Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M (krebsonsecurity.com) 70
Brian Krebs reports: Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses. According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email. The email allowed the intruders to install malware on the victim's PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.
Re:Insurance didn't protect them (Score:5, Insightful)
Re: (Score:1)
At some point, companies need to bear some responsibility for their shitty security. It's seldom just one patch, but companies who refuse to do what many of us consider basic security.
When the owners of said IT systems refuse to (or are incompetent to) perform system admin and se
Re: (Score:2)
In that case, sounds like Microsoft (if they were running Windows) should be liable, eh?
Sometimes you can't install a patch due to it fucking up existing software (that can't be patched).
Re: (Score:2)
I think they just found out that "cybersecurity insurance" is a joke: one missing patch or badly configured machine and your insurer will deny you. Remember, these are that same folks that manage medical insurance - you sure you want a bunch of "claim denied" messages when your IT systems go t**s up?
I'm guessing they are being denied due to "preexisting conditions" Just like health insurance. /s
Security company working with insurance here. Fire (Score:5, Interesting)
You may have had experience related to insurance and the fire code. Someone may have walked through your office building doing a fire inspection, looking for things like power strips plugged into other power strips, which are in turn plugged into another power strip. That fire inspection was likely done for insurance reasons. The insurance companies created the National Fire Protection Association, which writes the fire codes, and also created Underwriters Laboratories (UL), which does fire testing and allows it's logo to be put on tested products. You've certainly seen products that are UL listed, UL registered, and UL certified. These are some of the ways that insurance companies encourage fire safety.
If you don't comply with fire code, if you're using electrical appliances that aren't UL listed or better, the insurance company will start taking actions that encourage safety compliance. That can range from simply issuing a recommendation to raising your rates until you comply, and even saying "if this problem isn't fixed within three months, we will no longer cover you for electrical fires". The insurance company analyzes the risks and sets rates and other conditions appropriate for the level of risk.
My company, which does cybersecurity, is working with insurance companies to rate cyber risk the same way the rate fire risk. A company's rates will depend on what safeguards they have in place. Take Windows updates for example. If you roll out all Windows updates within 24 hours of release, you'll get the best rate. Roll them out within 2 weeks and you'll get a middle rate. Have XP servers exposed to the internet? The insurance company will probably give you 60 days to fix that, or you're no longer covered for certain things. It's not an all or nothing thing. We deliver a big report, it can be over 100 pages. Each thing in the report can increase or decrease the rate they pay for insurance, or cause the insurance company to not cover certain things until they get fixed.
Here they had a huge loss due to phishing. When paying out that first phishing claim, the insurance company probably said "we don't want this to happen again. In order to be covered for future phishing, you need to reduce your risk by doing x, y, and z". Sure enough 8 months later, another huge loss due to phishing. The bank probably didn't put proper measures in place to mitigate the risk.
One way to reduce phishing risk is for corporate security to send out a "phishing" email about once per month. Employees who click the link see a page reminding them about phishing. Employees who click the "report this email" button in Outlook get a smiley acknowledgement that they did the right thing.
Cheapest is to not have incidents (Score:2)
The best case for the insurance company is that claims aren't filed, and they don't have to do investigations or pay lawyers, they just collect premiums and use about 10% of that on compilance measures. It's not only cheaper for them to not have to deal with claims, but fewer $100 million claims means their risk is lower, their quarterly numbers are more predictable. That's good for them overall, and reduces their rate for re-insurance (the insurance that is purchased by insurance companies).
Re: (Score:2)
I think they just found out that "cybersecurity insurance" is a joke
The problem is the insurance contract terms you sign, and the signer is the same guy who's in charge of IT security.
Re:Insurance didn't protect them (Score:5, Interesting)
This case has nothing to do with claims being denied. The bank has two types of coverage. The first is for 'computer and electronic fraud'. The coverage on that is $8M. That coverage explicitly EXCLUDES 'loses due to purported use of cards to obtain funds or credit'. It also explicity EXCLUDES 'loses from automatic mechanical devices which ... disburse money ...'.
The second coverage they have is for 'debit card/ATM fraud'. The coverage on that is $250K.
So what happened? The thieves, by phishing, got access to the computers and changed PINs, disabled fraud protection and daily limits, etc. They did not steal any money (wire transfers, etc). Then they went to 'hundreds of ATMs' and used fraudulent cards to get money.
So which coverage applies? The insurance company says it was card/ATM fraud, here's your $250K. The bank says if it wasn't for the computer fraud there would have been no ATM fraud, so the higher coverage should apply.
Interesting legal question, but hardly indicative that 'cybersecurity insurance is a joke'.
And what's worse... (Score:5, Funny)
...the clerk never got that $100 Applebee's gift card.
Re: (Score:2)
Re: (Score:2)
Better: Stop using MS products (Score:3)
FTFA: "the 2017 breach was embedded in a booby-trapped Microsoft Word document."
Unfortunately most people are too dumb to dump MS, and crackers will continue to win.
This is the new reality of banking security (Score:5, Interesting)
Re: (Score:2)
Google has not been phished. That is not the same as not attacked or owned in some other way.
But yeah, they clearly fucked up.
With ubiquitous smartphones. I'm back to don't connect your work network to the internet, at all, for 90-99%% of staff. The rest get in through dedicated machines on a dedicated network, which are scanned for changes (which are logged) then reimaged, nightly.
Re: (Score:1)
How is this new? It was never about preventing attacks. Banks have been robbed since they were created. Losses have to be expected because some people are trash and there is no perfect security.
Re:This is the new reality of banking security (Score:4, Insightful)
It's no longer about preventing attacks from happening, but accepting that they are going to happen
Bullshit. There's a word for what you're talking about: surrender. In 2018 people should be smarter and systems should be more secure, but for some reason they're not. This needs to be FIXED. Throwing up your hands and saying "Oh well, guess that's just the way it is!" is cowardly and idiotic in the extreme. If what you're saying was actually true then the only course of action anyone with an average IQ or above could logically take would be to pull all their money out of all accounts and keep it at home in a safe buried in the ground, or at least stashed in a safety deposit box at a bank, or similar hardened secure facility, and pay cash for everything, forever. Banks would fold, e-commerce would dry up and die, as we functionally went back to no later than the 1950's. It's bad enough that I see how many breaches of financial systems there are all the time and have had to personally resort to paying cash for everything I do in person (to reduce my overall exposure to risk) but to just give up is nonsense. We have to do better, we have to fix the security problems.
Re: (Score:2)
Re: This is the new reality of banking security (Score:3)
Exactly. Banks are lax on security because it isn't their money, and insurance will cover it. It's the same reason they are lax on investing and loans. Somebody will bail them out.
If we started holding banks feet to the fire, this shit would end.
Now I do have some sympathy for the banks. Security costs money, and consumers shop for banking products almost soley on fees and rates. Having a "security" fee on a bank statement just won't fly.
Perhaps we can have security audit checks as a public record and somet
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What the hell is your problem? Are you one of these people who just accepts whatever it is that's going on and doesn't care? Can't even be bothered to discuss what's going on?
Re: (Score:2)
Twice?!?! (Score:5, Insightful)
Now the financial institution is suing its insurance provider for refusing to fully cover the losses.
Hack me once, shame on you, hack me twice, shame on me?
Seriously, 8 months passed between the phishing incidents. That's plenty enough time to do a security audit and train your staff, and the insurance company knows that.
Wait a bit more (Score:3)
Re: (Score:2)
Could someone with mod points hand that guy some? This sums up the situation pretty accurately.
Re: (Score:2)
So the insurance company accepted the premiums knowing they wouldn't have to pay for any loss caused by a security breach? Isn't that fraud?
Re: (Score:2)
Maybe, maybe not. It depends on what the contract requirements are.....system update frequency, external security audits, etc. I doubt we're going to be able to find the text of said contract until it goes on record at trial.
Re: (Score:2)
I take it you have never actually read an insurance policy? There are quite often requirements and responsibilities on the insured. Failure to meet those responsibilities means that claims may be denied. There is no such thing as 'DEFACTO affirmation that they accepted the risk'.
Re: (Score:2)
The relevant parts of the contract are in TFA. It has nothing to do with any security measures or anything like that. The question is: which coverage applies? Was it 'computer fraud', which has a limit of $8M. Or was it 'debit card/ATM fraud', which has a limit of $250K. The bank says it was the first, the insurance company says it was the second.
Re: (Score:2)
Thanks, I didn't get that far into the article (TL;DR). It is an interesting question, was an ATM or debit card ever used at any point? If not, I'd have to side with "computer fraud".
Re: (Score:2)
Yes, ATMs were how they got the money. The used the computer access to alter PINs, disable daily limits, etc, then used 'hundreds' of ATMs around the country to withdraw money.
Re: (Score:2)
Re: (Score:2)
You could just read TFA and see what the real issue is.
The bank has two types of coverage. The first is for 'computer and electronic crime'. The limit on that coverage is $8M. That coverage specificially excludes 'automated mechanical devices which ... disburse money ...'. as well as 'the purported use of cards to obtain funds or credit'.
The second coverage is a 'debit card rider' covering against ATM and debit card fraud. The limit on that coverage is $250K.
The insurance company says that since the the
Physically Segment Your Networks (Score:3)
Re: (Score:2)
especially when there are tools already available to segregate networks at application level.
2018: People are still this gods-be-damned stupid (Score:2)
Then some time passed, and I came to another, worse realization: People have always been dumb, it's just that I'm starting to really notice it more now.
Memo to all businesses: YOU HAVE TO DO BETTER WITH THIS SHIT ONE WAY OR ANOTHER!
The current state of computer system security, all over the world so far as I can tell, is dismal. So far as I can tell from wh
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Dude, seriously?
At the corporate level, failure is always an option ... even if the idiots in management are incapable of seeing it.
And when it comes to security of devices, failure in terms of security is almost always a given, because companies want to push out incomplete products as soon as they can. And I assure you, the security isn't the first thing they do.
The reason you hear about this every week is precisely because failure is not just an option, it's apparently a preferre
Re: (Score:2)
Illiterate IT People (Score:4, Insightful)
Part of the problem, if judging by the existing 41 comments here on Slashdot, is IT people either *can't* or *won't* read. All y'all are bitching about an insurance company denying the claim, etc.
They didn't deny the claim! There are *two* policy riders possibly that cover situation and the insurance company is claiming the one with the $250,000 cap is the one that applies -- so paid that one.
It is an interesting *legal* situation, but totally not at all what the slashmob is whining about.
Re: (Score:2)
With Zero-Day Discoveries Being Found All The Time (Score:1)
With Zero-Day discoveries being found all the time, any evil computer science genius can screw the systems six ways to Sunday.
What's needed is hard backups and system analysis software to alert the CT people that something strange is happening. We've given the whole world the keys to the treasure chest.