City Bank Account Hacked for 400K

KOMO reports “The city of Burlington (Washington) is warning its employees to check their bank accounts after finding out funds have been stolen. They believe computer hackers got access to the city bank account, which is used as a direct deposit to pay workers. It is unknown how much money was taken, but more than $400,000 has been transferred to several accounts over the past two days.”Any time that more than $400,000 actually moves out of a city of Burlington account, there can’t possibly be a joke involved,” said town administrator Bryan Harrison. “It actually is very chilling.”

Chilling indeed. Hacks like this often take place as a result of a virus getting into a machine that has access to the bank account. In one scenario the offending machine is not properly updated with antivirus and the virus allows a criminal remote access to the device or the virus acts as a “Man In The Middle” Attack.

RSA reports in one of the most interesting cases of organized cybercrime this year, a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date.

RSA further reports American banks are the major target.  “Another attractive element for the attackers appears to be the slim deployment of two-factor authentication (2FA) for private banking consumers in the US, unlike many European banks that generally require all consumers to use 2FA for wire transfers.”

Multi-factor authentication, requires a username, password “something you know” and “something you have”—a personal security device separate from the PC. But that’s not even enough.

The Federal Financial Institutions Examination Council (FFIEC) states: “Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security, as described herein.”

Enhanced device identification is also essential. The FFIEC suggests complex device identification. While complex device identification is more sophisticated than previous techniques, take one step instead of two and incorporate device reputation management.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.