Organized cyber thieves stole more than $28,000 from a small New England town last week. The case once again highlights the mismatch between the sophistication of today’s attackers and the weak security measures protecting many commercial online banking accounts.
On July 11, 2011, I alerted the town controller of Eliot, Maine that its accounts were probably being raided by computer crooks in Eastern Europe. I had heard from a “money mule,” an individual who was recruited through a work-at-home job scam to help the thieves launder money. He had misgivings about a job he had just completed for his employer. The job involved helping to move almost $5,000 from one of his employer’s “clients” to individuals in Ukraine. The receipt his employer emailed to him along with the money transfer said the client was “Town of Eliot, Ma.”
Norma Jean Spinney, the town controller, said she immediately alerted the town’s financial institution, TD Bank, but the bank couldn’t find any unusual transactions. Spinney said that three days later she received a call from TD Bank, notifying the town of a suspicious batch of payroll direct deposits totaling more than $28,000. TD Bank may have had a chance to stop this robbery, but apparently they dropped the ball.
Nevertheless, the town is not likely to see the stolen money again. Unlike consumers, organizations are not protected against online banking losses from cyber fraud. What’s more, a forensic analysis by a local IT firm showed that Spinney’s PC was infected with at least two banking Trojans at the time of the heist.
TD Bank spokeswoman Jennifer Morneau declined to discuss the incident, citing customer confidentiality policies.
Spinney said TD Bank required a user name and password, and the answer to at least one “challenge question,” when logging in to the town’s account.
New guidelines issued by banking regulators last month state that challenge questions are not adequate to protect corporate online-banking accounts from today’s cyber thieves. Unfortunately, many banks continue to rely on existing methods of authenticating customers: Bank examiners won’t start measuring how banking institutions conform with the recommendations until Jan. 2012.
If you’re responsible for a commercial bank account and you’re accessing the account online, the safest way to do so is to use a non-Windows computer such as a Mac, or a Live CD version of Linux. The bad guys may begin to write banking Trojans to help them rob organizations that use other computing platforms, but all of the attacks I’ve written about to date involved malware that will not run on anything but a Windows PC. For those who must use Windows, another option is a dedicated PC that is used only for online banking, provided you never access the accounts from any other machine.
If your bank allows it (and most do), consider taking advantage of anti-fraud mechanisms like Positive Pay, and require that more than one person sign off on all accounting transactions.
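As an added illustration (not code from the original post, and not a description of TD Bank’s or the town’s systems), the kind of batch review that either the customer or the bank could apply to a payroll run: flag direct deposits to accounts the town has never paid before and batch totals far above the usual run, and hold release until two different people approve. Every payee name, routing number, account number and amount below is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deposit:
    payee: str
    routing: str   # receiving bank routing number (constructed)
    account: str   # receiving account number (constructed)
    amount: float

# Constructed baseline: payee/account pairs seen in earlier approved payroll runs.
KNOWN_ACCOUNTS = {
    ("011000001", "2001"): "Town clerk",
    ("011000001", "2002"): "Public works",
    ("011000002", "3001"): "Library",
}
TYPICAL_TOTAL = 9_000.00  # constructed average total of prior payroll batches

def review_batch(batch, known=KNOWN_ACCOUNTS, typical_total=TYPICAL_TOTAL, tolerance=0.25):
    """Return a list of findings; an empty list means the batch matches the baseline."""
    findings = []
    for d in batch:
        owner = known.get((d.routing, d.account))
        if owner is None:
            # A payroll deposit to an account never paid before is the mule-account pattern.
            findings.append(f"new recipient {d.routing}/{d.account} for {d.payee}: ${d.amount:,.2f}")
        elif owner != d.payee:
            findings.append(f"account {d.routing}/{d.account} is on file for {owner}, not {d.payee}")
    total = sum(d.amount for d in batch)
    if total > typical_total * (1 + tolerance):
        findings.append(f"batch total ${total:,.2f} exceeds baseline ${typical_total:,.2f} by >{tolerance:.0%}")
    return findings

def release_allowed(batch, approvers, required=2, confirmed_out_of_band=False):
    """Dual control: every batch needs `required` distinct approvers. A batch with
    findings is held until someone confirms it over a channel other than the
    online-banking session itself (a phone call to the controller, for example)."""
    if len(set(approvers)) < required:
        return False
    return not review_batch(batch) or confirmed_out_of_band

# Constructed batches: the town's usual run, and the same run padded with deposits
# to six previously unseen accounts in the range a money mule would receive.
NORMAL_RUN = [
    Deposit("Town clerk", "011000001", "2001", 3000.00),
    Deposit("Public works", "011000001", "2002", 3500.00),
    Deposit("Library", "011000002", "3001", 2400.00),
]
SUSPECT_RUN = NORMAL_RUN + [
    Deposit(f"Payee {i}", "021000099", f"99{i:02d}", 4750.00) for i in range(6)
]
```

Run against the suspect batch, `review_batch` returns one finding per unseen account plus one for the inflated total, and `release_allowed` refuses to release it even with two approvers until the out-of-band confirmation is recorded.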
The new guidelines include many recommendations for improving online-banking security. Bank customers should review them and compare them to their bank’s present security. A bank that provides adequate protection will not wait until 2012 to implement the enhanced measures.