Calif. Co. Sues Bank Over $465k eBanking Heist — Krebs on Security

Village View Escrow is suing Professional Business Bank for losses of $465,000 resulting from “26 consecutive fraudulent wire transfers to 20 individuals around the world who had no legitimate business with the firm.”

The precedent is the Experi-Metal case against Comerica.

Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said the Village View lawsuit relies on similar claims made by Experi-Metal, arguing that its financial institution failed to act in good faith and that its online banking security procedures were not commercially reasonable.

Experi-Metal vs. Comerica Case Heads to Trial — Krebs on Security

Detailed update on the upcoming Experi-Metal vs. Comerica trial. In brief, Experi-Metal is suing its bank, Comerica, for money ($560,000) it lost due to fraudulent wire transfers that resulted from a security breach.

The bank, Comerica, claims the fault for the lost money lies entirely with Experi-Metal, while Experi-Metal claims that Comerica should have realized that a large number of wire transfer requests within a few hours was suspicious, especially considering that Experi-Metal had made only two wire transfers in the two years prior to this incident.

Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations will be held responsible for any losses due to phishing or account takeovers. But a rash of these attacks that has netted thieves more than $70 million over the last few years has caused some victim businesses and their lawyers to look for ways to hold banks more accountable, by pointing out ways in which the banks may not be living up to the somewhat nebulous state legal standards that govern commercial banking activities.

This case and other similar ones are putting pressure on small and mid-size banks, and the outsourcers who provide transaction processing services to them, to strengthen their security posture.

… more banks could and should offer the kind of technology employed by the major credit card networks, which try to build profiles of customer activity and then alert the customer or the issuing bank of any suspicious or unusual activity. But she said a large percentage of banks outsource the day-to-day customer transactions to third-party service providers, most of whom do not currently offer services that would conduct that transaction analysis.

When the costs of improving security posture are lower than the risk-weighted costs due to a breach, then these banks will move. I do not mean to appear overly cynical here. It’s the banks’ fiduciary responsibility to move only when the risk analysis scale tips in favor of improving security. That’s what makes this trial so interesting.
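
The activity profiling described above can be sketched as a velocity check against an account's own wire history. This is an added example, not code from the original post or from any bank; the 6-hour window, the tolerance of 1, the field names and the sample wires are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)   # assumed burst window
TOLERANCE = 1                 # assumed slack above the historical peak

def peak_in_window(times):
    """Largest number of wires that ever fell inside one WINDOW-long span."""
    times = sorted(times)
    return max((sum(1 for t in times if s <= t < s + WINDOW) for s in times), default=0)

def review_wires(history, pending):
    """Return {wire id: (action, reasons)} for each pending wire.

    history and pending are lists of dicts with keys id, ts (datetime), payee, amount.
    """
    limit = peak_in_window([w["ts"] for w in history]) + TOLERANCE
    known_payees = {w["payee"] for w in history}
    seen, result = [], {}
    for wire in sorted(pending, key=lambda w: w["ts"]):
        seen.append(wire["ts"])
        # Count pending wires (this one included) in the window ending now.
        in_window = sum(1 for t in seen if wire["ts"] - t < WINDOW)
        reasons = []
        if in_window > limit:
            reasons.append(f"velocity {in_window} > {limit} per {WINDOW}")
        if wire["payee"] not in known_payees:
            reasons.append("new payee")
        # A burst beyond the account's own profile is held; a new payee alone only alerts.
        action = "hold" if in_window > limit else "alert" if reasons else "release"
        result[wire["id"]] = (action, reasons)
    return result

# Constructed sample data: two wires in two years, then five in under two hours.
HISTORY = [
    {"id": "h1", "ts": datetime(2018, 3, 5, 10, 0), "payee": "supplier-a", "amount": 12000},
    {"id": "h2", "ts": datetime(2019, 9, 17, 14, 30), "payee": "supplier-b", "amount": 8500},
]
START = datetime(2020, 1, 15, 7, 30)
PENDING = [
    {"id": f"p{i}", "ts": START + timedelta(minutes=20 * i),
     "payee": f"payee-{i}", "amount": 9000 + i}
    for i in range(1, 6)
]

if __name__ == "__main__":
    for wire_id, (action, reasons) in review_wires(HISTORY, PENDING).items():
        print(wire_id, action, "; ".join(reasons))
```

With this constructed history the first two wires only raise an alert for the unfamiliar payee, and every wire from the third onward is held.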

Escrow Co. Sues Bank Over $440K Cyber Theft — Krebs on Security

The Choice Escrow and Land Title escrow company had $440,000 stolen from its bank account in one fraudulent online transaction. Choice Escrow is suing the bank – BancorpSouth, Inc. of Tupelo, Miss.

The fraudulent transaction was to a corporate account payee in Cyprus.

Technically, the bank is not responsible for commercial account losses unless reported within 48 hours of the transaction. However, Choice Escrow is suing on the basis that BancorpSouth did not provide the two-factor authentication required by the Federal Financial Institutions Examination Council (FFIEC).

Even if that were true, two-factor authentication is no longer enough to thwart online banking fraud. The problem is that if the end user’s computer is compromised with a “man-in-the-browser” trojan like Zeus, then once the authentication process is completed, the illicit transactions are performed while the end user is logged on!!

Think of it this way. No number of locks on your front door will stop a bad guy from walking into your house right behind you after you have opened the door.

We have partnered with Becrypt, which provides a “Trusted Client” solution that (1) resides on an encrypted USB stick which you boot from, or (2) resides on a dedicated PC which you use only for banking.

SpyEye v. ZeuS Rivalry Ends in Quiet Merger — Krebs on Security

Brian Krebs today is providing an update on banking Trojan activity. While ZeuS has been in the public eye, another banking Trojan, SpyEye, seems to be ascending.

In the last several years, it is estimated that the ZeuS Trojan enabled the theft of more than $70 million from nearly 400 organizations.

Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists — Krebs on Security

Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million – from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.

At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.

This is an excellent article by Brian Krebs detailing the latest in a series of arrests related to electronic funds transfer fraud.

In another article Brian Krebs details a specific incident where hackers stole $600,000 from the town of Brigantine, NJ.

No business should be using a “general purpose” computer for electronic funds transfer transactions. As I said in my last post, either use a dedicated computer or an encrypted bootable USB stick like the one we offer from Becrypt.

Bill would protect towns, schools from cybertheft losses – Computerworld

Sen. Charles Schumer (D-N.Y.) has introduced a bill that would protect municipalities and school districts against financial losses resulting from certain types of cybertheft.

Under the proposed bill, cities, towns and school districts would not be held liable for losses tied to online account takeovers and fraudulent electronic funds transfers initiated by cyberthieves, as long as the theft is reported in a timely manner.

It is the same sort of protection that consumers have under the Electronic Fund Transfer Act, which caps consumer liability for an unauthorized EFT at $50. Schumer’s bill (S. 3898) would modify portions of the EFTA to offer the same protection to schools and municipalities.

Moving the liability for electronic funds transfer fraud from the bank account holder to the bank will force banks to implement better protection measures.

In our opinion, there are only two ways online account holders can protect themselves from online bank fraud: (1) use a dedicated computer for online bank transactions, (2) use a dedicated encrypted bootable USB stick. Using just a separate browser, even in a separate virtual machine, is not good enough.

If a dedicated computer is not feasible, we at Cymbel recommend Becrypt’s Trusted Client solution.