PC Invader Costs a Kentucky County $415,000

plover recommends a detailed account by Brian Krebs in the Washington Post's Security Fix column of a complex hack and con job resulting in the theft of $415,000 from Bullitt County, Kentucky. "The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks. ...the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country... [T]he criminals stole the money using a custom variant of a keystroke logging Trojan known as 'Zeus' (a.k.a. 'Zbot') that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware... is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection."

Re:Bank hold some responsibility

[plover]

My wife has long had to transfer money between various commercial accounts at her jobs. As far back as I can remember, the banks issued her RSA tokens which were required to authorize the transfers.

I can't imagine a commercial bank NOT using a secure crypto system with an air gap. If the county is concerned about two authorizations, so much the better: issue the judge his own token.

Even that could be compromised by a hacker who owned the treasurer's computer, but it would have been almost impossible to run the scam 500 times in a few days like this guy did.