July 14, 2010

When cyber crooks stole nearly $35,000 this year from Brookeland Fresh Water Supply District in East Texas, the theft nearly drained the utility’s financial reserves. Fortunately for the 1,300 homes and businesses it serves, Brookeland had purchased cyber security insurance, and now appears on track to recoup all of the unrecovered funds in exchange for a $500 deductible.

As this attack and a related case study I wrote about last month show, cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts.

The attack on Brookeland’s Internet banking account began on Friday, April 9, about the time that General Manager Trey Daywood had authorized the utility’s payroll transfer — just a half hour before the bank’s 2 p.m. cutoff time. A few minutes later, unidentified hackers went in and deleted Daywood’s payroll batch and set up their own payroll, sending sub-$10,000 payments to seven individuals across the United States who had been recruited to help launder the money through work-at-home job scams.

Daywood soon heard from his financial institution, Texas-based First National Bank, which thought the $34,038 amount was quite a bit higher than the organization’s regular payroll total. But the bank only called after it had finished processing the fraudulent transfers, and most of the unauthorized payments still were sent out the following Monday.

“It was only after I signed affidavits of forgery and had them notarized that our financial institution began the process of trying to retrieve the money,” Daywood said. “It was very clear from the beginning that their attitude was, ‘Hey, it’s not our problem.’ Which was professionally disappointing to me.”

I contacted First National multiple times for a comment on this story, but have yet to hear back from them. I will update this story if that changes.

Financial institutions are required to use “commercially reasonable” security measures to deter fraudulent attacks, but experts say just how far banks need to go for their security to be considered reasonable is a standard that is ill-defined, and is likely to be decided by several ongoing lawsuits filed in state courts. Banking regulators also encourage institutions to use so-called “multi-factor authentication,” or a user name and password in addition to some other type of authentication mechanism. However, according to Daywood, First National Bank allowed commercial customers to access their accounts online with nothing more than a user name and password.

When consumers lose money due to cyber fraud, retail banks are required by law to refund the money — provided the victim doesn’t wait too long in reporting the unauthorized charges. Commercial banks, however, are under no such obligation, although they usually will work with the victim customer to try to reverse as many of the fraudulent transfers as possible.

According to Brookeland, First National Bank managed to reverse a little less than half of the bogus transfers — $15,338 to be precise.

Daywood said the attackers also evaded procedural security measures the company put in place to ensure that two employees signed off on every transaction. Prior to the attack, another Brookeland employee was responsible for initiating payments — including payroll batches — but that employee had no authority to approve the transactions.

“They went in and changed the authority of that employee to make it possible for her to create and initiate the fraudulent batch under her login name,” Daywood said. “It’s a mystery as to how they could do that, because I am supposed to be the only one who has authority to do that through my admin account.”

Daywood said he expects Brookeland will recover the remaining lost funds through its insurance program. But he said the incident has consumed most of his time for the past several months.

“I’ve lived, breathed, ate and slept this since it happened,” Daywood said. “You’re looking at hundreds of hours of research, on and on.”

Further reading:

The Case for Cybersecurity Insurance, Part I

Avoid Windows Malware: Bank on a Live CD

E-banking on a Locked Down (non-Microsoft) PC

Target: Small Businesses


29 thoughts on “The Case for Cybersecurity Insurance, Part II”

  1. Tom D

    While this may not be reasonable, if possible I would change the bank I run my payroll through if I felt that the attitude presented was ‘not my problem’. Using your economic power (especially if you are otherwise stable during this poor economy) is a great way to send messages to all the corporate banks that while you were the one that got attacked, they need to assist you since they have better tools to identify issues like this.

    I recall being asked (personally, on a non-commercial account) if I wanted my account to not flag fraud cases due to frequent international travel to different locations. I recall responding with ‘no, I prefer to have to call and know that this can be resolved than to losing my money’. Why couldn’t the bank take this attitude and call prior to issuing the checks for suspicious behaviour?

  2. emv x man

    If I was a client of First National Bank I’d be taking action to ensure I wasn’t – they thought it was odd but processed it anyway – and then compounded a low opinion of them by not seeing it as their problem.
    Nobody needs a bank like that.

    1. Ben

      Amen, sir. As a banker, I say if you do not feel secure with your bank, vote with your wallet. ALL OF IT. Move all of your money to a bank which you feel will not only work hard to protect your account and will communicate with you, but will also be willing to work with you in the event of fraud to help you recover funds.

      At my bank, we have had some ACH and Wire Fraud cases, but we make it clear to our customers that we will do everything we can to help them recover funds as soon as we know it has happened. A quick reaction, especially in ACH, can mean the difference between total loss and successfully recovering some or all of the funds.

      Communication is vital, as well. We are currently putting together a security seminar for our ACH and Wire customers to help them protect the end-user computers. We understand that part of our responsibility to our customers is helping them to protect their own account. Our seminar will feature a local network security specialist who will come in and speak with them for 40 minutes. After that, we’ll explain what services we have available for our customers which they may not be aware of. We’ll work with the security specialist to help him include everything without getting too in-depth, and we’ll stress adding layers of security, such as IP whitelists, Time Restrictions, dedicated computers for online banking, security tokens, and out-of-band and dual control requirements on transactions.

      Our goal is not necessarily to eliminate the customers’ fraud risk, as that is impossible, but we would like to make it hard enough on fraudsters that they seek their quarry elsewhere.

  3. Carl

    I know that Brian tried to get the bank to comment and they were evidently not cooperative, but something about this story does not add up. The bank caught the suspicious activity and notified the client but didn’t do anything about it when the client said it was bad? That does not make sense.

    I imagine the client took too long to respond to the bank’s inquiry, and the bank could not unilaterally stop the instructions which were received from an authenticated, not known to be compromised, user.

    I think it is impressive that the bank caught the fact that the activity was unusual, and I believe we do not have the whole story, but I guess the point is that cyber insurance is good for people who do not have time to address their own security requirements.

    1. d

      Oh Carl,

      Do you work for this bank? If you’re in a major U.S. city and you need to find a location that’s in a poorly lit area of town, would you still walk there? Or do you need to have the police tell you it’s dangerous while you are walking? Or would a bottle upside the head do it for you? If they identified the transactions as suspicious they should have stopped the process. The bank should have placed the transactions on hold until they spoke with Mr. Daywood, regardless of whether he called back that day or a week from then. I am not holding my breath for a response from First National Bank; you shouldn’t either.

      1. Carl

        D,

        No I don’t work there – I am sure of that. My only point is that we really do not know any of the facts, and it is amazing the conclusions people are willing to jump to without the facts. All we have is the victim’s sorry story. Victims are notoriously unreliable as to facts, and are especially eager to blame anyone else for their inappropriate security activities. I am not defending banks either. My point is only that the facts are clearly absent here.

        1. Jane

          Two assertions we do have are “the bank only called after it had finished processing the fraudulent transfers” and “It was only after I signed affidavits of forgery and had them notarized that our financial institution began the process of trying to retrieve the money”

          Now these may be bold-faced lies rather than facts, but if they are true I can say with certainty I would never do business with this bank. Contrast notarized affidavits with the steps necessary for a non-business customer to respond to fraudulent credit card charges.

          It’s odd to me that a company aware enough of the risks to find and pay for insurance would not also find out about its bank’s procedures for such cases in advance.

          1. brian krebs

            @Jane- I meant to include this detail in the story, but Daywood said the insurance was offered as part of a package offered by insurance provider AIA to government entities and state utilities. I don’t think they specifically sought out cybersecurity insurance; rather, it was part of the bundle.

          2. Ben

            “It was only after I signed affidavits of forgery and had them notarized that our financial institution began the process of trying to retrieve the money”

            This alone shows that the victim couldn’t have been too slow to react, since they were able to recover some funds. If he had time to sign the affidavit before they took action and they still successfully recovered almost half the funds, the customer must not have been too slow about it. If you don’t jump on them right away, it can be impossible to recover any of the funds from an ACH transaction.

            Still, the bank should have erred on the side of caution. If you see something odd in an ACH transaction, you should hold it until you can be 100% certain it’s not fraud, even if you have to call the customer to find out.

  4. TJ

    After reading the story about Consumer Reports giving the iPhone 4 a “Not Recommended” rating due to antenna related reception problems, I thought – wouldn’t it be great if Consumer Reports gave banks with poor or inadequate security measures that only facilitate these fraudulent attacks (such as First National Bank) a “Not Recommended” rating.

    I bet that would get the banks attention. Because nobody wants a bad Consumer Reports rating. Just look at how quickly Apple’s stock dropped after the CR report.

  5. KathyB

    As someone who works in I.T. for a community-based bank and a recent subscriber to Brian’s exceptional blog, I have been working with our Operations department with a focus on ZeuS and bank wires.

    I was elated to learn that no wire transfer goes out automatically from my bank. There is a person in the middle inputting the request. Last week one of our Ops clerks picked up some questionable wire transfer requests from a small business customer’s account. She got on the phone and the customer said they did not authorize the wire transfer. The customer was found to be infected with ZeuS. I passed along information to the customer about this blog and Terry Ritter’s web site. Ritter’s document about PC security and banking is exceptional and something all banks should pass along to customers.

    I’m working to hopefully implement a Live CD program for our customers as well as having an off-network PC available to our Ops Dept. when researching possible fraudulent charges on customer debit cards. They will only have internet access to research. I really don’t want our Windows PCs vulnerable researching possible rogue web sites.

    When speaking to the senior VP of Ops last week I found out that although our Ops Dept. has a 100% success rate with catching fraudulent wire transfers, we recognize that we also need to help our customers bank safely online. To me the only way to achieve this is via a Live CD. I’m excited to be working on a project like this since our customers need protecting.

    I sincerely wish First National Bank had their customer’s best interest in mind. A simple phone call could have possibly stopped the $35K loss.

    Thank you Brian for all your hard work. The information you provide is invaluable to not only small business owners but to those of us in banking & finance I.T.

    1. Matt from CT

      Kathy,

      Out of curiosity…do you guys keep a running tally of how much you’ve saved customers in fraudulent transfers caught before they were executed?

      Might be a neat marketing tool for your bank if nothing else.

      1. KathyB

        Excellent and curious question Matt…thank you! I will ask our Sr. VP of Operations. I was discussing with my manager yesterday a marketing angle for the bank regarding how we take their online security very seriously.

        The example in my original post resulted in $25K not being wired.

      1. Ben

        @Terry,

        I’m looking forward to reading these articles completely. I enjoyed the Q&A online. Your suggestions are all very solid for users to follow if they are willing to go the extra mile for security. While I agree that your suggestions will improve a customer’s security very well, the only difficulty I have is in the bank’s ability to convince customers that these steps are necessary.

        As a banker, however, it’s hard to imagine that we’d be able to push this out on any grand scale without getting serious resistance from customers. Not to mention that, even after going through the trouble of setting it up, many customers would still have a “sudden need” and end up logging in from their Windows PC at home on their day off and destroying the effort.

        1. Terry Ritter

          Hi Ben!

          I do not know what to tell you. The technical Internet system has security flaws at all levels: network design, user hardware and software. Customers should be able to buy a computing box and use it in safety, but that is not our reality. Currently, banks are affected, but have little control.

          Having looked at this in some depth, I see no quick fix for the system, but at least there is a fix for customers, and it is free. Those companies who would spend money on computer training should concentrate on the skills to run a Linux LiveCD when online. Maybe completing a 4 hour bank course with a LiveCD handout would lower fees or improve security response.

          Banks could publish their actual damages from malware, and use that as a justification for improving security. Customers who use Microsoft Windows for banking probably deserve increased fees. I do not know how a bank could identify, technically and online, which OS is in use. But maybe they only need a customer *agreement* to use a LiveCD, and then a follow up after a loss to identify the real problem.

          Some way should be found to make hardware and software vendors take the malware situation more seriously. It is not clear that competition can do that, since buyers do not get interested in security until they get in trouble, but perhaps a class action lawsuit could.

          1. KathyB

            @Terry…thank you for the link to the new banking malware article. I will share it with our Sr. VP of Operations after I peruse it. I also want to thank you for publishing such excellent information on your web site. In my opinion it is perfect for the small business owner or anyone who wants to protect themselves while banking online. You don’t need to be an I.T. guru to follow these simple instructions.

            Today I had another one-on-one with said Sr. VP and learned that to date our bank has never paid one fraudulent wire transfer in spite of several attempts by e-banking robbers. Our customers (consumer and commercial) cannot change their contact information online. It must be done in person. I’m not saying our systems are foolproof, however, we have some layers in place to protect our customers that several banks do not have.

            As a financial institution we can only do so much; however, I sincerely believe our customers deserve to be the recipients of our knowledge. The knowledge shared by experts such as Terry and Brian makes it so our customers are in good hands provided they follow through on suggestions and recommendations, i.e. banking via Live CD.

    2. Helly

      Very informative post, thanks for sharing your experiences. If you do go ahead with a LiveCD program for your customers, it would be great to hear what your experience and implementation is like. Sounds like you all are willing to trailblaze a bit; your experiences could be a valuable resource for other organizations. Or an example to help motivate some of these other banks!

      -Helly

  6. gary

    I don’t see how a cyberinsurance business model will be financially sustainable unless PCI DSS style compliance requirements are associated with it.

    1. wiredog

      Why not? The insurance companies can set their own “best practices” standards, just like Underwriters Laboratories or the IIHS. If your bank meets the standards your rates are lower. If it doesn’t the rates are higher. Works quite well for products getting the “UL” label.

  7. Stardance

    It does not surprise me if, in fact, First National Bank or any other bank detects a potentially fraudulent transaction(s) but allows them to be effected regardless. A year ago, I received an “alert” from our bank that a large debit card charge (payment) was pending and another alert, timestamped 2 minutes later, that the debit charge had actually been made from our bank account. I telephoned the security department immediately to tell them that the charge was not authorized. They said that there was nothing that they could do “until the transaction posts”, that is, until the money had actually been withdrawn from our account and sent to the merchant(s) who charged the debit card. I don’t know whether the bank recovered the money from the merchant(s) account, but they did eventually return it to our account. (I had to complete an affidavit and have it notarized, then faxed it to the bank’s “claims” department.)

  8. John Burnett

    Brian — Just one clarification. You say that commercial banks don’t offer the protection afforded to consumers. That’s not quite accurate. The protection you refer to is the Electronic Fund Transfer Act and Federal Reserve Regulation E, and it protects consumer accounts at any financial institution, retail or commercial, bank or credit union. It’s the nature and ownership of the account that qualifies for protection, not the nature of the financial institution (although I will agree that some banks are more likely to step up on this issue than others).

    1. Brian Krebs

      Sounds like a distinction without a difference, John. I think it’s pretty clear that I’m drawing a line between how consumer account and business accounts are treated differently.

      We can talk about UCC4 and the FFIEC’s “guidelines” all day but those are very squishy areas that from what I can tell don’t have a whole lot of consistency of meaning.

      However, people understand the concept of Regulation E — that which protects consumers from losses due to fraud against their accounts. The only distinction I’m trying to make crystal clear for readers is that if you’re a business owner, these *legal* protections afforded to consumers do not cover you and you really are at the mercy of the bank.

  9. AlphaCentauri

    I worry that with a novel insurance product like cybersecurity insurance, companies will deny claims for exactly the sorts of things that their customers had in mind when they bought the insurance.

    It’s not hard to imagine a clause excluding losses that result from company insiders acting in cooperation with the cyberthieves. But that could be interpreted to apply to losses due to trojan infections acquired from email attachments, since the infection couldn’t have occurred unless an employee clicked on the attachment.

    Things like health insurance are familiar and highly regulated, but when you go out to buy something like this, who would advise you? What case law would tell you how clauses in the policy will be interpreted?

    I think of the early purchasers of long term care insurance who wanted to make sure they had care if they developed Alzheimer’s disease, then found their insurers denied their claims because there was a clause excluding coverage for “mental illness.”

  10. Rick

    A great idea again. But I think if underwriters cover this type of cost then they will hire their own experts to see where the greatest risks lie. And in such case they’ll probably come to the same conclusions as Google. Meaning – for example – higher (or even prohibitive) rates for Windows systems. Not that that’s a bad thing of course. But the idea is great. The question is who will insure and what requirements they will arrive at.

  11. AlphaCentauri

    There’s nothing spammers won’t exploit. I just got a phishing spam that claims there were unauthorized ACH transfers from my bank account, with a link to a download of ZeuS.

    So not only do you get infected as a result of being properly concerned about unauthorized transfers, you become less likely to take any real notifications seriously in the midst of the flurry of fake ones.

  12. Larry

    As an IT security guy I have to ask:
    What about the company computers? It seems likely there was a Trojan on the manager’s computer that led to all the trouble.
