Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M (krebsonsecurity.com) 70

Brian Krebs reports: Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses. According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email. The email allowed the intruders to install malware on the victim's PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.
This discussion has been archived. No new comments can be posted.

Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M

Comments Filter:
  • by magusxxx ( 751600 ) <magusxxx_2000NO@SPAMyahoo.com> on Tuesday July 24, 2018 @10:26AM (#57000708)

    ...the clerk never got that $100 Applebee's gift card.

  • by Aurelfell ( 520560 ) on Tuesday July 24, 2018 @10:34AM (#57000738)
    It's no longer about preventing attacks from happening, but accepting that they are going to happen and hardening systems to minimize or eliminate theft and damage when they do. This might seem obvious to a lot of people in the tech industry, but it represents a major paradigm shift for banking.
    • by Anonymous Coward

      How is this new? It was never about preventing attacks. Banks have been robbed since they were created. Losses have to be expected because some people are trash and there is no perfect security.

    • by Rick Schumann ( 4662797 ) on Tuesday July 24, 2018 @11:31AM (#57001078) Journal

      It's no longer about preventing attacks from happening, but accepting that they are going to happen

      Bullshit. There's a word for what you're talking about: surrender. In 2018 people should be smarter and systems should be more secure, but for some reason they're not. This needs to be FIXED. Throwing up your hands and saying "Oh well, guess that's just the way it is!" is cowardly and idiotic in the extreme. If what you're saying was actually true then the only course of action anyone with an average IQ or above could logically take would be to pull all their money out of all accounts and keep it at home in a safe buried in the ground, or at least stashed in a safety deposit box at a bank, or similar hardened secure facility, and pay cash for everything, forever. Banks would fold, e-commerce would dry up and die, as we functionally went back to no later than the 1950's. It's bad enough that I see how many breaches of financial systems there are all the time and have had to personally resort to paying cash for everything I do in person (to reduce my overall exposure to risk) but to just give up is nonsense. We have to do better, we have to fix the security problems.

      • Exactly. Banks are lax on security because it isn't their money, and insurance will cover it. It's the same reason they are lax on investing and loans. Somebody will bail them out.

        If we started holding banks feet to the fire, this shit would end.

        Now I do have some sympathy for the banks. Security costs money, and consumers shop for banking products almost soley on fees and rates. Having a "security" fee on a bank statement just won't fly.

        Perhaps we can have security audit checks as a public record and somet

        • This is about more than banks. Like I said elsewhere: when the lights go out and stay out, water stops coming out of the taps, and everyones' bank accounts are drained, then suddenly everyone will care -- and it'll be TOO FUCKING LATE. Shit needs to be FIXED, NOW.
          • by nnet ( 20306 )
            Then FIX it. Cure greed and avarice first. Quit expecting others to do it for you. YOU start the movement. OK?
            • I am starting it by opening a dialogue with people on the Internet about it.
              What the hell is your problem? Are you one of these people who just accepts whatever it is that's going on and doesn't care? Can't even be bothered to discuss what's going on?
        • Comment removed based on user account deletion
  • Twice?!?! (Score:5, Insightful)

    by Major Blud ( 789630 ) on Tuesday July 24, 2018 @10:39AM (#57000768) Homepage

    Now the financial institution is suing its insurance provider for refusing to fully cover the losses.

    Hack me once, shame on you, hack me twice, shame on me?

    Seriously, 8 months passed between the phishing incidents. That's plenty enough time to do a security audit and train your staff, and the insurance company knows that.

    • Things always go in threes.
    • Could someone with mod points hand that guy some? This sums up the situation pretty accurately.

    • by Ichijo ( 607641 )

      Seriously, 8 months passed between the phishing incidents. That's plenty enough time to do a security audit and train your staff, and the insurance company knows that.

      So the insurance company accepted the premiums knowing they wouldn't have to pay for any loss caused by a security breach? Isn't that fraud?

      • Maybe, maybe not. It depends on what the contract requirements are.....system update frequency, external security audits, etc. I doubt we're going to be able to find the text of said contract until it goes on record at trial.

        • by bws111 ( 1216812 )

          The relevant parts of the contract are in TFA. It has nothing to do with any security measures or anything like that. The question is: which coverage applies? Was it 'computer fraud', which has a limit of $8M. Or was it 'debit card/ATM fraud', which has a limit of $250K. The bank says it was the first, the insurance company says it was the second.

          • Thanks, I didn't get that far into the article (TL;DR). It is an interesting question, was an ATM or debit card ever used at any point? If not, I'd have to side with "computer fraud".

            • by bws111 ( 1216812 )

              Yes, ATMs were how they got the money. The used the computer access to alter PINs, disable daily limits, etc, then used 'hundreds' of ATMs around the country to withdraw money.

          • I expect that question will have to be answered by a court. Unless of course it looks like the insurance company will lose, then they will settle so there is no legal precedent set.
      • by bws111 ( 1216812 )

        You could just read TFA and see what the real issue is.

        The bank has two types of coverage. The first is for 'computer and electronic crime'. The limit on that coverage is $8M. That coverage specificially excludes 'automated mechanical devices which ... disburse money ...'. as well as 'the purported use of cards to obtain funds or credit'.

        The second coverage is a 'debit card rider' covering against ATM and debit card fraud. The limit on that coverage is $250K.

        The insurance company says that since the the

  • by Luthair ( 847766 ) on Tuesday July 24, 2018 @10:49AM (#57000814)
    Sony, Home Depot, and a number of others have been compromised because they failed to separate what should be secure systems from the rest of their infrastructure. This behaviour is blatantly negligent.
    • by zlives ( 2009072 )

      especially when there are tools already available to segregate networks at application level.

  • You know, Slashdotters, some time ago I started thinking that people were getting dumber as a whole over time instead of smarter, and I said so.
    Then some time passed, and I came to another, worse realization: People have always been dumb, it's just that I'm starting to really notice it more now.

    Memo to all businesses: YOU HAVE TO DO BETTER WITH THIS SHIT ONE WAY OR ANOTHER!
    The current state of computer system security, all over the world so far as I can tell, is dismal. So far as I can tell from wh
    • Sony proved that it's more cost effective to be hacked a few times than hire numerous competent people to make strong systems [ didn't say they did it on purpose though, do not attribute to malice that which is equally explained by incompetence ].
      • You're being sarcastic, but sure, let's see how 'cost effective' flies with everyone when power plants blow themselves up, there' no water coming out of the tap, and everyones' bank accounts are drained, all at the same time.
    • FOLLOW-UP: https://politics.slashdot.org/... [slashdot.org] Should we start a betting pool? How about a doomsday clock? Shit needs to be fixed NOW.
    • by Anonymous Coward

      Failure is NOT AN OPTION.

      Dude, seriously?

      At the corporate level, failure is always an option ... even if the idiots in management are incapable of seeing it.

      And when it comes to security of devices, failure in terms of security is almost always a given, because companies want to push out incomplete products as soon as they can. And I assure you, the security isn't the first thing they do.

      The reason you hear about this every week is precisely because failure is not just an option, it's apparently a preferre

      • Let's see how they feel about 'failure being an option' when they're dragged by their feet out into the street and introduced to Monsieur Guillotine.
  • by chill ( 34294 ) on Tuesday July 24, 2018 @01:48PM (#57002016) Journal

    Part of the problem, if judging by the existing 41 comments here on Slashdot, is IT people either *can't* or *won't* read. All y'all are bitching about an insurance company denying the claim, etc.

    They didn't deny the claim! There are *two* policy riders possibly that cover situation and the insurance company is claiming the one with the $250,000 cap is the one that applies -- so paid that one.

    It is an interesting *legal* situation, but totally not at all what the slashmob is whining about.

  • With Zero-Day discoveries being found all the time, any evil computer science genius can screw the systems six ways to Sunday.
    What's needed is hard backups and system analysis software to alert the CT people that something strange is happening. We've given the whole world the keys to the treasure chest.

It's been a business doing pleasure with you.

Working...