Thursday, June 16, 2011

U.S. Bank Must Pay Back Customers for Money Stolen by Hackers

Robert McMillan writes on Techworld.com:

A US court has ruled that Comerica Bank is liable for a $560,000 (£350,000) cyberheist, saying the bank should have done a better job to spot millions of dollars in fraudulent transactions after one of the bank's customers was tricked in a phishing attack two years ago.

In a June 13 decision, the court ruled in favour of Experi-Metal, a custom car parts maker that had sued Comerica after the January 2009 incident. In just a few hours, criminals tried to move millions of dollars to Eastern Europe, before Comerica's fraud department shut down the scam.

Most of the money was recovered, but in his ruling Judge Patrick Duggan of the US District Court for the Eastern District of Michigan said that the bank should have done a better job of stopping the fraud. A "bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier," Judge Duggan wrote in his ruling.

Experi-Metal's troubles started in the early morning hours of January 22, 2009. That's when the company's vice president of manufacturing, Gerry King, received a phishing email telling him to fill out what appeared to be a mundane piece of online paperwork: a "Comerica Business Connect Customer Form." He forwarded the email to Controller Keith Maslowski, who then logged into a website belonging to the criminals. With Maslowski's login credentials, the criminals were off and running. Over the next six-and-a-half hours they raced to steal as much of Experi-Metal's money as they could before their window of opportunity closed.

More here.

Wednesday, June 15, 2011

Payroll Firm ADP Investigating System Intrusion

John Ribeiro writes on PC World:

Automatic Data Processing said on Wednesday that it is investigating a system intrusion that likely impacted only one client.

The intrusion, which occurred on a non-payroll legacy platform that is no longer sold by ADP's benefits administration business, was detected by the company's security team during routine system monitoring, the payroll and business outsourcing company said.

ADP did not name the affected client, but said the client was from Workscape, a benefits administration provider it acquired last year. ADP said it immediately notified the client to make the client aware of the situation.

ADP has about 550,000 clients. It said it could not disclose any additional details on the security breach, as the incident is the subject of an ongoing law enforcement investigation.

More here.

Tuesday, June 14, 2011

Hacking Blitz Drives Cyberinsurance Demand

Ben Berkowitz writes for Reuters:

The recent string of sensational hacker attacks is driving companies to seek "cyberinsurance" worth hundreds of millions of dollars, even though many policies can still leave them exposed to claims.

Companies are having to enhance not just their information technology practices but also their human resources and employee training functions just to get adequate coverage against intrusion -- and in some cases, they are also accepting deductibles in the tens of millions of dollars.

Insurers and insurance brokers say demand is soaring, as companies try to protect themselves against civil suits and the potential for fines by governments and regulators, but also as they seek help paying for mundane costs like "sorry letters" to customers.

"When you have a catastrophic type of data breach then yes ... the phones ring off the hook," said Kevin Kalinich, co-national managing director of the professional risk group at insurance broker Aon Corp.

More here.

Monday, June 13, 2011

U.S. Senate Website Gets Hacked

Andrew Morse and Ian Sherr write in the Wall Street Journal:

A hacker group that has claimed attacks on media and law-enforcement affiliates extended its month-long cyber mischief Monday, boasting that it had cracked the U.S. Senate's website.

The group, Lulz Security, posted on its own website a configuration file for the Senate's main website. The material in the file suggests sensitive information was not breached, but does indicate Lulz Security infiltrated the Senate's website.

"This is a small, just-for-kicks release of some internal data from Senate.gov," Lulz Security said in a news release. "Is this an act of war, gentlemen?"

The group appeared to be referencing a recent Wall Street Journal article that reported the Pentagon considered some forms of computer sabotage constituted warfare.

More here.

Thieves Found Citigroup Site An Easy Entry

Nelson D. Schwartz and Eric Dash write in the New York Times:

Think of it as a mansion with a high-tech security system — but the front door wasn’t locked tight.

Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank’s vast reservoir of personal financial data, until they were detected in a routine check in early May.

That allowed them to capture the names, account numbers, e-mail addresses and transaction histories of more than 200,000 Citi customers, security experts said, revealing for the first time details of one of the most brazen bank hacking attacks in recent years.

The case illustrates the threat posed by the rising demand for private financial information from the world of foreign hackers.

More here.

Regulators Pressure Banks After Citi Data Breach

Maria Aspan writes for Reuters:

Major U.S. banks came under growing pressure from banking regulators to improve the security of customer accounts after Citigroup Inc became the latest high-profile victim of a cyber attack.

While Citigroup insisted the breach had been limited, experts called it the largest direct attack on a major U.S. financial institution, and said it could prompt an overhaul of the banking industry's data security measures.

The Federal Deposit Insurance Corp, the nation's primary regulator, is preparing new measures on data security. Its chairman Sheila Bair said on Thursday she may ask "some banks to strengthen their authentication when a customer logs onto online accounts."

More here.

FBI Agents Get Leeway to Push Privacy Bounds

Charlie Savage writes in the New York Times:

The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention.

The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide, according to an official who has worked on the draft document and several others who have been briefed on its contents. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity.

The F.B.I. recently briefed several privacy advocates about the coming changes. Among them, Michael German, a former F.B.I. agent who is now a lawyer for the American Civil Liberties Union, argued that it was unwise to further ease restrictions on agents’ power to use potentially intrusive techniques, especially if they lacked a firm reason to suspect someone of wrongdoing.

“Claiming additional authorities to investigate people only further raises the potential for abuse,” Mr. German said, pointing to complaints about the bureau’s surveillance of domestic political advocacy groups and mosques and to an inspector general’s findings in 2007 that the F.B.I. had frequently misused “national security letters,” which allow agents to obtain information like phone records without a court order.

More here.

Sunday, June 12, 2011

FBI Investigating Cyber Theft of $139,000 from Pittsford, NY

Brian Krebs:

Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.

The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several money mules, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services Western Union and Moneygram.

Over the next four business days, the thieves initiated another three fraudulent batch payments to money mules. Some transfers went to money mules who owned businesses, such as a $14,750 payment to Mission Viejo, Calif.-based Art Snyder Software. Most money mules were sent payments of less than $5,000.

Pittsford town supervisor William Carpenter said the FBI is investigating the incident, and that many of the details of how the attackers got in remain unclear. He said the FBI told him the thieves most likely stole the town’s online banking password using a banking Trojan. He added that the town has recovered just $4,800 of the stolen funds, the proceeds of a single transfer.

More here.