July 19, 2011

Organized cyber thieves stole more than $28,000 from a small New England town last week. The case once again highlights the mismatch between the sophistication of today’s attackers and the weak security measures protecting many commercial online banking accounts.

On July 11, 2011, I alerted the town controller of Eliot, Maine that its accounts were probably being raided by computer crooks in Eastern Europe. I had heard from a “money mule,” an individual who was recruited through a work-at-home job scam to help the thieves launder money. He had misgivings about a job he had just completed for his employer. The job involved helping to move almost $5,000 from one of his employer’s “clients” to individuals in Ukraine. The receipt his employer emailed to him along with the money transfer said the client was “Town of Eliot, Ma.”

Norma Jean Spinney, the town controller, said she immediately alerted the town’s financial institution, TD Bank, but the bank couldn’t find any unusual transactions. Spinney said that three days later she received a call from TD Bank, notifying the town of a suspicious batch of payroll direct deposits totaling more than $28,000. TD Bank may have had a chance to stop this robbery, but apparently they dropped the ball.

Nevertheless, the town is not likely to see the stolen money again. Unlike consumers, organizations are not protected against online banking losses from cyber fraud. What’s more, a forensic analysis by a local IT firm showed that Spinney’s PC was infected with at least two banking Trojans at the time of the heist.

TD Bank spokeswoman Jennifer Morneau declined to discuss the incident, citing customer confidentiality policies.

Spinney said TD Bank required a user name and password, and the answer to least one “challenge question” when logging in to the town’s account.

New guidelines issued by banking regulators last month state that challenge questions are not adequate to protect corporate online-banking accounts from today’s cyber thieves. Unfortunately, many banks continue to rely on existing methods of authenticating customers: Bank examiners won’t start measuring how banking institutions conform with the recommendations until Jan. 2012.

If you’re responsible for a commercial bank account and you’re accessing the account online, the safest way to do so is to use a non-Windows computer such as a Mac, or a Live CD version of Linux. The bad guys may begin to write banking Trojans to help them rob organizations using other computing platforms, but all of the attacks I’ve written about to date involved malware that will not run on anything but a Windows PC. For those who must use Windows, accessing your accounts through a dedicated PC that is only used for that purpose is another alternative, if you access your accounts by using only that dedicated machine and never through any other.

If your bank allows it (and most do), consider taking advantage of anti-fraud mechanisms like Positive Pay, and requiring that more than one person must sign off on all accounting transactions.

The new guidelines include many recommendations for improving online-banking security. Bank customers should review them and compare them to their bank’s present security. A bank that provides adequate protection will not wait until 2012 to implement the enhanced measures.

26 thoughts on “eBanking Theft Costs Town of Eliot, Me. $28k

  1. Russ

    I think it’s time to start recommending the use of Chromebooks for online banking. While phishing is still an exposure, the Chromebook should protect you from keyloggers, viruses, Trojans and similar installed malware.

    Comments Brian?

  2. Oper207

    Nice work brian , you ever sleep bro. 🙂

  3. TheGeezer

    Déja vu all over again!

    Maybe the town tried to save money by not hiring an IT person who could have told them that no number of passwords or challenge questions will protect a computer owned by a trojan.

    They are lucky they only got hit for 28K. At least the money mule was alert enough to question a transfer to Ukraine, which it appears is the most common destination.

    Two trojans on her machine!! Does she allow her kids to play on her computer when she’s not using it?! Your frequent advice about using a “dedicated PC” would have prevented this. but I doubt she would have taken it.

    1. Dave

      >Maybe the town tried to save money by not hiring an IT person who could have told them that no
      >number of passwords or challenge questions will protect a computer owned by a trojan.

      It wasn’t the town’s fault, it was totally, completely the bank’s fault. It doesn’t matter who you have as your IT person, if your bank only allows mickey-mouse authentication then there’s nothing you can do. I am continually astounded at the more or less useless (against any kind of modern computer fraud) “authentication” that US banks continue to foist on their customers. Still, courts have said it’s adequate, so I guess it’s not their problem.

    1. jim

      Why wouldn’t the controller review their own account? They are best positioned to identify unusual transactions. Secondarily, contributors are consistently citing a difference in the security measures taken by large banks vs small banks. There are no real facts to support that position. Also – TD Bank is a large bank. Where was Western Union here? They were certainly in a position to stop the money from going to Ukraine- it’s not like it would be the 1st time they’ve been used for it.

      1. timeless

        Reviewing an account isn’t actually a good measure on its own.

        If your computer is clean and you only use your computer, then it can catch the case where your credit card information was stolen somehow and used in Canada (a relative experienced this and flagged it).

        If your computer is dirty, then any attempt to verify the information about your account can be thwarted by the evil processes on your computer actively removing their actions from transaction logs. — The technology to do this is definitely available in principle, although I don’t think Brian has written about automated implementations (the general code to do this is actually pretty trivial, and given that the attacks that have been described do have templates for the various target financial institutions, they could certainly also include templates/scripts to handle activity viewers).

        If your computer starts out clean and you make X clean transactions and then it gets dirty and you make an additional single check to verify your account statement, your non-transaction has now left your entire account vulnerable. You haven’t protected yourself from an attack….

        I should probably take a moment to note that Western Union isn’t used exclusively for evil purposes…. I just returned from a trip to Paris where I received money via Western Union (my wallet didn’t manage to make my flight, and I needed money, so Discover Card wired me money which I retrieved using my Passport as ID). I was actually very happy with Discover, I suspended my account which means that in person transactions won’t work, and I get email for any “large” transactions (threshold controlled by me), so I got an email informing me of my Emergency transaction.

  4. Jason

    TD bank sounded like the same name of one of our banks in Canada. Unlike the American banking system, Canada has only a small number of chartered banks (I think 5 or 6 in total). Sure enough, TD Bank in the US is a subsidiary of TD Canada Trust in Canada (TD is short for Toronto Dominion and merged with Canada Trust, a trust company a number of years ago).

    I would’ve expected with far less competition in Canada, that the banks would be big enough (even with 10x less population) to have developed proper security systems for these kinds of transactions. Evidently not. That makes me think that businesses using Canadian banking may also be in danger unless our security regulations regarding banks are better.

    1. timeless

      TD is an “interesting” Bank. I have accounts w/ TD US and TD CA. They recently opened a system to enable customers to send money between their own accounts across the CA-US border. But the system is hobbled (possibly by privacy/banking laws) so they can’t actually see any information about the other account, so while in theory you’re only supposed to send money to an account you own, you could actually send it to any other TD Bank account on the other side of the border.

      I think that in general the US side of TD is actually friendlier/nicer than the CA side (it bought out Commerce Bank — http://en.wikipedia.org/wiki/Commerce_Bancorp — which has amazing hours and service — TD’s is similar but I believe slightly shorter).

      Sadly, some things we complain about in the US (See Chase bank requiring 5000$ minimum monthly balances) aren’t so uncommon in CA banks (including TD, although to be fair, that’s for its premiere account).

      As you noted, CA really only has a handful of banks. And people have told me they all pretty much suck (which seems like a pretty good summary).

      The other CA bank I’ve dealt with is Bank of Montreal (BMO). And they’re clever. I asked them to send me a Credit Card (to Paris). It arrived 4 days after my request (to be fair, that first day was Monday Night, and it arrived 5 minutes before Noon on Friday) — that was at least one day late. It arrived with a sticker saying something like “please activate immediately by calling this number: …”. The number it listed was *not* open 24-7. …

  5. JimV

    Just curious –was the bank staff using IE as their browser interface?

  6. Oper207

    Brian , if ya can it would be very interesting of what a.v , antimalware products they where using . And to include who was responsible to update those products .

  7. Kevin

    Would it not be possible for law enforcement to start answering calls for mules (however that works) and try to stop these attacks when they happen, or at least try to get info on those down the line?

    1. timeless

      It isn’t impossible. But it would require law enforcement not to be understaffed, not to be underfunded nor overstretched. Oh, and they’d also need a crash course on what they’re doing.

      I think the FBI or Secret Service have at times actually provided similar courses to Local LEOs.

      It also isn’t as simple as one step. You have to make arrangements to follow the money and such. Local LEOs don’t tend to have useful contacts in the Ukraine or other places where the money ends up.

      For some sense of how complicated it is to get enough ducks in a row, you might consider http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_%28book%29 or the NOVA episode http://www.imdb.com/title/tt0308449/ from memory it took months to establish the ties necessary to trace the connections. Money connections might or might not be easier, but if you need search warrants then you can’t expect things to be simple… (and note, you don’t really want countries not to protect rights in the form of allowing random searches without judicial oversight).

  8. Supermicr

    Do not get me wrong, I feel terrible for the loss these Business’s have had due to Crimeware. It’s very easy to blame the Financial Institutions, I read it in the response’s to each incident. I work for one of those Financial Institutions. I cannot speak for all Banks, but our Bank has had “5” vulnerability test performed in the last 16 months. These tests were performed by 3 different outside firms, internal and external penetration tests. None of the results brought any concern or attention to vulnerabilities in our information security procedures. The Website uses multi factor authentication, tokens and SSL Certificates. The Bank has sent the customers check lists to keep PC’s safe and secure when using Internet Banking. But with all the security controls in place, it is very hard to keep the criminals out when Suzy Q. Clerk gives them the keys to the vault.
    We had one incident that resulted in a loss to the Customer and the Bank. The incident occurred prior to the implementation of Secure Tokens. Reading the incidents of computers being compromised, we are still not convinced that Tokens are the answer. Risk Management and IT started to focus on the ACH Application and standard operating procedures. In fact we went “Old School” by enforcing prenotifications. Any new or changed transaction will enforce the entry to a prenote. If the customer changes the account number, transit routing, or a new entry the rule is enforced, the only exception is the dollar amount. Prenotes are set for 100 days in advance of the live entry. All customer payrolls are set up on a schedule; any submissions outside the schedule are suspended. Dollar limits have been set for each customer, which include transaction, batch, file, and monthly limits. The only way the customer can override these exceptions is by calling the Bank and having our ACH administrator make the changes.
    Since the implementation of these controls, we have foiled 4 separate hacking attempts. One of our customers called stating that all the entries in their payroll had zero dollar amounts and they had not made any changes, we investigated the logs. We found where the criminals had added, deleted, and changed entries. The criminals even tried to change the entries back to the original accounts and transit routing. After about 45 minutes of frustration, they logged off.
    Each of these customers workstations were infected with some type of Trojan. All vaguely remember some email message that they are not sure if they clicked on the links or responded in anyway.
    Financial Institutions need to focus on the applications such as ACH, Wire Transfers, and Internet Banking. Implement Fraud Detection with check and balances to determine what activity is normal and abnormal.

    1. Yar

      This is very similar to the type of security the FI I work for has implemented. We are also looking at hardening the users’ browser through implementation of virtual browsers (a la ironkey) or through the use of trusteer’s rapport solution, or we may utilize both.

      We also are expanding our ACH security by utilizing risk management sofwater which analyzes patterns in the originator’s transactions and looks for anomalies such as account and R/T # changes, payee name changes, and significant amount changes, any of which could suspend the transaction for verification prior to processing.

      We also have implemented further out-of-band verifications on wires, utilizing unique verbal passcodes for all repetetive wire customers so we can request that information from them during wire verification.

      Still, there will be close calls and problems. I still maintain that the goal is not to make it impossible for hackers to target your customers. The goal is to make it hard enough to target your customers that they go elsewhere.

      1. Oper207

        The ironkey trusted access is the best out .

        1. All Most hacked

          ‘Major attempt to hack into my TD Bank Account which was thwarted by an alert teller. I have been advised by my IT guy that the Ironkey thumb drive was hack proof. Is that true? I have had my computers “scrubbed” and contemplating using the Ironkey to protect me for my on-line banking accounts (which have been shut down until I decide otherwise). Sooooooo, how secure will I really be? Will it stop phishing and other sly attempts. I use 12+ intensely difficult passwords.

    2. grumpy

      I like what Supermicr describes. Layers of security. It’s good to see that at least one bank is taking their job seriously.

      A layer is needed on the client and sure, a dedicated machine and a Live-[OtherOS] (*) will be slightly better, but then there’s Man In The Middle and replay attacks to consider. Are all points between the user and the account secure? I thought not… 😉

      One time pads, in whatever form, should be mandatory. It’s just been introduced on a national scale here in .dk and it seems to work out alright. There’s been the usual teething trouble as with any large project but only a small minority of users have been impacted. Personally, I like the design and execution. KISS. It has to be to get ordinary people to use it.

      *: Mac? I wouldn’t bank on it (pun intended).


  9. AlphaCentauri

    Not to diminish Brian’s considerable contributions to bringing these risks to public awareness, but why should a mule have to call him to stop a scam in progress? There ought to be a hotline number posted at every bank and Western Union location. It should also be advertised in public service ads on daytime TV, to reach the unemployed who are the ones most likely to be recruited as mules. And there should be an emergency task force that can shut down/reverse concurrent ACH transfers before other mules can withdraw them. For that matter, once the other bank accounts that received funds have been identified, the closest Western Union offices to those banks should get a fax of a poster with the name and perhaps photo of any mule who may be arriving there to wire funds — like an Amber alert for cash. Brian’s good, but it’s a bit much to expect him to be intervening in a scam in progress.

    If I were in the management of Western Union and wanted to do something about the fact that the firm’s name is becoming synonymous with defraudment schemes, I might consider having my company underwrite the emergency response team and having it help enlist banks to participate.

    1. timeless

      As a regular reader of Brian’s blog, I’ve also thought of Western Union as synonymous with this type of fraud. Until I used it in an emergency last week to receive money while traveling. (This is including my visit in Finland.)

      I don’t really know what Western Unions look like in the US, but the equivalent I saw in Paris — https://www.labanquepostale.fr/ — wasn’t organized in a way that I’d actually be able to spot or understand or want to read anything.

      The form I needed was on a wall very far from the wall everyone else was using. The fields it had didn’t really match what I was instructed to provide.

      Generally anyone going into one of these places is in a hurry. In my case there were people in front of me and people behind me, and they were all in a hurry and would definitely get annoyed if I delayed more than necessary.

      That alone makes it hard to provide notices warning people of such things.

      And your sender or recipient always provides you with “helpful” and careful instructions to ensure you know what to do so you won’t get confused/frustrated/distracted. Which means they’d be able to tell you to overlook the fraud bit or to check the box or to assure you that what you’re doing isn’t risky…

      Plus in the case of La Banque Postale, every surface had text (in French, but, it was France…) and there was no reason you were going to stop and read all of it.

      My memory of Western Union in Finland was different, it was cleaner (less clutter / text), and iirc it even had warnings about fraud and ensuring that you knew your recipient or something. — I visited with a friend who was sending money to his family in Pakistan.

  10. Barry

    I have commercial and personal accounts at BofA and use their SafePass technology. We rarely create new payees. Is it better to configure SafePass to require 2 factor authentication at each login or only when adding a new computer and adding new payees? FWIW, my Windows XP PC runs SteadyState and reboots nightly. I also have Trusteer Raport installed. never had a virus or spyware.

  11. Francis Turner

    I have no idea about TD bank, but the advice to use a linux liveCD may not work. I do know that some banks get all upset if you present them with a browser string that doesn’t look like Windows (or maybe a Mac). And typically they get upset with browsers like SeaMonkey or Opera or other minority sorts.

    1. MadVirgo

      Well, my credit union, SECU, seems to have no issues with my browser being run from an Ubuntu 11.04 machine, but as you pretty much stated, ‘YMMV’. I like what Supermicr, AlphaCentauri,and Yar posted–right now, educating the public about ‘work at home’ schemes, via some nationwide PSA, plus the many layers of authentication for ACH transfers, and getting Western Union AND MoneyGram(they’ll just go from one to the other when the heat is turned up)to have a hotline that will allow them to ‘Amber Alert’–as Yar put it–when a transaction is detected, would be a great,few steps to tackling this issue. Somehow, though, I fear that some pundit would complain that this was another ‘socialist’ tendency that will bring the USA down the path of Big Brother, or some blather like that…

      1. AlphaCentauri

        I’m sure some people would consider it no one’s business but their own if their bank account is being emptied. So banks would either choose to participate or not, and they can advertise their participation or lack thereof to attract depositors who do or don’t want that kind of protection. I have a feeling that even people who object to the general idea of some new Big-Brotherish (megafraternal?) system would still prefer to have their own money in a bank that provides that protection, but then no one ever went broke underestimating the intelligence of the public, as they say.

  12. David4705

    Brian, you have previously been a great advocate for using a live CD distro of Linux to do online banking, as a way to avoid the problems illustrated by the fraud on the town in Maine. What do you think of the Live CD distro available from the Department of Defense, recently discussed in Lifehacker:

    First of all, is it legitimate? And second, is it better?

    That the DOD is giving its imprimatur to this method of security should help persuade small business and small governmental entities that this is a viable option.

Comments are closed.