Bank Fraud: It’s Not Personal, Just Business
24 06, 14 Filed in: Blog Posts | Bylines
As published in Wall Street and Technology:
Less publicized (but nonetheless costly) incidents of fraud, questions of liability, and mixed success in court complicate the allocation of security resources.
High-profile breaches of consumer data have been in the news lately, with Neiman Marcus, Michael's, and Target each losing hundreds of thousands to millions of payment card details. As of last week it looks as if we will be able to add P.F. Chang’s to that list as well.
Much of the media coverage of these events has revolved around the impact on consumers and what consumers should do to protect themselves, but the reality of these breaches is that the consumers are the least likely to be affected: Federal law limits liability for fraudulent credit or debit card purchases to $50 in most cases (with the condition that the loss or theft of the card is reported promptly in the case of debit cards). The real impact of these breaches has been on the companies that have been compromised. Target reported $61 million in total breach expenses during the quarter of the breach, and this number is sure to grow as time goes on.
There is another type of financial fraud that is hitting companies as well: wire transfer fraud. This type of fraud costs approximately $1 billion per year but generally doesn’t get the media coverage we have seen with recent personal information breaches, perhaps because it doesn’t involve millions of individuals’ payment card numbers or because breach notifications usually aren’t required if a consumer’s personal information isn’t lost.
The ploy is fairly simple: an attacker gains access to a commercial bank account, wires as much money as possible to another bank account, and withdraws the stolen money before the unauthorized transfer is noticed. Often the recipient bank accounts and withdrawals are handled by unwitting “mules” who answer the “Work From Home!” ads that seem to be plastered all over the Internet and on telephone poles across the country. The mules believe they are working for a legitimate company handling office finances when in reality they are withdrawing the stolen money and forwarding it to the overseas (usually somewhere in Eastern Europe) masterminds behind the scheme.
Unlike personal consumer bank accounts, where federal consumer protection rules (Regulation E, which implements the Electronic Fund Transfer Act) cap liability the same way they do for debit cards ($50 if the bank is notified within 2 business days and up to $500 if it is notified within 60 days), commercial bank accounts carry essentially unlimited liability: they fall under Article 4A of the Uniform Commercial Code, which generally leaves the loss with the customer as long as the bank's security procedures were commercially reasonable. It is entirely possible for an entire bank account to be cleaned out in a matter of hours. In 2009 Experi-Metal Inc., a Michigan-based company, had $5.2 million wired out of its account at Comerica in a single day. The bank was able to recover most of the money because the transactions had been detected by fraud-alerting algorithms, but Experi-Metal was still left short by $561,000.
Experi-Metal’s story is fairly typical: most victims are left with losses in excess of $100,000. This seems like a pittance compared to the Target losses, but it could be a devastating blow for a small or midsized business with a much smaller revenue stream than the $21.5 billion Target reported during the same quarter as the recent breach. These attacks are happening regularly, and they aren’t just targeting businesses: public schools, libraries, universities, and non-profits have all been victimized in this manner.
Most banks accept no liability for the missing money, because the breaches are occurring on the customer’s computer systems, not the bank's. These can range from a simple phishing attack in which an email purporting to be from the bank attempts to trick an unwitting user into directly revealing his or her banking passwords to complex botnets made up of malware-infected computers around the world waiting to capture these credentials.
Law enforcement does try to break up these fraud networks when they can, but it can take years. With many of the perpetrators targeting US businesses but operating out of foreign countries, it can be difficult for US law enforcement to find the masterminds behind the operation and get the quick cooperation they would need to effect any meaningful arrests. Businesses certainly shouldn’t hold out any hope that these modern-day bank robbers will be caught and their money returned.
Some businesses have tried to fight back against the banks in court, with mixed success. Patco Construction Co. of Maine lost $588,000 in 2009 and, after losing in the lower court, won a judgment from the 1st Circuit Court of Appeals in July 2012 holding that the bank's security procedures were not commercially reasonable and forcing the bank to cover its losses. On the other hand, Choice Escrow and Land Title LLC of Missouri lost $440,000 in 2009, and on June 11, 2014, the 8th Circuit Court of Appeals ruled not only that the bank was not responsible for the losses, but that the bank can pursue Choice Escrow to pay for its legal defense costs. Given the potential losses from a breach and the expensive, uncertain, and lengthy nature of attempting to recover funds from a bank, it is clear that businesses need to focus on protecting themselves from fraudulent transfers.
Malware and botnets are an enormous threat on the Internet today, and many of them are designed to steal financial details in order to facilitate wire transfer fraud. The ZeuS botnet alone (the same piece of malware that caused the Patco breach described above) is estimated to have stolen $70 million over its lifetime. NTT Com Security’s Global Threat Intelligence Report shows that botnets were responsible for the largest proportion of attacks happening on the Internet in 2013 with 34% of the total. Disturbingly, the same report also shows that 54% to 71% of malware is not detected by antivirus software, which highlights an underlying security issue: Installing antivirus and tossing a firewall on the network is not enough to prevent these types of attacks.
Real network security requires building the capability to monitor a network and respond to attacks. We saw this with the Target breach, where, despite spending $1.6 million on FireEye network monitoring software, Target did not act on the alerts it generated about the malware on its network. We saw this again with the Neiman Marcus breach, where 60,000 alerts went uninvestigated over a three-and-a-half month period. If large companies with multimillion-dollar security budgets can’t protect themselves from malware, then the prospects would seem exceedingly bleak for the small and midsized companies that are being victimized by wire transfer fraud.
In spite of all this, there are low-cost and remarkably simple steps that significantly reduce the chances of a malware attack compromising a bank account. It can be as simple as isolating the computers used to access bank accounts. Most malware attacks rely on the fact that a single workstation is often used for multiple purposes: browsing the web exposes the workstation to drive-by download attacks; reading email exposes it to malware contained within attachments; and file sharing (whether by USB memory stick, a corporate shared network drive, or a peer-to-peer network) exposes it to direct cross-contamination from the other infected systems it interacts with.
On the other hand, if a few designated workstations, and these workstations alone, are used solely for processing bank transfers, to the exclusion of web browsing, email, and all of the other activities that could bring malware onto the system, then the risk of infection is drastically reduced -- even more so if these workstations are firewalled off from the rest of the network, with outbound access limited to the bank's own site, or given their own dedicated Internet connections. The cost of a cable modem and a small firewall would almost certainly be a tiny fraction of the potential cost of a single fraudulent transfer.
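The isolation described above, expressed as a default-deny egress policy for the dedicated banking workstation. This is an added example and not code from the original article: the bank portal address, the DNS resolver address and the sample flows are assumed/constructed values. The policy is rendered as an nftables ruleset (loadable on Linux with `nft -f`) and also evaluated in Python so the allowlist can be checked before anything touches a live firewall.

```python
"""Default-deny egress policy for an isolated banking workstation.

Added example, not code from the original article. The bank portal
address (203.0.113.10), the DNS resolver (192.0.2.53) and the sample
flows below are assumed/constructed values; substitute your bank's real
hosts before loading the rendered ruleset.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AllowRule:
    proto: str          # "tcp" or "udp"
    dst: IPv4Network    # destination host or network
    dport: int


@dataclass
class EgressPolicy:
    """Outbound allowlist; any flow not listed is logged and dropped."""
    allow: List[AllowRule] = field(default_factory=list)

    def permits(self, proto: str, dst_ip: str, dport: int) -> bool:
        """Decide a flow the same way the rendered nftables ruleset will."""
        dst = ip_address(dst_ip)
        return any(r.proto == proto and r.dport == dport and dst in r.dst
                   for r in self.allow)

    def render_nftables(self) -> str:
        """Emit an nftables ruleset; load it on Linux as root with `nft -f file`.

        Only IPv4 accept rules are emitted inside an `inet` table, so IPv6
        egress also falls through to the drop policy, which is intended.
        """
        out = [
            "table inet banking {",
            "  chain output {",
            "    type filter hook output priority 0; policy drop;",
            "    oif lo accept",
        ]
        for r in self.allow:
            out.append(f"    ip daddr {r.dst} {r.proto} dport {r.dport} accept")
        out += [
            '    log prefix "banking-egress-denied: " drop',
            "  }",
            "  chain input {",
            "    type filter hook input priority 0; policy drop;",
            "    iif lo accept",
            "    ct state established,related accept",  # replies to allowed flows only
            "  }",
            "}",
        ]
        return "\n".join(out)


def banking_policy() -> EgressPolicy:
    """The entire allowlist: the bank portal over TLS and the local resolver."""
    return EgressPolicy(allow=[
        AllowRule("tcp", IPv4Network("203.0.113.10/32"), 443),  # assumed bank portal
        AllowRule("udp", IPv4Network("192.0.2.53/32"), 53),     # assumed DNS resolver
    ])


# Constructed sample flows a general-purpose workstation would generate.
SAMPLE_FLOWS: Dict[str, Tuple[str, str, int]] = {
    "bank_portal_https": ("tcp", "203.0.113.10", 443),
    "dns_lookup": ("udp", "192.0.2.53", 53),
    "web_browsing": ("tcp", "198.51.100.7", 80),
    "file_share_smb": ("tcp", "10.0.0.5", 445),
    "bank_portal_plaintext": ("tcp", "203.0.113.10", 80),
}


def decisions(policy: Optional[EgressPolicy] = None) -> Dict[str, bool]:
    """Evaluate every sample flow against the policy (True = allowed)."""
    if policy is None:
        policy = banking_policy()
    return {name: policy.permits(*flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DROP'}")
    print(banking_policy().render_nftables())
```

Two caveats a practitioner will hit immediately: the host-level ruleset is defence in depth and the same allowlist belongs on the small firewall in front of the workstation, where malware that gains administrator rights cannot simply flush it; and bank portals frequently load content from several hostnames and content delivery networks whose addresses change, so the allowlist has to be built from observed traffic and re-checked when the bank's site breaks, not guessed once.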
Phishing attacks illustrate this point further: no technical control can reliably stop a user who has been duped from handing over a password, so we must rely on training and awareness to make sure that the individuals who hold the digital keys to a company’s bank accounts understand the threats they face and how those threats operate. The more people who hold the passwords needed to initiate bank transfers, the more people who could potentially leak them. Keeping the key holders to a minimum allows a company to focus its training and awareness efforts on the few individuals who matter.
We must also not forget the banks themselves. Many offer enhanced security measures for wire transfers that businesses just aren’t using. In the case of Choice Escrow, mentioned above, the bank offered dual control: two separate users with their own credentials, one to enter a wire transfer and a second to approve and release it, so that a single stolen login cannot move money on its own. Choice Escrow chose not to use it. We have no way to know whether dual control would have made a difference to the breach or the court case, but it is certainly telling that an easy-to-use security feature was not being employed. There are likely many companies that are not leveraging all the security tools their banks provide, simply for the sake of convenience.
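What dual control buys you is easiest to see in code. The following is an added example, not the bank's software and not from the original article: a minimal wire desk in which one user enters a wire and a different user must approve it before release, with the approval bound to the exact amount and beneficiary. The user names, roles and amounts are constructed.

```python
"""Dual control for outbound wire transfers, modelled in code.

Added example, not the bank's software and not from the original article.
It shows the control the article describes: one user enters a wire and a
different user must approve it before it can be released. The approval is
bound to the wire's exact amount and beneficiary, so a wire changed after
approval cannot be released. Users, roles and amounts are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Set


class DualControlError(Exception):
    """Raised whenever money would move with fewer than two people behind it."""


@dataclass
class Wire:
    wire_id: str
    amount: Decimal
    beneficiary: str
    created_by: str
    approved_by: Optional[str] = None
    approved_digest: Optional[str] = None
    released: bool = False

    def digest(self) -> str:
        """Fingerprint of the fields an approver vouches for."""
        material = f"{self.wire_id}|{self.amount}|{self.beneficiary}".encode()
        return hashlib.sha256(material).hexdigest()


@dataclass
class WireDesk:
    initiators: Set[str]                 # may enter wires
    approvers: Set[str]                  # may approve other people's wires
    wires: Dict[str, Wire] = field(default_factory=dict)

    def create(self, user: str, wire_id: str, amount: Decimal, beneficiary: str) -> Wire:
        if user not in self.initiators:
            raise DualControlError(f"{user} is not an initiator")
        if amount <= 0:
            raise ValueError("amount must be positive")
        if wire_id in self.wires:
            raise ValueError(f"duplicate wire id {wire_id}")
        wire = Wire(wire_id, amount, beneficiary, created_by=user)
        self.wires[wire_id] = wire
        return wire

    def approve(self, user: str, wire_id: str) -> Wire:
        wire = self.wires[wire_id]
        if user not in self.approvers:
            raise DualControlError(f"{user} is not an approver")
        if user == wire.created_by:
            raise DualControlError("initiator cannot approve their own wire")
        wire.approved_by = user
        wire.approved_digest = wire.digest()   # approval covers exactly these details
        return wire

    def release(self, wire_id: str) -> Wire:
        wire = self.wires[wire_id]
        if wire.released:
            raise DualControlError("wire already released")
        if wire.approved_by is None or wire.approved_digest != wire.digest():
            raise DualControlError("wire not approved as currently specified")
        wire.released = True
        return wire


def new_desk() -> WireDesk:
    # constructed roles: alice may enter wires and approve others', bob only approves
    return WireDesk(initiators={"alice"}, approvers={"alice", "bob"})


def normal_flow() -> Wire:
    """Two distinct people: alice enters, bob approves, then release succeeds."""
    desk = new_desk()
    desk.create("alice", "W-1", Decimal("25000.00"), "Acme Supplies acct 1234")
    desk.approve("bob", "W-1")
    return desk.release("W-1")


def stolen_single_credential() -> List[str]:
    """Attacker holds only alice's login (phished or keylogged) and tries every step."""
    desk = new_desk()
    desk.create("alice", "W-2", Decimal("440000.00"), "mule account 9876")
    errors = []
    for step in (lambda: desk.approve("alice", "W-2"), lambda: desk.release("W-2")):
        try:
            step()
        except DualControlError as exc:
            errors.append(str(exc))
    return errors


def tampered_after_approval() -> str:
    """Beneficiary rewritten after bob approved (as man-in-the-browser malware does)."""
    desk = new_desk()
    desk.create("alice", "W-3", Decimal("1000.00"), "Acme Supplies acct 1234")
    desk.approve("bob", "W-3")
    desk.wires["W-3"].beneficiary = "mule account 9876"
    try:
        desk.release("W-3")
    except DualControlError as exc:
        return str(exc)
    return "released"
```

The two invariants that matter are that the approver is a different authenticated person from the initiator, and that the approval is over the wire's content rather than just its identifier; the first defeats a single phished password, the second defeats malware that edits the beneficiary after a human has signed off. Dual control only works if the two people really use separate logins, ideally on separate machines, which is exactly the arrangement the bank offered Choice Escrow.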
The ultimate liability solution may go beyond technology as well. The ability for hackers to launch fraudulent wire transfers seems to be under the radar of most businesses, as is the lack of liability that the banks accept. At least one bank, JPMorgan Chase & Co, does offer insurance on commercial accounts. Perhaps as more businesses become aware of the underlying risks in commercial bank accounts they will move to banks that offer more robust protections and instigate a change in the banking industry. Or perhaps we are just waiting for our “Target” moment when a major publicly traded corporation finds tens of millions of dollars missing from its bank account and makes the front-page news.
10 ways to strengthen web application security
17 06, 14 Filed in: Press Quotes
PCI-DSS 3.0 Helps Merchants Defend Against Emerging Threats
15 06, 14 Filed in: Blog Posts
Protecting sensitive personal data continues to be a priority for merchants and businesses that operate in the payment card industry. With the release of PCI-DSS 3.0 many organizations that are already PCI compliant or are working toward becoming PCI compliant are wondering what these changes will mean to their organization.
Let’s take a look at what has changed and the impact this will have on how organizations approach PCI compliance.
Merchants and businesses should find that PCI-DSS 3.0 is easier and more intuitive to work with than earlier versions. The main impact of the changes includes:
- New requirements for periodic inspection of PIN Entry Devices (PEDs) will have a major impact on retail merchants but will limit the likelihood and impact of skimming and Chip-and-PIN compromises.
- Greater clarity for organizations and any service provider partners on their respective responsibilities to avoid compliance gaps between them.
- While recognizing the importance of network segmentation for scope reduction, there are now clearer requirements for tests to ensure the effectiveness of any segmentation controls.
What new requirements are included in PCI-DSS 3.0?
With version 3.0, the PCI Security Standards Council enhanced or clarified existing PCI-DSS requirements. However a number of new compliance requirements were added including:
General: A new PCI-DSS ROC Reporting Template must be used as the template for creating the Report on Compliance.
General: More details have been added to the testing procedures to clarify the level of validation expected for each requirement. This reduces uncertainty over what is required to confirm compliance with a requirement and make determining compliance much more straightforward and consistent.
Req. 5.1.2: An organization will need to be aware of evolving malware threats to its systems and act if malware does become a significant threat, rather than the previous assumption that malware protection was only required on Windows systems.
Req. 8.2.3: This change gives greater flexibility by allowing any control whose security is equivalent to a password of at least 7 characters composed of numeric and alphabetic characters. The guidance recommends password entropy as a means of measuring this.
Req. 8.6: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access.
Req. 9.3: Control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.
Req. 9.9: Brick-and-mortar retailers will need to catalogue POS terminals and regularly check them to detect any theft or tampering (e.g. for skimming). At the European PCI Community Meeting, it was clarified that this applies only to the card interaction points (swipe or dip, etc.).
Req. 11.5.1: New requirement to confirm that alerts from the change detection mechanism are investigated. This update makes the requirement to investigate alerts more explicit.
Req. 12.8.2: Many organizations will have contracts in place which pre-date their PCI-DSS compliance efforts, but which did place a requirement on the Service Provider to maintain the security of CHD either explicitly or implicitly. These agreements must now explicitly address compliance with PCI-DSS requirements and so may require amendments to existing contractual agreements.
Req. 12.9: This is the mirror of changes to Requirement 12.8.2 – the Service Provider has a matching requirement to confirm it will maintain applicable PCI-DSS requirements to match the client’s requirement to obtain it from them.
What is the timing for these changes?
PCI-DSS 3.0 went into effect Jan. 1, 2014, but businesses are given a year to implement the updated standard. This means that during 2014 merchants and service providers can choose whether to validate compliance under version 2.0 or 3.0 of PCI-DSS, although they may not mix requirements from 2.0 and 3.0 together in a single assessment. Any validation conducted in 2015 must be conducted under version 3.0. A handful of the new requirements (9.9 and 12.9 above among them) are treated as best practices until June 30, 2015 and become mandatory on July 1, 2015.
Want more information?
Watch my walkthrough of these changes in a comprehensive webinar: The Changing PCI Landscape: What does it mean for your organization? Additionally, download the white paper “PCI v3.0 Impact Analysis” for specific rule changes.
New OpenSSL breach is no Heartbleed, but needs to be taken seriously
06 06, 14 Filed in: Press Quotes