Heist once again highlights e-banking vulnerabilities

The chief financial officer of a Missouri firm who discovered that cyber thieves had withdrawn $180,000 from the company's bank accounts overnight described it as "a helluva wake-up call" to security blogger Brian Krebs.

But that loss might have been avoided if the company, Primary Systems, had paid better attention to the risks of electronic banking. The warnings, and examples, of cyberheists in the hundreds of thousands -- and even millions of dollars -- have been around for years.

Krebs reported this week that the company became a victim of "a single virus-laden email that an employee clicked on [that] let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers."

In this case, a payroll batch worth about $180,000 was drawn from Primary Systems' bank accounts, paid to "money mules" and eventually sent to recipients in Ukraine.

The transactions were irregular -- highly irregular. They took place on a Tuesday, while the company had always processed its payroll on Friday mornings. They called for payments of between $5,000 and $9,000 to 26 people in almost that many different states who had never had any prior connection to the firm and who were added to the Primary Systems payroll that day.

But, even though it was six times the normal payroll, the total came in below the $200,000 threshold that would have triggered a call from the bank to get permission for the payouts.

None of this is new to electronic banking. One of the more prominent cases dates to May 2009 in Sanford, Maine, where Patco Construction, a small property development and contracting firm, discovered that its banker, Ocean Bank (later acquired by People's United Bank), had authorized six fraudulent withdrawals totaling $588,851, even after the bank's security system had flagged each transaction as high-risk. The bank was able to block or recover $243,406 of that total.

That incident led to a lawsuit against the bank that is reportedly headed for a negotiated settlement at the prodding of a federal Appeals Court judge. But it illustrated the same risks as the theft from Primary Systems -- ones that all businesses conducting electronic banking should be aware of.

First, a business is not protected at the same level as an individual. Different laws govern each. A bank has to reimburse an individual customer for losses due to fraudulent transactions, as long as the fraud is reported promptly. For commercial customers, a bank must simply have a security system that is "commercially reasonable," and electronic transactions must be made in "good faith."

In virtually all cases, that means the customer is on the hook for losses. So it has more of a default obligation to provide its own security by monitoring its accounts.

Joram Borenstein, senior director of global product marketing at NICE Actimize, said there is anecdotal evidence that one response to this is that some small companies are "misleading their own financial institution" by registering accounts as consumer accounts instead of ones designed for small businesses.

"While it's an outright lie to the bank, they are hoping that in a case of money being stolen, they will be protected from financial loss," he said.


Borenstein doesn't recommend that approach, of course. He and other experts say commercial bank customers need to remember that conventional security measures like firewalls and antivirus software are not enough. Thieves simply have to trick a single employee to get inside the firewall.

Educating employees is not enough either, said George Tubin, senior security strategist for Trusteer. "It goes to show that the battle of educating users on what they should and shouldn't do is lost. People are going to keep opening things they shouldn't," he said.

Most banks now offer heightened security services. Enterprise Bank offered Positive Pay, which verifies the validity of checks. Primary Systems did not start using Positive Pay until after the theft.

Banks should also make sure they are in compliance with the Federal Financial Institutions Examination Council's (FFIEC) mandatory guidelines. Among them are requirements that a bank impose multi-factor authentication, that it use layered security, and that it develop a risk profile of each of its customers so that its systems can more readily flag transactions that may be fraudulent.
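As an added example, not drawn from the article or from any bank's actual fraud system, the Python below sketches what a per-customer risk profile and layered batch-level checks of the kind the FFIEC guidance calls for might look like. It scores a payroll batch on the indicators the Primary Systems batch exhibited: submission on a day the customer never runs payroll, a total several times the customer's norm, a payee list made up of recipients who have never been paid before and who are spread across many states, and a total that sits just under the bank's fixed callback threshold. The profile values, weights, thresholds, dates and both sample batches are constructed for illustration.

```python
"""Batch-level risk scoring of a payroll/ACH batch against a per-customer profile.

Constructed example: the profile, thresholds, weights and sample batches below
are illustrative, not taken from any real bank or customer.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List


@dataclass(frozen=True)
class Payment:
    payee_id: str
    state: str   # two-letter US state code of the recipient's account
    amount: int  # whole dollars, for exact arithmetic


@dataclass(frozen=True)
class Batch:
    submitted: date
    payments: List[Payment]

    def total(self) -> int:
        return sum(p.amount for p in self.payments)


@dataclass(frozen=True)
class CustomerProfile:
    usual_weekday: int          # Monday=0 ... Friday=4; day the customer runs payroll
    typical_total: int          # median historical batch total, in dollars
    known_payees: FrozenSet[str]  # payee ids seen in earlier, undisputed batches
    callback_threshold: int     # fixed limit above which the bank phones the customer


@dataclass
class RiskAssessment:
    score: int
    indicators: List[str]
    hold_for_callback: bool


def score_batch(batch: Batch, profile: CustomerProfile, hold_at: int = 3) -> RiskAssessment:
    """Layered checks: each indicator adds to a score; the batch is held for a
    callback once the score reaches hold_at, regardless of the fixed dollar limit."""
    indicators: List[str] = []
    score = 0
    total = batch.total()
    n = len(batch.payments)

    # 1. Off-cycle submission: the customer has a stable payroll day.
    if batch.submitted.weekday() != profile.usual_weekday:
        indicators.append("off-cycle: submitted on a day the customer never runs payroll")
        score += 1

    # 2. Volume: total far above this customer's own baseline.
    if total > 3 * profile.typical_total:
        ratio = total / profile.typical_total
        indicators.append(f"volume: total ${total:,} is {ratio:.1f}x the typical batch")
        score += 2

    # 3. Payee churn: most recipients have never been paid by this customer.
    new_payees = [p for p in batch.payments if p.payee_id not in profile.known_payees]
    if n and len(new_payees) / n > 0.5:
        indicators.append(f"payees: {len(new_payees)} of {n} recipients have never been paid before")
        score += 2

    # 4. Geography: new payees scattered across many states (a money-mule pattern).
    new_states = {p.state for p in new_payees}
    if len(new_states) >= 10:
        indicators.append(f"geography: new payees span {len(new_states)} states")
        score += 1

    # 5. Threshold shaving: total lands just under the fixed callback limit.
    if 0.85 * profile.callback_threshold <= total < profile.callback_threshold:
        indicators.append("threshold: total sits just under the callback limit")
        score += 1

    return RiskAssessment(score, indicators, score >= hold_at)


# --- Constructed sample data -------------------------------------------------
PROFILE = CustomerProfile(
    usual_weekday=4,                      # Fridays
    typical_total=30_000,
    known_payees=frozenset(f"emp-{i:03d}" for i in range(1, 9)),
    callback_threshold=200_000,
)

# A normal Friday batch: eight known employees in one state, ~$28,000 total.
NORMAL_BATCH = Batch(
    submitted=date(2012, 5, 25),          # a Friday
    payments=[Payment(f"emp-{i:03d}", "MO", 3_500) for i in range(1, 9)],
)

# A suspicious Tuesday batch: 26 never-seen payees in 24 states, $5,000-$9,000
# each, totaling $181,025 -- below the $200,000 callback limit.
_STATES = ["AL", "AZ", "CA", "CO", "FL", "GA", "IL", "IN", "KY", "MA", "MI", "MN",
           "NC", "NJ", "NV", "NY", "OH", "OR", "PA", "TN", "TX", "VA", "WA", "WI"]
SUSPICIOUS_BATCH = Batch(
    submitted=date(2012, 5, 22),          # a Tuesday
    payments=[Payment(f"mule-{i:02d}", _STATES[i % len(_STATES)], 5_000 + 157 * i)
              for i in range(26)],
)

if __name__ == "__main__":
    for name, batch in (("normal", NORMAL_BATCH), ("suspicious", SUSPICIOUS_BATCH)):
        r = score_batch(batch, PROFILE)
        print(f"{name}: total=${batch.total():,} score={r.score} hold={r.hold_for_callback}")
        for line in r.indicators:
            print("  -", line)
```

The point of the layering is that none of the checks depends on the fixed dollar limit alone: the suspicious batch clears the $200,000 callback threshold but trips every baseline-relative indicator and is held, while the routine Friday batch scores zero. In a real deployment the baseline values would be learned from the customer's own history rather than hard-coded, and a hold would route to the out-of-band confirmation the bank already uses.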

Borenstein said commercial customers should "dedicate a work station or thumb drive or other 'locked-down' machine" for all bank transactions -- another measure Primary Systems took after the theft.

Tubin said he believes banks should be more forceful about telling commercial customers about their liability. While virtually all banks include that in account documents, "people just don't read all the documents, just like nobody reads every sentence of their mortgage."

"Most small businesses just don't get that they're vulnerable to this type of fraud," Tubin said. "But if they were told directly, then they might buy added security services the banks are offering."

Stories by Taylor Armerding