A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.
Sometime before June 2010, crooks infected computers of Vienna, Va. based Global Title Services with the ZeuS Trojan, giving them direct access to the company’s network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.
The first three wires totaled more than $200,000. When Global Title’s owner Priya Aurora went to log in to her company’s accounts 15 minutes before the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.
When Aurora visited a local Chase branch for assistance, she was told she needed to deal with the bank’s back-office customer service. Between June 2 and June 8, the thieves sent out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires, sent on June 1.
Capital One declined to comment for this story, citing the ongoing litigation.
Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One’s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.
“By operating a single factor identification online banking system, Capital One left its customers open to identity theft and failed to take sufficient safeguards to prevent unauthorized access to its client’s online banking accounts, including the ability to send wire transfers,” the company charged in its complaint.
Global Title also alleges that Capital One should have known that the transfers were fraudulent and unauthorized.
“Capital One was put on notice through Ms. Aurora’s phone call at 2:09 on June 1, 2010, and on subsequent calls that same day, that Global Title had no access to its online banking system,” the complaint states. “Accordingly, Capital One knew or should have known that any wire transfer that afternoon would be unauthorized.”
BUSY, BUSY MULES
Some of the fraudulent activity was tied to money mule activity that was busted up by federal prosecutors last year. Two wires totaling more than $234,000 were sent to Key Marius Import LLC, a company flagged by federal investigators as a fraudulent front for organized cyber thieves. In November 2010, Wisconsin police arrested two men who were wanted as part of a crackdown in late Sept. 2010 on so-called “J1” money mules who were in the United States on work/travel visas. According to an FBI press release from last fall, Key Marius and the commercial bank account attached to it were set up by one of those men, Dorin Codreanu, a Moldovan who pleaded guilty to conspiracy charges earlier this year.
Codreanu was sentenced to three years in prison, and ordered to pay restitution of more than $110,000 to his victims. The court judgment against him (PDF) states that the company Codreanu was ordered to pay restitution to was not Global Title but a Dinkels Bakery; the remainder of the $110,000 restitution was to be paid to court services, Level One Bank and JP Morgan Chase.
Other companies that received large wire transfers may also have been fronts set up in advance of the attack. Key Marius Import LLC was established in April 2010, as were Alvarez Here and Now, Inc. of Ontario, Calif., which received a fraudulent wire of $39,560 on June 2, and Sharp and Bright Designs Inc. of Simi Valley, Calif., which was sent a bogus wire of $19,583 from Global Title on June 2. PWD Properties, incorporated in late January 2010 in Wilmington, Del., was sent a fraudulent wire of $28,582 on June 2.
Capital One was able to reverse all but the first three fraudulent wires ($119,500 to Key Marius, $39,560 to Alvarez Here and Now, and $48,698 to a Dwaine Peterson), leaving Global Title with a $207,758 loss. As a result, it was forced to take out a loan to make the required cash distributions from the firm’s escrow account.
UNCERTAIN LEGAL GROUND
Banks in the United States are supposed to adhere to online banking authentication guidance issued in 2005 by regulators at the Federal Financial Institutions Examination Council (FFIEC), but many institutions have been slow to comply with the guidelines.
Several victims of corporate account takeovers have sued their banks, claiming similar negligence, but with mixed results. In June 2011, a Michigan court held Comerica Bank liable for more than half a million dollars stolen in a 2009 cyber heist. Two months later, a district court judge in Maine ruled that banks which protect accounts with little more than passwords and secret questions are in compliance with the FFIEC’s security guidance.
Faced with an explosion of corporate account takeovers in the past two years, the FFIEC recently updated its guidance, which calls for “layered security programs” to deal with riskier commercial banking transactions, including methods for detecting transaction anomalies, the use of out-of-band verification, and enhanced customer awareness campaigns. Those requirements, which will inform the activities of bank security examiners, are set to take effect on Jan. 1, 2012.
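To make the “transaction anomaly” and “out-of-band verification” language concrete, here is a small rule-based wire screen of the kind that guidance points at. It is an added example written for this page, not code from Capital One, the FFIEC or any bank; the scoring weights, the hold threshold and the customer’s transaction history are constructed assumptions, while the payee names and amounts of the sample attempts are taken from the article. The point it makes is that for a title company that routinely wires six-figure payoffs, amount alone is a poor discriminator; a new payee, unusual velocity and a customer’s report that she cannot reach her account are the signals that separate the June 1 wires from normal business, and any wire scored as anomalous is held for out-of-band confirmation rather than released.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Wire:
    day: date
    payee: str
    amount: float


# Constructed history: roughly a month of this customer's ordinary wires
# (settlement payoffs, recording fees, a survey invoice). Not real records.
HISTORY = [
    Wire(date(2010, 5, 3), "Fairfax County Clerk", 1250.00),
    Wire(date(2010, 5, 7), "Harbor Mortgage Payoffs", 212000.00),
    Wire(date(2010, 5, 12), "Fairfax County Clerk", 980.00),
    Wire(date(2010, 5, 18), "Summit Lender Services", 187500.00),
    Wire(date(2010, 5, 24), "Harbor Mortgage Payoffs", 195300.00),
    Wire(date(2010, 5, 28), "Dominion Survey Co", 2400.00),
]

# Sample attempts on the day of the heist. The first three payees and amounts
# come from the article; the fourth is a constructed legitimate wire.
HEIST_DAY = date(2010, 6, 1)
ATTEMPTS = [
    Wire(HEIST_DAY, "Key Marius Import LLC", 119500.00),
    Wire(HEIST_DAY, "Alvarez Here and Now Inc", 39560.00),
    Wire(HEIST_DAY, "Dwaine Peterson", 48698.00),
    Wire(HEIST_DAY, "Fairfax County Clerk", 1100.00),
]

HOLD = "hold for out-of-band confirmation"
RELEASE = "release"


def build_profile(history):
    """Summarise a customer's past wires into the baseline the rules compare against."""
    per_day = {}
    for w in history:
        per_day[w.day] = per_day.get(w.day, 0) + 1
    return {
        "known_payees": {w.payee for w in history},
        "max_amount": max(w.amount for w in history),
        "max_per_day": max(per_day.values()),
    }


def score_wire(wire, profile, same_day_count, customer_reported_no_access):
    """Return (score, reasons). Weights are assumptions chosen for illustration."""
    score, reasons = 0, []
    if wire.payee not in profile["known_payees"]:
        score += 2
        reasons.append("new payee")
    if wire.amount > profile["max_amount"]:
        score += 2
        reasons.append("amount above historical max")
    if same_day_count > profile["max_per_day"]:
        score += 1
        reasons.append("velocity above historical max")
    if customer_reported_no_access:
        # A customer call saying "I cannot log in" is itself an out-of-band
        # signal: anything submitted while that report is open gets verified.
        score += 3
        reasons.append("customer reported lockout")
    return score, reasons


def screen(attempts, profile, no_access_days=frozenset(), hold_threshold=2):
    """Decide release/hold for each wire in submission order."""
    decisions, seen_today = [], {}
    for w in attempts:
        seen_today[w.day] = seen_today.get(w.day, 0) + 1
        score, reasons = score_wire(w, profile, seen_today[w.day], w.day in no_access_days)
        decisions.append({
            "payee": w.payee,
            "amount": w.amount,
            "action": HOLD if score >= hold_threshold else RELEASE,
            "reasons": reasons,
        })
    return decisions


def run_example(customer_reported_lockout=True):
    """Screen the sample attempts, with or without the customer's lockout call on file."""
    profile = build_profile(HISTORY)
    days = frozenset({HEIST_DAY}) if customer_reported_lockout else frozenset()
    return screen(ATTEMPTS, profile, no_access_days=days)


if __name__ == "__main__":
    for lockout in (False, True):
        print(f"customer lockout report on file: {lockout}")
        for d in run_example(lockout):
            print(f"  {d['payee']:<26} {d['amount']:>10,.2f}  {d['action']}  {d['reasons']}")
```

Run without the lockout report and the three wires to never-before-seen payees are already held on the new-payee rule alone, while the routine recording fee is released; run with the report on file and every wire that day is held, which is the behaviour the complaint argues the bank should have had once Aurora’s 2:09 call was logged. A production system would also weigh payee account age and destination-bank risk, but the layering idea is the same.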
Avivah Litan, a fraud analyst with Gartner Inc., said many banks are still out of compliance with the FFIEC’s older guidance.
“The new guidance isn’t that radical, and it basically re-affirms the previous guidelines and clarifies some points,” Litan said. “This case sounds like a clear violation of the FFIEC guidance, which says put controls in place that are commensurate with the risk, and many banks still aren’t doing that.”
Global Title is asking the court for a $500,000 judgment, plus pre- and post-judgment interest and attorney’s fees. Its legal challenge has cleared its first major set of procedural hurdles, and unless the parties settle before then, the case is scheduled to go to trial on April 10, 2012.
A copy of the company’s complaint is available here (PDF).
Update, 12:36 p.m. ET: Fixed the link to Global Title’s complaint filing.
Update, Nov. 15, 4:53 p.m. ET: Capital One provided the following statement in response to this article:
“Capital One’s authentication controls protecting our commercial platforms are compliant with the federal multifactor authentication guidance. These controls are the subject of annual risk assessments to ensure they remain appropriate in light of the threat environment. In the funds transfer realm, among the controls utilized are hard tokens and out-of-band confirmation of payment instructions.
As part of our broader security measures, Capital One provides security – and safe computing – related ‘best practice’ tips and recommendations to let our small business and commercial clients know what they can do to protect themselves and reduce their fraud risk.”
@Brian: That bottom pdf case link doesn’t look like the right case?
Cases like these are only just going to continue to be hairy grey areas for quite some time.
1. If Global Title Services (GTS) hadn’t been (arguably) negligent with their local systems and banking use, then perhaps none of this would have happened. That’s not to say this is all their fault, but there has to be acknowledgement of the contributing factors and the shared responsibility.
2. Sounds to me like the bank detected anomalous activities after the first three wires and locked out the account. Maybe I’m missing something there. Sure, more wires were sent out, and maybe that is a gap in the bank’s protections. But you do still have to balance stopping activity that *looks* suspicious versus stopping legitimate activity that is going to make your customers mad. There is no perfect threshold for that.
3. When GTS’ owner called in, did she specifically ask that all subsequent activity be stopped? From my reading, she only reported she couldn’t get into her online banking system. It would be bad practice for the bank to then assume all subsequent activity is to be blocked. For all they (customer service) know at the time, this one person may have a problem but someone else at the company may be fine and may be pushing valid transactions. I think this is a groundless piece of the lawsuit and a poor assumption by GTS.
4. All of this still has to keep in mind the issue of corporate banking fraud that is directed at the bank. If, as a business, I can wire money everywhere and then cry to the bank to get it all back because it’s fraudulent, and then remove myself from the business (or kill the business itself), we have a huge problem. A bank simply can’t protect against that on its own, which means there should always be an amount of effort put forth by both parties to secure transactions/access.
5. The bank certainly has an issue with poor authentication and checks/balances internally. But I’m not sure it is reasonable to expect immediate improvements in these systems, or bulletproof security.
Besides which, if these guidelines are not being met, why does it take incidents for consumers to start clamoring for guidelines to be met or exposure when someone is not? (This is endemic to all digital/corporate security, really.)
I have to agree with LonerVamp above that there has to be some liability with the Title company regarding their endpoints.
After that initial call to the bank there should have been some checks and balances regarding the account lockout. If the account was locked out, I am certain that the bank could have unlocked the account in a matter of minutes and the Title company could have checked their account.
I say that also to say that I am glad that the new FFIEC guidelines for January 1, 2012 will go into place. This will be good for the consumers and banks. If banks up their protection by using something like Trusteer that catches Zeus and other trojans on the initial connection to online banking, it will be good for all parties.
All parties have to have a watchful eye for criminal activities in today’s landscape. Thanks for another great article Brian!
That’s a lot of money to lose for a company that can’t afford IT security.
Ubuntu Live CDs (pack of five) US $8.00 🙂
Even less if you have an internet connection and go and buy your own Flashdrive or DVD! 😀
I fixed the link to the amended complaint in the story above. It is also here:
Just for clarification: Did the bank not have a mechanism like one-time passwords (via SMS or on a paper list) for verification of each transaction in place?
If so, this would be a very worrying sign. I can’t think of any bank here in Germany that hasn’t implemented the OTP (we call ’em TAN, “TransAction Number”) scheme for the last, say… 10 years. Still, phishers with full access to the victim’s browser rendering engine can break this method, but at least it is a bit harder than just sniffing username and password.
Should banks add layered security and fraud monitoring tools to their systems? Yes they should, because many of the fraudulent ACH and wire transfers can be stopped before they ever leave the bank. Should the bank be the only one responsible for detecting and preventing fraud? No, the weakest point in the online transaction has been and always will be the end user. The bank can not force you to secure your system. Even with the new FFIEC guidelines the problem will only continue to grow. With banks starting to add more layered security such as Trusteer, IronKey, VeriSign security tokens, and fraud monitoring tools that build user profiles and compare payees to lists of known fraud and out-of-normal activity, some of this will be stopped. However, just as I stated before, until the end user is required to improve their security this problem will only grow.
I agree. I’ve also published secure transaction appliance designs on this & Schneier’s blog. Even without such an appliance, the most reasonable thing to do is for the customers to use a dedicated PC for banking. Even a hardened Windows 7 netbook that was firewalled to only connect to the bank & the accounting PC (with simplified formats for exchanges) would defeat most of this stuff. If it can run OpenBSD or a Linux LiveCD, even better.
Although I usually advocate my secure designs, I contend this is a problem that can mostly be solved at the endpoint with a sub-$300 PC, a free to cheap OS, a configuration guide & some basic accounting checks. There’s simply no reason a general purpose, internet-connected work PC should be trusted with seven digits worth of assets when such a cheap alternative is available.
I have a different take on this…
Don’t consumers and businesses have an obligation to do due diligence in figuring out which bank they’ll use? There are other banks out there using multi-factor authentication – PNY and ING to name a couple. Shouldn’t the company bear at least half the responsibility for not switching to another bank that had 2- or multi-factor authentication already implemented?
IMHO, all online banking should be done via a Live CD, or at the very least be a patched notebook not joined to the domain with no ties to the company.
What is “Level One Bank”? It can not be “Capital One”?
I lay the primary blame at the feet of the title company. Security starts first at home. Had they had the mandatory protection of their data and systems, they never would have had the malware in the first place. Even if they somehow became infected, they should have been alerted immediately and corrected the problem at that moment.
No excuse for this whatsoever. I say let this be an expensive lesson to be learned by the title company and other companies that shirk their due diligence.
The irony is that this easily avoided issue happened to a company in the “risk management” industry. 😉
In previous similar posts, Brian Krebs has pointed out that current antivirus products don’t catch the Zeus trojan — but it’s been months now. Do any of the antivirus folks claim to block Zeus now? Or is the “security at home” just the $300 dedicated netbook(s) that the sadder-but-wiser title company (hopefully) has by now?
It’s basically a sort of continual arms race: criminals compile or make malware such as Zeus which has a file signature that’s never been seen before and carries out actions in such a way as to avoid heuristic detection (which means AV programs guess that a process is malware based on actions it carries out). Malware instances are often encrypted so that each one has a different file signature. A file signature is a type of hash that uniquely applies to that file alone.
After some time period – which can be hours to months (or longer maybe, I don’t know) – the file bearing the malware payload comes to the attention of security researchers or personnel at AV companies and its signature gets added to the AV product’s definitions. Now it can be detected and won’t be allowed to execute.
Criminals test their payloads against AV programs before infecting victims – “professional” criminals are unlikely to bother with anything that is detected by any one of the major AVs and just go ahead and make a new, undetectable variant.
I wonder how the customer, Global Title Services, remained locked out of the bank’s system, when the bad guys were able to log in and set up the wire transfers…it makes me wonder who got hacked…
I believe in previous instances the same malware that gave the criminals access to the victim’s account also put up a fake page when the victim tried to log in.
Someone please correct me: The victim’s PC is compromised, likely through email. Then, the next time the victim tries to log in, the malware intercepts the credentials and sends them to the criminal. The criminal is now successfully logged in and the malware serves up a page to the victim saying the bank’s system is undergoing maintenance or the account is locked out or something along those lines. This is why we occasionally see posters from Europe asking why American banks still don’t do transaction or batch authentication instead of just session.
What I find interesting is that she was locked out prior to the wire transfers…then to add insult to injury when she went down to the bank office they wouldn’t help her, but gave her the call this number spiel…
I think this is where the bank failed their part in this and should accept some blame. I’m sure they were more than willing to supply her with the loan she needed though.
As a *former* small business banking customer of Chevy Chase Bank, I can confirm with certainty that they knew about this rash of online break-ins prior to June 2010 and absolutely did not care.
When Krebs’ website was still rather new, and these articles started to appear, I printed them out and walked them over to my local Chevy Chase Bank branch. I insisted on getting a response to my security concerns, and was completely dismissed by the IT folks in the Chevy Chase back office.
I was horrified, especially when it became clear that they had no plans for anything beyond a simple username/password.
So they certainly can not claim ignorance – because I desperately tried to warn them years ago.
I am no longer a Chevy Chase / Capital One customer 😉
To add to my comment above….
Chevy Chase / Capital One DOES bear some responsibility, because when their customers approached them to ask about security concerns, they responded by saying “don’t worry, we have very strong encryption”. They did NOT say: “Hey, it’s a nasty world out there, make sure your local PC is protected”. Instead, they treated concerned customers like myself as if they were paranoid lunatics and belittled our concerns.