
Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M - uptown
https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/
======
dmix
> According to the lawsuit, in June 2018 Everest determined both the 2016 and
> 2017 breaches were covered exclusively by the debit card rider, and not the
> $8 million C&E (“computer and electronic crime”) rider

Jeez, insurance companies are all the same. Regardless of whether you're an
individual or a bank with millions on the line... you get treated with the same
sleight of hand and nonsense interpretations of reality.

> those exclusions rules out coverage for any loss “resulting directly or
> indirectly from the use or purported use of credit, debit, charge, access,
> convenience, or other cards . .

How could a spear phishing campaign using malware that hijacked critical parts
of the bank's infrastructure not be part of the C&E coverage, and merely 'debit
and credit'? The last part was merely how the money was exfiltrated. But the
entire crime was the result of the intrusion.

This seems like an easy to win case to me. But who knows.

~~~
CPLX
This is how legal arguments work when actual money is at stake. If there's a
non-insane point of view that says you could interpret a clause in either
direction, one side takes one position and the other side takes the other
position.

It's usually something similar to this, for example a policy with a clause
saying we always cover if X and another clause saying we never cover if Y,
when both X and Y are true. That kind of thing.

My favorite example along these lines is the insurance for the World Trade
Center disaster, which hinged on a question of whether the 9/11 attacks were
one event or two, since of course it was two separate planes taking off from
different airports piloted by different terrorists.

No matter how much you plan ahead and try to use definitive language it's
usually possible to end up in a spot where it's still a matter of debate.

In this case it's a lot of discussion of proximate cause (the phrase "but for"
is the tell there) which is a standard feature of insurance claim arguments
after some sort of major loss.

Typically what happens is each side assesses how close the other's argument is
to compelling and then based on that both sides come to a settlement
agreement.

~~~
duxup
'no consumer could reasonably be misled into thinking vitaminwater was a
healthy beverage'

People will argue anything.

~~~
umanwizard
Is that really the exact language they used in their briefs?

------
interlocutor
Some US financial institutions are incorporating cybersecurity disclaimers.

Case in point: ETRADE. Just received an update to the customer agreement. The
definition of “Force Majeure Event” (unforeseeable circumstances) was updated
to include cybersecurity incidents. Also this: ETRADE ... makes no
representation or warranty of any kind ... with respect to security.

~~~
grouseway
Jesus. The whole point of a bank is security. Otherwise we'd all keep it under
the mattress. This boggles the mind.

~~~
prawn
I recently paid to have a car transported across Australia. The warranty
excluded force majeure events, as you'd expect, but on the list along with
flooding, riots and the like, was the ambiguous "accident". Surely "accidents"
were exactly what I'd want covered with a car transporter?!

~~~
Mtinie
A bit over a year ago I had a car my father and I had spent 13 months
restoring shipped from CA to VA by a high-end enclosed auto transporter. Four
hours into the drive an axle bearing seized up and the trailer caught fire.
Total loss of all six cars, with over $1.25M in total damages (excluding the
trailer).

The logical maneuvering the insurance companies employed to avoid paying their
shares would have been awe inspiring to behold if I was not personally
involved and therefore caught in the middle of a devastating situation.

If I learned anything, it’s that marketing B.S. and testimonials mean
absolutely nothing when a transportation company is at fault after an
accident. Also, always insure your classic automobiles with “agreed upon
value” policies. This way you are covered to some reasonable fraction of your
restoration outlay...otherwise you end up cry-laughing when the low-ball,
hand-selected comparative values show up for significantly under the value of
your receipts.

~~~
sokoloff
Agreed on the agreed-value policies. We unfortunately had a claim with a car
covered by Hagerty and they couldn't have been more professional, courteous,
or speedy in resolving the claim. (We were 0% at fault in the accident, but
even if we had been, I suspect the treatment would have been the same.)
Hagerty agent even followed up afterwards to see how we were doing and to
express sympathy for the loss of our car.

------
darkstar999
I'm on the bank's side of the lawsuit based on what I read in this article.
They were covered under "computer and electronic crime" insurance. If the
hacks don't fall under that coverage, what would?

~~~
runciblespoon
> I'm on the bank's side of the lawsuit based on what I read in this article

Did you read this bit:

‘The second exclusion in the C&E rider negates coverage for “loss involving
automated mechanical devices which, on behalf of the Insured, disburse Money,
accept deposits, cash checks, drafts or similar Written instruments or make
credit card loans . . ..”‘’

And never lose the opportunity to blame 'Russian' hackers.

“Foregenix .. determined the hacking tools and activity appeared to come from
Russian-based Internet addresses .. according to the bank Verizon’s forensics
experts concluded that the tools and servers used by the hackers were of
Russian origin”

They're clever enough to hack a bank but not clever enough to disguise their
IP address.

~~~
dyarosla
Or they disguised the IP addresses to look like Russian IPs? Although I'm no
hacker - anyone know how hard that would be to do?

~~~
monocasa
If you're going to build a botnet, it'll probably mainly be a bunch of Russian
and Chinese machines. They've got the most WinXP instances still running
with hardly any updates.

------
kevinconaway
What’s interesting to me about this is it seems like the hack still required
physical presence to pull it off. The criminals had to actually visit hundreds
of ATMs over the span of a holiday weekend to withdraw the cash.

I suspect it had to have been people in on the scam because I don’t see how
you could conceivably convince strangers to withdraw cash for you at that
scale without raising eyebrows.

~~~
jjeaff
If a guy in an Indian call center can convince people that the IRS is about to
have them arrested if they don't immediately pay their back taxes with iTunes
gift cards, you can certainly convince people to withdraw money from an ATM
and send it somewhere.

~~~
jessaustin
It seems more likely that the ATM withdrawers were just normal criminals
already integrated into normal criminal organizations. Everybody gets a cut,
but nobody takes too big a cut because violence and repeat business. Normal
criminals love ATM stuff because it's quite low-risk.

------
readhn
Verizon has a cybersecurity unit that can be subcontracted by outside
companies? Interesting.

EDIT:
[http://www.verizonenterprise.com/products/security/](http://www.verizonenterprise.com/products/security/)

~~~
SteveNuts
It's hilarious that they don't have a certificate on their domain.

~~~
readhn
Good catch! I wonder why?

~~~
robbyt
"Enterprise"

------
dev_dull
> _Verizon was hired to investigate the 2017 attack, and according to the bank
> Verizon’s forensics experts concluded that the tools and servers used by the
> hackers were of Russian origin_

Wow. One incompetent company leading another incompetent company. What could
possibly go wrong?

I don’t have hope for these types of companies. Their security is a joke.
Their industry security is a joke.

~~~
linkregister
The security consultants that work for Verizon aren't the same folks that
allowed the Yahoo/Oath credentials dump from half a decade ago.

Verizon has a reputable security consulting arm that competes with Bishop Fox,
FireEye, Rapid7, NCC Group, and other recognized computer security firms.
Verizon is a massive company and isn't just wireless and home internet.

~~~
Rjevski
However, I don't care how different or secure their security division is. If
they're happy to run it under the Verizon brand then I will continue to assume
they are incompetent monkeys and they deserve to lose business for this.

Either up your security so Verizon is finally considered a credible brand, or
spin the security business off as a separate entity.

------
newnewpdro
It's as if these systems don't emit an audit stream, which when combined with
the least bit of monitoring would have set off all sorts of red flags during
these obviously anomalous events.

Such negligence tends to make me wonder if it's to leave open the possibility
of some easy insurance fraud. In this particular case, that seems to have
backfired with supposed hackers arriving first, and the insurer sleazily
wiggling out of their own obligations.

At a past job, we ran thousands of shared linux servers for web hosting
purposes. This was back in the early 2000s, and even then we had replaced all
the installed shells with versions logging all interactive commands via UDP to
a centralized syslog server. There was a simple IRC bot filtering the logs and
echoing suspicious stuff into an IRC channel we monitored. Things like
attempts to gain root, looking at /etc/passwd, lines starting with "./",
running known irc bouncers or other script kiddie activities would be clearly
visible and someone would intervene.

That was just a web hosting company with a small team and quite limited
resources. I expect better from these national financial service providers,
this is just pathetic.
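As an added illustration of the kind of monitoring described in the comment above (this is example code written for this page, not the commenter's actual bot or any real product), here is a small rule-based scanner run over constructed shell-audit syslog lines. The log line format (`shlog: user=... pid=... cmd=...`), the sample lines and the rule list are all assumptions; the point is that a handful of regexes over a command stream is enough to flag root attempts, `/etc/passwd` reads, locally executed binaries and known IRC bouncers the way the comment describes.

```python
"""Added example, not from the original thread: rule-based alerts over a
constructed shell-command audit stream (the format and rules are assumed)."""
import re
from dataclasses import dataclass

# Constructed sample syslog lines. Assumed format emitted by a logging shell:
#   "<ts> <host> shlog: user=<user> pid=<pid> cmd=<command line>"
SAMPLE_LOG = """\
Jul 23 10:01:02 web12 shlog: user=alice pid=4410 cmd=ls -la public_html
Jul 23 10:01:09 web12 shlog: user=alice pid=4410 cmd=cat /etc/passwd
Jul 23 10:02:44 web07 shlog: user=bob pid=5120 cmd=./exploit
Jul 23 10:03:01 web07 shlog: user=bob pid=5120 cmd=sudo su -
Jul 23 10:03:30 web03 shlog: user=carol pid=6001 cmd=vim index.php
Jul 23 10:04:12 web03 shlog: user=carol pid=6001 cmd=wget http://example.invalid/psybnc.tgz
Jul 23 10:04:40 web03 shlog: user=carol pid=6001 cmd=./psybnc
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) shlog: "
    r"user=(?P<user>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$"
)

# Hypothetical rules mirroring the comment: root attempts, /etc/passwd reads,
# commands starting with "./", and a few classic IRC bouncer binaries.
RULES = [
    ("privilege-escalation attempt", re.compile(r"^(sudo|su)\b")),
    ("read /etc/passwd", re.compile(r"/etc/passwd\b")),
    ("local executable", re.compile(r"^\./")),
    ("known irc bouncer", re.compile(r"\b(psybnc|bnc|eggdrop|muh)\b", re.I)),
]


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str

    def channel_line(self) -> str:
        """One-line summary, the sort of thing a bot would echo into a channel."""
        return f"[{self.rule}] {self.ts} {self.host} {self.user}: {self.cmd}"


def parse(line: str):
    """Return the fields of one audit line, or None if it is not in the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str):
    """Run every rule over every parsable line; one Alert per (line, rule) hit."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # unrelated syslog traffic, ignore
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], name, rec["cmd"]))
    return alerts


def per_user_counts(alerts):
    """How many hits each user produced, a cheap way to rank who to look at first."""
    counts = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for a in hits:
        print(a.channel_line())
    print(per_user_counts(hits))
```

The rules are deliberately crude; in practice they would be tuned against the host's normal traffic, and the alert count per user is what tells a human where to look first rather than any single line.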

------
exabrial
Initial malware that came in through a Microsoft Word Document... It's 2018
and everything that is old is new again

~~~
daxorid
It never got old. Phishing+macros+lateral movement are still a _very_
significant vector. The industry exacerbates this by running with the feel-
good "don't blame the user!" mantra.

At some point you really do need to give up on your fancy canaries, gateway
and host IDS, perimeter blinky boxes, threat intelligence feeds, endpoint
protection products, etc, and just start firing those in your employ who
willfully and joyously thumb their noses at basic security hygiene.

~~~
lbotos
> and just start firing those in your employ who willfully and joyously thumb
> their noses at basic security hygiene.

Until it's your top salesperson who 2x'd the quarterly revenue target... I'd
like to live in a world where everyone knew basic security hygiene, but we
have to teach it first, not punish.

~~~
Severian
But then it can be over emphasized, and no one in your organization trusts any
links or attachments because of phishing. Then it all becomes a horrible mess
of skype/slack IMs with the actual links to Sharefile or Dropbox shares. Then
you wave goodbye to async communication because every time someone sends you a
hyperlink they _absolutely need_ to know if you were able to get the file...

~~~
mannykannot
I have worked at financial companies where they get it right, and it is not a
problem. Having crappy infrastructure and procedures is never an excuse for
poor security.

------
March_f6
Am pretty curious what kind of "skeleton key" ATM card they were using to
access all of the ATMs as different users. Unless they posed as repair
people and stood there with a laptop hooked in.

~~~
raesene9
Generally in these cases spoofed cards + access to back end system. They just
look like ordinary customers from the ATM perspective.

------
jessaustin
IANAL, but this bank needs a better general counsel. The contract says "big
payouts unless ATMs are involved, in which case small payouts". Sure, in order
to draw out the court case longer than a day, they'll make some vaguely
plausible argument to ignore the plain language of the contract. Still, it
would have been so much better to realize ahead of time that "we're a bank,
tied to an ATM network, so our insurance should cover the use of ATMs too!"

------
donarb
No mention of what was done when the policy was sold. Most insurance companies
do a check to minimize their liability. I would think that the insurance
company would do a PCI and whatever other audits are used to verify security
of the financial institution before writing a policy. An audit (and
corresponding mitigation) would save the bank money on their insurance cost.

~~~
ddalex
No need to due diligence on a policy if you don't intend to ever honor it

------
esseti
Wondering why I have to use 2FA (with a damn token) to access my online banking
but there's no need for 2FA (on phone maybe?) to withdraw money from an ATM.

PS: do they seriously have a system that can turn off the need to enter the
PIN to withdraw money? Why?

~~~
michaelt
ATM withdrawals are already two-factor - unless your ATM experience is very
different to mine.

You need the card (something you have, factor 1) and the PIN number (something
you know, factor 2).

~~~
islanderfun
I guess that is traditional 2FA that never occurred to me. Shouldn't we update
that to include one-time passcodes like we do now for most things?

~~~
icedchai
We live in a tech bubble. Most people don't use one time pass codes for
anything.

------
williamscales
It feels to me like the first incident should be covered and the second one
should not. It doesn't seem fair to keep relying on insurance when you know
you have a problem.

------
wattaman
I wish I knew how to do that

------
deevolution
Bullish on bitcoin.

