A supervisor for the town of Poughkeepsie, New York lashed out at a local bank after someone siphoned $378,000 out of municipal coffers and transferred it to Ukraine. Supervisor Patricia Myers, who waited more than three weeks to disclose details of the heist, didn't question whether any of the responsibility rested with …
The perfect victim
Running IE6 because the IT department says so and because someone in procurement bought something 6 years ago and no one can be bothered to replace it or upgrade it... Firewall settings at "lame" because some pseudomanager said so...
Hm... They are right for the picking (and well deserved to be so)...
re: the perfect victim
Right on target!
When big businesses like M$ try to make technical life easier for the unenlightened, they are only setting them up for failure. No system will ever be able to secure the weakest part: the end user. We all know this, but somehow nobody does anything about it, because sales are more important. Even open software like Firefox isn't immune to inept users. So sad, but is there a cure?
Probably not a cure...
...but you can make life hard for the scammers by avoiding anything branded "Microsoft".
£370 transfer to the US triggered Nationwide's alarms
Just embarrassing that it was payment to ISACA for CISM membership / exam
They have allowed you to transfer over the Internet?
Interesting, they force me to drag my sorry a*** passport in hand to their office every time I have to transfer money abroad (talking proper transfer here, not visa payments). Otherwise they are generally OK on allowing stuff.
It triggered another bank's alarms for me. ISACA must be dodgy!
6 of 1
and half a dozen of the other....?
The city should have better controls on downloading or receiving links to Megan Fox piccies, and work ethics in place to stop the drones from accepting them, but the banks should also have locks in place to stop money in government afforded accounts being transferred to accounts outside the jurisdiction of the recipient body.
Seriously, how hard can it be for banks to instigate something that says, if this body receives federal funding, or a person who has never transferred money to countries outside the US has a transfer to another country, that said transfer is stopped until someone in authority physically, in person, authorises it.
The buck stops with the bank, they are the final gateway for fraud, and are failing everyone
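As an added example (not from the thread, and not any bank's real system), here is a minimal screening rule of the kind the post above asks for: an outbound transfer from a public-body account to another country, or the first-ever cross-border transfer from any account, is held until someone authorises it. Account ids, amounts and country codes are constructed sample data.

```python
# Added example (not from the thread or from any bank's system): a minimal
# screening rule for outbound transfers. Accounts, amounts and country codes
# below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass

HOME_COUNTRY = "US"


@dataclass(frozen=True)
class Transfer:
    account: str        # sending account id
    amount: float       # in home currency
    dest_country: str   # ISO 3166 alpha-2 code of the beneficiary's bank
    public_body: bool   # account holder is a town, agency or other public body


def new_history():
    """Per-account set of foreign countries this account has already paid."""
    return defaultdict(set)


def screen(history, t):
    """Decide 'process' or 'hold' for one transfer before it is released."""
    if t.dest_country == HOME_COUNTRY:
        return "process"
    if t.public_body:
        # Public money leaving the jurisdiction always waits for an in-person sign-off.
        return "hold"
    if not history[t.account]:
        # First cross-border transfer ever from this account: stop and ask.
        return "hold"
    return "process"


def record(history, t):
    """Remember a foreign destination once the transfer is processed or approved."""
    if t.dest_country != HOME_COUNTRY:
        history[t.account].add(t.dest_country)


def demo():
    """Run the rule over a constructed sequence and return the decisions in order."""
    history = new_history()
    town_local = Transfer("town-001", 12500.0, "US", True)
    town_abroad = Transfer("town-001", 378000.0, "UA", True)
    cust_first = Transfer("cust-042", 500.0, "GB", False)
    cust_second = Transfer("cust-042", 800.0, "FR", False)
    decisions = []
    for t in (town_local, town_abroad, cust_first):
        d = screen(history, t)
        decisions.append(d)
        if d == "process":
            record(history, t)
        elif t is cust_first:
            record(history, t)  # pretend the customer confirmed this one in branch
    decisions.append(screen(history, cust_second))
    return decisions
```

The public-body hold never clears on its own, so a town's wire abroad always needs a person; a private customer is only stopped the first time, after which ordinary foreign payments flow.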
I must agree
I must agree, if someone subverted the bank's security to withdraw funds, this is the bank's responsibility.
If, on the other hand, the account owner is running out of date, known insecure software and they get pwned, that's too bad for them.
Don't run IE. Don't run Windows for anything secure. Personally, I declined online banking since I don't use it, so I can't have money hoovered out that way. If I were the banks I would distribute a LiveCD and urge people to use it for all banking.
Just recommend a decent AV, and have a policy on the online banking website that looks for key interceptors before showing the logon page.
Take our secure gateway... all over SSL, before the logon page either a Java or ActiveX control is downloaded and checks for anything that intercepts key strokes, and also any known naughty viruses currently loaded into memory. Also downloads a cache cleaner that removes traces of accessing the site.
Followed by RSA token authentication.
That gets you in. Although if you want to download files to your local system from the gateway the system checks for a local certificate and registry entry to see if you're an authorised device, as well as checking for up-to-date (bar 2 updates) antivirus that's turned on, Windows firewall is enabled, latest service pack (we wait 3 months before updating it so users have a chance to update) and any major / critical security patches are applied too. (Users get 48 hours for these).
If anything fails, the system explains in plain English, including screenshots, how to get your system back to health.
The point is, transactions can be very, very secure. Nothing is perfect - if a user writes down their encryption password for their laptop, and keeps their RSA key, and their domain username/password all in the same laptop bag and it gets nicked then the security is gone.
But banks can, and should make more of an effort.
And leave IE / Windows out of it. FF and Safari are like blocks of swiss cheese - and that's without the FF add-ons people rave about until it crashes FF or installs a pre-approved Mozilla virus! Linux requires just as many updates as Windows, and OS X is hardly a security hardened OS either.
Good system administration can make any software stack as secure as the next. Show me a user friendly, daily use OS that doesn't require AV, firewall and patching and I'll get my coat.
Gov. Crisis Response: 3A: Blame the Banks
Following standard US government crisis response procedures, we are invoking item #3A: It's all the Bank's fault.
Knowing our current bureaucracy, policies, procedures, protocols, standards, and regulations make it impossible for us to make mistakes, this must be someone else's fault.
Also please note that most banks are run by Republicans; so it's all their fault as well.
Now, please allow me to grab my coat with its full taxpayer paid pension and exit stage left.
"movement...of money from a town account to an account in Eastern Europe did not immediately raise a red flag with a bank, was not questioned by anyone at the bank, but was simply processed"
Silly bankers. Everyone knows big local government payments only go to contractors controlled by family members.
"They are right for the picking"
You mean, "ripe for the picking"?
@henry wertz 1
I fully agree with your synopsis to a point.
You make fully valid observations. Something as important as banking should be done in person; you would no more trust your local charlatan to take care of your finances than you would your local paedophile for child care.
Your assumption that it was IE that was responsible irks me somewhat, in an enlightened moment you may realise that people/companies/institutions are just as vulnerable whichever browser was used, so until confirmation of which OS and browser was used, perhaps we should just stick with, it was any flavour linux, and a mozilla browser shall we?
Of course your opinion will prevail, it's the current fad.
"in which cybercooks successfully made off with $40m"
Did they 'beat' a hasty retreat or maybe "whisked" the loot away. Everyone gets a slice of the pie, but you can't have your cake and eat it...
oh very well. Please yourself!
2 factor authentication
Repeat after me - Something you HAVE and something you KNOW. Completely foils a keylogger if you have a smart card challenge/response for transfers. We use Coutts for the Media Banking for an artist, it's extremely configurable, and transfers require a challenge/response against a smartcard. Brilliant.
Banks like LloydsTSB should pay attention - something you know and something else you know is not 2-factor and is hence a lot more vulnerable, which makes scenarios like this possible in the first place.
You're still hosed then..
A smartcard needs a driver. Ding. Secondly, you can have a man-in-the-browser attack - you don't see what you actually authorise. Ding.
Unless you use an out-of-band method for confirmation you will always have the exposure. Examples of out of band are SMS confirmations (but not easy to log in) and a thing called an Internet Passport, which has just been introduced by the Swiss Kantonalbank of Bern, which adds biometrics, making it 3 factor.
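As an added example (not from the thread, and not any bank's real protocol), the toy below puts the two posts above side by side: a one-time code that only proves possession of the token, and a challenge/response that is bound to the beneficiary and amount the cardholder confirms on the reader's own screen. Only the bound form notices when what reaches the bank differs from what the customer agreed to. The key, nonce and payment details are constructed sample values.

```python
# Added example (not from the thread, and not any bank's real protocol): a toy
# transaction-signing challenge/response beside a plain one-time code that is
# NOT bound to the transaction. Key, nonce and payment details are constructed.
import hashlib
import hmac

# In a real deployment this key never leaves the card; here it is a constant.
CARD_KEY = b"constructed-demo-key-not-a-real-card-secret"


def otp_response(key, nonce):
    """'Something you have' that only proves possession: ignores what is being signed."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()[:8]


def signed_response(key, nonce, beneficiary, amount_cents):
    """Response bound to the exact payment shown on the reader's own display."""
    msg = f"{nonce}|{beneficiary}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def bank_accepts(key, nonce, beneficiary, amount_cents, response, bound):
    """Bank-side check; 'bound' selects which kind of code the bank expects."""
    if bound:
        expected = signed_response(key, nonce, beneficiary, amount_cents)
    else:
        expected = otp_response(key, nonce)
    return hmac.compare_digest(expected, response)


def simulate(bound, tampered):
    """Return whether the bank accepts the payment that actually reaches it.

    The customer intends one payment. If 'tampered' is set, the beneficiary and
    amount are swapped on the way to the bank while the code the customer
    generated is forwarded unchanged (the situation the reply above describes).
    """
    nonce = "1f3a9c2e"  # constructed; a bank would pick this fresh per transaction
    intended = ("Acme Supplies Ltd 12345678", 250_000)
    if bound:
        code = signed_response(CARD_KEY, nonce, *intended)
    else:
        code = otp_response(CARD_KEY, nonce)
    submitted = ("unknown beneficiary 99999999", 37_800_000) if tampered else intended
    return bank_accepts(CARD_KEY, nonce, *submitted, code, bound)
```

The bound code only helps if the beneficiary and amount are shown to the customer by the reader itself (or keyed into it), not merely by the browser; a reader with its own keypad and display also needs no driver on the PC, which answers the first objection in the reply.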
I worked in an organisation where the accounts system had a support contract that included remote access. We were told (ordered) to allow some specific IP addresses to have the relevant access directly into the accounts system. One of the IP addresses was located with an ISP in Estonia, with a name that suggested it was some kind of gateway, presumably allowing anyone with the relevant credentials onward access into the accounts system (from which electronic payments could be instigated).
I've had banks close my accounts after I made what they consider to be suspicious transactions. A few PayPal transfers and some PayPal refunds quickly flagged their security people.
A bank wouldn't flag transfer from a town to the Ukraine? That makes sense.
I don't care that the town's computers were running garbage software and their IT people probably make more money than they should for the little education they have. However the bank is responsible in situations like this.
After it is gone, good luck getting it back!
Here in the USA, the banks "aren't responsible". They are insured by our government (in the form of FDIC) for only $250k (it used to be $100k). If you have a "loss" of more than that amount, so sorry, the bank is not liable AT ALL. Even if you do get FDIC to give you something, since it is related to foreign things, it falls under the department of Homeland Security. Most of the people there are wannabe political hacks, and don't care AT ALL. I've got a friend who has been waiting almost TWO YEARS to get some of the scammed $$$ back into his account. In the meantime he can't even open a bank account in his name since it all was frozen (again by Homeland Security) just to be "safe" (or to have a political hack keep his job).
Maybe the suit by the city against the bank will bring things to light (but don't count on it)!!
True, post-keylogger install it would make no difference what browser they were using. And if they manually ran an app the browser wouldn't matter then either. But IE tends to be the most exploited and slow to be patched (compared to FF, Chrome, etc.) so I still recommend against IE.
As for the OS... No. In Linux files are saved non-executable, so the "download and run this app" attack will not work, since the type of user who would fall for this will not know how to chmod +x or use the GUI to do that. Plus the practical matter that there's virtually no exploits in the wild for anything but Windows.
"Download and run this app" attacks will work just as well in Linux, OSX or Unix as they will in Windows, because all you need to do is add the relevant instruction on how to make the app executable. The people who run the apps that are downloaded are the sort of people who will do anything that their computer tells them to do. Besides - I haven't noticed that I've not been able to run apps on my Linux boxes (Fedora) when I've downloaded them; you just double click and answer a couple of dialogue boxes, maybe enter your root password, and you've just installed an RPM. I can't remember the actual process because it's so easy I don't need to bother to remember it.