November 23, 2010

An escrow firm in Missouri is suing its bank to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.

The attack against Springfield, Mo.-based title insurance provider Choice Escrow and Land Title LLC began late in the afternoon on St. Patrick’s Day, when hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.

The following day, when Choice Escrow received a notice about the transfer from its financial institution — Tupelo, Miss.-based BancorpSouth Inc. — it contacted the bank to dispute the transfer. But by the close of business on March 18, the bank was distancing itself from the incident and its customer, said Jim A. Payne, director of business development for Choice Escrow.

“They said, ‘We’re going to get back to you, we’re working on it’,” Payne said. “What they really were doing is contacting their legal department and figuring out what they were going to say to us. It took them until 5 p.m. to call us back, and they basically said, ‘Sorry, we can’t help you. This is your responsibility.'”

A spokesman for BancorpSouth declined to discuss the bank’s security measures or the specifics of this case, saying the institution does not comment on ongoing litigation.

According to documents filed today with the Circuit Court of Greene County, Mo., BancorpSouth’s most secure option for Internet-based authentication requires the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer waives or does not choose dual control — requires one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argue that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.
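The two authorization options the complaint describes, and what a stolen password buys an attacker under each, modelled as an added example. This is not code from the article, BancorpSouth or Choice Escrow: it assumes a hypothetical bank-side `WireDesk`, constructed users, passwords and token secrets, and a one-time code on release computed as an RFC 4226 HOTP, standing in for the kind of second factor the FFIEC guidance calls for; nothing on the page says the bank offered one.

```python
# Added example, not code from the article, the bank or the plaintiff.
# Models single control vs. dual control (both password-only, as the
# complaint describes) and a variant that also demands a one-time code
# on release.  All users, secrets and amounts are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the bank never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    user_id: str
    salt: bytes
    pw_hash: bytes
    token_secret: Optional[bytes] = None  # None: password-only account
    counter: int = 0                      # HOTP counter kept bank-side


@dataclass
class Wire:
    amount: int
    destination: str
    approved_by: Optional[str] = None
    released_by: Optional[str] = None


class WireDesk:
    """Hypothetical bank-side authorization rules for one wire transfer."""

    def __init__(self, dual_control: bool, require_token: bool):
        self.dual_control = dual_control    # approver and releaser must differ
        self.require_token = require_token  # release also needs a one-time code
        self.users: Dict[str, User] = {}

    def add_user(self, user_id: str, password: str, token_secret: Optional[bytes] = None):
        salt = secrets.token_bytes(16)
        self.users[user_id] = User(user_id, salt, _pw_hash(password, salt), token_secret)

    def _login(self, user_id: str, password: str) -> User:
        u = self.users.get(user_id)
        if u is None or not hmac.compare_digest(u.pw_hash, _pw_hash(password, u.salt)):
            raise PermissionError("bad credentials")
        return u

    def approve(self, wire: Wire, user_id: str, password: str) -> None:
        self._login(user_id, password)
        wire.approved_by = user_id

    def release(self, wire: Wire, user_id: str, password: str, otp: Optional[str] = None) -> None:
        u = self._login(user_id, password)
        if wire.approved_by is None:
            raise PermissionError("wire has not been approved")
        if self.dual_control and user_id == wire.approved_by:
            raise PermissionError("dual control: releaser must differ from approver")
        if self.require_token:
            if u.token_secret is None or otp != hotp(u.token_secret, u.counter):
                raise PermissionError("second factor missing or wrong")
            u.counter += 1  # each code is single-use
        wire.released_by = user_id


def _desk(dual_control: bool, require_token: bool) -> WireDesk:
    # Constructed users: two signers, each with a password and a token secret.
    desk = WireDesk(dual_control, require_token)
    desk.add_user("alice", "correct horse", token_secret=b"alice-token-secret")
    desk.add_user("bob", "battery staple", token_secret=b"bob-token-secret")
    return desk


def thief_completes_wire(dual_control: bool, require_token: bool) -> bool:
    """Constructed threat model: malware on the customer's PC captured every
    user ID and password typed there, but not the secret inside the tokens."""
    desk = _desk(dual_control, require_token)
    stolen = {"alice": "correct horse", "bob": "battery staple"}
    wire = Wire(amount=440_000, destination="CY")
    try:
        desk.approve(wire, "alice", stolen["alice"])
        releaser = "bob" if dual_control else "alice"
        desk.release(wire, releaser, stolen[releaser], otp=None)  # no token in hand
    except PermissionError:
        return False
    return wire.released_by is not None


def legitimate_dual_control_with_token() -> bool:
    """The honest flow: Bob enters the code his token displays for counter 0."""
    desk = _desk(dual_control=True, require_token=True)
    wire = Wire(amount=440_000, destination="CY")
    desk.approve(wire, "alice", "correct horse")
    desk.release(wire, "bob", "battery staple", otp=hotp(b"bob-token-secret", 0))
    return wire.released_by == "bob"


if __name__ == "__main__":
    for mode in [(False, False), (True, False), (True, True)]:
        print("dual_control=%s require_token=%s thief succeeds: %s" % (*mode, thief_completes_wire(*mode)))
```

Run as a script it prints three lines. The middle case is the one the complaint turns on: dual control with two passwords is still single-factor, because both credentials are "something you know" and the same keylogger captures both, so the modelled thief completes the wire. Only the variant whose release step needs a code derived from a secret that never passes through the customer's PC blocks him.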

“BancorpSouth should have, and could have, offered a commercially reasonable multifactor authentication method, since it had ample time (more than four years, October 2005 to March 2010) and knowledge of the need and requirement to provide its customers with secure authentication methods, as evidenced from the numerous documents it received, and/or knew about or should have known about, from the FFIEC and FDIC,” the complaint charges.

The amount of the fraudulent transfer was for approximately $90,000 more than Choice Escrow actually had in its operating account on the day of the incident. Since the attack, the company has had to take out a loan to replace the money, which it was holding on behalf of its real estate clients.

“We’re a title company and we had less than 48 hours to replace the money or shut down,” Payne said. “After about 30 days, we converted the amount to a permanent loan that runs over 10 years at $4,300 a month. There’s a lot of pucker factor going on there.”

The attack is the latest reminder that small businesses should assume that they are completely responsible for the security of their online transactions: Businesses do not enjoy the same legal protections afforded to consumers, and thus are responsible for any losses due to cyber theft or fraud.

Elaine Dodd, vice president of the fraud division for the Oklahoma Bankers Association, said financial institutions are playing catch-up on security, but that they’re also worried about assuming too much liability for these incidents.

“The banks I’m talking to are saying, ‘Hey, we’re trying, but a lot of this comes down to customers getting a virus on their computers’,” Dodd said.

I’ve been doing quite a bit of public speaking on this issue this year, and the message I try to get across to the bankers in the audience is this: Any security or authentication mechanism that does not start with the assumption that the customer’s system is already compromised by malicious software does not have a prayer of defeating today’s malicious attacks.

Unfortunately, the advice is the same to small business owners: The wisest approach is to behave as if your general-purpose computer systems already are compromised by password-stealing malicious software. The cheapest and probably most formidable approach involves the use of a free Live CD, a version of Linux that boots from a CD-ROM. I describe how to do this in detail in this Washington Post article from last year.

Alternatively, businesses may opt to bank solely from a dedicated PC — one that is not used for anything other than accessing the bank’s Web site — such as a netbook that lives in a drawer unless it is being updated or used to access the corporate accounts. This may sound extreme, but the integrity of this approach increases significantly if the dedicated computer is a non-Windows machine, because all of the malicious software used in the attacks I’ve written about to date simply won’t run on anything but Microsoft Windows.

The attack on Choice Escrow came during a month in which hackers seemed to hit a large number of escrow firms, almost as if they were paging through a business directory of escrow companies and picking targets at random. In that month, I communicated with several other escrow firms that were similarly hit, but have chosen not to go public with the breaches — mainly out of concern that their competitors will exploit the news to frighten or siphon away customers.

One exception was Redondo Beach, Calif.-based Village View Escrow Inc., which lost $465,000 in March when hackers who had stolen the company’s online banking password with the help of the ZeuS Trojan sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm. Village View’s bank recovered about $70,000 of the money, but the firm’s owner was forced to take out a $395,000 loan at 12 percent to cover the loss — which was all money that belonged to her clients.

In October, authorities in the United States, U.K. and Ukraine rounded up dozens of individuals thought to be responsible for a huge percentage of these commercial account takeovers, although it’s unclear whether the fraudsters responsible for the attack on Choice Escrow have been apprehended. According to the FBI, organized thieves have attempted to steal more than $220 million from small to mid-sized organizations in recent years, and have succeeded in making off with more than $70 million.

61 thoughts on “Escrow Co. Sues Bank Over $440K Cyber Theft”

  1. oper207

    when hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.

    Oh kno’s how that happened, I only wonder?

    Brian, well researched and written, I say nothing more.

  2. Andy

    What I don’t understand is why the bank allowed the transfer to go ahead when the payment was for approx $90,000 more than was in the company’s operating account. Perhaps the company has more in other accounts or it was something the bank would allow.

    I think the bank is trying really hard to get out of this one and I think they should pay up. Why? Because the transfer was for more than was in the company’s operating account, so it cleared their account out and also because it was a single, huge transfer and finally because it was to a company outside the USA.

    Surely all the banks should have rules governing these type of transactions? Certainly someone at the bank should have questioned this transaction. It should have had alarm bells ringing at the bank, simply because of the amount.

    Perhaps the criminals behind all this have found the banks to be a pushover when their customers try and get their money back, so they are pushing the limits.

    Brian, your research and articles are excellent but this type of article needs to reach all businesses and banks, preferably as quick as possible. Could the Washington Post help? Even if it was just a news article on this article by yourself (terrible English!) it may help.

    Otherwise it may take an attack on a very big firm, or even a government department to get the ball rolling faster and changes to legislation made.

    I wish Choice Escrow all the best in winning and getting their money back from the bank.

    1. Security Admin

      The fact of the matter is, the business is responsible for their credentials to the online banking portal, not the institution. If you lose the keys to your car and someone steals the car using your keys, can you sue the dealership that sold it to you because there is only one form of “authentication” to utilize the vehicle? I realize it is fashionable to beat up on financial institutions, but let’s use a little common sense here.

  3. AlphaCentauri

    If they’re systematically attacking escrow companies — that have large amounts of cash held on behalf of other parties — should we assume that banks themselves are being victimized, but keeping it to themselves?

    1. KFritz

      Not a chance AC. Banks are the US’s most transparent institutions. (-; (-; (-;

  4. Terry Ritter

    I have recently completed a new article detailing how to get and use free Puppy Linux from DVD to help make online banking secure:

    “Online Security with Puppy 5”
    http://www.ciphersbyritter.com/COMPSEC/ONLSECP5.HTM

    Some people may dismiss this as not solving their problem, and they may be right. Unfortunately, some problems have no solution, and there simply may be no better computer solution, no matter how much one pays for add-on stuff. The next best alternative may be the bank drive-thru.

    The issue of who is responsible for bank losses is the subject of an earlier article:

    “The Banking Malware Mess”
    http://www.ciphersbyritter.com/COMPSEC/BANKMALW.HTM

    Our problem is malware infection in the customer computer. Infection causes malware to be restarted on every session. If we could detect infection, we could avoid using that computer and get it fixed. If the bank could detect infection, they could warn us and stop the transaction. But *nothing* currently *guarantees* to *detect* infection.

    There is a way to *prevent* infection, and that is to boot from CD/DVD, which brings us back to Puppy Linux again.

    1. DanL

      Terry,
      Great Idea, but your November 2010 article is just the same idea as Brian’s October 2009 article. Brian’s article from Washington Post is superior for several reasons.
      1. It is Easier to read
      2. It has screenshots to facilitate actually implementing the solution.
      3. Brian advocates using a much more widely available and supported flavor of Linux, Ubuntu.

      1. Terry Ritter

        “Great Idea, but your November 2010 article is just the same idea as Brian’s October 2009 article. Brian’s article from Washington Post is superior for several reasons.
        1. It is Easier to read
        2. It has screenshots to facilitate actually implementing the solution.
        3. Brian advocates using a much more widely available and supported flavor of Linux, Ubuntu.”

        “the same idea”? People have been writing about using a LiveCD for banking since at least 2007. And since when is not being first considered a defeat? Lots of people still do not know they can use Puppy.

        My article actually is an update of the Puppy part of one of my articles from last year. As Puppy moved on, the description got stale and had to be updated. It is hard to imagine how Puppy possibly could be any more “widely available” since it is a free online download.

        Most of my article is not about reading, but about the step-by-step process of bringing up Puppy. My goal was to be as detailed as possible, so that someone who knew almost nothing about computing could have a chance of doing it on their own. Provided, of course, they could follow directions. Maybe that was a bad choice.

        Screen shots could be helpful, but also trouble in a distribution that changes every few months. And the resulting document would be a collection of files, rather than just a single HTML, which is OK from my web page, but less OK when downloaded. Again, maybe a bad choice. I encourage anyone to use any resource they find helpful.

        As for Ubuntu, most people will install it on a hard drive, and that is a potential problem because boot data on a hard drive can be infected, even in Linux.

        Puppy has a big advantage because it can collect changed files and burn them to a new DVD “session.” On later bootup, only the new files are loaded. That allows Puppy to save browser, add-on and configuration updates without burning a whole new DVD every couple of weeks or so.

        It is easy to criticize Puppy, and for that matter, any Linux distribution. Lots of things could be better, but it works well for secure browsing (and I am using it now). Today it seems like the best solution. Tomorrow? Maybe not.

  5. MJF

    Brian,
    Thanks for this article. Some comments:
    1. The Bank has not put in place proper authentication and authorization methods, so they are “guilty”;
    2. Live CDs or dedicated PCs are not true solutions for every day use;
    3. Only the combined use of “out-of-band” authorization mechanisms and a risk rules engine can avoid most of these attacks;
    4. The banks must invest more in educating their customers;
    5. …and customers must also have safer internet usage.

    1. helly

      I agree with your comments, with the exception of number four. I have found it impossible and extremely difficult in practice to educate small businesses on this type of threat. Even directing them to this website and showing them nearly identical companies that fell victim to this fraud doesn’t motivate them.

      I don’t know why there is a “not my problem” attitude with small businesses, but I consistently find they willfully ignore this advice. I don’t know what the solution is to educate small businesses properly and get them interested in their own security.

      Banks definitely need better controls in place, but it’s the people problem that I find the most challenging.

    2. N3UJJ

      Just a question...
      How would you have felt if this business had your credit card or bank info on file and it was stolen?
      Companies MUST do “Best Effort” to protect their assets, and their customers data.
      No system or company that is on the Internet is 100% protected, but “Best Effort” will protect most businesses.

  6. Mark

    One thing I guess I could do as a consumer (besides normal security precautions) would be to advise my banks or brokerages to not authorize any wire transfers. I’ve only used them a few times ever and I could re-authorize them if I really needed it.
    Great blog, very informative if not a little bit disturbing.
    Regards
    Mark

  7. emv co man

    Banks will only invest in solutions when they face losses; whilst the losses are their customers’, they won’t do a thing.
    Let’s hope Choice Escrow are successful.

    1. Jane

      Completely true. There’s a good reason these articles aren’t about business credit card accounts.

  8. Sam

    If banks were really interested in improving security, they could implement real-time email or text alerts when electronic money withdrawals take place. The infrastructure is already in place and businesses would set the withdrawal amount that triggers the alert. One former bank offered this before getting taken over & the new bank’s management decided to discontinue it without any explanation but kept deposit alerts in place. Given the choice, my guess is most bank customers would prefer to know when money is withdrawn over when it is deposited.

  9. Mike

    Two factor authentication. WHY are US banks so far behind the rest of the world in this area?

    1. Terry Ritter

      “Two factor authentication. WHY are US banks so far behind the rest of the world in this area?”

      Technically speaking, 2-factor is completely defeated by bots, and bots are the problem.

      Forcing banks to do something which provides only the illusion of improved safety seems like one of the worst possible faces of government and law.

      1. KFritz

        A while back, BK posted a map showing the distribution of these sorts of attacks. As I recall, they were concentrated in the US. Doesn’t this suggest that whatever the European banks are doing has some sort of deterrent effect?

  10. AlphaCentauri

    Businesses are limited in their ability to restrict transactions because the zeusbotters are taking advantage of the same mechanism used when employees are paid by direct deposit when the employee and the business use different banks.

    And the question I still have is whether accounting software like Quicken will work if I boot with a live CD. When I do my home banking, I don’t go to a website and manually enter each banking transaction. Quicken logs into the bank and uploads/downloads them, then enters them into the appropriate account ledgers. I would suspect businesses want to do the same, both for efficiency and for accuracy. There’s no reason an accounting program couldn’t be created to use the same datafiles and have both a Windows and a Linux version in the same product, but have any companies created one?

    1. Jane

      Yes, that software exists, and two of them were present on my free install of KUbuntu. I believe “KMyMoney” (kmymoney2.sourceforge.net) and “GnuCash” (www.gnucash.org) were supposed to be similar to Microsoft Money and Quicken.

      Probably a very bad idea, but I started using Mint.com instead about a year ago. Obviously not a real choice for businesses.

  11. Moike

    I wonder if BancorpSouth charged them a $35 overdraft fee due to insufficient funds? (Or, is it a $350 overdraft fee because of the large amount?)

  12. N3UJJ

    Businesses also need to be responsible, about a year ago I was called to look at a problem at a pension management company.
    Every single computer had outdated antivirus, their server was Novell 4.1 (with no updates in 5 years or more). The tape backup system had failed 2 years prior.
    No firewall, and every computer had full internet access.
    I could go on and on, but I sat down with the owner and explained the issues, and what he needed to do to protect himself and his customers.
    He told me that the “VIRUS SCARE TACTICS” were a bunch of bull to make money for Microsoft (according to him).
    All he wanted fixed was the broken workstation.
    If what happened in Brian’s article happened to this business, I’m sure the owner would scream “IT’S THE BANK’S FAULT”

    1. Tom Cross

      I’ve seen this same attitude from some of my business customers. One of them is a law office specializing in wills and probate. Rootkits on every machine but because the infection has not affected their work flow, they have no interest in knowing about problems unseen.

      1. Terry Ritter

        Although we usually discuss banking issues on this blog, it is good to remember that banking thefts are just one manifestation of the bot infection problem. Once a bot is in place, the remote master generally has more power than any authorized user. All user IDs and passwords become available, which also exposes the full contents of those online accounts. Any and all local or online documents can be uploaded to the botmaster, including all email and computer faxes, and botmasters can CHANGE anything in any document they want. That should make for some interesting legal cases.

        The real problem is that our equipment can be infected, and then, we cannot necessarily detect that infection. Even if we do, we are beyond any form of “removal” but instead must re-install the OS or recover an uninfected image. All of this goes back to equipment limitations, yet we see hardly any blame attach to Microsoft and Intel. Because bot infections exploit fundamental hardware design and basic OS issues, we cannot expect a software patch to solve the problem.

      2. InfoSec Pro

        @Tom Cross, “I’ve seen this same attitude from some of my business customers. One of them is a law office specializing in wills and probate. Rootkits on every machine but because the infection has not affected their work flow, they have no interest in knowing about problems unseen.”

        Wonder how many estate beneficiaries, executors, etc. have been compromised without even knowing it because this firm has willfully turned a blind eye to violation of a fundamental legal canon regarding attorney:client confidentiality?

        Trace one breach back to them and they are not only out of business, probably disbarred, they are also liable for some pretty juicy damage suits.

        They owe their clients a duty to be diligent in protecting the information on their systems. This sounds like a very egregious dereliction of duty on their part!

    2. KFritz

      So, based on your experience, readers are to infer that the 6-figure thefts BK’s been covering for the last 2 years are primarily the responsibility of the banks’ customers and less the responsibility of the banks?
      Are you a consultant to the banking industry?

      1. JBV

        If you do your banking in person instead of online, it is not the bank’s responsibility to safely escort you and your money from your business to the bank office. If you get robbed along the way, why should the bank be held responsible?

        Commercial liability insurance is available for both personal and electronic theft – that’s what businesses need right now. If insurance companies have large enough losses from online banking, they are the ones who will put enough pressure on the businesses and banks to improve security. (And, no, I don’t work for either the banking or insurance industry.)

        1. KFritz

          If they follow me into the bank lobby and hold me up during a transaction using the bank’s accounting software and the bank guard’s handgun, they’d be liable. Better analogy.

          1. Terry Ritter

            “If they follow me into the bank lobby and hold me up during a transaction using the bank’s accounting software and the bank guard’s handgun, they’d be liable. Better analogy.”

            No, the better analogy would be that a thief follows you into your own home and there holds you up. The problem is the bot inside the customer computer, not the bank computer.

          2. KFritz

            So, the bank is an innocent bystander? They urge businesses to adopt online banking, don’t provide an environment as risk free as paper or phone banking, don’t warn the customers severely about the risks involved. Something goes wrong and the whole mess is the customer’s fault.
            Is this how you do business? If so, please list some pertinent information, so people are forewarned!

          3. KFritz

            To clarify, the thefts can’t happen without the framework of the banks online services. Analogy fail.

          4. Terry Ritter

            “So, the bank is an innocent bystander? They urge businesses to adopt online banking, don’t provide an environment as risk free as paper or phone banking, don’t warn the customers severely about the risks involved. Something goes wrong and the whole mess is the customer’s fault.”

            My clear position is that *customer equipment* is at fault. For some reason, nobody here thinks of taking Microsoft to court to recover losses due to software which may not be “suitable for the anticipated use” of online banking. To maintain the current experience, new hardware is needed, as well as modified OS software to use it and a special support process to update the software.

            Naturally, if banks advertise that their customers will not lose money online, they should be held to that in court. That is already true by law for personal accounts, just not business accounts. To avoid the courts, I suggest that business customers seriously consider banking at the drive-thru.

            The banks may imagine that when the losses get bad enough, they will just buy some expensive software and their problems will be solved. Surely those security guys with all the costly products must know how to do something, right? Wrong.

            There probably can be no bank-side solution to secure online banking when there is a malware bot in the customer computer. And currently there is no way to guarantee detecting such a bot, either by the bank or the customer. But the bank *can* and *should* seek to mitigate attempted thefts with “notifications and anomaly analysis” (thanks, Jane).

            The bank might require online banking customers to agree to do things differently if they want their money restored after an online theft. For example, the bank might require customers to agree to not use Microsoft Windows online. Or the customer could use a LiveCD/DVD. And there would be a technical investigation after the incident to verify that the customer was doing as agreed.

            Requiring customers to actually do something pro-active sounds too intrusive and outrageous for anyone to consider. Their beloved Windows point-of-sale applications would no longer work, which is an admitted problem. So, basically, everyone wants a solution which does not change anything.

            Which would be what, exactly?

  13. xAdmin

    Frankly, I think these companies that have been compromised are just trying to shift the blame to anyone other than themselves!

    I’ve never understood the expectation that the bank should be responsible for other people’s computer security. In every one of these cases, it has been the end users computer, not the bank’s system that has been compromised allowing the theft.

    So, instead of holding end users responsible, we shift all the focus to the bank and their authentication system as the problem? We’re coming at this from the wrong perspective! The solution is simple! Secure the weakest link (the end point), don’t allow your systems, in particular ones that are used to access your bank account, to get compromised! Whether that’s via a dedicated system, a LiveCD, or by learning how to lock down a system (yes even a Windows system).

    1. BrianKrebs Post author

      I’ve tried to focus less on the blame issues than on what can be done about it. The breach story gets peoples’ attention; the how-to part is I think the most important: Until the law changes or banks start adopting stronger authentication or transaction monitoring across the board, commercial customers need to assume complete responsibility for the security of their online banking.

      I hope that is clear from the above story.

      1. TJ

        Brian – I absolutely agree with your comment regarding current law and how business customers should react to it. On the other hand, I think banks who boldly proclaim the security of their online banking apparatus in an effort to draw in more online banking customers should receive absolutely zero leniency from a jury when that security apparatus falls prey to extremely well known malware such as the ZeuS trojan. Here’s an example:

        https://www.bankofamerica.com/privacy/Control.do?body=overview

        “Strong Security. Exceptional Protection”

        “We’ll help you protect your accounts and identity”

        “You can feel confident using our services anywhere and anytime with Bank of America’s comprehensive security protection. Learn how we help stop fraud and identity theft, how you can report fraud, and how we’ll work with you to quickly resolve issues.”

        1. hhhobbit

          The link may be the real thing. My PAC filter with these two rules in it allowed me through to what is hopefully the REAL Bank of America:

          GoodDomains[i++] = "bankofamerica.com";
          // many intervening rules
          BadHostParts[i++] = "bankofamerica";

          I can assure you if I observed just one to two phish with “bankofamerica” in the URL that may drive the Bad rule into the URL level (that CAN cause FPs!). That doesn’t mean there aren’t any at the URL level. It is just that I haven’t seen them at PhishTank.

          The problem as Brian is pointing out is that too few people understand the issues. For right now there is a disconnect. Most people seem to be blessed with the stupid factor to the nth degree. When Microsoft Windows machines aren’t thrashing and having all kinds of bad behaviors people mistakenly believe that is proof that they are not infected. Most current malware is very unobtrusive. And with switches having replaced hubs it is also almost impossible to detect problems via network analysis. The legislation is hopelessly out of date. It was written in a time when most businesses were supposed to have people to handle this for them. Maybe what is needed to drive the issue home is to provide some measure of protection to small businesses that will submit to certified inspectors and keep it up to date with recertification every few months. Then drop the protection for individuals. With enough people losing their life savings with PCs running MS Windows with no AV software on it maybe the understanding of how bad the problem has become would percolate deep into people’s consciousness. No, that is too much to ask for.

    2. Terry Ritter

      “Secure the weakest link (the end point), don’t allow your systems, in particular ones that are used to access your bank account, to get compromised!”

      That position would make more sense if and when customers have some way to know whether their system has been compromised or not. But no such way exists.

      In an automobile, if you do not know your brakes are out, you are going to drive that car. After the accident, is the driver or owner responsible for not having known the brakes were out? Who pays?

      1. Robin

        “In an automobile, if you do not know your brakes are out, you are going to drive that car. After the accident, is the driver or owner responsible for not having known the brakes were out? Who pays?”

        Aren’t they responsible for maintaining the car in an appropriate manner, providing routine maintenance, and contacting the repair shop at the first sign of a problem? Or do you wait UNTIL the brakes go out and then say that you could not anticipate that there might have ever been a problem with the brakes??

        1. Terry Ritter

          “Aren’t they responsible for maintaining the car in an appropriate manner, providing routine maintenance, and contacting the repair shop at the first sign of a problem?”

          If there is a sign of a problem, that is one thing. But in a computer little things are always changing, and there may be no clear sign of trouble at all. In fact, even the “crash” itself (the exploited infection) generally must be interpreted from the consequences. How can we hold someone responsible for something they cannot see and so cannot even know to fix?

          Should we not demand that owners install antivirus software? Fine, but that gets us nowhere. Scanners simply cannot find every possible malware. Is exposing some malware better than doing nothing at all? Sure, but that is still not good enough for trusting a computer. And how can we trust online banking if we cannot trust the computer we use for it?

          If our basic problem is that our equipment can be infected, surely our next problem is that we cannot detect those infections. Nothing exists which can certify a computer as clean for online banking. Thus the push toward the LiveCD boot format which is “difficult or impossible” to infect.

          Most people are not happy with a LiveCD or with leaving Microsoft Windows. However, there is absolutely no indication that new technology will somehow swoop down and save the day. In terms of real technical solutions we may already have all we are going to get. Because business losses are not being recovered, I suggest that small businesses seriously consider moving back to drive-thru banking.

    3. Jane

      Username-password constitutes “reasonable” security for my free webmail account — not my bank account.

      Users have the ability to learn how to secure their end in the same way Terry’s driver has the option to learn to check his brake line etc. before getting into his car.

      ONLY the bank has the ability to offer notifications and anomaly analysis similar to those already in use by credit card companies.

  14. Ted Hansen

    While I do not have a lot of sympathy for the banks on this, the situation is not as black and white as it appears.

    I worked for a major bank in their cash management area and had several accounts that were heavy wire transfer users. You knew that some of them would overdraw their accounts but get money in to cover. It could be the case that the title company had a similar arrangement, and 999 times out of 1,000 a deposit would cover an overdraft.

    Sometimes a bank will make a decision based on an attempt to maintain good relations with an excellent customer. Clearly this event was different but before I keelhaul the bankers I want to know all about their relationship with the customer. It also seems to me that an escrow transaction of $440k is not necessarily unusual.

    If we have software monitoring consumer card use that will flag an unusual transaction for tens or hundreds of dollars, we sure can do the same for some of these transactions, but the devil is still in the details.

  15. oper207

    Here’s one for everyone to look at: now go back to your bank and ask for a true copy of the contract/agreement you signed to use their ebanking system. Now I can sit here and start a fire fight on ebanking, not my forum. In most cases I have seen it all comes down to this: THE END USER WAS AT FAULT, and these days it’s very easy to prove.

    1. Terry Ritter

      “In most cases I have seen it all comes down to this: THE END USER WAS AT FAULT, and these days it’s very easy to prove.”

      I recommend that small businesses seriously consider using the bank drive-thru. Not all businesses can do that, nor would many want to, unless they knew about the risk and potential cost of the alternative. But are banks going to be happy about customers moving from online banking to the drive-thru?

      1. oper207

        I’m sure in due time ebanking will be more secure from parasites.

        1. hhhobbit

          “I’m sure in due time ebanking will be more secure from parasites.” This is precisely the attitude that needs to be stamped out. We don’t have any due time. What you are really saying is that for now your good luck is sufficient and these people’s bad luck is just completely their fault. May your machine be smitten by a bot from which it will never recover.

      2. Bob

        One other poster commented that as long as the customer is responsible for the losses, the banks will not provide more security than they currently do.

        Using the drive-through/teller, AND mentioning each time why you are using the more expensive method may cause the bank to reconsider enhancing the security of the on-line banking experience. This would only work if a vast majority of small/medium business owners would do this. A low quantity of account holders using this method would not be sufficient to cause the bank (as a corporate entity) any grief. The individual branch would absorb the increased expenses of added personnel.

        And, the business owners would need to disable ALL of their on-line banking activities, including payroll operations. Payroll, which has been targeted in several instances, would be the biggest problem.

        Out of ordinary transactions (new vendors, amounts greater than an approved value, new employees) would need some sort of secondary authorization (out of band).

  16. J B Tait

    If Blizzard (World of Warcraft) can provide an authenticator for $6.50 to protect virtual assets that can be restored after a hack, why is this not a standard offer from banks and credit card companies?

    1. Jane

      A little off topic: Square Enix (Final Fantasy) charged me $10 for mine! Oh well, at least I got additional inventory spaces too…

      My guess is that if banks want to charge you $10/month to continue sending you paper statements in the mail, then $6.50 must seem like too much to spend when they’re getting away without it.

    2. helly

      Is the authenticator you refer to the Vasco key fob token (I think that is what Blizz is using)? If so, those are easily compromised by malware and do not secure the authentication process. And for a large number of banks it is indeed a standard offer for commercial customers. But against sophisticated banking malware it is not an effective safeguard.

  17. Rob

    Has anyone looked at the escrow companies compromised more carefully? Did they all attend a conference or series of conferences in common?

    I have always thought that handing out infected swag (think free memory sticks with zeus) at conferences would be more effective than the email route. If you knew where most of the attendees stayed you could just intercept their wifi traffic without the cost of registering for the conference itself. Bad guys could target specific industries like title/escrow or specific functions like corporate treasury.

    I fear we will find out this has or is happening as the crackdown on spam becomes more effective. And given the continued lack of awareness in general…

  18. Jason

    Banks are fundamentally built on one thing: Trust. The US government helps build that trust through programs like the FDIC and by having FFIEC audits, etc. However, is that enough? Should there be more regulatory pressure, or does our community put pressure on banks by educating customers not only on what they need to do to stay safe, but also by informing them of what controls to demand of their banks? If you can’t trust your bank, then it is time to switch banks. If you are a bank, it is time to seriously evaluate your service offerings and implement controls commensurate with the level of trust your customers place in you.

    1. Terry Ritter

      “Banks are fundamentally built on one thing: Trust.”

      That really is a significant insight, and it has some surprising implications:

      What does it mean to “trust” a bank when the problem is in the customer computer? How is it possible to “trust” a bank for something they cannot control?

      If the bank always made the customer whole, that might be a form of trust, but we already know that does not happen for business accounts.

      The simple prescriptions generally offered for keeping computers safe, such as user education or anti-virus software or dedicated banking computers, cannot be trusted to maintain or recover a malware-free environment. How can anyone “trust” online banking, when nothing the bank suggests doing could be trusted to stop a malware bot?

  19. Robin

    Maybe instead of looking for the bank that may provide you the lowest fees, you should shop around and find a bank that is stronger in areas that you may rely on frequently, such as online banking. Reviewing policies and practices may be tedious, but I’m sure it’s less tedious than dealing with the aftermath of a compromise.

    On another note, all the notification systems in the world mean nothing if the end user chooses not to utilize them. Consumers need to realize that securing their online banking access is as important as securing any other means of accessing their money, i.e. checks, endorsement stamps, facsimile signature stamps, access cards. We may lock up our checkbook at night in a desk drawer, but can’t lock down our internet connection day to day to help prevent cybertheft until it hits us personally.

    Although this may not be a popular opinion, ultimately the end user is the ONLY ONE that controls what may or may not be on their computer. The end user is the ONLY ONE that “invited” the infection, no matter how well it was disguised. Yes, criminals can be clever, and yes, banks should be recognizing some of these transactions as out of the norm, but until users wise up to the fact that almost everything on the internet or in email should be viewed as suspect, these incidents will continue to occur. Show me the bank website that actually caused the infection on the end user’s system, and then I’ll agree a bit more with some of these postings.

    1. oper207

      “The end user is the ONLY ONE that ‘invited’ the infection, no matter how well it was disguised.”

      TRUE

      “Show me the bank website that actually caused the infection on the end user’s system.”

      VERY RARE, but also true.

      1. hhhobbit

        First, this is also a reply to Robin. Recently both msn and doubleclick ad servers were infecting people’s machines. I have given up ever clicking on one bank’s entreaties in my email to use online banking because every time I clicked on their links in the past (they were valid – they were not phish) I couldn’t even get through to the bank because my filters blocked the in-between tracker they were using! Banks can and do use many ROI techniques that can lead to problems in and of themselves. I had to delete one PAC filter rule blocking malware because VisaVerify uses akamai directly and I finally had to give akamai a white-list status. The hackers were using those slam-bam Akamai installers that asked no questions. If you are using XP with SP3 and later you will probably be okay. I am still not happy about it but there is nothing I can do about it. I sure do wish VisaVerify and banks would use the time-proven double alias technique. They alias their name to an akamai server that akamai can alias to whichever particular server they want to use at that moment. When you see akamai hosts used directly you don’t know whether you are going to your bank or not. I don’t care if all that is at akamai are some filler images and text! When I see banks using an akamai server directly I get the feeling I am standing on quicksand that is about ready to give way underneath me. Now if you never got infected, good for you. I would never have been infected by these doubleclick and msn ad server infections because I block these ad servers and I also use Linux. I also don’t use online banking if I can help it. Did you block these ad servers? Will they get infected again? I suggest you use Firefox with ABP installed and use their URL panel occasionally. You would be amazed at what is coming at you. Now that these third parties have joined the fray with infected ad server hosts, Pandora’s box has been opened.

        But when you have this shaky situation under you (and most banks have them) don’t be so fast to lay the blame. There is more than enough blame to go around and some of it needs to be aimed squarely at Microsoft. Why are VisaVerify and banks using akamai host names directly? I don’t know and I don’t like it. The banks may get mad at me visiting them personally but that is what I will continue to do. That and Brian’s other solution of using a Linux LiveCD for people who must use Windows for their business are the only things I consider to be safe enough. He also considers a special-purpose Windows banking machine a viable solution. I don’t. The temptation to use that machine for other purposes and randomly being infected by some ad server or other host (I go through over a thousand normal hosts a month coming and going with malware injectors getting stabbed into their pages) for even the hosts they identify as “safe” is just too high of a risk now.

        What is the reality? Most people believe that Windows XP with only SP1 and running either out of date AV software or no AV software at all are good enough. If you never hit the malware that IS good enough. If you hit the malware with that configuration? Most small business people are better than that. If one of my banks flags me going over my limits one month for my rent payment because a little more was spent for gas for heat, the banks should be able to provide at least some of that protection I receive to small businesses. I get a warning. Small businesses get nothing.

        Oh, one of those hosts that got malware injectors stuck in their pages was a web site that was a major CISSP training and certifier for a country. They had the malware stuck in their web server for about two months. Get the picture? I don’t know if I have them removed or not yet from my blocking hosts file. I am still wading through 800+ potential removals. The situation has also been getting progressively worse, not better.

  20. Silemess

    A terrible thing to contemplate in this modern age of instant satisfaction, but what if wire transfers and/or large quantities of money moving had a necessary business day attached to them?

    If transactions triggered a holding period, then the owner would have the chance to see what’s held up in the queue and then initiate the cancel/stop process.

    Ideally, the bank makes the phone call to talk person to person about an account. If there’s a new phone # on the account, then they still call the old phone # to confirm or require that someone has to arrive in person with ID to confirm the change. White-listed transactions can only be created in person, though they can then be used online.

    The problem with the holding period is the necessary paranoia that it maintains, as a person has to check the account daily at least 6 days out of the week. The phone method means that the banks have to invest man-hours into actually contacting customers.

    Until we’re ready to pay more or do more for security, we’re stuck with what we have. If we make the banks do it for us, we’ll wind up paying more as they will want to recover their costs (the rewards are that they keep the money they have, not that they earn more money).

  21. Mark Kelly

    The company is jointly liable but the bank is clearly as much in the wrong here and did not act in the best interests of their client.

    No way they should have authorized a huge transaction like this that was over the balance, atypical, and to a foreign destination like that. I am hopeful a sympathetic jury awards restitution, and then small businesses will not have to bear all of the losses when banks are not even trying to help them (as it sounds in this case).
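Several commenters above describe the same set of controls from different angles: Ted Hansen's point that card-style anomaly flagging could be applied to wires, Bob's call for out-of-band authorization of out-of-the-ordinary transactions, Silemess's holding period and in-person whitelist, and Mark Kelly's list of what made this wire stand out (over the balance, atypical, foreign destination). The following is an added illustration, not code from the article, from BancorpSouth, or from any commenter, of how those ideas combine into one wire-release policy. Every account figure, transaction history, beneficiary name and the one-business-day hold are constructed assumptions; the anomaly threshold (mean plus three standard deviations of prior wires) is a simple choice for illustration, not a standard the page describes.

```python
"""Added example: a minimal wire-transfer release policy.

Combines dual control, anomaly flags, an in-person whitelist and a
holding period with out-of-band confirmation for anything flagged.
All data below is constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Account:
    balance: float
    history: list[float]                     # prior outgoing wire amounts (constructed)
    whitelist: set[str] = field(default_factory=set)  # beneficiaries added in person
    home_country: str = "US"


@dataclass
class Wire:
    amount: float
    beneficiary: str
    country: str
    approved_by: str
    released_by: str
    submitted: datetime


HOLD = timedelta(days=1)   # assumed one-business-day hold for flagged wires


def risk_flags(acct: Account, wire: Wire) -> list[str]:
    """Return the policy flags a wire trips; an empty list means routine."""
    flags = []
    if wire.approved_by == wire.released_by:
        flags.append("no_dual_control")          # same credential approved and released
    if wire.amount > acct.balance:
        flags.append("exceeds_balance")
    if wire.country != acct.home_country:
        flags.append("foreign_destination")
    if wire.beneficiary not in acct.whitelist:
        flags.append("new_beneficiary")          # not set up in person
    if len(acct.history) >= 5:                   # need some history before judging "atypical"
        mu, sigma = mean(acct.history), pstdev(acct.history)
        if wire.amount > mu + 3 * max(sigma, 1.0):   # max() guards a zero-variance history
            flags.append("atypical_amount")
    return flags


def decide(acct: Account, wire: Wire) -> dict:
    """Release routine wires at once; hold flagged ones and require
    out-of-band confirmation on the phone number already on file."""
    flags = risk_flags(acct, wire)
    if not flags:
        return {"action": "release", "flags": [], "release_after": wire.submitted}
    return {
        "action": "hold",
        "flags": flags,
        "release_after": wire.submitted + HOLD,
        "confirm_via": "phone number on file before the hold began",
    }


# Constructed sample account: an escrow firm whose wires cluster around $50k.
ESCROW = Account(
    balance=300_000.0,
    history=[45_000.0, 62_000.0, 38_000.0, 51_000.0, 70_000.0],
    whitelist={"Title Co Closing"},
)

# Constructed wires: one routine closing payment and one resembling the
# incident in the article (single credential, over balance, foreign, new payee).
ROUTINE_WIRE = Wire(50_000.0, "Title Co Closing", "US", "alice", "bob",
                    datetime(2010, 3, 17, 15, 0))
SUSPECT_WIRE = Wire(440_000.0, "Unknown Ltd", "CY", "alice", "alice",
                    datetime(2010, 3, 17, 16, 30))

if __name__ == "__main__":
    for label, w in (("routine", ROUTINE_WIRE), ("suspect", SUSPECT_WIRE)):
        print(label, decide(ESCROW, w))
```

The point of the hold is not that the bank decides for the customer; it is that a flagged wire waits long enough for the out-of-band call Silemess describes, and the confirmation goes to contact details that were on file before the wire was submitted, so an attacker who changed the phone number online cannot confirm their own transfer.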
