Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.
The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several money mules, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services Western Union and Moneygram.
Over the next four business days, the thieves initiated another three fraudulent batch payments to money mules. Some transfers went to money mules who owned businesses, such as a $14,750 payment to Mission Viejo, Calif. based Art Snyder Software. Most money mules were sent payments of less than $5,000.
Pittsford town supervisor William Carpenter said the FBI is investigating the incident, and that many of the details of how the attackers got in remain unclear. He said the FBI told him the thieves most likely stole the town’s online banking password using a banking Trojan. He added that the town has recovered just $4,800 of the stolen funds, the proceeds of a single transfer. I left a message with the FBI field office in New York but haven’t yet heard back.
“We have good firewalls and anti-virus software, and we weren’t at all lax in our security systems,” Carpenter said. “We thought we were pretty secure.”
Carpenter said the fraud went undetected for days. He said the town normally does its direct deposit payroll bi-weekly on Wednesdays, and that the first fraudulent transfers happened during a non-payroll week.
The attack happened shortly after Pittsford opened an account with Canandaigua National Bank & Trust (CNB), a regional institution based in Canandaigua, N.Y. Carpenter said that prior to banking at Canandaigua, the town held its online accounts at a different bank, where all transactions had to be approved by at least two town officials. But he said the town hadn’t yet established these dual controls over their account at Canandaigua at the time of the fraud.
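The two safeguards mentioned in the story, dual approval of every transaction and the town's predictable bi-weekly payroll cadence, are exactly the signals a bank or a treasurer's office can screen an ACH batch against before it is released. The following is an added illustration written for this page, not code from the article, the town or CNB. Batch ids, payee names, amounts, the approver names and the payroll anchor date are all constructed; the only facts taken from the article are that payroll ran bi-weekly on Wednesdays, that the first fraudulent batch went out in a non-payroll week (June 1, 2011 is a Wednesday, so May 25 is used as the anchor), and that the mule payments were new payees mostly under $5,000.

```python
from dataclasses import dataclass
from datetime import date

# Constructed anchor: a Wednesday in a payroll week. With payroll every
# 14 days from here, June 1, 2011 falls in an off-cycle week.
PAYROLL_ANCHOR = date(2011, 5, 25)


@dataclass(frozen=True)
class AchBatch:
    batch_id: str
    released: date
    approvers: tuple            # distinct user ids that approved release
    transfers: tuple            # (payee, amount in whole dollars) pairs


def is_payroll_day(d: date, anchor: date = PAYROLL_ANCHOR) -> bool:
    """True when d is a Wednesday an exact multiple of 14 days from the anchor."""
    return d.weekday() == 2 and (d - anchor).days % 14 == 0


def screen_batch(batch: AchBatch, known_payees, min_approvers: int = 2) -> list:
    """Return the list of risk findings for one ACH batch (empty means clean)."""
    findings = []
    # Dual control: the batch must carry at least two distinct approvers.
    if len(set(batch.approvers)) < min_approvers:
        findings.append("single-approver")
    # Cadence: a direct-deposit batch outside the payroll schedule is unusual.
    if not is_payroll_day(batch.released):
        findings.append("off-cycle")
    # Payee history: money mules are, by construction, never-before-paid accounts.
    new_payees = [p for p, _ in batch.transfers if p not in known_payees]
    if new_payees:
        findings.append(f"new-payees:{len(new_payees)}")
    return findings


def should_hold(findings: list) -> bool:
    """Hold for out-of-band confirmation on missing dual control or any new payee.
    An off-cycle batch alone (a legitimate vendor run) is logged, not blocked."""
    return any(f == "single-approver" or f.startswith("new-payees") for f in findings)


# Constructed payee history and sample batches modelled on the article's timeline.
KNOWN_PAYEES = frozenset({"Town Payroll Employees", "County Water Authority"})

REGULAR_PAYROLL = AchBatch(
    batch_id="B-0608",
    released=date(2011, 6, 8),              # payroll Wednesday
    approvers=("clerk", "supervisor"),
    transfers=(("Town Payroll Employees", 48200),),
)

SUSPECT = AchBatch(
    batch_id="B-0601",
    released=date(2011, 6, 1),              # non-payroll week
    approvers=("clerk",),                   # dual control not yet set up
    transfers=(("Payee A", 4800), ("Payee B", 4950), ("Payee C", 3200)),
)


if __name__ == "__main__":
    for batch in (REGULAR_PAYROLL, SUSPECT):
        found = screen_batch(batch, KNOWN_PAYEES)
        print(batch.batch_id, found, "HOLD" if should_hold(found) else "release")
```

The point of the example is that none of the three checks depends on the customer's PC being clean: they run on the bank's side against the account's own history, so they still work when the session itself comes from a Trojan-controlled browser.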
Carpenter said he was not fully versed in the security mechanisms in place for the bank’s commercial customers, but a review of the security procedures displayed on Canandaigua’s Web site indicates that they include a user name, a password and a set of security questions. Customers also have the option of registering their computers, which involves downloading a CNB certificate or cookie. According to the bank’s site, “when you log in from a registered computer you are not required to answer a security question to complete the process.”
CNB spokesman Steve Martin declined to respond to any specific questions about the incident, but he confirmed the information about the bank’s authentication procedures.
The question of how far commercial banks should go to authenticate their customers was the subject of a court battle I wrote about earlier this week. The lawsuit was brought by a Maine construction firm that lost $345,000 in May 2009 when thieves used the ZeuS Trojan to steal the company’s online banking credentials and defeat their bank’s online security measures, which were eerily similar to CNB’s: passwords, secret questions and registered computers. That case also involved a series of fraudulent transfers that took place over the course of a week. A magistrate in that case issued a recommended decision earlier this month that said the bank’s security measures were sufficient to meet federal guidelines on ebanking authentication.
The proliferation of commercial banking thefts involving the ZeuS Trojan and other sophisticated attack tools underscores the asymmetry between the attackers and defenders. As I have detailed in more than 75 stories on this topic, ZeuS allows attackers to manipulate the victim’s browser and to log in to the victim’s bank account using the victim’s own PC, effectively negating any security that a device fingerprint or registered computer may provide.
Unfortunately, these attacks will continue; I’ve been in touch with three other organizations in the past week that have experienced losses from ebanking thefts but have asked not to be named. There are millions of towns, cities, nonprofits, churches and small businesses that remain dangerously exposed to this type of attack, and far too many banks that are not doing enough to educate their customers about the threat and to implement systems capable of detecting the attacks when they occur.