Part 2

There's no Hurricane Katrina fund, no 9/11 trust for business banking victims. Instead of the sudden shocking yet galvanizing crash of a jet into a building, this malware-based attack comes as a slow, stealthy shadow creeping into the already bleak landscape of the jobless.

If a business owner lost their funds overnight, I imagine it might go something like:

  • Day one: Shock. Could this really be happening?
  • Day two: Fight the bank. And lose. Again, is this really happening?
  • Day three: Find a new job so your family can sustain itself. And good luck with that task if you were part of the IT team who missed the malware which stole the banking funds!

Brian Krebs has interviewed many victims whose stories are similar:

Since the incident, [Michelle Marsico] has had to take out a $395,000 loan at 12 percent to cover the loss (she managed to get $70,000 in wires reversed).

“I'm working for nothing right now, and can't afford to pay myself,” Marisco / [Marsico] said in a phone interview.

Without small business providing new job growth it's arguably a nuclear winter for our economy.

This must stop

  1. Business owners are completely in the dark about this threat.
  2. The critical priority must become identifying the threat of cybercrimes that soul-kill our communities: FinCEN and other aggregators of financial crime reporting need to step it up and show the data more transparently.
  3. There are no laws which require protection for payroll accounts and the ABA, after saying how safe online banking has been for years now doesn't seem to want to budge from their position of the business' sole responsibility for compromise.

A recent interview was held with American Banking Association Vice President and Senior Advisor of Risk Management Policy Doug Johnson who, after agreeing that the threat of corporate account takeover was “very large”, pushes responsibility right back at the business, not with the banking community for prevention and risk.

“Banks have a tremendous responsibility to protect their small businesses and municipal customers just as they have that responsibility to protect their retail customers.

But the retail customer protections of Reg E would essentially absolve the small businesses of any responsibility or liability for not properly protecting themselves, and you can certainly appreciate that in a community bank market it is very difficult for a financial institution, through no fault of its own, to really make a corporate customer whole for a loss which could be upwards toward a half of million dollars.

And there would be less incentive on the part of the corporate customer to protect themselves if they knew that they were going to be made whole in that fashion, even if they didn't protect themselves.”

Five years ago, Doug Johnson was saying something very different:

"Online banking is safe and getting safer," says Doug Johnson, senior policy analyst at the American Bankers Association.” (USA Today, 2005)

2009 APWG Thought Leader Dr. Laura Mather states that dual control for small business accounts is a good practice for businesses to follow since it raises the bar for criminals, however she feels that it is unlikely that all businesses will implement dual controls and worse, that the tactic has a limited shelf life against faster cybercriminals.

“Banks should be educating their business customers to use this technique,” Dr. Mather adds, “and possibly implement measures that enforce the requirements for dual control. The next obvious step for cybercriminals will be multiple infections within a business such that the criminal has access to both of the dual control accounts.”

“As for the ABA party line – I think with the litigation that is moving forward there will soon be legislation around the SMB accounts. Of course, when that happens, all banking organizations will likely have to change their stance on these issues.”

Her words are prophetic: I found a story about the banking trojan compromise of the ABA-recommended dual control method right in our own SoCal backyard which Brian Krebs wrote about a few weeks ago:

http://krebsonsecurity.com/2010/06/e-banking-bandits-stole-465000-from-calif-escrow-firm/

“Owner Michelle Marisco said her financial institution at the time — Professional Business Bank of Pasadena, Calif. – normally notified her by email each time a new wire was sent out of the company's escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.”

“The thieves also defeated another anti-fraud measure: A requirement that two employees sign off on any wire requests. Marisco said that a few days before the theft, she opened an email informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on both Marisco's computer and the PC belonging to her assistant, the second person needed to approve transfers.”

Steps you can take:

In keeping with how to protect yourselves and your business here are the top things to do today to harden your business target:

  1. Update your endpoint malware protection and ensure you have an antispam solution which will block phishing attacks which use spam tactics to reach their victims.
  2. Plan and complete a US-CERT risk assessment,
  3. Plan to audit your business accounts DAILY from a secure computer. Don't rely too heavily on email alerts – the latest malware disables them.
  4. Raise awareness in your own back yard. Start the discussion.

One final step would be to sit down and have a formal review with your bank of the responsibilities involved with an account hijacking and quite frankly, if you don't like what you hear, vote with your feet and consider changing your approach to online banking or changing your bank.

We're still on the search for definative bank account hijacking statistics. Once we get them, you'll be the first to know.