May 31, 2012

The House Financial Services Committee is slated to hold a hearing this Friday on the impact of cyber heists against small- to mid-sized businesses. It’s too bad the committee has already finalized its witness list: It likely would be shocked to hear the story of Tennessee Electric Company Inc., a firm that lost $328,000 earlier this month in an account takeover that defeated multiple security measures commonly used by commercial banks to stop cyber thieves.

Executives at the Kingsport, Tenn.-based construction and maintenance contractor thought that the security procedures employed by their bank — one-time tokens and verbal approval for all transactions — would deter attackers. But they recently discovered how deftly today’s e-thieves can bypass such defenses.

The attack began sometime before May 9, when thieves stole the online banking credentials for Tennessee Electric, presumably with some type of malicious software such as the ZeuS Trojan. That morning, the company’s controller Jenni Smith logged into the firm’s account at the Web site of Tri-Summit Bank, entering her password and a one-time password generated by a key fob supplied by the bank. After Smith entered the information, however, her browser was redirected to a Web page stating that the bank’s site was down for maintenance and would be offline for about an hour.

But the thieves lurking on Smith’s PC intercepted that one-time password, used her connection to log on to the bank’s site, and redirected her browser to the fake maintenance page. Meanwhile, the attackers used that browser session to put through a batch of fraudulent payroll payments to at least 50 “money mules,” willing or unwitting individuals scattered throughout the United States who were recruited to help the crooks funnel the funds out of the country.
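The attack worked because the key fob’s code proved only that the controller was logging in; nothing tied any code to the batch of payments that followed, so whoever held the session could submit anything. As an added illustration of the defensive alternative, not code from Tri-Summit Bank or Tennessee Electric, the Python below sketches a server that consumes each login code once and requires a second code computed over the exact ACH batch (payee list and total). The `BankServer` class, the seed value and the two batches are constructed for the example; the login code follows the RFC 4226 HOTP construction, and the batch code is a hypothetical HMAC over a canonical hash of the batch.

```python
"""Transaction-bound one-time codes: a defender-side sketch.

Added illustration, not the bank's or the victim's software. A login OTP
proves only that someone holding the fob was present at login; malware that
relays it gets a full session. Binding a second code to the exact ACH batch
means a captured login code authorises nothing, and a code for one batch is
useless for a different one.
"""
import hashlib
import hmac
import json
import struct

LOGIN_DIGITS = 6
TXN_DIGITS = 8


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a fixed-length decimal code."""
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def login_code(seed: bytes, counter: int) -> str:
    """HOTP-style login code, i.e. what a key fob displays (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, LOGIN_DIGITS)


def batch_digest(batch: dict) -> bytes:
    """Canonical hash of an ACH batch so a code commits to every payee and amount."""
    canonical = json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def transaction_code(seed: bytes, counter: int, batch: dict) -> str:
    """Hypothetical batch code: valid only for this exact batch at this counter."""
    msg = b"ACH-AUTHZ" + struct.pack(">Q", counter) + batch_digest(batch)
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return _truncate(mac, TXN_DIGITS)


class BankServer:
    """Server-side state for one commercial customer (constructed for the example)."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.login_counter = 0   # next HOTP counter the server will accept
        self.txn_counter = 0     # next batch-code counter
        self.audit = []          # the trail a fraud desk would review

    def login(self, code: str) -> bool:
        expected = login_code(self.seed, self.login_counter)
        ok = hmac.compare_digest(code, expected)
        self.audit.append(("login", ok))
        if ok:
            self.login_counter += 1   # consumed: a relayed copy is now dead
        return ok

    def authorize_batch(self, batch: dict, code: str) -> bool:
        expected = transaction_code(self.seed, self.txn_counter, batch)
        ok = hmac.compare_digest(code, expected)
        self.audit.append(("ach", batch["total"], len(batch["credits"]), ok))
        if ok:
            self.txn_counter += 1
        return ok


def run_demo() -> dict:
    seed = b"constructed-demo-seed-not-a-real-token"   # constructed value
    bank = BankServer(seed)
    # Constructed batch: the payroll the controller actually reviewed and approved.
    payroll = {"total": 48250.00,
               "credits": [{"acct": "111", "amt": 24125.00},
                           {"acct": "222", "amt": 24125.00}]}
    # Constructed batch: 50 credits the controller never saw, submitted in her session.
    unseen = {"total": 328000.00,
              "credits": [{"acct": f"m{i:02d}", "amt": 6560.00} for i in range(50)]}

    fob_login = login_code(seed, 0)
    results = {}
    results["login_ok"] = bank.login(fob_login)          # genuine login
    results["login_replay"] = bank.login(fob_login)      # same code again: rejected
    # A login code is not a batch authorisation, whatever batch is attached to it.
    results["login_code_as_ach"] = bank.authorize_batch(unseen, fob_login)
    # The fob signs what the controller saw; the server checks what was submitted.
    signed = transaction_code(seed, 0, payroll)
    results["swapped_batch"] = bank.authorize_batch(unseen, signed)
    results["genuine_batch"] = bank.authorize_batch(payroll, signed)
    results["rejections"] = sum(1 for entry in bank.audit if entry[-1] is False)
    return results
```

A relayed login code is rejected on reuse, a login code never authorises a batch, and the code the fob computed for the two-credit payroll fails for the 50-credit batch the server actually received. The audit list is the signal a fraud desk would alert on: several rejections in one session around an unusually large batch is exactly the case where the verbal-approval call that did not happen here should have been mandatory.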

Greg R. Boehling, Tennessee Electric’s CEO, said Tri-Summit Bank was supposed to call the company to get approval before allowing automated clearing house (ACH) transfers, but that for some reason the bank dropped the ball in this case.

“No one at all called us, although [the bank has] been religious about this in the past, even to the point of getting approval for a $50 expense report payment via ACH,” Boehling said. “All of a sudden, this happens and we get nothing.”

Tennessee Electric did eventually get a call from the bank, but only after the bank had approved the fraudulent ACH batch.

“Hours after the batch went through, we got a call from the bank where they asked, ‘Oh, by the way, did you approve this ACH batch?’ and we said, ‘Absolutely not!’” Boehling recalled.

So far, the firm and its bank have recovered about one-third of stolen funds, he said, adding that the FBI is investigating the incident and is examining Smith’s PC.

Tri-Summit could not be immediately reached for comment. Unfortunately for Tennessee Electric, the company — not the bank — is on the hook for the loss. Unlike consumers, who are largely protected against liability for cyber theft, companies that suffer cyber heists are legally responsible for the losses and have no such protection.

At 9:30 a.m. on Friday, June 1, the House Committee on Financial Services will hold a hearing entitled, “Cyber Threats to Capital Markets and Corporate Accounts.” Invited witnesses include executives and officials from The Depository Trust and Clearing Corporation, The Securities Industry and Financial Markets Association, NASDAQ, and the Coalition Against Online Banking Fraud, a group started by Jim Woodhill, the founder of Authentify.

Update: 9:48 a.m.: An earlier version of this story incorrectly identified the name of Tennessee Electric’s bank. The above copy has been corrected.


95 thoughts on “House Committee to Probe e-Banking Heists”

  1. Chris Thomas

    Was Tennessee Electric using Trusteer Rapport? If so that’s worrying as that would mean that online banking safety is well nigh impossible. If not why not?

    Any online banking customer not using Trusteer Rapport (assuming they are Windows or Mac users) is not performing due diligence.

    Your blog is thoughtful, thought provoking and a most valuable awareness tool.

    1. Mike Angelinovich

      I believe that even Brian Krebs felt that the Trusteer Rapport software has been and can be broken. What the Bank needed to have was an authentication solution that generates a credential that the user does not enter. Therefore, when the hacker stole the user’s entered credentials via a real-time Keylogger (Zeus) including the OTP code and then entered it from his PC immediately, the hacker would not have had the user’s client generated credential and would not have been able to access that online bank account.

      1. JCitizen

        Hmm! That’s funny – I didn’t get that inference from that article Mike, or any subsequent article. As far as I know, no known crack has busted Trusteer. If you have a link, I’d be very obliging to you.

        Now if you mean Trusteer gets broken being installed on infected systems, or improperly installed, or installed with other incompatible kernel based solutions; then yes, you can easily break such a powerful solution, but then I’ve had the same experience with many other very powerful and useful kernel based solutions.

        1. Mike Angelinovich

          http://krebsonsecurity.com/2010/04/a-closer-look-at-rapport-from-trusteer/

          ANALYSIS

          Trusteer’s product certainly raises the bar for malware writers, and forces them to deploy Rapport-specific attacks to plant malicious software on a user’s PC. Spanish security firm S21sec said recently it had confirmed in lab tests “that ZeuS cannot grab any data in a machine where this software is installed. Unfortunately, the ZeuS guys haven’t just been lazing around; in one of the latest samples of the Trojan, we have seen how ZeuS, right after infecting a computer, downloads and executes a second file whose purpose is to render useless this software.”

          1. JCitizen

            Thank you, that is very useful.

            Hopefully this ‘security firm’ doesn’t have any particular ax to grind. As with any security solution, one must not rely on any single one. There are many good behavioral heuristics built into several free products that can detect file manipulation – and those work at or near the kernel level too.

            I’d still say that with a good blended defense, using compatible utilities, the bad guys would have more headaches than the target user.

            1. GratefulCitizen

              You’re a fool to think that there is any software out on the market that is not crackable. It just isn’t possible. As technology improves, so do these Hacker criminals. It may take them a while to figure out how to get around something, but eventually they will. There is no such thing as secure money anymore. This is why the general public needs to raise their skepticism. Unfortunately we live in a world where people trust one another too easily. I see this happening all the time. Someone “trusts” someone so they lose their skepticism and then that other person will just bleed them dry. Eventually it will get caught, but often times it is too late and the money is either gone or has already been spent.

              Wake up, people. There is no safe place for your money anymore. There is and always will be a way for people to steal money from your accounts. The safest thing you could do is ship your money to Mars, but then it wouldn’t be very liquid…

              1. JCitizen

                Who said anything was uncrackable? That is just the point. IT security is a fluid, ever-changing push-pull between the criminals and the white hats. Just because I use a seat belt and drive defensively doesn’t mean I’m “safe”. But the odds are good enough to go on driving, and functioning in the IT business world (and on the highways).

                Also – you have to weigh what you could lose against the cost of protecting it – strategy can change in an instant if this evaluation changes – and it does – constantly.

      2. Jay

        “an authentication solution that generates a credential that the user does not enter” “user’s client generated credential”

        What do you mean by this type of solution? If this type of credential is generated by a user’s client, can hackers or malware use the credentials by proxying traffic to servers?

        1. Mike Angelinovich

          The easiest way to describe this solution is that it was designed as a software version of a smart card authentication solution and then further enhanced. Neither a Hacker nor Malware can use the credential by proxying traffic to servers.
          Please visit: http://www.virtualsoundpass.com

  2. Moike

    So, the question is why didn’t the verbal ACH request come through on this one time? Did they DDOS the bank’s network at the same time to distract and disrupt normal procedure? Did they have control of one or more computers in the bank’s network? Did an insider at the bank assist?

    And why isn’t the bank taking responsibility for the loss when it dropped the ball for an established security procedure?

    1. matt

      They DDoS the victim’s phone number so the bank can’t reach the customer …

  3. Jerry Tylman

    The Bank should consider a new product called EFTGuard. EFTGuard would have provided Tennessee Electric with end point protection (which they did not have) and up to $500,000 in fraud loss protection if the control was subsequently beat.

    Customers insure tons of stuff, so why not the cash in their business checking account? Banks could offer this and earn a fee for the insurance or they can risk having Regulation E expanded into Business Banking. Their choice.

    1. JD

      Hmm, do you have any vested interest in this product yourself? I tend to think you do….

      1. Jerry Tylman

        JD, if there is a product that can transfer the risk for both the Bank and their Business Customer, why not get the word out? Banks can’t control what people do; that is why they require homeowners insurance for mortgage customers and auto insurance if you have a car loan. Likewise they can’t control what is on your PC or Mobile Device, so why not provide some additional form of risk protection other than just more technology?

        1. JD

          I see it as you pimping your own product on someone’s blog. The product may have merit (I don’t know if it does or does not), but that is just the way I perceive both of your responses.

          1. Jerry Tylman

            Sorry, I thought Brian and you guys might want to learn about a solution to this problem, not just read more conjecture. Bottom line is it’s the only product that provides business banking customers with fraud loss protection.
            Brian has written two articles in the past asking, “where is the Insurance Solution?”. Well, here is a warranty-based solution called EFTGuard. No different than someone like you saying, “switch to Linux or stop banking online”, except this one pays if you still get ripped off.

            1. Brian Fiori (AKA The Dean)

              I’d love to get a direct answer to this question: Do you have a vested interest in EFTGuard? A simple yes or no will suffice.

  4. Ryan Baker

    Brian,

    I work in the IT Dept for Citizens Tri-County Bank. We are headquartered in Dunlap, TN, about 60 miles NW of Chattanooga. We are not aware of another Citizens Tri-County Bank in TN. We do not have any branches in or near Kingsport, TN. If this story is in fact about us, our Executive Vice President would like to speak with you, Brian, about clearing up this misunderstanding. Please let me know how we can correspond.

    1. Ryan Baker

      Brian,

      Thanks for the quick follow up and the correction!

      1. Pjm

        You might want to change the tag on this article (still reads Citizens Tri-County).

  5. Ds

    I’d bet that the ACH approval call was not a formal security measure, but instead a courtesy measure that the company assumed would always be there. This is the only way I see the bank not being liable.

  6. Sam Sayen

    Brian, were you getting DOS’d again today?

    1. BrianKrebs Post author

      The DDoS has not stopped. My site has been under constant attack for nearly 7 days now.

      1. Sam Sayen

        Well, on the plus side that must mean your reporting is pissing off the right people…

        1. Sam Sayen

          I don’t know how prolocation.net is, but I highly recommend cloudflare for dns.

      2. George GYEtYe

        Yet this is the first time in many days that I can “like-dislike”

        1. George G

          Sorry, the site suddenly went berserk, the name should have been as in this comment.
          Screen was running up and down for a while.

  7. JimV

    Presumably, the targeted computer’s OS was some flavor of Windows — eventually, it would be nice to know whether it was patched up-to-date when the intrusion occurred, what browser was in use and whether it was also patched up-to-date.

    Identification of the keylogging trojan would be good to know as well, and whether this was a known vulnerability among the industry or a zero-day event.

    Hope they can recover the remainder of their money, and the House committee ought to extend the hearing and add this bank’s officer to their list of witnesses.

    1. Sam Sayen

      I’ve seen a few, but more banks should hand out IronKeys to commercial customers and teach them about using the virtual keyboard to thwart keylogging trojans. Wouldn’t stop a screen capture, but it’s a start. I’d be curious to see a breakdown on what malware was on her system as well. I’m guessing it is probably the same old crap and semi-outdated patches. People on Windows should really be running MSSE and not just relying on McAfee or Symantec. Microsoft has really gotten their act together in that respect.

      1. BrianKrebs Post author

        Not a single one of these attacks I’ve written about took advantage of software vulnerabilities. They all tricked the user into running the malicious attachment. Perhaps in a few cases the malware was called by a nasty javascript snippet hidden in the PDF, but usually someone somewhere has to agree to run an executable file.

        1. Sam Sayen

          Yeah, why bother with an exploit when you can just put a PDF icon on an exe and someone will run it. Can’t patch ignorance.

          1. Terry Ritter

            @Sam Sayen: “why bother with an exploit when you can just put a PDF icon on an exe and someone will run it. Can’t patch ignorance.”

            I take your point, but I wonder just how many of us would be fooled by exactly that. Is it really ignorance, or just human error? Can’t fix humanity.

        2. JimV

          So, in each case there was no resident AV in operation that a) recognized the malware and b) intercepted the executable’s launch, or there was some AV resident but it failed in both steps?

          1. Moike

            >no resident AV in operation that a) recognized the malware

            The bad guys never release a new version of their malware until they have tested it to be sure that no current AV picks it up. They can Email it directly to the victim and sneak right in without tripping any alarms.

          2. BrianKrebs Post author

            JimV – From my vantage point, antivirus is next to worthless against these threats. Every single victim I’ve interviewed or written about was running AV. Guess how many had detections *before* they lost tens of thousands of dollars?

            Today’s threats are heavily “crypted,” before they’re sent out, meaning they are constantly scanned against dozens of antivirus tools and modified slightly until they are undetectable by most if not all AV products for a period of time that is increasingly *guaranteed* by the crypting service.

            1. Jerry Tylman

              Brian, you have written two articles in the past about the lack of an insurance solution in this space. Banks require that people with mortgages have homeowners insurance, they require merchants to have data breach insurance, etc., so why not a requirement for businesses who want to bank online? Banks can’t control what gets downloaded onto a customer’s desktop, so why not have the customer insure against the risk? Jim Brune at Net Banker did a nice write-up a month ago on a new product that we offer in this space. Check it out and let me know if you want to learn more. There are alternatives to “don’t bank online.”

              1. TJ

                Bad form! If you want to pimp your own product, pay the toll and buy an Ad.

  8. Fed Up Fed

    “Can’t patch ignorance.”

    You’re far kinder than I, sir. I.D.10-T is the tamest I would use.

    1. Flyguy

      Personally I would have used P.I.C.N.I.C.

      problem in chair not in computer.

  9. darb

    As someone who has inside info on this breach, I can confirm a few things. 1 – the piece of malware most likely responsible for the breach was a recent variant of the Gozi trojan. 2 – AV was installed and definitions were current, however it failed to detect this particular malware. It was NOT Symantec or McAfee (although I will agree that both suck) 3 – Windows updates and patches were up to date. Java was not. 4 – This was not a case of user negligence (opening a compromised PDF, email attachment, etc.) The user is not to blame in this case. I hope everyone will understand if I’m unable to disclose more info.

    1. na

      Not to be a dick… but considering java is the most commonly exploited service for drive-by attacks on web browsing in existence — Unless you are asking to get owned you should either remove java completely or make sure it is up to date.

    2. TJ

      Given all the security measures taken by the company and the bank, it’s quite obvious that everyone was aware of the threat. Why, oh Why, wasn’t the controller using a dedicated system for online banking??

      1. grumpy

        Yup. A dedicated system and policy-based routing allowing that system only access to the bank(s). Not guaranteed secure but the extra steps needed to defeat the security would severely increase the complexity of any attack. Until, of course, someone finds a way to do it automagically. 😉

    3. george

      Was it Windows7 or an older version ?
      (I’m still forced to WinXP on my work computer)

      1. JCitizen

        Not that it matters. These attacks are still possible even if you are using a brand new NT6 64bit Windows operating system, and on a standard account!

        The new bugs take advantage of the session, and survive by injecting into the startup folder upon reboot or shutdown/startup. Social engineering as per the example in the article can result in literally anything being given permission to install on the system. Either way, you are pwned without a very well blended defense, and even then most folks find it easier to use LiveCDs on a dedicated device. This assumes you only need the browser to interact with the bank – otherwise – I see no reason someone couldn’t develop the (payroll or other) software as open source based on, say, the Mozilla or Chrome browser.

        If you’re stuck with Windows, there are still many rivets you can put in the armor.

    4. prairie_sailor

      You mention that Java was NOT up to date – what about Flash, Shockwave, and Reader or Acrobat as the case may be?

      1. Terry Ritter

        @prairie_sailor: “You mention that Java was NOT up to date – what about Flash, Shockwave, and Reader or Acrobat”

        What does it mean to demand a computer be “up to date” in every way or not be considered secure enough to use online? Can a “complete” (and, thus, final) update even exist? Every computer is out of date, but we still need computer security.

        If our security demands that we be perfect, we are not going to have much security. Less-brittle security options do exist. My advice: Do not use Microsoft Windows online, and consider migrating online transactions to a “thin client” diskless environment.

        1. Marc Harmon

          A ChromeBook or ChromeBox would be perfect for this, assuming the banks website works with the Chrome browser and that Windows-only software was not required.

        2. prairie_sailor

          I don’t think that security demands perfection but in my last job as a service technician at a major computer retailer every computer I saw that was infected had out of date Reader, Flash and Java installations. In nearly every case the user missed updating his software not by weeks but by months and in some cases – years. The excuse I would often get when I would mention the out of date software would be “I didn’t know what that was so I would just cancel it.”

          1. Terry Ritter

            @prairie_sailor: “every computer I saw that was infected had out of date Reader, Flash and Java installations.”

            It sounds to me like those computers were preselected as ones with infections anti-vi can detect. But what about the *other* computers, the ones which may *seem* uninfected, but may in fact *be* infected?

            Fixing computer infection may be possible when we can see it, because then we can work until we cannot see it anymore. Of course, if the infection is a bot, there is no way to know what the bot master may have done, so those things probably cannot be reversed. But we understand now that normal users and normal technicians on normal equipment cannot expect scans or any other means necessarily to detect infection anyway.

            Modern malware generally “encrypts” itself so scanning for particular “signatures” does not work. The most effective malware also hides really well and avoids giving itself away. Indeed, malware may bring in other, older friends, among which it is much easier to hide. It simply may not be possible to detect the best-hiding malware on normal systems. As a result, dealing with infection may demand techniques which do not require detection.

            We cannot expect to stop malware from getting in and running, or from breaking into the OS. So the main remaining tool we have is to somehow *prevent* infection. We thus need to stop malware from writing to the boot disk and changing the OS. A decade ago malware was adding files to the startup folder; now it may be changing actual instructions inside OS code. Instrumented systems could of course identify such changes, but on normal systems that is unlikely.

            I cannot bring myself to believe in an endless search for a correct “blend” of add-on software. Validating any such result would require the ability to detect infection, but if we could do that, we would not need the added software. We might think to reload a clean OS into a VM for each online session, but I can see a lot of ways for that to go wrong. Personally, I use Puppy Linux from DVD on a diskless system. Almost any other response seems very risky to me.

            1. JCitizen

              I hear what you’re saying Terry:

              I’m trying to get folks into the LiveCD route; or locked boot USB with same OS, but I’m not always the best salesman. So I try anything to delay the inevitable for SMBs – some of which not only refuse to go this route, but don’t have the money to buy a good instant drive image restore software solution.

              I can see why most IT security specialists would not want to bother building a truly blended defense, because of the licensing nightmare. But I work for small businesses or individuals who can use solutions outside the Enterprise market, or are eligible for free licenses. I used to run a honey pot lab at my last contract, but have found it unnecessary to test most solutions directly with malware. There are plenty of sites who video direct zero day testing, so there is no need to go there.

              As I use the same solutions most of my clients do, I usually find flaws before they do anyway, and can change course at the smallest whiff of trouble. This doesn’t happen very often, but can result in a big shakeup of strategy, hardware, or software before the smoke clears. I enjoy this kind of work, so it doesn’t bother me rattling the bushes looking for new information.

    5. AlphaCentauri

      It’s curious to see the way people are responding to the post that said the client wasn’t negligent. Not to equate the two crimes, but you see people responding the same way to rape victims. They ask a litany of questions about the details of the crime, oblivious to the fact that the victim isn’t ready to relive the experience any more times. Her friends really are looking for some reassurance that it won’t happen to them, that the victim did something or failed to do something, and that if they themselves are attentive to that detail, their world will still be safe.

      No matter how much your system is updated, there will always be an interval when the new 0-day exploit will not be detected and the vulnerability will not be patched. You’ve got very clever people creating malware and social engineering attacks, and a lot of financial motivation for them to find unanticipated ways to defeat security.

      1. JCitizen

        True;

        I still feel that if one has patch alert utilities to remind even the clueless user to keep up to date, and the other factors of a well blended defense, these incidents become more and more difficult for the attacker – and maintenance for the user (potential victim) gets easier every day.

        Of course, there is also no substitute for training. At my last contract we vigorously trained our users on HIPAA requirements; and we tried to condense it into Keep It Simple Stupid bite sized chunks of information, and were very successful in preventing security breaches. They rapidly reduced to just one that year, to zero the next two.

  10. David

    Banks should require their business customers to use dedicated systems when conducting any online transactions. Dedicated meaning only for that purpose, no messaging and no web browsing whatsoever. And disable all USB ports. The cost of that pc will certainly be a lot less than the amount that was stolen. Unless of course the biz is penny wise and pound foolish and that is a popular mentality in the corporate world today.

    1. AlphaCentauri

      It’s not just about saving money. It’s about integrating applications, so you don’t have to rely on the accuracy of a human being retyping sums from the computer that does the accounting or the computer that is logged onto the account at the other bank. You lose a lot of the advantages of computerizing your banking and accounting when you have a computer that has no function other than to log into a single bank.

      1. prairie_sailor

        I agree – even if you set a policy – human nature is to take the path of least resistance. If you set up a system that is either a “thin client” or dedicated, staffers still will not see the harm in “checking” from a potentially infected computer. I think many businesses – esp. their IT departments – need to be more proactive about several things.

        1) Education at a user-understandable level. I saw many courses while I was a Navy Reservist about phishing and protecting information, and most of those spent a lot of time talking about policies and using a lot of technical jargon. Very little of it dealt with items that were actionable by the end user, and an extensive list of policies is boring. Training should instead concentrate on what sort of things to look for and hammer home that the end user is the first and most important line of defense. If they are having periodic crashes or get a funny email message and don’t report it to IT, the first line of defense fails.

        2) Get ALL of the software up to date.

        3) Make it a policy to periodically scan the computers with an offline malware scanner. Most of the major AV vendors have them, such as Kaspersky and F-Secure. It might not catch all of the bots but it does strip away techniques that the bots use to hide from online utilities.

        1. JCitizen

          A good blended defense would entail many more factors than that, if you are stuck with Windows based software. Also, if the “thin client” needs to connect to the network, the server/firewall/gateway for it could use white listing to focus only on the sites that need be.

          If the dedicated device needs to have a hard drive at all; there are several ways to lock the drive and make it read only. This wouldn’t include external filing sources, of course, only the operating system image.

          Of course any Windows based software can run on a good VM.

          1. Terry Ritter

            @JCitizen: “there are several ways to lock the drive and make it read only.”

            Microsoft Windows itself apparently has (or had) the ability to write-enable or write-disable logical drives, but that is not a security solution. After the OS has been subverted and owned, software protections are useless.

            It used to be possible to gate or switch the electrical write pin to the physical drive itself, which is an absolute hardware guarantee, but I have not seen that for a decade or so. It would carry the same update problem as USB flash drives:

            I actually do have a couple of different USB flash drives with write-enable switches. But since browser updates are inevitable, we inevitably have to flip that switch. When we do, we have lost our hardware guarantee that we have not been infected. Since detecting an infection is unlikely, the hardware guarantee was the only security assurance we had, and we are forced to give it up.

            In contrast, one advantage of Puppy-style DVD updates is that nothing is invisibly replaced, but new files only added to a DVD archive. Each new addition can thus be distinguished, investigated and cancelled, if necessary. Of course, the basic anti-infection advantage is that after the boot load, the DVD can be removed from the drive.

            “any Windows based software can run on a good VM.”

            Well, yes, but the largest malware advantage is still to use anything but Microsoft Windows online. While there may be ample motive to find some way to run Windows, if malware gets in, it will run. At that point, we have only the general assurance that the VM really is as secure as it is supposed to be. And since we cannot guarantee to detect infections, we cannot know when that assurance fails.

            Beyond that, a VM is complex software, and inevitably adds its own usage issues and security flaws to the underlying OS. To get a malware anti-infection advantage, one does need to re-load the OS into the VM on each session. That seems much like a DVD-load system, but notably without hardware anti-infection guarantees. Since we are unlikely to detect infection, those guarantees are all we really have, unless all this happens on a system without a writable drive.

            1. JCitizen

              There are solutions superior to the old Steady State Microsoft product. I’m not a shill, so I will not list them; but our local college has not had a software security problem in ten years because of using such solutions. With all the sloppy practices of the students and local script kiddies, this is saying something significant there – IMO.

              As for flipping the switch, I’m sure you’re aware that a simple reboot should clear the CPU and anything (with the exception of a hardware flash) that was resident on the previous session. Even in the case of a firmware breach, these solutions will definitely cause catastrophic failure. I don’t consider a software failure a breach of security, only a repair headache. Backups can always save that situation, providing you don’t reintroduce the malware again. I’ve had to reflash many a BIOS, and disk drive controller, and do a drive geometry diagnostic repair, for clients that just can’t afford to trash their hardware and start over.

              I agree with everything else you are saying of course. I feel it is my job to make the mission of the attacker more miserable everyday; and that is my prime goal. I still feel I can do this fairly easily.

              1. Terry Ritter

                @JCitizen: “There are solutions superior to the old Steady State Microsoft product. I’m not a shill, so I will not list them; but our local college has not had a software security problem in ten years because of using such solutions.”

                Gosh, it sure would be nice if somebody who actually knew what to do would spell that out in detail for those who need help.

                Experience is great, but from the era before modern malware, not very applicable. Since modern malware generally cannot be found by anti-vi, even protected systems may have bots and we could not know. Unless, of course, special techniques are used to prevent infection, but then those techniques would have to work.

                “As for flipping the switch, I’m sure you’re aware that a simple reboot should clear the CPU and anything (with the exception of a hardware flash) that was resident on the previous session.”

                As a former microprocessor chip design engineer, I *am* “aware” of reboot, but we *all* know this: *If* normal systems had the ability to “clear” malware on reboot, *then* everybody could just reboot before banking online and we would not have the problems we have today. So, in fact we *all* know that normal systems do *not* “clear” malware on reboot. Normal systems just reboot to whatever the boot drive contains.

                On normal systems, malware trivially infects the boot drive, which is then *not* “cleared” by reboot, and that is how the infection continues. Using a flash drive is no different, because it is just as trivial to infect, as soon as any write-enable switch is flipped to allow an update. My personal systems do clear malware upon reboot, but only because they have no writable drive to be infected and instead boot Puppy Linux from DVD.

                Because anti-vi scanning cannot be trusted to find malware, it is only to be expected that normal systems will accumulate malware and their users will not know. Normal systems thus cannot be trusted, even those with up-to-date patches and anti-vi, and, yes, even “dedicated” systems.

                1. JCitizen

                  Thanks for the rep; Terry:

                  There are several free solutions, and one good paid solution, that can detect that startup folder injection, that I think you are talking about – are there other survival schemes for modern malware? Even CCleaner will dump startup\temp files before rebooting, if the user does their maintenance. I’ve not had trouble convincing them of this, after a short explanation.

                  There are also quite a few solutions that run at or near the kernel layer that help foil or otherwise obfuscate the mission of the malware. If an attacker has to deal with all of them, I’d think this would be pretty obvious – it has been for my clients anyway. They always know when pwn attempts are happening – so far.

          2. AlphaCentauri

            I’m sure the Iranians thought they were safe having computers not connected to the network at all. If the stakes are high enough, malware creators can be very creative.

            1. JCitizen

              For sure! I bet they glued shut every USB port not in use from now on! I know a lot of Army units that do this now, for commercial grade hardware, that is. I’ll never forget the first “sneaker net” virus I witnessed in the field, which permanently crashed our SASS computer (1989). It arrived from supply headquarters on a floppy disk. We had to do the rest of the field exercise manually.

              I bet someone at Ft. Lee got burned on that one.

    2. Terry Ritter

      @David: “Banks should require their business customers to use dedicated systems”

      Although I have heard that many times, I still do not understand why: Exactly which part of a dedicated system prevents it from being subverted?

      Sure, if a system does nothing and goes nowhere it is unlikely to be infected. But can we imagine a business system without email? Can we imagine users refusing a managerial order to just check a site on that machine? That is the reality.

      With infection, all it takes is one human error at some unknown time in the past to make a machine insecure. Antivirus scans will not find a lurking bot. Absent indication, we naturally assume we are not infected. Then we use that machine and encounter disaster. In my view, a dedicated machine cannot be trusted any more than any other.

      Those who want best security need to be looking at a “thin client” system with no hard drive and loading the OS from DVD, since that actually does address infection.

      Or instead of a dedicated machine, at least use something other than Microsoft Windows online.

  11. Chris Thomas

    The financial institutions listed below urge their customers to use Trusteer Rapport. This software probably would have saved Tennessee Electric a lot of money.

    Shame that Tri-Summit did not seem to be aware of Trusteer Rapport or maybe it was aware but chose to ignore it?

    What is good enough for HSBC is good enough for me. I wouldn’t dream of banking online without Rapport locking down my web browser to prevent malware from doing its evil work.

    I am a disciple of what those clever guys in Tel Aviv are doing to protect those who would do their banking online.

    http://www.trusteer.com

    Alliance Bank of AZ
    Alliance & Leicester
    Alta Alliance Bank
    Amegy Bank
    American State Bank
    Auto Trader UK
    BancFirst
    Bangor Savings Bank
    BankFIRST
    Bank of America
    Bank of Cyprus UK
    Bank of Montreal
    Bank of Nevada
    Bank of the West
    Bank of Valletta
    Bankers Trust
    BBVA Compass
    BMO Harris Bank
    BOK Financial
    Boursorama
    Busey Bank
    Cadence Bank
    Cambridge Savings Bank
    Cape Bank
    Cape Cod 5
    Capital Bank
    Capital City Bank
    Carolina First Bank
    CenterState Bank
    Central Bank KY
    Central Bank UT
    Charter One
    CIBC
    Citizens Bank
    Clydesdale Bank
    CNB
    CNB Bank
    CNLBank
    CoBiz Financial
    Comerica
    Commerce Bank WA
    Co-Operative Bank
    Coutts
    CoVantage Credit Union
    Coventry Building Society
    East West Bank
    Eastern Bank
    eBay
    Ecobank
    EECU
    Enterprise Bank
    EverBank
    Exchange Bank
    F&M Bank
    FMB FL
    Fifth Third Bank
    first direct
    First Independent NV
    First Republic Bank
    First United Bank
    Grandpoint Bank
    Hancock Bank
    HSBC
    Huntington National Bank
    IBC Bank
    ING DIRECT Canada
    ING DIRECT USA
    Interbanking
    iTransfer
    M&F Bank
    Mahopac National Bank
    Martin FCU
    Mechanics Bank
    Mercantile Bank
    Mercantile Bank MI
    Merchants Bank
    Merrill Lynch
    Metro Bank
    Mid-Atlantic Corporate
    National Bank of Arizona
    Nationwide
    NatWest
    NBC Bank
    Nedbank
    NEFCU
    Nevada State Bank
    N&P Building Society
    OceanFirst Bank
    Old National Bank
    OnVista Bank
    PayPal
    Peoples Bank OH,WV,KY
    Peoples Bank (MO)
    President’s Choice Financial
    PSECU
    RBS Citizens
    Renasant Bank
    Republic Bank
    Riverview Community Bank
    Rockland Trust
    Royal Banks of Missouri
    SSCU
    Santander
    Santander Chile
    Santander Rio
    Scotiabank
    Scotiabank Mexico
    Selfbank
    Selftrade
    ShareBuilder
    SiebertNet
    Smile
    Societe Generale
    Somerset Hills Bank
    Southwest Bank
    Standard Bank
    State Bank & Trust
    SunTrust
    Synovus
    TCB Phila
    TDFCU
    The Bank of Castille
    The Royal Bank of Scotland
    Tompkins Trust
    Torrey Pines Bank
    Tropical FCU
    USAmeriBank
    Ulster Bank
    United Bank
    Utah Community Bank
    Valley National
    Vectra Bank
    Westfield Bank
    Xceed FCU
    YBS
    Yorkshire Bank
    Zions Bank

    1. MrUnFixit-Maybe

      Chris Thomas: If you’re going to advertise your product here, don’t shove it in our face. We don’t want to start to hate your product just because you are obnoxiously commandeering somebody else’s blog. Why not start your own – surely you have blog space on your employer’s website?

      Didn’t Brian review Trusteer a while back and find it ‘light weight’, and people commenting seemed to agree it made their system unstable?

      1. JCitizen

        Trusteer is only one rivet in the armor of a well blended defense. You can build a very good defense without it too. However, if you are a business, and the bank is pushing Rapport to your client side, you would have little choice but to use it. Many of my clients are in just that situation.

        I’ve not had any trouble with it at my bank for a long time. The trouble I did have was my fault from the beginning.

      2. Chris Thomas

        It’s not my software. I have no connection with Trusteer. I just use it and have installed it with no problems on Windows XP, Vista and 7 systems for friends. I built those systems and they all run either AVG or Avast free anti-virus and Outpost Firewall. None run Firefox. Vista and 7 systems all run IE9.

        Consequently I was a bit surprised (but not too surprised) to read of the problems of other people who use it. My gripes with Rapport are fairly trivial: it slightly slows the XP Pro system running on my modest hardware, and Google Chrome version changes cause it not to work with Chrome until Rapport catches up with Chrome’s updated API.

        If I was running a business, I would set up a system for the sole function of performing banking transactions. Better still, I would site my office next to the bank and do things by paper. Until USB quill pens come into use that is.

  12. Beck

    “Everything we see has some hidden message. A lot of awful messages are coming in under the radar – subliminal consumer messages, all kinds of politically incorrect messages…”
    — Harold Ramis

    ===

    “RFID in School Shirts must be trial run”

    The trial runs began a LONG time ago!

    We’re way past that process.

    Now we’re in the portion of the game where they will try and BRAINWASH us into accepting these things because not everyone BROADCASTS themselves on and offline, so RFID tracking will NEED to be EVERYWHERE, eventually.

    RFID is employed in MANY areas of society. RFID is used to TRACK their livestock (humans) in:

    * 1. A lot of BANK’s ATM & DEBIT cards (easily cloned and tracked)
    * 2. Subway, rail, bus, other mass transit passes (all of your daily activities, where you go, are being recorded in many ways)
    * 3. A lot of RETAIL stores’ goods
    * 4. Corporate slaves (in badges, tags, etc)

    and many more ways!

    Search the web about RFID and look at the pictures of various RFID devices; they’re not all the same in form or function! When you see how tiny some of them are, you’ll be amazed! Search for GPS tracking and devices, too, along with the more obscured:

    – FM Fingerprinting &
    – Writeprint

    tracking methods! Let’s not forget the LIQUIDS at their disposal which can be sprayed on you and/or your devices/clothing and TRACKED, similar to STASI methods of tracking their livestock (humans).

    Visit David Icke’s and Prison Planet’s discussion forums and VC’s discussion forums and READ the threads about RFID and electronic tagging, PARTICIPATE in discussions. SHARE what you know with others!

    These TRACKING technologies, on and off the net are being THROWN at us by the MEDIA, just as cigarettes and alcohol have and continue to be, though the former less than they used to. The effort to get you to join FACEBOOK and TWITTER, for example, is EVERYWHERE.

    Maybe, you think, you’ll join FACEBOOK or TWITTER with an innocent reason, in part perhaps because your family, friends, business partners, college ties want or need you. Then it’ll start with one photo of yourself or you in a group, then another, then another, and pretty soon you are telling STRANGERS as far away as NIGERIA, with scammers reading and archiving your PERSONAL LIFE, and many of these CRIMINALS have the MEANS and MOTIVES to use it how they please.

    One family was astonished to discover a photo of theirs was being used in an ADVERTISEMENT (on one of those BILLBOARDS you pass by on the road) in ANOTHER COUNTRY! There are other stories. I’ve witnessed people posting their photo in social networking sites, only to have others who dis/like them COPY the photo and use it for THEIR photo! It’s a complete mess.

    The whole GAME stretches much farther than the simple RFID device(s), but how far are you willing to READ about these types of intrusive technologies? If you’ve heard, Wikileaks exposed corporations selling SPYWARE in software and hardware form to GOVERNMENTS!

    You have to wonder, “Will my anti-malware program actually DISCOVER government controlled malware? Or has it been WHITELISTED? or obscured to the point where it cannot be detected? Does it carve a nest for itself in your hardware devices’ FIRMWARE, what about your BIOS?

    Has your graphics card been poisoned, too?” No anti-virus programs scan the FIRMWARE on your devices, especially not your ROUTERS, which often contain commercially rubber-stamped approval of BACKDOORS for certain organizations which hackers may be exploiting right now! Search on the web for CISCO routers and BACKDOORS. That is one of many examples.

    Some struggle for privacy, some argue about it, some take preventive measures, but those who are wise know:

    Privacy is DEAD. You’ve just never seen the tombstone.

    1. MrUnFixit-Maybe

      Sadly, even my puppy has one of these RFID chips implanted, but how come it won’t bring him home before the pound grabs him and I have to bail him out?

      My puppy has ABSOLUTE trust in me – no paranoia whatsoever. Did I do something wrong to have the chip implanted in him?

      1. JCitizen

        HA! Very funny MUF-M!! Just don’t put a tin foil hat on that puppy! It will just improve the signal! 😀 !

  13. Phoenix

    The subject hearing was held by the Capital Markets … subcommittee of the House Financial Services committee and there is an archived video available for viewing on house.gov. One of the witnesses said that AV software stopped working 5 years ago; current malware is beyond detection. I thought that was notable.

    1. JCitizen

      Pretty much everywhere I hang out, IT professionals have declared signature based AV/AM solutions as obsolete. But they are still put to good use as a janitor service, to clean up after the fact.

      However – this does not mean there are not useful new advances in behavioral heuristics in solutions that work at or near the kernel level of the operating system, so malware manipulation is greatly reduced. Even where malware would possibly manipulate such solutions, the blended defense would either result in an alert from another solution, the behavior successfully blocked, a BSOD, or other obvious system instability. Any one of those factors would alert someone with the least observational powers.

      I would therefore disagree that new malware would not be detectable in all such circumstances. There are several good videos on YouTube of professionals testing zero day threats of such solutions. There are also many amateurs doing the same thing – though – so one must filter out the beginners here.

  14. certdoctor

    BK,
    Love to see some proactive articles: ideas about solutions. Whether it be banks sharing liability via legislation changes and stepping more up to the plate, or anything else on the horizon. Great work as always though, BK.

    1. Mike Angelinovich

      “OHVA’s SoundPass is a cutting edge solution. We feel it offers our members the highest level of security available.”
      – David Gray, Manager, Electronic Services, Anheuser-Busch Employees’ Credit Union and Division

      1. andy1

        What’s up with the ads for “cutting edge solution[s]”? Don’t want to be left out since everyone else is doing it too!?

      2. TJ

        Shocking! I found a press release with Mike Angelinovich listed as the OHVA contact.

        1. AlphaCentauri

          Anyone else getting the feeling that Google’s Penguin is changing the rules of SEO optimization?

          1. JCitizen

            I’m way past getting that feeling. It is hurting the results in their searches so bad, I now use many other engines, and switch hit between them for results. Didn’t I hear that someone has one search window that uses several search solutions, all in one session?

            I’ve been blowing taps for Scroogle for some time now.

            1. AlphaCentauri

              No, I meant Google’s new algorithm has caused a lot of spammy pages to drop out of the search results. When a spammer tries to post on a forum I moderate, I used to be able to delete the comment yet find multiple identical ones in less aggressively moderated forums to use as examples of forum spamming when I gave them bad WOT ratings. Now it’s very difficult to find them. So if Google has changed the rules, the spammers have to find something else to do to boost their search engine ranking.

              1. JCitizen

                Thanks;

                Sorry I didn’t see that clearly; my bad!

                That is encouraging news! 🙂

  15. Prudence

    But where does this thief find the people for money mules?

    1. Infosec Geek

      Money mules are easily recruited from the ranks of the unemployed but desperate to work.

      Contrary to the mythos of the 1%, being unemployed does not mean one is lazy; it merely means there are not enough jobs to go around. Go on Craigslist or open the spam folder and you’ll find plenty of ads for online gigs that are obvious scams.

      It wouldn’t surprise me to learn that the next development will be automating the money mule function, so that the overseas payments can be scripted from a compromised end user computer as the intermediary. Might already be happening but nobody has looked for/found it.

        1. Elizaneth

          I read the article but I don’t understand how they cash out the money from a prepaid card?

          1. EFTDADDY

            Once the cards are funded, they go to Western Union or Moneygram online or in person and move the funds out of the country.

            1. Elizaneth

              Yes, but you need to have the prepaid card in hand, right? And to have the prepaid card, it needs to be delivered to the thief’s address.

              1. EFTDADDY

                Yes, you do need them in hand for store visits, but the card is either a skimmed version or in the name of a stolen identity, and the actual user can’t be identified. The downside for hackers on cards is there is typically a daily limit associated, and if the entities that were defrauded can act quickly enough, the card issuers can be notified and a portion of the funds can be recovered. Funds deposited to DD and SV accounts are gone before anyone realizes anything is wrong.

                1. Leavit

                  Why does Krebs not write more info about this?

  16. cherry

    The US House of Representatives is to hold a hearing. Is this so they can generate a report, one that either slaps down customers for weak security or stabs banks for weak authentication, that is then ignored/voted down in one of the houses for partisan reasons depending on which way the report goes? Oh, or even if it gets to the legislative stage, perhaps both sides will say “banks can’t afford this in the GFC blah blah blah” or vice versa with business.

    Whatever happens, I strongly suspect it would/will be unpopular with someone. Do they have the guts to do anything about this situation? I doubt it based on past experience. There are obvious other reforms regarding credit cards and the flow of money to rogue pharmacies that Congress does not have the balls to touch.

    US politicians are thoroughly reactive at present and locked into petty squabbling; US businesses will get no joy from their administrators and should go and protect themselves.
