Escrow Co. Sues Bank Over $440K Cyber Theft — Krebs on Security.
The Choice Escrow and Land Title escrow company had $440,000 stolen from its bank account in one fraudulent online transaction. Choice Escrow is suing the bank – BancorpSouth, Inc. of Tupelo, Miss.
The fraudulent transaction was to a corporate account payee in Cyprus.
Technically, the bank is not responsible for commercial account losses unless reported within 48 hours of the transaction. However, Choice Escrow is suing on the basis that BancorpSouth did not provide the two-factor authentication required by the Federal Financial Institutions Examination Council (FFIEC).
Even if that were true, two-factor authentication is no longer enough to thwart online banking fraud. The problem is that if the end user’s computer is compromised with a “man-in-the-browser” trojan like Zeus, the illicit transactions are performed after the authentication process is completed, while the end user is logged on!
Think of it this way. No number of locks on your front door will stop a bad guy from walking into your house right behind you after you have opened the door.
We have partnered with Becrypt, which provides a “Trusted Client” solution that either (1) resides on an encrypted USB stick which you boot from, or (2) resides on a dedicated PC which you use only for banking.
Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists — Krebs on Security.
Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million – from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.
At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.
This is an excellent article by Brian Krebs detailing the latest in a series of arrests related to electronic funds transfer fraud.
In another article Brian Krebs details a specific incident where hackers stole $600,000 from the town of Brigantine, NJ.
No business should be using a “general purpose” computer for electronic funds transfer transactions. As I said in my last post, either use a dedicated computer or an encrypted bootable USB stick like the one we offer from Becrypt.
Bill would protect towns, schools from cybertheft losses – Computerworld.
Sen. Charles Schumer (D-N.Y.) has introduced a bill that would protect municipalities and school districts against financial losses resulting from certain types of cybertheft.
Under the proposed bill, cities, towns and school districts would not be held liable for losses tied to online account takeovers and fraudulent electronic funds transfers initiated by cyberthieves, as long as the theft is reported in a timely manner.
It is the same sort of protection that consumers have under the Electronic Fund Transfer Act, which caps consumer liability for an unauthorized EFT at $50. Schumer’s bill (S. 3898) would modify portions of the EFTA to offer the same protection to schools and municipalities.
Moving the liability for electronic funds transfer fraud from the bank account holder to the bank will force banks to implement better protection measures.
In our opinion, there are only two ways online account holders can protect themselves from online bank fraud: (1) use a dedicated computer for online bank transactions, or (2) use a dedicated encrypted bootable USB stick. Using just a separate browser, even in a separate virtual machine, is not good enough.
If a dedicated computer is not feasible, we at Cymbel recommend Becrypt’s Trusted Client solution.