Friday, January 22, 2010

PlainsCapital vs Hillary Machinery

tx_plow_boy asked what I thought about "my bank" after the revelations by Hillary Machinery. Hillary is alleging that negligence on the part of PlainsCapital led to the theft of over $800,000 from Hillary Machinery's account. $600,000 was recovered, but Hillary Machinery wants PlainsCapital to admit that they are responsible and pay up.


I've read Walt Nett's article, "Company, bank blame each other," in the Avalanche-Journal. I've read what Hillary Machinery says in the news section on their website, and I've read the two stories about similar breaches they link to directly from their site. I'm going to take a closer look at the info we have on the Hillary Machinery breach and see what I can come up with. Most of the information I'm using will be straight from their website. As we look at the circumstances of this theft, keep in mind that I am not a lawyer, and I have only the information I've read (and linked to for you) to go by.


Looking at the info provided by Hillary Machinery on their website, here is what we have. To shorten this a little, I'll take it point by point.


1. In November 2009 PlainsCapital became the target of cybercriminals. They used vulnerabilities in PlainsCapital's internet banking system and initiated fraudulent wire and automated clearinghouse transfers.


Since I can find no mention of similar data breaches at PlainsCapital, I would probably classify the bank as a victim. It appears that the target was actually Hillary Machinery. For the same reason, I would say that the bank was not where the vulnerabilities were exploited. The normal scenario when an institution gets breached is to grab as much information as possible, or in the case of banks, grab money in small amounts from as many accounts as possible. Grabbing a large amount of money from one account points to the exploited vulnerability being at Hillary Machinery.


2. Even though the transactions were not authorized by a representative of Hillary Machinery Inc. and were inconsistent with Hillary's, the bank still allowed them to occur.


The "not authorized by a representative of Hillary Machinery" is a bit of a red herring. If the perp stole the needed information from Hillary Machinery, the bank wouldn't know that it wasn't someone from Hillary until the transaction was set in motion, and even then maybe not until two or three had been made. At that point the bank should have contacted the company to make sure the transactions were legit.


3. To make matters worse, PlainsCapital Bank has yet to take responsibility for the stolen funds claiming that their Internet banking systems are "reasonably secure."


Face it. The bank can't admit any culpability. The second they admit any kind of fault they will be sued out of business. If this case ends the way these things usually do it will be settled out of court with PlainsCapital paying some undisclosed amount without admitting any fault.


I don't think the lion's share of blame goes to PlainsCapital on this one. It looks like Hillary was breached, whether by a virus, a trojan, or social engineering. Any share of the blame that goes to PlainsCapital comes after Hillary recognizes their own part in this very expensive fiasco.


I hope that answers your question, tx_plow_boy.

25 comments:

  1. Quite simply, it appears that Hillary entrusted their money to PlainsCapital to keep it safe and secure from predators. It also appears that the money was taken from PlainsCapital Bank's facility, not Hillary's safe. It also appears that had Plains employed what is generally accepted by larger, more adept banks as the latest in "reasonable" security, this would likely not have happened. Finally, it would also appear from other cases that even if it did, PlainsCapital would have had some sort of private insurance to protect their customers from criminal activity, just as they would for a robbery or burglary. Sorry, your explanation doesn't fly with the populace.

  2. The exploitation that was used would be the same as someone writing fraudulent checks. If the signature that is usually on the check can be forged close enough, the bank will think nothing of it.

    The same seems to have happened here. Someone came into possession of Hillary's electronic checkbook credentials. Access could have been gained by hijacking an internet session (via virus, trojan, etc.), discovering the username and password (keylogger, social engineering, brute force, etc.), from a former employee with that knowledge, or even dumb luck. What is not mentioned in the article(s) is what kind of electronic security Hillary's uses. If they are just using an occasionally updated Norton Antivirus, then they are doing less to secure their online interactions than PCB is. Has Hillary's conducted an internal audit to make sure their network wasn't compromised?

    It seems Hillary is leaving their site security to their host, Earthlink. How did I find their host? One line in their site's coding led me right to it. I wouldn't be surprised if that same line could be/was used to get into Hillary's email storage. Not to mention that nowhere on their site do they use any security measures. PlainsCapital boasts their 128-SSL and firewall on their site. While detailing your protection methods is kind of irresponsible for a bank to do, it is proof they are using it.

    Hillary also operates an Ebay store. Ebay uses security measures, but that is just another vector an attacker could explore.

    Simply put, it is much more reasonable to believe Hillary was compromised and not PlainsCapital. PCB has various legal obligations to monitor electronic security and breaches. Hillary only has their checkbook to answer to.

  3. OK, you guys don't seem to be familiar with the guidance that the FFIEC issued years ago that most larger banks have already adopted for their business customers. For the sake of argument, let's assume two things:

    1. No criminal culpability on either side (Plains or Hillary personnel).
    2. Hillary's system got hijacked and their username and password got stolen.

    Now, just about all the major banks, BOA, Comerica, Chase, Wells Fargo, have implemented the FFIEC's guidance for the 2nd factor necessary for a multi-factor authentication system, which is a temporary password-generating token or smart card that changes every 30-60 seconds. In other words, assuming Hillary's username and password got jacked from their computer or network, the hijacker would still need the password that got generated from the token or smart card to access the bank. Even if a keylogger, trojan, etc. got the username, password, and token, they would not have the time to register another computer (IPA) before another code was generated. Session hijacking is not a realistic possibility here; that requires an emulator, and the person on the workstation would have easily detected that. Plains even says in the article that they use IPAs to identify a computer... this is about as useless as tits on a boar, which is also reiterated by the FFIEC in their guidance.

    That Guy, assuming Hillary's domain is hosted by Earthlink means that their website is hosted offsite, not onsite, and probably their email as well... This says they don't have a web server or a mail server on site, just a file server plugged into an ISP gateway, right? Thus assuming the file server and ISP site security is reliant upon Earthlink is just that, an assumption, and probably not likely. It's more likely that their LAN site is secured via the ISP serving their LAN, not their domain, and you don't know who that is by simply looking up their website IPA and who's hosting it.

    Simply, had Plains implemented the guidance issued by the FFIEC and the FTC that most of the other major banks have, this would not even be a topic of discussion.

  4. Nett wrote in his newspaper story: "Owen said someone was able to "register" another computer's IP address on PlainsCapital's Internet banking system without being challenged with something such as a secondary security question, opening the door to the bogus transfer requests."

    I am glad my bank has the security question in place.

    If a cyber-attacker were to steal all of my security credentials by compromising the bank's login authentication system, he would have to find vulnerabilities in more than one sub-system (which is of a greater degree of difficulty to do). I am confident that banks are smart enough to keep login and username databases greatly separated from the security question database that is in a whole other subsystem.

  5. 1. Tx_plow_boy, you're only seeing half the story. No matter what security measures PlainsCapital employs, if someone manages to steal Hillary's login information and whatever additional verification info PlainsCapital may require from Hillary, it is not the bank's fault that the account was accessed. I personally feel that the bank should have noticed that the bogus transactions were out of character for Hillary, but without knowing what kind of transactions were normal and more specifics about the bogus transactions, I can't say for sure.

    PlainsCapital is required by law to have certain minimum security measures in place. One of those measures is that no bank employee can see your password. Another is security questions that have to be answered to reset the password. I don't know if there are any special legal requirements for the wire and ACH transfers used to steal the money.

    PlainsCapital may have private insurance. From what I am seeing, that insurance company would be requiring an investigation before paying anything because it is far from clear that PlainsCapital has any culpability.

  6. Just because Hillary's domain and/or mail is hosted or served up by Earthlink doesn't mean their local LAN is too. And although email is insecure to begin with, it would still take an enormous amount of skill to monitor, decipher and capture the data packets off an email socket.

    Tell you what, let's assume for a moment:

    1. No criminal culpability on the part of Plains or Hillary.
    2. That Hillary's system WAS hijacked and the username and password WAS stolen.
    3. Commercial accounts, not consumer accounts.

    The FFIEC issued guidance to financial institutions in 2005, revised in 2007, urging banks to authenticate users via a multi-factor method: one factor being something the user KNOWS, i.e., username/password, and a second factor being something the user HAS, i.e., a password-generating token, smartcard, or USB token; essentially, an electronic key code that is in sync with the bank's; it's offline. See http://en.wikipedia.org/wiki/Security_token

    Referring to the earlier assumption, had Plains' system required the use of a password-generating token or smartcard where the access code changes every 30-60 seconds, then the hacker would need more than just a stolen username and password to access the system. Referring back to the article, they would have also needed it to register another computer on the PNB system as well.

    Now, there was some mention in the article about an IPA. IPAs are not secure anymore, and even the FFIEC references that they should not be used as an identifying factor in multi-factor authentication because they are often random and easily spoofed, masked and/or re-directed.

    USB tokens, smartcards, and biometrics are the only way to go, and when trying to secure that much money, why would ANY bank not employ them to protect themselves and their customers? BOA, Chase, Wells Fargo, Comerica, they all use them now and many require their business users to have them.

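The multi-factor scheme the comment above describes (a token secret shared with the bank, a code that rolls every 30-60 seconds, and registration of a new computer gated by that code), as an added Python example that is not from the post or any commenter and is not PlainsCapital's or any bank's actual code. The shared secret, password, device names and timestamps are constructed for the demo; the time-based code is the standard HMAC-over-time-step construction used by hardware tokens (RFC 6238 style). It also covers comment 4's point that registering another computer should be challenged, by putting device registration behind the same check, and adds a replay cache so a code captured during a real login cannot be reused within its own step.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the demo token (hypothetical value; a real
# token is provisioned with a random per-customer secret).
TOKEN_SECRET = b"demo-token-secret-not-a-real-key"
STEP_SECONDS = 30   # code lifetime: the "changes every 30-60 seconds" above
DRIFT_STEPS = 1     # accept one step of clock skew either side


def otp_code(secret, unix_time, step=STEP_SECONDS, digits=6):
    """Time-based one-time code in the style of hardware tokens: HMAC over
    the current time step, dynamically truncated to `digits` decimal digits."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret, code, unix_time, used, step=STEP_SECONDS, drift=DRIFT_STEPS):
    """Accept `code` if it matches the current step (or an adjacent one, for
    clock drift) and has not already been accepted in that step. `used` is
    the bank-side replay cache of (step, code) pairs already consumed."""
    for delta in range(-drift, drift + 1):
        t = unix_time + delta * step
        if hmac.compare_digest(otp_code(secret, t, step), code):
            key = (t // step, code)
            if key in used:
                return False          # same code presented twice: replay
            used.add(key)
            return True
    return False


class BankLogin:
    """Toy model of the two policies the comment contrasts: password only
    (what a stolen username/password defeats) versus password plus token.
    Device registration runs the same check, because the comment's point is
    that registering a new computer must not be cheaper than a login."""

    def __init__(self, password, secret, require_token):
        self.password = password
        self.secret = secret
        self.require_token = require_token
        self.used = set()              # replay cache for accepted codes
        self.devices = {"office-pc"}   # constructed registered device

    def login(self, password, code, now):
        if not hmac.compare_digest(password, self.password):
            return False
        if self.require_token and not verify_code(self.secret, code, now, self.used):
            return False
        return True

    def register_device(self, password, code, device, now):
        if not self.login(password, code, now):
            return False
        self.devices.add(device)
        return True


def demo():
    """Walk the comment's assumed scenario: the username/password and one
    token code are captured during a legitimate login, and a new computer is
    then registered with them a few minutes later. Times are constructed."""
    t0 = 1_264_000_000                       # a second in January 2010
    captured_code = otp_code(TOKEN_SECRET, t0)
    pw_only = BankLogin("hunter2", TOKEN_SECRET, require_token=False)
    with_token = BankLogin("hunter2", TOKEN_SECRET, require_token=True)
    results = {}
    # Legitimate customer logs in; this consumes the code for this step.
    results["legit_login"] = with_token.login("hunter2", captured_code, t0)
    # The same code presented seconds later, still inside the same step.
    results["replay_same_step"] = with_token.login("hunter2", captured_code, t0 + 5)
    # Four steps later the captured code has expired. A stolen password alone
    # still registers a device at the password-only bank, not at the other.
    results["pw_only_registers"] = pw_only.register_device(
        "hunter2", captured_code, "laptop-x", t0 + 120)
    results["token_registers"] = with_token.register_device(
        "hunter2", captured_code, "laptop-x", t0 + 120)
    return results


if __name__ == "__main__":
    print(demo())
```

The drift window (one step either side) is the usual trade-off between tolerating token clock skew and widening the replay opportunity; the replay cache closes the latter, which is why it is keyed on the step that matched rather than on the current time.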
  7. 3. The security question probably was in place, and was probably compromised, too.

  8. tx_plow_boy,

    Just wanted to let you know your earlier post somehow wound up in the spam queue. Since it's substantively the same as what you posted later, I'm not going to approve it now.

  9. There are plenty of laws requiring banks to protect consumer accounts, but very little protecting commercial accounts, which is why these cases end up in litigation and settled out of court. Until there is more law protecting commercial accounts, that's where they will continue to be settled. There is a case in Maine, PATCO Construction, that recently had its first day in court... last week as a matter of fact. The court denied the bank's motion to dismiss, which seems to be the trend in these cases; an attempt to settle usually comes soon after that because the bank doesn't want the possibility of an official court decision stating that their system is insecure, which could obviously cause panic account closures... Law enforcement has had little success tracking down those responsible, so the responsibility, IMO, falls with a bank's ability to have systems in place to protect their customers. Customers aren't in the business of protecting their money, which is why they put it in the bank to begin with.

  10. I worked for Wells Fargo and let me tell you that it is easy for fraud to occur from within the bank. Banks are to protect themselves first. All bank personnel must memorize and recite the Patriot Act (to cover their own @$$). All passwords and credit scores pop up on the computer screen along with socials, d.o.b., address, funds available, etc. The sales banker is to take notes to upsell or open new accounts. These notes are usually never checked and are assumed to be thrown away. A banker could sell this info to criminal enterprises.

  11. I would be willing to expose more if anyone is interested.

  12. I would think many people would be interested. I'd have to double-check to be sure, but I think having passwords visible is against PCI-DSS requirements, but I'm not sure if banks have to follow PCI-DSS or lose the ability to handle credit cards the way merchants are.

  13. tx_plow_boy, I've learned something I wasn't aware of that puts a different light on this whole thing. I did not know there was a $10,000 limit on ACH type transactions without having to notify the gov. and tell them why. So whoever stole Hillary's money had to make 80+ transfers in, if I understand the timeline correctly, 24 hours or less. All kinds of flags should have been flying at PlainsCapital. I still think Hillary has to own some responsibility, but if I have the timeline correct, and my assumption that Hillary probably doesn't do that many ACH transfers in a month, much less a day, is correct, the lion's share of the blame does fall on PlainsCapital.

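The flags comment 13 says should have been flying, as an added Python example that is not from the post or any commenter and is not the bank's detection logic: a rolling 24-hour velocity check measured against the customer's own baseline rate, plus a check for runs of transfers sitting just under the $10,000 figure the commenter cites. The log lines, amounts, the five-day baseline and the three-times-baseline limit are constructed assumptions for the demo.

```python
import math
from collections import deque
from datetime import datetime, timedelta

# The $10,000 figure is the one the comment cites. The remaining settings
# are illustrative assumptions, not any bank's actual rules.
REPORT_THRESHOLD = 10_000.00
NEAR_FRACTION = 0.90          # "just under" = 90% of the threshold or more
WINDOW = timedelta(hours=24)

# Constructed sample transfer log (hypothetical times and amounts, not taken
# from any article): ISO timestamp, transfer type, amount in USD. A quiet
# week of ordinary activity, then a burst of near-threshold ACH debits.
SAMPLE_LOG = """\
2009-11-02T09:12 ACH 4200.00
2009-11-03T11:30 ACH 1875.50
2009-11-04T16:02 WIRE 22000.00
2009-11-05T10:45 ACH 3100.00
2009-11-06T14:20 ACH 980.00
2009-11-09T08:01 ACH 9950.00
2009-11-09T08:04 ACH 9975.00
2009-11-09T08:07 ACH 9900.00
2009-11-09T08:11 ACH 9990.00
2009-11-09T08:15 ACH 9960.00
2009-11-09T08:19 ACH 9985.00
2009-11-09T08:24 ACH 9940.00
2009-11-09T08:28 ACH 9970.00
"""


def parse_log(text):
    """Parse log lines into (timestamp, type, amount) tuples sorted by time."""
    rows = []
    for line in text.strip().splitlines():
        ts, kind, amount = line.split()
        rows.append((datetime.fromisoformat(ts), kind, float(amount)))
    return sorted(rows, key=lambda r: r[0])


def baseline_per_day(transfers, days):
    """Average outbound transfers per day over the first `days` days of
    history, taken as this customer's normal rate."""
    start = transfers[0][0]
    recent = [t for t in transfers if t[0] < start + timedelta(days=days)]
    return len(recent) / days


def velocity_alerts(transfers, max_per_window):
    """Flag every transfer that pushes the rolling 24-hour count above
    max_per_window; returns (kind, timestamp, count_in_window) tuples."""
    alerts, window = [], deque()
    for ts, _, _ in transfers:
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) > max_per_window:
            alerts.append(("velocity", ts, len(window)))
    return alerts


def structuring_alerts(transfers, min_run=3):
    """Flag runs of at least min_run consecutive transfers that each sit just
    under REPORT_THRESHOLD; returns (kind, first_timestamp, run_length)."""
    alerts, run = [], []
    for ts, _, amount in transfers:
        if NEAR_FRACTION * REPORT_THRESHOLD <= amount < REPORT_THRESHOLD:
            run.append(ts)
            continue
        if len(run) >= min_run:
            alerts.append(("structuring", run[0], len(run)))
        run = []
    if len(run) >= min_run:
        alerts.append(("structuring", run[0], len(run)))
    return alerts


def review(text, baseline_days=5, multiplier=3):
    """Score a log. The per-window limit is `multiplier` times the customer's
    baseline daily rate (at least 1), so a burst that is out of character for
    this customer trips it even when each transfer on its own looks ordinary."""
    transfers = parse_log(text)
    rate = baseline_per_day(transfers, baseline_days)
    limit = max(1, math.ceil(multiplier * rate))
    return {
        "baseline_per_day": rate,
        "limit_per_24h": limit,
        "velocity": velocity_alerts(transfers, limit),
        "structuring": structuring_alerts(transfers),
    }


if __name__ == "__main__":
    for kind, ts, n in review(SAMPLE_LOG)["velocity"] + review(SAMPLE_LOG)["structuring"]:
        print(f"{kind:12s} {ts.isoformat()} count={n}")
```

On the constructed log the quiet week produces no alerts, the fourth transfer of the burst trips the velocity limit, and the whole run of eight near-threshold debits is reported once as a structuring pattern. A per-customer baseline is the point: the same eight transfers would be unremarkable for a payroll processor and are anything but for a customer averaging one a day.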
  14. I would agree, Bert. Another broad-based media source, KrebsOnSecurity, who is probably on the investigative reporting cutting edge of these incidents, just recently published an article on this same case and a lot more specific information was released in the article. WOW!

    http://www.krebsonsecurity.com/2010/01/texas-bank-sues-customer-hit-by-800000-cyber-heist/

  15. I become less and less sympathetic to PlainsCapital as I learn more about what went on. You don't use email (EMAIL?!!!!) to send "secure access codes", not without using the phone to make sure the person you think you sent them to got them. And even then it's not secure. Standard email is not for high (or even medium) security information. Period. End of Discussion.

    Don't get me started on not being more diligent when receiving requests from areas that not only do your customers not normally make requests from (I assume), but are known to be havens for cybercriminals.

    And to top it off, PlainsCapital is stupid enough to sue to get a court to say their security measures are adequate? It looks to me like they need to hire a (new?) Chief Security Officer, and get ready to pony up some dough.

  16. Bert, there is more... Computer World / PC World just took the story as well: http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft

  17. I feel slighted. They didn't recognize my blog post 4 days earlier than Krebs. :)

    Of course, I didn't mention the lawsuit.

    It'll probably show up in my alerts later tonight if it hasn't already. I haven't checked them yet. This is going to be one for the books, for sure.

    Thanks for keeping me updated.

  18. Don't be... you're doing fine work here!

  19. Hmmmmmmm, interesting survey... sounds a little familiar

    http://www.phishcops.com/docs/Trends_in_MFA_NonCompliance.pdf

  20. Good report. I tried to talk to City Bank here in Lubbock when they instituted the "secret picture" and tell them it wasn't a second factor, and that as a security measure all it really does is give a false sense of security.

  21. Hey Bert, this story made the Dallas News http://www.dallasnews.com/sharedcontent/dws/bus/stories/DN-PlainsHillary_02bus.ART0.State.Edition1.3f41f60.html

  22. Thanks for the heads-up. Pretty much a rehash, but I did learn a little more about Hillary. That they still haven't determined how their credentials were stolen is a little odd - but only a little - and doesn't change that PlainsCapital shouldn't have let most of the transactions through without a more thorough check.

  23. It's getting better

    http://video.foxbusiness.com/v/4000423/cyber-attack-hits-company-twice/?playlist_id=87185

  24. Well, you have to give PlainsCapital credit for chutzpah. I'm probably going to have to do an update on this pretty soon.

  25. [...] hicks, then acted more ignorant by trying to sue for vindication. I said it in the comments of my original post on this subject that email is not a secure verification method, and that point is being made by [...]
