E-BANDITS HIT CA ESCROW COMPANY FOR NEARLY HALF A MILLION DOLLARS

July 27th, 2010

in-escrow-sign3

Redondo Beach-based firm Village View Escrow was recently hit for $465,000 by thieves who hijacked the company’s bank account electronically.

The cyber-thieves sent a fraudulent e-mail to the owner and to her assistant. Both women opened the e-mail, which secretly released a password-stealing virus onto their respective computers. Armed with the banking login information for both women, the hackers deactivated the customary advisory service and used the requisite two login credentials to issue electronic instructions to the escrow company’s bank to wire out various amounts of money to various other accounts. In total, 26 wire transfers were ordered, all of which were executed because of the two (apparently) legitimate login credentials. No confirming advisory messages for each transfer were sent to the escrow company because the cyber-thieves had disabled that notification feature using the stolen login credentials.

Some 20 individuals around the world received the wired money and re-transmitted it to the cyber-thieves after withholding a portion as payment for their services. Such intermediaries are known in the business as “mules”, and are often clueless about the criminal nature of their involvement in the scheme.

Working frantically after the theft was discovered, the escrow company owner managed to get $70,000 of the fraudulent wire transfers reversed. That left a $395,000 shortfall which the bank will not reimburse. The escrow owner had to take a loan to cover the shortfall at 12%, and can not even draw a salary as she tries to put the company back on its feet.

Several of the features built into InterComputer’s Trusted Banking solution would have stopped the illicit use of legitimate banking credentials before any wire transfers could have been ordered by the cyber-thieves.

Tags: ,
Posted in Banking Industry, Computer Crime | No Comments »


THE OTHER SHOE DROPS: BRAZEN CYBER CRIMINALS ROB BANK

June 2nd, 2010

In most reported cyber crimes involving theft of funds, the victim is a small business or municipality. In a rare case, cyber thieves recently stole money directly from a credit union’s internal funds.

On May 20, Treasury Credit Union of Salt Lake City, Utah, became the victim of more than 70 unauthorized transfers from internal accounts. All the transfers were in amounts under $5000, but the total stolen was “in the low six figures”.

blogpic

The FBI is investigating the case, in which many of the transfers were actually executed by “money mules”, i.e., people recruited for that specific purpose. Some of the “mules” were apparently unwitting about the criminal nature of their activity. The “brains” behind this type of cyber crime are often located in Eastern Europe (in this case, Ukraine).

The key to the crime was the furtive planting of a “Trojan horse” program on the computer of one of the credit union’s employees. That malware program forwarded the employee’s on-line banking credentials (user name, password, etc.) to the criminals in the Ukraine, who used them in an orchestrated manner to steal as much money as possible before the crime was discovered and halted.

InterComputer’s Trusted Banking solution is designed expressly to prevent the compromise of electronic identities and communications in electronic banking and insure against losses from cyber crime of any kind.

Tags: , ,
Posted in Banking Industry, Computer Crime | No Comments »


NEW FEDERAL LAW EXPANDS HEALTH INFORMATION SECURITY REQUIREMENTS

April 29th, 2010

The American Recovery and Reinvestment Act of 2009 (ARRA) expands the privacy protections for health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

On April 17, 2010, the Department of Health and Human Services (HHS) released guidance on technologies and methodologies for securing legally protected health information (PHI), which takes effect immediately.

Until now, HIPAA’s privacy and security requirements applied only to health care providers, health insurance plans and health care clearinghouses. Now those requirements (and the penalties for non-compliance) also apply directly to third-party administrators and other vendors.

The act significantly increases civil penalties for violations. Maximum penalties are $10,000 per violation, with a cap of $250,000 for multiple violations during the calendar year. The penalties apply to all violations after the date of enactment. Health and Human Services will periodically audit covered entities and will investigate covered entities upon receiving a complaint.

Effective immediately, state attorneys general can bring civil actions in federal court against covered entities seeking injunctions against violations and can sue for damages on behalf of state residents.

InterComputer’s Trusted Health Information solution prevents the compromise of electronic identities and communications between health care providers, insurance companies, other vendors, and patients, and insure against losses and regulatory penalties from cybercrime of any kind.

medical_01

Tags: , , , ,
Posted in Computer Crime, Electronic Medical Records | No Comments »


CYBERTHIEVES HIT MISSOURI DENTAL PRACTICE FOR $200K

April 1st, 2010

steve-martin-dentist

Yes, this IS going to hurt a bit.

On March 22, cyberthieves penetrated a computer at the Smile Zone dental practice in Springfield, MO, and transferred over $200,000 from the practice’s bank account in 11 different transfers.

The investigation is ongoing, but it appears likely the thieves used an application of ZeuS, Zbot, or SpyEye crimeware to hijack the computer and instigate the wire transfers. “Money mules”, people who knowingly or unknowingly serve as relay stations for money transfers, were also involved in this crime.

Banks reliably deny any liability when their customers’ online banking credentials are stolen or compromised. Unlike consumers, who enjoy legal limitations on cybercrime losses, businesses can only try to reverse the illegal transfers and hope for the best. If the illegal transfers are not undone within the first 24 hours, the likelihood of recovering the stolen money falls dramatically.

In this particular case, the bank only required a user name and password to conduct online banking transactions. That information was, apparently, easily hijacked by the thieves, who then posed as the dental practice and wired the money out.

InterComputer’s Trusted Banking solution is designed expressly to prevent the compromise of electronic identities and communications between banks and their clients, and insure against losses from cybercrime of any kind.

Tags: ,
Posted in Banking Industry, Computer Crime | No Comments »


BANK SUES VICTIMIZED CUSTOMER OVER CYBERCRIME

March 29th, 2010

When cyberthieves stole more than $800,000 from the accounts of a machine equipment company in Texas, one might expect the victim to seek redress from their bank. To date, such compensation for electronic banking losses has been exceedingly rare as banks have carefully avoided setting such a precedent. A number of victims have sued their banks in an attempt to recover their losses, but in this case the bank has set a new precedent: it has preemptively sued the victim.

InterComputer’s Trusted Banking solution is designed to prevent cybercrimes such as this case.

For more on this story, click here.

Tags: , ,
Posted in Banking Industry, Computer Crime | No Comments »


ON-LINE BANKING SECURITY – HOW MANY FACTORS ARE ENOUGH?

March 3rd, 2010

On-line banking security is increasingly the subject of news reports of various types of cybercrime, usually involving electronic identity theft and the illegal transfer or diversion of funds from the victim’s bank account. As the problem grows in size, legal challenges are increasingly attempting to hold banks liable for losses from such crimes. Banks are, of course, very reluctant to accept such liabilities and are battling the problem with both legal and technological strategies.

Typically, banks are offering “two-factor authentication” as a de facto industry standard for on-line banking security. The following video, provided by ZD Net, clearly explains what two-factor security is and how it works:

The problem with two-factor security is that hackers have now discovered how to defeat it in real-time. The following article from the MIT Technology Review details an actual case where a construction company lost almost half a million dollars to such an attack:

http://www.technologyreview.com/computing/23488/?a=f

The authentication of a customer’s electronic identity and the correct application of the customer’s authority limits are the very reasons for on-line banking security. If either objective is not reached, the system has failed and the results can be disastrous.

InterComputer’s fully-insured InterOperating System (IOS) begins with a three-factor approach adding something the user is (a biometric measurement) in addition to something he knows and something he has. This approach, combined with many other design, architectural and procedural factors, combine to create an electronic “trusted path” and result in InterComputer’s IOS being the only underwritten electronic transaction system commercially available today.

To learn more about InterComputer’s Trusted Banking solution, click here.

Tags: , ,
Posted in Banking Industry, Computer Crime | No Comments »


ELECTRONIC MEDICAL RECORD SECURITY – HUGE CARROT, HUGE STICK

March 3rd, 2010

Hospitals, doctors, and insurance companies face intense pressure to electronify medical information and health histories. This pressure is comprised of both a very big stick and a very big carrot.

The stick comes in the form of proliferating state and Federal laws mandating the safekeeping of electronic medical records (EMR). Last year, the hospital that treated the mother and babies in the famous “Octomom” case was unable to prevent unauthorized access to their medical records by the hospital’s own employees. California regulators fined the Kaiser Permanente hospital in Bellflower a total of $437,500 for failure to prevent just two instances of unauthorized access. Other prominent institutions, such as UCLA Medical Center, have suffered newsworthy failures to protect EMR information in the cases of Farah Fawcett, Britney Spears, Maris Shriver, and others. In addition to the financial damage such failures incur, hospitals are deeply concerned about the effects of adverse publicity on their reputation and about incurring big expenses in related legal actions.

The carrot comes in the form of a huge Federal earmark for $19 billion in stimulus money to incent the development and implementation of electronic medical records (EMR) technology.

InterComputer is working within the health care industry to address two major market requirements:

1. The need to control access to EMR in compliance with applicable Federal and state laws
2. The need to securely communicate and exchange documents among hospitals, doctors, and insurance companies

The InterComputer InterOperating System (IOS) is fully compatible with all major EMR solutions and applications and fully insured against loss due to cybercrime of any kind within the system. Its advanced user identity, authority delegation management, and secure messaging technologies, can absolutely prevent the kind of incidents that have proved so costly to Kaiser’s bottom line. IOS also delivers automated compliance with both HIPAA and SarbOx regulatory requirements.

To learn more about InterComputer’s EMR capability, click here.

medical_01

Tags: , , , ,
Posted in Electronic Medical Records | No Comments »


MASSIVE CYBER ATTACK SHOCKS 2500 COMPANIES

February 24th, 2010

Last month, engineers discovered a massive, long term, global cyber attack that has successfully breached more than 75,000 computer systems at nearly 2,500 companies in nearly 200 countries. Amit Yoran, chief executive of NetWitness (the company that first detected the attack) said, “The attack also highlights the inability of the private sector — including industries that would be expected to employ the most sophisticated cyber defenses — to protect itself…The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats…The things that we — industry — have been doing for the past 20 years are ineffective with attacks like this. That’s the story.”

Run by an eastern European criminal group, the attack (dubbed the “Kneber bot”) began in 2008 and successfully targeted “proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries”.

The Kneber bot commandeers users’ computers, scrapes them for login credentials and passwords — including to online banking and social networking sites — and then exploits that data to hack into the systems of other users. It has the ability to target any information the attackers want, including file-sharing sites for sensitive corporate documents.

Stories of successful cyber attacks are no longer novel, but this story is remarkable for two reasons: the long term, large-scale nature of the attacks and the presumed sophistication of the targets’ cyber defenses.

InterComputer’s insured Interoperating System (IOS) is structurally immune to attacks like the Kneber bot. It provides an “end-to-end trusted path” for electronic messages and payments that is impossible to achieve by cobbling together products from various vendors. While InterComputer is not in the business of securing computers and networks, the IOS is not a potential point of entry for any attack like the Kneber bot. All messages sent or received within the IOS are fully insured against cybercrime of any kind, including any attack like the Kneber bot. To learn more about the IOS, click here.

Details of the attack and its implications are available at:

http://www.washingtonpost.com/wp-dyn/content/article/2010/02/17/AR2010021705816_pf.html

Tags: , ,
Posted in Computer Crime | No Comments »


ARE YOU HELPING YOUR HACKER?

February 8th, 2010

Password overlap is the practice of using one on-line password at more than one website. At first glance, it seems obvious that doing this would make it far easier for a hacker who steals the password at a less-secure website to turn around and use it to “walk in the front door” of a very secure website—like your bank, for example. But who would be dull enough to use their online-banking password for any other website?

It turns out that, according to a recent msnbc blog post by Bob Sullivan ( http://redtape.msnbc.com/2010/02/for-years-computer-security-experts-have-been-preaching-that-users-should-never-share-the-same-password-across-their-connecte.html), nearly 75% of 4 million people surveyed do exactly that. Worse, about half of all consumers use both their banking password and their banking user name at other sites. In such cases, any hacker who steals them from an unsecure site can have instant, unfettered access to the rest of your cyber-life as well as your real cash and personal information.

While most consumers are not willing to create and maintain a unique user name/password combination for every website they use, your on-line banking login information should be unique and used only for your banking website. Sullivan’s post wisely suggests that if unique logins are too much for you to handle, you should consider creating at least three unique logins: one for your financial sites, one for sites that store your personal information, and one for generic logins.

Fortunately, most financial institutions provide additional security layers for your on-line access. Nevertheless, increasingly sophisticated cybercriminals are successfully breaching on-line banking security to the tune of hundreds of millions of dollars per year. To date, banks have refused to reimburse their customers for losses due to cybercrime and have vigorously worked to prevent the establishment of any legal precedent requiring them to do so.

That is why InterComputer Corporation is working with the largest U.S. banks to implement an insured electronic transaction environment that covers all parties with complete underwritten loss recovery.

Tags: ,
Posted in Banking Industry | No Comments »


COURT ALLOWS LAWSUIT AGAINST BANK FOR ON-LINE THEFT

February 8th, 2010

The issue of who pays when a customer’s on-line access to bank accounts is compromised has been simmering ever since on-line banking began. Banks have, understandably, been exceedingly reluctant to accept liability when a customer’s electronic banking identity and password are compromised and money disappears from their accounts. Financial institutions have spent heavily to prevent the establishment of any precedent that would result in banks being on the hook for cybercrime losses. Until now, no court in the U.S. has actually found any financial institution liable in such a case.

However, recent news reported in Computerworld Security (http://www.computerworld.com/s/article/9137451/Court_allows_suit_against_bank_for_lax_security) chronicles a decision by an Illinois District Court to allow such a lawsuit against Citizens Financial Bank to proceed to trial.  You can see another view of this case at darkreading.com (http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=220100950).

This incident is a good example of how angry cybercrime victims are and how nervous banks are. In this case, someone acquired the customer’s account name and password and used them to steal $26,000 from the customer’s home equity line of credit.  Unless a pre-trial settlement is reached, the bank will obviously spend many times that amount to defend itself in court and avoid setting a costly precedent.

The victims in this case are not alleging that the bank violated its cyber security policies, or even that the bank was the source of the name/password leak. They are alleging that the bank was negligent for not providing stronger protection against cybercrime. Specifically, the victims assert that the bank should have offered “two-factor authentication”, which relies not only on what the user knows (ID and password) but what the user has (a security token).

Unfortunately, even two-factor security is no longer any guarantee that on-line access to bank accounts is secure, as reported in this ZD-Net article (http://blogs.zdnet.com/security/?p=4402.)

InterComputer’s solution utilizes three-factor authentication (plus an “out of band” protocol) as just one part of one of the seven layers of protection built into every application.  Nevertheless, the true value of InterComputer’s profound technological superiority to current industry practices is that it is insurable. Underwritten Insurance against financial loss, lost business, and third party liability from cybercrime will allow bank information security officers (and their customers) to sleep well at night.

If you were the bank’s chief security officer, which solution would you choose: one that promised tough security only, or one that delivered cutting-edge, patent-pending security along with an insured guarantee?

Tags: , ,
Posted in Banking Industry, Computer Crime | No Comments »


« Older Entries