here. There are criminals that have well-developed tools and processes to steal online banking credentials from unsuspecting users at small and medium-sized businesses. It’s happening every day. In this case the company’s internal network was compromised. When the criminal used those credentials to access the bank accounts of this company, the bank allowed the transactions to be processed because the request came from an authenticated user.

    While pointing fingers and assigning blame is not productive, certain responsibilities are assumed. The bank has the responsibility to use reasonable security measures to protect the integrity of its systems, and the company has the responsibility to secure its authentication keys (username/password/token/PC/whatever). Bottom line: if the keys had not been compromised, the criminals would not have had access to the accounts.

    No doubt banks need to continue to enhance their security measures as the threat landscape changes, but companies also need to take responsibility for their own security and educate their employees; many small/medium businesses do not take this seriously.

    1. Fred

      Joe,

      I’ve got to echo your comments here. I’m an independent IT consultant and I’ve worked with SMBs for nearly 20 years. Unless the owner or principal has an interest in technology there is little they do to secure their computing environment. Why? It’s simple: security can be inconvenient, and they see no return on that investment. There is also complacent ignorance that the Bank will protect them. The CFO at this company said it herself: we had a Trojan and it may have been there for months. It was the Trojan that captured the users’ login credentials. I can just about guarantee that all the users in the company have admin-level privileges, giving whatever trojan they got full access to everything. It’s easy to blame the bank; who likes banks these days? But companies need to wake up and take responsibility for their own environments. Banks need to make sure they educate their customers on the risks of Internet banking.

  14. Tom Cross

    Another rehash of the same issues – liveCD, Linux, better authentication, Mac, etc. – all after the fact.

    This issue continues to surface because of users’ complacency about security. Complacency created by assumptions/beliefs. In most cases, these usually fall into one of several categories:

    “I’m protected by (AV, firewall, consultant, security device, whatever).”

    “Security is not my responsibility (see above)”

    “Internet Explorer is safe to use.”

    “Friends/family wouldn’t send me a virus.”

    Security experts have stated that, as long as a human can touch the keyboard, no software can protect 100%. Users don’t want to be bothered by security issues so they rely on passive protection provided by (see above).

    AV programs love to brag about their detection rates of known viruses. What about the 55,000/day unknown malware detected in 2009?

    The issue is not what the AV can detect but what it cannot detect. This renders the AV useless.

    But as long as the user believes security is handled by something or someone else, they have no incentive to practice active prevention.

    Active prevention would require a corporate computer use policy and user education in what programs to use for web, pdf and other applications known to be exploited. But this also implies that there is some level of IT staff helping users with the use of active prevention.

    Unfortunately, most SMBs don’t have IT staff and rely on external security – usually passive (AV, etc.) – rather than enforcing restrictions on use of exploitable applications.

    Active protection is identifying and mitigating the infectious vectors used to compromise systems rather than relying on some passive, signature-based system to stop them.

    -Automatic execution of javascript by browser
    -PDF docs on websites
    -Infectious links in spam/FB/forwarded email
    -Downloaded utilities (drivers, registry)
    -Free games (duh!)
    -Free music (P2P – Limewire, etc.)

    For my customers, I first educate them about the limitations of the AV program (versus the marketing hype) and then teach them to:

    Block javascript (Firefox w/NoScript)
    Clean internet cache/temp files (CCleaner) daily
    Use alternate PDF reader (Foxit)
    Use AV prescriptively vs. preventatively

    This is such a problem now that the internet cretins have figured out how to rob banks. The size of the prize dictates the effort needed to get there. Hacking user’s assumptions is one of the easiest.

    1. Rick

      Peter Garrett called this ‘someone else to blame’. He’s from Down Under so the attitude must be rather prevalent.

      But the solution suggested is too gargantuan. It won’t ever work. The solution is to protect users so they’re never in the loop.

  15. Phil

    Even with demand, well-defined requirements and numerous loss examples against which underwriting can evaluate risk, the rate of change and escalation in loss scenarios is making the actuarial analysis very difficult. Financial institutions and e-tailers have been the hardest hit with loss averages rising beyond $100,000. Insurers will be forced into (re)evaluating the terms of this coverage and the overall profitability of CyberRisk product lines. Similar to Terrorism coverage, the risks to insurers are great, but unlike Terrorism events, cybercrime is common and increasing in frequency and severity. Even with a broad distribution of risk and re-insurance participation, these policies seem less and less attractive from an underwriting perspective.
    How will business address this growing risk?

  16. Rick

    Damn, what a meticulously researched and written article! This is what journalism is all about. So little of it is seen anymore. I’d also suggest that anyone holding other people’s ‘capital’ be insured and that their staff be insured as well. This might help set new standards.
