
Tech Firm Ubiquiti Suffers $46M Cyberheist - ca98am79
http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/
======
EricBurnett
I feel like the banking industry needs to catch up here: in this day and age
with digital fraud being easy and getting easier, they should be able to
reverse any transfer internationally.

This will fall apart when we get to cashing out downstream, or buying physical
goods that are on-demand manufactured/shipped, or stock market trades, but a
large percentage should be recoverable in $large cases and (outside of certain
sophisticated patterns) the receiver of the money who spent it should be on
the hook for the difference.

30m unrecoverable as yet is just silly.

~~~
omouse
Interestingly enough, the original goal for PayPal as Elon Musk articulates it
is that they would end up as infrastructure for all digital transactions which
would make fraud much more difficult. _All the fraud issues seem to be at the
intersection between different methods of transfers._ Wire transfers can
involve multiple banks and the information for them can be shoddy; there's too
much room for error and the whole authentication issue, ugh.

Paypal or now bitcoin (or the blockchain at least) as the main infrastructure
would definitely reduce fraud and errors.

------
beamatronic
Does this mean an employees of the company got an email from someone posing as
their boss, or their CEO, instructing them to wire $46 million dollars, and
they simply...did so? without asking any questions?

~~~
pquerna
Yes. Basically.

I've seen similar attacks before, granted for lower amounts, but in many
companies, finance departments sending out wires for many hundreds of
thousands of dollars is a common operation -- suppliers, contracts signed, and
everyone wants their wire transfer to be done ASAP.

Get an email from the CFO/CEO/SVP of X saying to wire money for contract Z
ASAP, and action will be taken.

~~~
andor
Sounds like cryptographically signing emails is not such a bad idea after
all...

~~~
roasty
Yeah, except it's also possible, and not unusual, to compromise the cfo or
someone's email/computer and then send signed emails all day.

------
ghshephard
This is a hard attack to defend against - because the person sending the money
can also two-factor authentication them.

With that said - internally, there are usually lots, and lots and lots of
controls over who/how one can send money, and it's pretty darn rare for
someone to be able to "spoof" a request like this without throwing a lot of
red flags.

------
coldcode
It's amazing that you can con a technology (or any) company out of 46M simply
by sending emails sitting on your couch in your pajamas.

------
matheweis
Wow, they were only able to recover $8.1 million!!? Hopefully they have some
sort of insurance that covers that.

