Slashdot Mirror


Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M (krebsonsecurity.com)

Brian Krebs reports: Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses. According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email. The email allowed the intruders to install malware on the victim's PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.

12 of 70 comments

  1. And what's worse... by magusxxx · · Score: 4, Funny

    ...the clerk never got that $100 Applebee's gift card.

    --
    Care killed the cat, but satisfaction brought it back.
  2. This is the new reality of banking security by Aurelfell · · Score: 5, Interesting

    It's no longer about preventing attacks from happening, but accepting that they are going to happen and hardening systems to minimize or eliminate theft and damage when they do. This might seem obvious to a lot of people in the tech industry, but it represents a major paradigm shift for banking.

    1. Re:This is the new reality of banking security by Rick+Schumann · · Score: 3, Insightful

      It's no longer about preventing attacks from happening, but accepting that they are going to happen

      Bullshit. There's a word for what you're talking about: surrender. In 2018 people should be smarter and systems should be more secure, but for some reason they're not. This needs to be FIXED. Throwing up your hands and saying "Oh well, guess that's just the way it is!" is cowardly and idiotic in the extreme. If what you're saying was actually true then the only course of action anyone with an average IQ or above could logically take would be to pull all their money out of all accounts and keep it at home in a safe buried in the ground, or at least stashed in a safety deposit box at a bank, or similar hardened secure facility, and pay cash for everything, forever. Banks would fold, e-commerce would dry up and die, as we functionally went back to no later than the 1950s. It's bad enough that I see how many breaches of financial systems there are all the time and have had to personally resort to paying cash for everything I do in person (to reduce my overall exposure to risk), but to just give up is nonsense. We have to do better, we have to fix the security problems.

    2. Re: This is the new reality of banking security by nitehawk214 · · Score: 2

      Exactly. Banks are lax on security because it isn't their money, and insurance will cover it. It's the same reason they are lax on investing and loans. Somebody will bail them out.

      If we started holding banks' feet to the fire, this shit would end.

      Now I do have some sympathy for the banks. Security costs money, and consumers shop for banking products almost solely on fees and rates. Having a "security" fee on a bank statement just won't fly.

      Perhaps we can have security audit checks as a public record and something banks can advertise.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  3. Re:Insurance didn't protect them by xxxJonBoyxxx · · Score: 4, Insightful

    I think they just found out that "cybersecurity insurance" is a joke: one missing patch or badly configured machine and your insurer will deny you. Remember, these are the same folks that manage medical insurance - you sure you want a bunch of "claim denied" messages when your IT systems go t**s up?

  4. Twice?!?! by Major+Blud · · Score: 4, Insightful

    Now the financial institution is suing its insurance provider for refusing to fully cover the losses.

    Hack me once, shame on you, hack me twice, shame on me?

    Seriously, 8 months passed between the phishing incidents. That's plenty enough time to do a security audit and train your staff, and the insurance company knows that.

    --
    If you post as Anonymous Coward, don't expect a reply.
  5. Physically Segment Your Networks by Luthair · · Score: 2

    Sony, Home Depot, and a number of others have been compromised because they failed to separate what should be secure systems from the rest of their infrastructure. This behaviour is blatantly negligent.

  6. Wait a bit more by hcs_$reboot · · Score: 2

    Things always go in threes.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  7. Security company working with insurance here. Fire by raymorris · · Score: 5, Interesting

    You may have had experience related to insurance and the fire code. Someone may have walked through your office building doing a fire inspection, looking for things like power strips plugged into other power strips, which are in turn plugged into another power strip. That fire inspection was likely done for insurance reasons. The insurance companies created the National Fire Protection Association, which writes the fire codes, and also created Underwriters Laboratories (UL), which does fire testing and allows its logo to be put on tested products. You've certainly seen products that are UL listed, UL registered, and UL certified. These are some of the ways that insurance companies encourage fire safety.

    If you don't comply with fire code, if you're using electrical appliances that aren't UL listed or better, the insurance company will start taking actions that encourage safety compliance. That can range from simply issuing a recommendation to raising your rates until you comply, and even saying "if this problem isn't fixed within three months, we will no longer cover you for electrical fires". The insurance company analyzes the risks and sets rates and other conditions appropriate for the level of risk.

    My company, which does cybersecurity, is working with insurance companies to rate cyber risk the same way they rate fire risk. A company's rates will depend on what safeguards they have in place. Take Windows updates for example. If you roll out all Windows updates within 24 hours of release, you'll get the best rate. Roll them out within 2 weeks and you'll get a middle rate. Have XP servers exposed to the internet? The insurance company will probably give you 60 days to fix that, or you're no longer covered for certain things. It's not an all-or-nothing thing. We deliver a big report; it can be over 100 pages. Each thing in the report can increase or decrease the rate they pay for insurance, or cause the insurance company to not cover certain things until they get fixed.

    Here they had a huge loss due to phishing. When paying out that first phishing claim, the insurance company probably said "we don't want this to happen again. In order to be covered for future phishing, you need to reduce your risk by doing x, y, and z". Sure enough 8 months later, another huge loss due to phishing. The bank probably didn't put proper measures in place to mitigate the risk.

    One way to reduce phishing risk is for corporate security to send out a "phishing" email about once per month. Employees who click the link see a page reminding them about phishing. Employees who click the "report this email" button in Outlook get a smiley acknowledgement that they did the right thing.

  8. Illiterate IT People by chill · · Score: 3, Insightful

    Part of the problem, if judging by the existing 41 comments here on Slashdot, is IT people either *can't* or *won't* read. All y'all are bitching about an insurance company denying the claim, etc.

    They didn't deny the claim! There are possibly *two* policy riders that cover the situation, and the insurance company is claiming the one with the $250,000 cap is the one that applies -- so they paid that one.

    It is an interesting *legal* situation, but totally not at all what the slashmob is whining about.

    --
    Learning HOW to think is more important than learning WHAT to think.
  9. Better: Stop using MS products by Kludge · · Score: 2

    FTFA: "the 2017 breach was embedded in a booby-trapped Microsoft Word document."
    Unfortunately most people are too dumb to dump MS, and crackers will continue to win.

  10. Re:Insurance didn't protect them by bws111 · · Score: 4, Interesting

    This case has nothing to do with claims being denied. The bank has two types of coverage. The first is for 'computer and electronic fraud'. The coverage on that is $8M. That coverage explicitly EXCLUDES 'losses due to purported use of cards to obtain funds or credit'. It also explicitly EXCLUDES 'losses from automatic mechanical devices which ... disburse money ...'.

    The second coverage they have is for 'debit card/ATM fraud'. The coverage on that is $250K.

    So what happened? The thieves, by phishing, got access to the computers and changed PINs, disabled fraud protection and daily limits, etc. They did not steal any money (wire transfers, etc). Then they went to 'hundreds of ATMs' and used fraudulent cards to get money.

    So which coverage applies? The insurance company says it was card/ATM fraud, here's your $250K. The bank says if it wasn't for the computer fraud there would have been no ATM fraud, so the higher coverage should apply.

    Interesting legal question, but hardly indicative that 'cybersecurity insurance is a joke'.