WatchPoint Security Blog

Banks Say “TOO BAD” when Hackers Steal MILLIONS from Business Accounts

Written by Chris Hartwig | December 09, 2015

It might be surprising to hear, but consumers have better protection against cyber fraud than business customers. Your bank’s liability when your business account is compromised is severely limited, and in most cases the onus for the heist is placed on the business itself. If a wire transfer for $20,000 is initiated against a business account, the bank will process the transaction and wash its hands of it if it is later found to be fraudulent. Let’s highlight some examples and determine what can be done to protect your business account from a cyberheist.

“Technically, the crime wasn’t committed against us (the bank), it was committed against you.” - Bank Representative

In 2013, a cyberheist of $197,000 occurred in which most of the money was recovered, allegedly after Chinese authorities were paid a carton of cigarettes and a cash bounty. The victim in this cyberheist retained an attorney with a reputation for winning legal settlements against banks that haven’t done enough to protect their customers from cyberheists.

The attack was simple yet sophisticated. On December 24th, 2013, the accountant logged onto the bank’s portal to make a deposit. After typing in the username and password, the accountant was redirected to a web page explaining that the bank’s site was having technical difficulties and asking the accountant to provide a one-time token to validate the request.

What the accountant didn’t know was that hackers had previously infected the accounting PC with a password-stealing Trojan horse program that took control of the web browser. Immediately after the accountant supplied the token, the hackers used the hijacked browser session to initiate a fraudulent wire transfer of $197,000 to a company in Harbin, a city in China. China is a big state sponsor of cyber espionage, and criminal terrorist organizations are right behind them.
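The reason the captured token was enough is worth seeing in code. The following is an added illustration, not code from the original post or from the bank involved: it contrasts a one-time code that depends only on a shared secret and a counter with a code that is also bound to the beneficiary and amount the customer actually approved. The secret, the order details and the simplified HOTP-style derivation are all constructed assumptions for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo secret shared by the bank and the customer's token device.
DEVICE_SECRET = b"constructed-demo-secret-not-a-real-key"


@dataclass(frozen=True)
class WireOrder:
    beneficiary: str
    amount_cents: int


def _six_digits(mac: bytes) -> str:
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def generic_otp(secret: bytes, counter: int) -> str:
    """One-time code derived from the secret and a counter only (HOTP-like, simplified).
    It proves the user holds the device but says nothing about what is being approved."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _six_digits(mac)


def transaction_token(secret: bytes, counter: int, order: WireOrder) -> str:
    """Code bound to the order's beneficiary and amount. The device shows both fields
    to the user before producing the code, so a substituted order yields a different code."""
    msg = f"{counter}|{order.beneficiary}|{order.amount_cents}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _six_digits(mac)


class Bank:
    """Minimal bank back end that checks the submitted code before paying."""

    def __init__(self, secret: bytes, bind_to_transaction: bool) -> None:
        self.secret = secret
        self.bind = bind_to_transaction
        self.counter = 0
        self.paid: list[WireOrder] = []

    def submit(self, order: WireOrder, code: str) -> bool:
        if self.bind:
            expected = transaction_token(self.secret, self.counter, order)
        else:
            expected = generic_otp(self.secret, self.counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.counter += 1
        self.paid.append(order)
        return True


def simulate_hijack(bind_to_transaction: bool) -> bool:
    """Replay the incident: the user approves one order, the Trojan in the browser
    submits a different one with the captured code. Returns True if the fraud was paid."""
    bank = Bank(DEVICE_SECRET, bind_to_transaction)
    intended = WireOrder("Payroll account (constructed)", 5_000_00)
    fraudulent = WireOrder("Mule account (constructed)", 197_000_00)

    # The user's device produces a code for what the user actually sees on screen.
    if bind_to_transaction:
        code = transaction_token(DEVICE_SECRET, bank.counter, intended)
    else:
        code = generic_otp(DEVICE_SECRET, bank.counter)

    # The hijacked browser session swaps the order but reuses the code.
    return bank.submit(fraudulent, code)


def legitimate_order_accepted(bind_to_transaction: bool) -> bool:
    """Sanity check: an order the user really approved is paid in both modes."""
    bank = Bank(DEVICE_SECRET, bind_to_transaction)
    order = WireOrder("Supplier account (constructed)", 1_250_00)
    if bind_to_transaction:
        code = transaction_token(DEVICE_SECRET, bank.counter, order)
    else:
        code = generic_otp(DEVICE_SECRET, bank.counter)
    return bank.submit(order, code)


if __name__ == "__main__":
    print("generic OTP, fraud paid:", simulate_hijack(False))
    print("transaction-bound token, fraud paid:", simulate_hijack(True))
```

The point for a business customer is the question to ask the bank: does the code I type confirm that I am present, or does it confirm this payee and this amount? Only the second survives a browser that has been taken over.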

The Chinese Bribe – Cash and a Carton of Smokes

When the victim company discovered the fraudulent transaction, a discussion was initiated with the bank rep, who let the victim know there was nothing the bank could do about the transaction because “technically, the crime wasn’t committed against us (the bank), it was committed against you.”

The local Harbin police were initially reluctant to help until the company owner was able to leverage the support of an associate whose cousin, a lawyer living in China, offered to assist. Chinese authorities eventually accepted a local police report, but what really sealed the deal was when the lawyer met with the Harbin police and offered a gift-wrapped box of cigarettes and a promise to cut them in on a percentage of the money if the funds were recovered.

Two days later the funds were recovered. The business owner went home with $166,000, and the Chinese policemen received $34,000 and a carton of cigarettes for their efforts. Other businesses have not been as fortunate. What we are seeing today is a banking industry that will not take responsibility for, or reimburse its customers when, their accounts are breached and money is stolen by foreign cyber criminals. The banks are adopting an approach that puts the responsibility on the business owner to secure their systems and transactions, and if a business is duped into a scheme similar to the one above, the banks are refusing to compensate because “the customer should have done more to protect the account credentials.”


I was in a meeting, but my PC approved millions in wire transactions!

In 2009 Valiena Allison, chief executive officer of Sterling Heights, Michigan-based Experi-Metal Inc., was the victim of a major cyberheist. Allison received a call from her bank regarding a wire transfer from her company’s website. Allison had not approved the transaction, but her computer had. While she was speaking with the bank representative on the phone, she discovered her company computer was approving other transactions as well. She was unable to stop the cyberheist as it happened, and by the end of the day $5.2 million had been lifted from the company account, leaving a balance of only $561,000. When Allison turned to her bank, a branch of Comerica Inc., to help recover the money, she was told the loss was Experi-Metal’s fault because it had allowed her computer to be infected by the hackers.

According to Don Jackson, a security expert at Dell SecureWorks, cybercriminals are stealing as much as $1 billion a year, in increments of a few thousand to a few million dollars per theft, from small to mid-sized bank accounts in the U.S. and Europe. Account holders are always the biggest losers in these cyberheists.

Green Ford Sales – Green Stolen

On November 1st, 2010, cyber thieves hacked into Green Ford’s network and used readily available keystroke-logging software to siphon $63,000. The keylogger recorded the web address in addition to the username and password required to access the account. The hackers then took remote control of a compromised computer and used it to access the account. In this attack, it’s not just the bank account that is vulnerable. The customer records maintained by Green Ford Sales were also exposed, and that is a real problem for a business that has a legal responsibility to protect customer data. Dealers could face penalties for legal violations and civil suits for failing to protect their customers’ Personally Identifiable Information (PII).

Consumer vs. Business Regulations

Consumers who bank online in the U.S. are protected by Regulation E, which basically says that a consumer’s liability will not exceed $50 if the consumer notifies the bank within two business days after learning of the loss or theft of the access device (computer, tablet, phone, etc.). Even if timely notice isn’t given, the consumer is only responsible for unauthorized transactions that occurred after the close of those two business days and before the bank was notified.

Businesses, however, do not enjoy such protection. Businesses have to abide by the Uniform Commercial Code (UCC), which states that a payment order received by the bank is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.” You may have to reread that sentence a few times to understand it, but it’s important that you do. It basically states that whether you authorized it or not, if a payment request comes through to the bank, they are going to pay it unless you have a written agreement restricting acceptance of payment orders issued in your name. As long as the order came through a reasonably secure channel, no further questions will be asked, and it will be processed.

Protect Your Business

Cyber Liability Insurance Policy: A cyber liability insurance policy is a good start toward covering your losses if a breach occurs. Be aware, however, that there are several pitfalls in obtaining a cyber liability policy that you need to work through to make sure your insurance company doesn’t deny your claim. Insurance companies are just as diligent as the banks in examining claims. Carriers carefully scrutinize the statements made during the policy application and throughout the period of coverage to determine whether inaccurate representations were made or the agreed-upon security practices were not followed. If it’s determined that the insured didn’t follow the security practices as stated, the claim will likely be denied, putting the insured on the hook for the full damages of the security breach. It is crucial that the cyber liability policy covers the full suite of actions a business will need to take in the event of an attack. Not only is a data breach expensive, but companies have the responsibility to navigate 47 different state notification laws, notify customers of the breach, pay for credit monitoring for those affected, hire forensic investigators, repair systems and prepare for lawsuits.

Employee Education: Your first line of defense is always your employees. You need to educate your employees about the methods hackers use to infiltrate a company’s network. Here are just a few to start talking with your employees about today.

Phishing: a technique in which a hacker attempts to acquire sensitive information (usernames, passwords, credit card numbers) by masquerading as a known and trusted entity in an email message. Train your employees not to open any email unless they know the sender, and let them know they should never give out their user credentials or sensitive information such as Social Security numbers or credit card details in an email or on websites.

Social Engineering: a technique in which a hacker manipulates an employee into performing actions or divulging confidential information. This attack typically happens over the phone, where the hacker works to gain the trust of an employee and then manipulates them into handing over sensitive information like passwords or bank account details.

Malvertising: a technique in which malicious or malware-laden advertisements are injected into legitimate online advertising networks and web pages. Per Wikipedia, malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'." The best defense here is to avoid clicking ads entirely.

Ransomware: a type of malware that restricts access to the computer system it infects and then demands that the user pay a hefty ransom to the operators of the malware to remove the restriction. CryptoWall is a very common piece of ransomware that arrives through an email phishing attack and installs malicious software on your network. The software goes through all the shared folders reachable from a machine and encrypts all the data. A ransom note is left behind for each file with instructions to pay a ransom to have the data decrypted.
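The behaviour just described (walk the shares, replace each file with an encrypted copy, drop a note) is also what makes this class of malware detectable while it runs. As an added example, not part of the original post and not any vendor's detection logic, the script below runs a simple rule over a constructed file-activity log: a process that, within a short window, writes many files whose names are an existing file plus an extra extension while deleting the originals, and that drops note-like text files in several directories, gets flagged. The log format, the note-name pattern and the thresholds are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed file-activity log in an assumed "timestamp pid process action path" format.
# A backup job and a ransomware-like process both touch the same share.
SAMPLE_LOG = """\
1000.0 512 backup.exe READ \\\\fs01\\shared\\finance\\q3.xlsx
1000.1 512 backup.exe WRITE D:\\backups\\finance\\q3.xlsx
1000.2 512 backup.exe READ \\\\fs01\\shared\\hr\\staff.docx
1000.3 512 backup.exe WRITE D:\\backups\\hr\\staff.docx
1001.0 777 invoice.exe WRITE \\\\fs01\\shared\\finance\\q3.xlsx.locked
1001.1 777 invoice.exe DELETE \\\\fs01\\shared\\finance\\q3.xlsx
1001.2 777 invoice.exe WRITE \\\\fs01\\shared\\finance\\budget.docx.locked
1001.3 777 invoice.exe DELETE \\\\fs01\\shared\\finance\\budget.docx
1001.4 777 invoice.exe WRITE \\\\fs01\\shared\\finance\\HOW_TO_RECOVER.txt
1001.5 777 invoice.exe WRITE \\\\fs01\\shared\\hr\\staff.docx.locked
1001.6 777 invoice.exe DELETE \\\\fs01\\shared\\hr\\staff.docx
1001.7 777 invoice.exe WRITE \\\\fs01\\shared\\hr\\HOW_TO_RECOVER.txt
1001.8 777 invoice.exe WRITE \\\\fs01\\shared\\hr\\payroll.xlsx.locked
1001.9 777 invoice.exe DELETE \\\\fs01\\shared\\hr\\payroll.xlsx
"""

# Assumed heuristics: note files carry words like these; thresholds are illustrative.
NOTE_NAME = re.compile(r"(recover|decrypt|restore)", re.IGNORECASE)
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
WINDOW_SECONDS = 60.0
MIN_REWRITES = 3
MIN_NOTE_DIRS = 2


@dataclass(frozen=True)
class FileEvent:
    ts: float
    pid: int
    proc: str
    action: str
    path: str


def parse_log(text: str) -> list[FileEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, action, path = line.split(maxsplit=4)
        events.append(FileEvent(float(ts), int(pid), proc, action, path))
    return events


def _norm(path: str) -> str:
    return str(PureWindowsPath(path))


def detect_mass_encryption(events: list[FileEvent]) -> dict[int, dict]:
    """Return {pid: details} for processes showing encrypt-then-delete bursts plus notes."""
    by_pid: dict[int, list[FileEvent]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    alerts = {}
    for pid, evs in by_pid.items():
        deleted = {_norm(e.path) for e in evs if e.action == "DELETE"}
        rewrite_ts: list[float] = []
        note_dirs: set[str] = set()
        for e in evs:
            if e.action != "WRITE":
                continue
            p = PureWindowsPath(e.path)
            if NOTE_NAME.search(p.stem) and p.suffix.lower() in NOTE_SUFFIXES:
                note_dirs.add(str(p.parent))
            elif str(p.with_suffix("")) in deleted:
                # "q3.xlsx.locked" written while "q3.xlsx" was deleted by the same process.
                rewrite_ts.append(e.ts)

        # Largest number of rewrites falling inside any WINDOW_SECONDS span.
        rewrite_ts.sort()
        burst = 0
        for i, start in enumerate(rewrite_ts):
            j = i
            while j < len(rewrite_ts) and rewrite_ts[j] - start <= WINDOW_SECONDS:
                j += 1
            burst = max(burst, j - i)

        if burst >= MIN_REWRITES and len(note_dirs) >= MIN_NOTE_DIRS:
            alerts[pid] = {
                "process": evs[0].proc,
                "rewrites_in_window": burst,
                "note_dirs": sorted(note_dirs),
            }
    return alerts


if __name__ == "__main__":
    for pid, info in detect_mass_encryption(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT pid={pid} {info['process']}: {info['rewrites_in_window']} "
              f"rewrites, notes in {len(info['note_dirs'])} directories")
```

The backup job in the sample writes plenty of files too, which is why the rule keys on the rewrite-plus-delete pairing and the note drops rather than on write volume alone; the response that follows an alert is the one the post describes, isolating the host before it reaches the next share.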

Bit9 + Carbon Black: Antivirus is less than 47% effective and cannot detect zero-day attacks (attacks that exploit a hole in software that is unknown to the vendor). A firewall is also only somewhat effective because it cannot protect against any of the attacks mentioned above: a firewall only blocks internet-initiated connections, the type that other computers on the internet try to make to you, and does nothing about connections your users initiate. You need a solution like Bit9 + Carbon Black that provides endpoint protection for all your devices. It’s also important to keep your systems patched and install all critical security updates as they are released. Bit9 + Carbon Black additionally gives you the ability to detect an attack as it occurs and respond by isolating the infected PC until the threat has been removed.

WatchPoint Data Forensic Experts: Even the best tools are useless unless you have experts who know how to use them. At WatchPoint Data, we have the tools needed to prevent your PC from getting malware, tools to detect threats in real time 24/7 and forensic experts to respond to the threats immediately.

You need a partner like WatchPoint Data, with the expertise and state-of-the-art products, including Bit9 + Carbon Black, to protect your customers’ and company’s vulnerable information and intellectual property. You cannot rely on the banks or the insurance companies to cover your losses after a breach; you have a responsibility to secure your network and data. There is no better partner equipped to help you deal with the cyber threats of the 21st century than WatchPoint Data.

With WatchPoint's Security Solution you will:

Know someone is securing your business.
Have true visibility into your digital assets.
Have a support staff dedicated to safeguarding your network.