
Hackers steal Western Michigan University professor's paycheck - rickdale
http://www.mlive.com/news/kalamazoo/index.ssf/2014/02/hackers_stole_western_michigan.html#incart_river_default
======
fnordfnordfnord
Employee handbook probably has a clause in "IT Policy" that says 'Employee is
responsible for maintaining the security of his/her password' or some similar
such nonsense that the Uni will try to hide behind. Typically the only way for
employees to opt out of this (when this option is available at all) is to
elect to receive a paper check.

My employer's system (which comes from a big name edu-prise sw vendor) takes a
6 digit password and my system username is public information (it is not
advertised, as a username, but it is visible on public facing documents).
Access to this system would allow a person to change my payroll & benefits
info, mailing address, and other contact info, change student grades (for the
current semester), access confidential student information, and in some cases,
add/drop currently enrolled students from courses. The system default password
and reset default are also public information. This is a disaster waiting to
happen.

~~~
jlgaddis
_> My employer's system (which comes from a big name edu-prise sw vendor)
takes a 6 digit password and my system username is public information ..._

Ahhh, Sungard.

~~~
fnordfnordfnord
Yup.

------
thezach
My father and mother work at this University. The same login gets you into
email, that gets you into payroll and all other employee areas of the employee
website. So if the attacker was able to get the login and password through
whatever means it would make any sort of email confirmation useless.

As far as the WMU police investigating this, I think it's a bit of a conflict of
interest as their system was hacked and they will likely blame the 2 employees
who lost their paychecks as it's in the university's interest not to send out
more money.

~~~
yetanotherphd
I don't think there is any conflict of interest. The police are only concerned
with the criminals who stole the password. Whether the university owes the
employees their pay because of the lax security they implemented, is almost
certainly a civil matter.

~~~
HarryHirsch
At my university the Health and Safety people do nothing worse than hand out
warnings, even if they come across serious safety issues in laboratories. It's
almost as if they were at risk of losing their jobs if they imposed fines or
shut down a lab altogether. Let the fun and games continue until someone
burns!

If you believe that the police and the internal IT investigation aren't under
pressure to find for the university I've got an Eiffel Tower to sell to you.

------
keithpeter
UK resident: My wages are paid into my bank account using an electronic
payments system that does not use the Internet at all. The accounts/HR people
have computers that are on a separate VPN from the rest of us.

The attack mode in this case revolved around the use of a client system to
tell HR/Payroll where to pay the money. We don't do that, any change in bank
account details is a visit to an office with paperwork.

~~~
csmithuk
I've lost a payment in a similar fashion before. The accounts team took the
written paperwork and misinterpreted a 6 for a 0 (I didn't write the form) and
it just happened to be a valid destination account number. It took me 2 weeks
to get the payment back.

Doesn't always come down to technology.

In fact, when it comes to technology it's usually pretty good. Humans on the
other hand always err on the side of incompetence as there's usually someone
else to blame...

If you do not believe this about humans, work in or for the public sector in
the UK for a bit!

~~~
keithpeter
I do work in UK public sector. I have been fortunate in the payroll/HR
departments, obviously.

Chunk of cash suddenly appearing in my bank account would have me asking
questions by the way.

I imagine bank security in the case of the unwitting recipient of your wages
were reassured by the payment coming from a BACS or similar system. When I
paid my redundancy cheque into my bank account over the counter, a bank
manager appeared in seconds and wanted to know why this very large amount was
being paid in...

------
chrisBob
The same thing happened recently at BU, but our school is covering all losses
even though I think the users are at fault in our case: At BU it was people
that responded to a phishing email that had their account info changed.
[http://www.bu.edu/today/2014/fighting-phishing-bu-moratorium...](http://www.bu.edu/today/2014/fighting-phishing-bu-moratorium-on-changes-to-direct-deposits/)

~~~
jacalata
That was my first guess for this story too - six people is a very small number
if someone found a system exploit. Although it is still possible that's the
case, and only specific passwords/accounts/etc were vulnerable.

------
nmridul
>> A hacker had gotten into Cool's WMU account and changed the routing number
for his payments, he said, sending $1,518.62 to a bank in Utah..... There was
$11.08 left in the Utah account, which is all Cool has gotten back of his
paycheck.

Just curious. A professor is paid only $1,529.70? Hope it is weekly.

~~~
mhb
Gym teacher?

[http://homepages.wmich.edu/~cool/](http://homepages.wmich.edu/~cool/)

~~~
maxerickson
He's a gym teacher teacher.

------
Blahah
University has a crappy insecure system for paying staff, they get hacked, so
the staff suffer? Just pay the man!

------
smtddr
_> >"Unfortunately, it's pervasive," Porter said of such theft by computer. If
the criminals are willing to dedicate "time, brains and fortitude, it's hard
to stop it all."_

This article reads like it'll be difficult to catch the person who stole the
money. I remember all the arguments about bitcoin being more (pseudo)anonymous
than a Bank, but if authorities can't even get the person who got this Bank
ACH Deposit then I must have a horrible understanding of the Banking process.
What's the problem? I thought bank-fraud was the easiest crime to catch
assuming the culprit isn't someone with connections in high-places.

~~~
Blahah
Or a fake ID... opening an untraceable bank account is one of the major use
cases for identity theft. It's very likely that the money was moved into a
bank account opened with a stolen or false identity, and the person will not
be caught.

~~~
smtddr
mindblown.gif ...I had no idea a regular person could open & collect funds
from a bank account that was fraudulently opened and actually get away with
it.

~~~
dclowd9901
Since the banks enable this kind of crime, I kind of think they should be held
liable.

------
patcheudor
This is an interesting case. If an employee is liable for the loss as a
consequence of a data breach in a university system then does that mean it's
acceptable for an employee to do their own penetration testing of university
systems handling their money? This would help them better understand the
weaknesses to protect themselves and push the university to fix their systems.
Yes, this professor could have been phished and given up their credentials to
a bad guy, but that shouldn't entirely offload the liability onto the employee
as the university should have had strong measures in place for validating
changes to routing numbers.

------
judk
Obligatory Mitchell and Webb: identity theft:

[http://m.youtube.com/watch?v=CS9ptA3Ya9E](http://m.youtube.com/watch?v=CS9ptA3Ya9E)

------
thezach
The password system also has no login attempt counter... so basically you
could bruteforce all you want according to my brother who's a student there.

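Added example (my own code, not the university's or any vendor's) implementing the two controls this thread calls for: patcheudor's validation of routing-number changes and a counter on failed attempts, which thezach says the portal lacks. It assumes a phone number registered in person as the out-of-band channel (since the same login also opens the mailbox), a 3-day hold before a changed account is paid, and an injected `send_sms` callable; every name and bank number below is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

HOLD_PERIOD = timedelta(days=3)   # assumed policy: a new account is never paid before this elapses
MAX_CODE_ATTEMPTS = 3             # the portal described in the thread counts nothing; this does

def valid_routing_number(rtn: str) -> bool:
    """ABA checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    d = [int(c) for c in rtn]
    return (3*(d[0]+d[3]+d[6]) + 7*(d[1]+d[4]+d[7]) + (d[2]+d[5]+d[8])) % 10 == 0

@dataclass
class Employee:                   # phone is registered in person, not through the SSO login
    name: str; phone: str; routing: str; account: str

class DirectDepositControl:
    def __init__(self, send_sms):
        self.send_sms = send_sms  # callable(phone, text); injected so the example runs offline
        self.pending = {}         # employee name -> dict describing the parked change
        self.alerts = []          # what payroll staff review before each pay run
    def request_change(self, emp: Employee, new_routing: str, new_account: str, now: datetime) -> bool:
        if not valid_routing_number(new_routing):
            return False          # refuse malformed numbers up front; nothing to confirm
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[emp.name] = {"bank": (new_routing, new_account), "at": now,
                                  "code": code, "confirmed": False, "tries": 0}
        self.send_sms(emp.phone, f"Payroll bank change requested, code {code}. Not you? Call payroll.")
        self.alerts.append(f"{emp.name}: routing {emp.routing} -> {new_routing} awaiting confirmation")
        return True
    def confirm(self, emp: Employee, code: str) -> bool:
        p = self.pending.get(emp.name)
        if p is None:
            return False
        p["tries"] += 1
        if not secrets.compare_digest(p["code"], code):
            if p["tries"] >= MAX_CODE_ATTEMPTS:   # too many bad codes: cancel and tell payroll
                del self.pending[emp.name]
                self.alerts.append(f"{emp.name}: change cancelled after {p['tries']} bad codes")
            return False
        p["confirmed"] = True
        return True
    def bank_for_pay_run(self, emp: Employee, now: datetime) -> tuple:
        p = self.pending.get(emp.name)
        # pay the new account only once it is confirmed AND the hold period has elapsed
        if p and p["confirmed"] and now - p["at"] >= HOLD_PERIOD:
            emp.routing, emp.account = p["bank"]
            del self.pending[emp.name]
        return emp.routing, emp.account
```

Until both conditions hold the pay run keeps using the old account, so a change made with a phished password still has to survive a phone confirmation and a visible alert before any money moves.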
------
frodopwns
This same thing happened at CU Boulder. The phishing attempts take the form of
an email from IT stating that the user has exceeded their max email capacity.
The letter then tells the user to forward their credentials to the mailer.

It is sad that people can't learn to keep their passwords to themselves.

------
z02d
Off topic: A professor just earns $1,581 per month?

~~~
bennyg
Depends on professor status. Adjunct professors, maybe. If it's not really
full-time and they aren't researching anything, then why should they get paid
a ton?

------
moocowduckquack
Has he argued with any Comp Sci students?

(edited to avoid implying fault on his part)

~~~
HarryHirsch
This is not funny. Unpaid wages are never funny. Actually, the Catholic Church
classes it as a "sin that cries to heaven", and groups it with murder,
inhospitality and exploitation of those with no clout. What they all have in
common is a disregard for the humanity of your fellow man, and you can't
punish that enough.

~~~
moocowduckquack
I'm not trying to be funny. People already known to the victim are the sane
place to start any investigation.

edit - my edit earlier was going from 'pissed off' to 'argued with' as I
realised that 'pissed off' can often imply intent to piss off.

------
thenerdfiles
Yay. That's the kind of world I've always wanted to live in.

Gooooo, Justice! — Really, get the _fuck_ out!

