Account Takeover: The New Wrinkle

Fraudsters Disable Email Verification Service in CA Scam
This year's disturbing trend of corporate account takeover incidents continues unabated - and with a new wrinkle.

Michele Marisco, owner of Village View Escrow Inc., Redondo Beach, CA, says her company fell prey to fraud after hackers were able to break into the company's network, steal bank credentials and send 26 consecutive wire transfers out of the country, totaling $465,000.

Dual controls were not used by the business, but an email verification service offered by Professional Business Bank, Pasadena, CA, was successfully disabled by the criminals.

This scheme, which occurred in March, is currently under investigation, and no litigation has yet been filed. But security experts familiar with the Village View Escrow case say there are lessons to be learned by other institutions and businesses to avoid corporate account takeover via ACH and wire fraud.

[For more on the specifics of this incident see: Fraud Victim Weighs Lawsuit Against Bank.]

More Safeguards

One area where the principals in the Village View Escrow case fell short was allowing changes to be made to online banking alerts without verifying they were legitimate, says privacy and security expert Rebecca Herold. When the hackers disabled the email notification at Professional Business Bank, an alert message should have automatically been generated and sent to the area responsible for applications and systems maintenance. "It sounds like Professional Business Bank did not have any of these safeguards in place," Herold says, "or that any existing safeguards were either ineffective or ignored."

The sign-off mechanisms used in verifying wire transfers for Village View Escrow occurred electronically. This, says Herold, is insufficient. "It's not enough when a simple email message is the only action taken, or verification is through some application that did not have an additional authorization type of requirement, such as a digital signature or a physical token."

Branden Williams, Director of the Security Consulting Practice at RSA, the security division of EMC, agrees that a secondary authentication (or out of band) message should be sent prior to the wire transfer being completed. "Something like a text message or phone call to an approved user," he says. "Is it one more step for the business? Yes. Is it worth it? Yes."

There also should have been a red flag mechanism to notify management and perhaps auditors when unusual money transfers occurred. If Village View Escrow Inc. did business primarily in California, Herold says, then bells and whistles should have been established to go off as soon as a transfer occurred to a location outside of the state.
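The three controls the experts describe above (alerting on changes to the alert settings themselves, holding a wire until an out-of-band confirmation exists, and flagging transfers outside the customer's usual geography) as one rule set, run over a constructed event stream. This is an added illustration, not code from the bank or the article; the account record, event fields and region codes are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: str
    home_region: str                                  # usual transfer geography (assumed field)
    oob_confirmed: set = field(default_factory=set)   # wire ids confirmed by call or SMS

def evaluate(events, accounts):
    """Apply the three controls to an event stream.
    Returns a list of (event_id, rule, action) findings."""
    findings = []
    for ev in events:
        acct = accounts[ev["account"]]
        if ev["type"] == "notification_change":
            # Control 1: a change to alert settings is itself alert-worthy and
            # goes to the group that maintains the application, not the customer alone.
            findings.append((ev["id"], "ALERT_CONFIG_CHANGE",
                             "notify systems maintenance; confirm with customer"))
        elif ev["type"] == "wire":
            # Control 2: hold the wire until an out-of-band confirmation is on file.
            if ev["id"] not in acct.oob_confirmed:
                findings.append((ev["id"], "NO_OOB_CONFIRMATION", "hold wire"))
            # Control 3: destination outside the customer's home region.
            if ev["dest_region"] != acct.home_region:
                findings.append((ev["id"], "OUT_OF_REGION", "escalate to management"))
    return findings

# Constructed sample: one California business, alert settings changed, then two wires.
ACCOUNTS = {"VVE": Account("VVE", "CA", oob_confirmed={"w1"})}
EVENTS = [
    {"id": "n1", "account": "VVE", "type": "notification_change",
     "detail": "email alerts disabled"},
    {"id": "w1", "account": "VVE", "type": "wire", "dest_region": "CA"},
    {"id": "w2", "account": "VVE", "type": "wire", "dest_region": "INTL"},
]

def sample_findings():
    return evaluate(EVENTS, ACCOUNTS)

if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The confirmed in-state wire passes silently; the settings change and the unconfirmed out-of-region wire each produce a finding that a reviewer must act on before funds move.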

A 'Big Deal'

The rate of corporate account takeover has increased steadily since 2009, with the FBI reporting millions being taken from business accounts. Fraud incidents have resulted in high-profile court cases of businesses suing banks and banks suing customers, and the Federal Deposit Insurance Corporation in May even dedicated a one-day symposium to the crisis.

It's well past time for banks and businesses to be concerned about this type of fraud, Williams says. "Unfortunately, until someone goes through the 'it happened to me' scenario, it always seems like the next guy will get hit."

Fighting back is hard, especially when the fraudsters are continually changing the game. Elaine Dodd, vice president of the fraud division at the Oklahoma Bankers Association, agrees that banks and businesses need to provide better protection of accounts, but "better protection" is a moving target. "What is the 'better protection' at the bank level when -- like this case -- the bank had an additional layer of protection with the email notification, and it was overcome at the business computer level?"

Dodd's standard advice to businesses for all ACH and wire transactions: Use a stand-alone computer that is not being used by anyone else to surf the web, where users may click attachments or hyperlinks that carry viruses.

As more businesses step forward as victims of corporate account takeover, Williams foresees organizations investing in insurance to protect themselves from such losses. "It will be a big deal here," he says, "as the risk of a successful attack is dramatically increasing."


About the Author

Linda McGlasson
Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.