Author

Topic: Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M (Read 109 times)

sr. member
Activity: 504
Merit: 250
That's some expensive lesson, but then again it is banks, probably they won't even learn from it and leave the same security holes in it. Just like they didn't learn the first time...
copper member
Activity: 2940
Merit: 4101
Top Crypto Casino
Yeah, but unlike the Mt. Gox, Cryptsy, and other exchange "hacks", the customers are protected by insurance and the bank's own reserves.  I definitely agree that banks ought to have better internal controls such that they're not as vulnerable to phishing attacks like this, but I think crypto exchanges need more of what banks have, in general.  Insurance + capital reserves, so they can protect their clientele.  It doesn't help that these exchanges are about as transparent as a swamp at dusk.  Imagine if Yobit suddenly got "hacked" (and I'm still waiting for that to happen).  They'd close and all of their customers' money would be gone.  *poof*
I don't think any insurance will agree to ensure an exchange platform. Especially with the number of hacks we saw. I mean, there isn't a lot of exchanges that haven't be hacked (between the popular) Every 3 months it hits the news. And when it's time to pay the insurances are always looking to find something to be able to say: "nope we won't pay" lol.
I know exchanges are 'not so good" with their own security (on-site). I remember to see an infographic and there is still a lot to do in order to improve the security
legendary
Activity: 3528
Merit: 7005
Top Crypto Casino
Yeah, but unlike the Mt. Gox, Cryptsy, and other exchange "hacks", the customers are protected by insurance and the bank's own reserves.  I definitely agree that banks ought to have better internal controls such that they're not as vulnerable to phishing attacks like this, but I think crypto exchanges need more of what banks have, in general.  Insurance + capital reserves, so they can protect their clientele.  It doesn't help that these exchanges are about as transparent as a swamp at dusk.  Imagine if Yobit suddenly got "hacked" (and I'm still waiting for that to happen).  They'd close and all of their customers' money would be gone.  *poof*
copper member
Activity: 2940
Merit: 4101
Top Crypto Casino
Quote
The entry point for intrusions is often via the staff (rather than a breach in the system) it may be by negligence. lack of training in the tools used, careless, etc..
Companies now spend a lot of money to train staff in this type of attacks, and also creating internal networks with different access levels.

But like your mention about ICOs, the weakness comes from the human side, not the system itself
legendary
Activity: 2562
Merit: 1441
Quote
Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses.

According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.

The email allowed the intruders to install malware on the victim’s PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.

Armed with this access, the bank says, hackers were able to disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections.

National Bank said the first breach began Saturday, May 28, 2016 and continued through the following Monday. Normally, the bank would be open on a Monday, but that particular Monday was Memorial Day, a federal holiday in the United States. The hackers used hundreds of ATMs across North America to dispense funds from customer accounts. All told, the perpetrators stole more than $569,000 in that incident.

Following the 2016 breach, National Bank hired cybersecurity forensics firm Foregenix to investigate. The company determined the hacking tools and activity appeared to come from Russian-based Internet addresses.

In June of 2016, National Bank implemented additional security protocols, as recommended by FirstData. These protocols are known as “velocity rules” and were put in place to help the bank flag specific types of repeated transaction patterns that happen within a short period of time

But just eight months later — in January 2017 according to the lawsuit — hackers broke in to the bank’s systems once more, again gaining access to the financial institution’s systems via a phishing email.

This time not only did the intruders regain access to the bank’s STAR Network, they also managed to compromise a workstation that had access to Navigator, which is software used by National Bank to manage credits and debits to customer accounts.

Prior to executing the second heist, the hackers used the bank’s Navigator system to fraudulently credit more than $2 million to various National Bank accounts. As with the first incident, the intruders executed their heist on a weekend. Between Jan. 7 and 9, 2017, the hackers modified or removed critical security controls and withdrew the fraudulent credits using hundreds of ATMs.

All the while, the intruders used the bank’s systems to actively monitor customer accounts from which the funds were being withdrawn. At the conclusion of the 2017 heist, the hackers used their access to delete evidence of fraudulent debits from customer accounts. The bank’s total reported loss from that breach was $1,833,984.

Verizon was hired to investigate the 2017 attack, and according to the bank Verizon’s forensics experts concluded that the tools and servers used by the hackers were of Russian origin. The lawsuit notes the company determined that it was likely the same group of attackers responsible for both intrusions. Verizon also told the bank that the malware the attackers used to gain their initial foothold at the bank in the 2017 breach was embedded in a booby-trapped Microsoft Word document.

THE LAWSUIT
In its lawsuit (PDF), National Bank says it had an insurance policy with Everest National Insurance Company for two types of coverage or “riders” to protect it against cybercrime losses. The first was a “computer and electronic crime” (C&E) rider that had a single loss limit liability of $8 million, with a $125,000 deductible.

The second was a “debit card rider” which provided coverage for losses which result directly from the use of lost, stolen or altered debit cards or counterfeit cards. That policy has a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.

According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E rider. The insurance company said the bank could not recover lost funds under the C&E rider because of two “exclusions” in that rider which spell out circumstances under which the insurer will not provide reimbursement.

The first of those exclusions rules out coverage for any loss “resulting directly or indirectly from the use or purported use of credit, debit, charge, access, convenience, or other cards . . . (1) in obtaining credit or funds, or (2) in gaining access to automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans . . ..”

The second exclusion in the C&E rider negates coverage for “loss involving automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans . . ..”

“In its Coverage Determination, Everest further determined that the 2016 Intrusion and the 2017 Intrusion were a single event, and thus, pursuant to the Debit Card Rider, National Bank’s total coverage under the Bond was $50,000.00 for both intrusions,” the bank said in its lawsuit.

Everest National Insurance Company did not respond to requests for comment. But on July 20 it filed a response (PDF) to the bank’s claims, alleging that National Bank has not accurately characterized the terms of its coverage or fully explained the basis for Everest’s coverage decision.

Charisse Castagnoli, an adjunct professor with The John Marshall Law School, said the bank’s claim appears to be based on a legal concept known as “proximate cause,” a claim that usually includes the telltale term “but for,” as this lawsuit does throughout.

“Proximate cause tries to get at where’s the legal liability associated with the original element that caused the loss,” Castagnoli said. “Take the example of a car crash victim whose master cylinder in the vehicle ran out of fluid and as a result the driver ran a red light and hit another car. The driver at fault might make the claim in a lawsuit against the car maker ‘but for your failure to manufacture this part correctly, this accident wouldn’t have occurred.'”

In this case, Castagnoli said what the bank seems to be claiming is that the Debit Card Rider shouldn’t apply because — but for the computer hacking — the losses wouldn’t have occurred. Indeed, the bank’s lawsuit claims: “All losses related to the 2017 Intrusion were the result of and would not have been possible but for the hacking of National Bank’s Computer Systems which resulted in the entering or changing of Electronic Data and Computer Programs within the Computer Systems.”

“Therefore, even though the losses were physically sustained through ATM extractions, the Debit Card Rider limits shouldn’t apply because that kind of a rider doesn’t contemplate the dynamic changes in credit limits, and overrides of fraud monitoring, were only possible through computer hacking to which the C&E Rider should apply,” Castagnoli explained.

The bank’s complaint against Everest notes that the financial institution doesn’t yet know for sure how the thieves involved in the 2017 breach extracted funds. In previous such schemes (known as “unlimited cashouts“), the fraudsters orchestrating the intrusion recruit armies of “money mules” — usually street criminals who are given cloned debit cards and stolen or fabricated PINs along with instructions on where and when to withdraw funds.

Castagnoli said establishing and proving these fine lines of proximate cause can be very difficult in insurance claims.

“While it is fairly easy to write a policy around data breach liability, when it comes to actual intrusions and managing intrusions, it’s a wild wild west,” she said. “The policies and definitions they use are not consistent across carriers.”

Castagnoli advises companies contemplating cyber insurance policies to closely scrutinize their policies and riders, and find an expert who can help craft a policy that is tailored for the insured.

“The serious brokers who are out there selling cyber insurance all say the same thing: Have an expert help you to write your policy,” she said. “It’s mind-numbingly complicated and we don’t have standard language in insurance policies that help insurance clients decide what policy is right for them.”

She added that although there have been a handful of cases where cyber insurance providers have denied coverage to the insured, most of those disputes have been settled out of court.

“This is a rapidly growing area and a profit center for a lot of insurance companies,” Castagnoli said. “But there is not a lot of published case law on this, and you have to wonder if something public comes out like this what it’s going to do to the reputation of the industry.”

https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/

....

Here's an interesting story not so different from bitcoin exchanges being hacked in 2018.

I think this case wouldn't have made the news if there wasn't a legal dispute between the bank and their insurance company. The bank has an $8 million insurance policy & needs $2.4 million in insurance to cover their losses. The insurance company wants to pay them only $50,000.

Statistically its been said that phishing is the number #1 method utilized in funds being stolen from ICO's. Here too this bank in virginia was targeted via phishing not once but twice in 2016 and 2017. It looks as if phishing is the go to favored method for security intrusions and breaches in this day and age with even banks succumbing to it.

I know that some look @ crypto exchanges being hacked and believe them to be amateurish and subpar in their security measures. Interestingly it looks as if banks aren't necesssarily better off.
Jump to: