A fire alarm company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and drained its payroll account.
On Wednesday, Apr. 7, Ft. Smith-based JE Systems Inc. received a call from its bank stating that the company needed to move more money into its payroll account, chief executive Melanie Eakel said. Over the course of the previous two days, someone had approved two batches of payroll payments — one for $45,000 and another for $67,000.
“They said ‘You’re overdraft,’ and I told them that was impossible because we didn’t do our payroll…we do it every Thursday, not on Mondays at 2 a.m., which was when this was put through,” Eakel said. “I told them we did not authorize that.”
A few days later, however, the First National Bank of Fort Smith sent JE Systems a letter saying the bank would not be responsible for the loss. First National did not return calls seeking comment.
“They said it was our [Internet] address that was used to process the payments, and our online banking user name and password,” Eakel said. “I feel like the bank should have caught this.”
As Eakel discovered the hard way, businesses do not enjoy the same legal protection against online banking fraud afforded to consumers. All the attackers need to do is trick an employee with access to a company’s bank accounts into opening a booby-trapped e-mail attachment or specially crafted link: From there, the attackers can plant malware on the target’s system and siphon any credentials stored on or transmitted through the infected PC.
Whether or not that company will ultimately lose money from such an intrusion depends on a great many factors (including whether or not the bad guys who stole the credentials ever get around to using them). Having interviewed more than 100 companies that have been hit with this type of attack, however, I can say that when a victim loses money there is usually plenty of blame to go around for both the bank and the customer.
First off, far too many banks still rely purely on user-facing security mechanisms for authentication, such as passwords, secret questions, and one-time tokens. All of these — even when used in tandem — have been defeated by the organized criminal gangs that targeted the companies I have interviewed.
Part of the problem is that most banks — even the smaller ones — no longer know their customers, by sight or by name. Consequently, few banks actually have a good feel for what their customers’ normal transaction activity looks like. That wouldn’t be such a big deal if most banks made up for that lack of knowledge with some type of technology that builds a profile of customer transactions, and then alerts the bank and/or the customer when anomalies arise. However, relatively few banks employ this type of technology today, particularly for their commercial customers.
Many of the business owners who lose sizable amounts of money from this type of fraud are not in the habit of reconciling their books on a daily basis. Indeed, a majority of the victims I’ve interviewed who lost substantial sums failed to detect the missing money for more than 24 hours. This is not to say that victims who discover the fraud on the same day it is perpetrated always recover some or all of their money, but they stand a far better chance of doing so than those who don’t detect it right away.
Back to the banks for a second: At what point are the financial institutions of this country going to begin placing giant red flags on new accounts that suddenly receive deposits of slightly less than $10,000, money which the account holder shows up to withdraw in cash shortly thereafter? For that matter, shouldn’t the companies that facilitate the subsequent wire transfers be held to a higher standard?
IGNORANCE OF THE LAW…
JE Systems was robbed with the help of at least a dozen different “money mules,” willing or unwitting individuals in the United States who are hired through work-at-home job scams to help crooks launder their money. In every case I’ve covered, the mules pulled the money out in cash, wired the funds overseas to Ukraine and Moldova, and kept about eight percent in “commission” (minus the hefty wire fees).
For her part, Eakel said her company certainly could have been more vigilant with its books. But she added that she’d like to see some of the money mules prosecuted for aiding and abetting fraud.
“It’s overwhelming my emotion to talk about this,” Eakel told Krebs on Security in a phone interview, audibly choking on the words. “These mules or whatever they are need to find a real job and a legal, honest way to earn their money just like the rest of us, and stop stealing from innocent small businesses. Honestly, I don’t understand how these individuals can sleep at night.”