Hacker News new | comments | ask | show | jobs | submit login
Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M (krebsonsecurity.com)
260 points by uptown 7 months ago | hide | past | web | favorite | 145 comments



> According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E (“computer and electronic crime”) rider

Jeez, insurance companies are all the same. Regardless if you're an individual or a bank with millions on the line... you get treated with the same slight of hands and nonsense interpretations of reality.

> those exclusions rules out coverage for any loss “resulting directly or indirectly from the use or purported use of credit, debit, charge, access, convenience, or other cards . .

How could a spear phishing campaign using malware that hijacked critical parts of the banks infrastructure not be part of the C&E coverage, and merely 'debit and credit'. The last part was merely how the money was exfiltrated. But the entire crime was the result of the intrusion.

This seems like an easy to win case to me. But who knows.


This is how legal arguments work when actual money is at stake. If there's a non-insane point of view that says you could interpret a clause in either direction one side takes one position and the other side takes the other position.

It's usually something similar to this, for example a policy with a clause saying we always cover if X and another clause saying we never cover if Y, when both X and Y are true. That kind of thing.

My favorite example along these lines is the insurance for the World Trade Center disaster, which hinged on a question of if the 9/11 attacks were one event, or two, since of course it was two separate planes taking off at different airports piloted by different terrorists.

No matter how much you plan ahead and try to use definitive language it's usually possible to end up in a spot where it's still a matter of debate.

In this case it's a lot of discussion of proximate cause (the phrase "but for" is the tell there) which is a standard feature of insurance claim arguments after some sort of major loss.

Typically what happens is each side assesses how close the other's argument is to compelling and then based on that both sides come to a settlement agreement.


'no consumer could reasonably be misled into thinking vitaminwater was a healthy beverage'

People will argue anything.


Is that really the exact language they used in their briefs?


The incumbents in the insurance/banking industry will have to invest heavily in security and in some cases overhaul entire systems. Personally I think its more cost effective long-term than hiring a bunch of lobby groups and lawyers to find loopholes.

I mean the Equifax security was laughable and no one got in trouble. I wouldn't be surprised if this case takes a complete 180 from common sense.


Are there objective audits or rankings where financial institutions are assessed for their cyber-security measures/infrastructure?

How do I even know whether my bank has good security? Cyber-security being such a major threat, I would be willing to change banks if my bank is proven to have crappy online security.


If any exists, its by third parties who have no insight from the inside. Central banks wouldn't disclose 'cyber-security index' in stress tests due to the risk of scaring customers off or causing a bank run.


Or risk inviting attacks.


Even well written standards are not objectively audited. There’s a huge variety in the quality of external auditing, and a fair amount of pay-to-play. A lot of people will tell you that every PCI certified company to ever be involved in a breach was non-compliant at the time of the breach. Is that because the PCI DSS is such a remarkable standard that complying with it will protect you from 100% of breaches? Or is it because you can retroactively find some type of issue with 100% of PCI audits?


"Our policy covers everything except your specific case".


Some US financial institutions are incorporating cybersecurity disclaimers.

Case in point: ETRADE. Just received an update to the customer agreement. The definition of “Force Majeure Event” (unforeseeable circumstances) was updated to include cybersecurity incidents. Also this: ETRADE ... makes no representation or warranty of any kind ... with respect to security.


For anyone else interested, here's the old:

https://us.etrade.com/e/t/estation/help?id=1209031000

and the new:

https://content.etrade.com/etrade/estation/pdf/10118customer...

Here's the new force majeure definiton:

> “Force Majeure Event” shall mean any act beyond E-TRADE’s control, including any earthquake, flood, severe or extraordinary weather conditions, natural disasters or other act of God, fire, acts of war, acts of foreign or domestic terrorism, insurrection, riot, strikes, labor disputes or similar problems, accident, action of government, government restriction, exchange or market regulation, suspension of trading, communications, system or power failures, cybersecurity incident, and equipment or software malfunction.

Here's the new force majeure clause:

> No Liability for Indirect, Consequential, Exemplary, or Punitive Damages; Force Majeure In no event shall any E-TRADE Indemnified Parties be held liable for (i) indirect, consequential, exemplary, or punitive damages or (ii) any loss of any kind caused, directly or indirectly, by any Force Majeure Event, and the Account Holder unconditionally waives any right it may have to claim or recover such damages (even if the Account Holder has informed an E-TRADE Indemnified Party of the possibility or likelihood of such damages).

Wow. First they define acts beyond their control to include things clearly within their control. Then they say they're not liable for "any loss of any kind" resulting therefrom.

These contracts are maddening because they won't be enforced as written until they are. Until a loss due to an avoidable issue costs them more to cover than it does in reputational damage. So it doesn't get reported because it doesn't feel like a real policy.

New York law applies here. If you sue them and lose, you pay their attorney fees. You've waived the right to a trial by jury and have likely agreed to forced arbitration unless you've explicitly opted out (see last page).


> New York law applies here.

While the contract states that, that part should actually be unenforceable unless a certain set of conditions is in place.

As I noted in another post, it's important for people to review the rules of governing arbitration forum.[1] That said, law is more an art than a science and weird determinations are often made when major $$ and entrenched interests are involved.

[1] https://news.ycombinator.com/item?id=17566966

edit: speaking only in regards to arbitration


Jesus. The whole point of a bank is security. Otherwise we'd all keep it under the mattress. This boggles the mind.


I recently paid to have a car transported across Australia. The warranty excluded force majeure events, as you'd expect, but on the list along with flooding, riots and the like, was the ambiguous "accident". Surely "accidents" were exactly what I'd want covered with a car transporter?!


A bit over a year ago I had a car my father and I had spent 13 months restoring shipped from CA to VA by a high-end enclosed auto transporter. Four hours into the drive an axle bearing seized up and the trailer caught fire. Total loss of all six cars, with over $1.25M in total damages (excluding the trailer).

The logical maneuvering the insurance companies employed to avoid paying their shares would have been awe inspiring to behold if I was not personally involved and therefore caught in the middle of a devastating situation.

If I learned anything, it’s that marketing B.S. and testimonials mean absolutely nothing when a transportation company is at fault after an accident. Also, always insure your classic automobiles with “agreed upon value” policies. This way you are covered to some reasonable fraction of your restoration outlay...otherwise you end up cry-laughing when the low-ball, hand-selected comparative values show up for significantly under the value of your receipts.


Agreed on the agreed-value policies. We unfortunately had a claim with a car covered by Hagerty and they couldn't have been more professional, courteous, or speedy in resolving the claim. (We were 0% at fault in the accident, but even if we had been, I suspect the treatment would have been the same.) Hagerty agent even followed up afterwards to see how we were doing and to express sympathy for the loss of our car.


As someone who does both, the bank, to me, is mainly a convenience. It makes it easy to pay people.

I don't really trust them to keep my money safe (nor do I trust myself, exactly, but I'm in a remote location and an unlikely target).


What about fire or other disaster? Also, don't you care about interest or capital gains?


What about fire or other disaster?

Easy. Don't keep it all in one place.

Also, don't you care about interest or capital gains?

The interest rate on savings is under 3%. It's like paying that amount on an insurance policy to guarantee that your money isn't stolen by the bank or through the bank's negligence. And considering how banks behave these days, that's not a crazy investment.


«Don't keep it all in one place»

It's shocking how many people make this error. Walter White buries millions of dollars in only one spot in Breaking Bad. People make only one copy of their cryptocurrency wallet seed. People have only 1 bank account. Etc.


A lot of that is dependent. Do you keep multiple copies of passwords around, which increases the chance that someone can get access to your account. Do you open multiple bank accounts and spend extra money when you have less than 400 dollars in it at any one time?


In the U.K. we are getting challenger banks which are free. It’s super easy to open a new FREE account and spread your money around. You also get 2-3 diffeycards so even if you lose one or two you still have access to you money. Plus you can always transfer between accounts for free using their mobile apps.

It’s a pretty sweet deal so I’m wondering if there isn’t anything like that in the US. With SV I’d be very surprised if the U.K. is pioneering this


If the accounts are free and from different entities then it would make sense for most people to split things up, for sure.

Retail banking is pretty heavily regulated in the US so maybe that's the issue? I've seen a lot of startups in other banking areas, like Mint or Square, but none for checking/savings accounts.


There are plenty of free checking accounts in the US (with no minimum balances): Simple, Ally Bank, CapitalOne 360, Charles Schwab Bank, USAA, etc.

More here: https://www.moneycrashers.com/best-free-checking-accounts/


Keeping your money in/under your mattress is arguably a good way to protect it against computer-based theft.


even more so for shares as is much harder to use physical share certificates


Then these financial institutions are openly declaring themselves insecure. But, of course, clickwrap contracts declare them not responsible for anything ever.


Er, what about FDIC? The actual deposits are insured, right?


In the event of failures:

FDIC insures deposits in U.S. branches up to $250k per account, IIRC;

SIPC covers securities held by brokerages, (forget the amount).


Bitcoin! nobody holds it but you and you can always transfer it no questions asked


No depositor lost any money in this case. The bank had trouble getting its insurance to pay up. If this was bitcoin, the money would be gone, because bitcoin does not have the same restrictive regulation scheme as united states dollars held in a united states bank.


If you store it in a long-term storage solution that makes sense (cold storage), it would not be "gone" because this wouldn't have happened.


Similarly, if people kept money in their mattresses instead of in banks, it couldn't be robbed from banks!


Did you switch trading institutions?


I am planning to move my stocks from ETRADE to Vanguard.

Vanguard's user agreement says this:

Data security is, of course, a top priority. To mitigate computer virus attacks and other acts of cyberterrorism, We have implemented controls monitored by a dedicated team of information security specialists. We also maintain a network of redundant systems, off-site data storage, and off-site tape vaults to ensure that all source data are recoverable in a disaster.


I'm on the bank's side of the lawsuit based on what I read in this article. They were covered under "computer and electronic crime" insurance. If the hacks don't fall under that coverage, what would?


If the attackers had gotten the money out via wire transfers, then that would presumably be covered.

The attackers likely avoided that route because it would be easy to trace.

That’s likely the same reason that the insurance policy has special treatment for debit card/ATM incidents, because those sorts of transactions are more difficult to trace and therefore have a higher risk classification.


I've seen similar insurance claims invalidated because the company couldn't prove then had taken reasonable steps to prevent an attack.

The fact there were two similar incidents 8 months apart tells me there was a fundamental security issue which wasn't addressed correctly.


That seems a bit like a catch 22 to me - if you get hacked enough, it must be your fault, so no payout.


Wait. How is this a catch 22? There is no. "In order to do Y you must first do X. But in order to do X you must first do Y"


In order to get paid you must be hacked, in order to be hacked it must be your fault, if it's your fault you can't be paid


That's not what this is staying at all though. It's saying "In order to get paid you must show you took reasonable precautions not get hacked AND get hacked." It's pretty hard to argue ignoring a known issue for 9 months is taking reasonable precaution. I don't see how that's any different then not paying when someone falls on because of broken steps you knew about and didn't fix, which would be pretty common.


For years people were arguing that the "free market" way to get companies to actually care about IT security was to do it through their insurance premiums: companies with poor practice should be charged more. It sounds like that's come to pass now.


Does this show it's come to pass at all?

It's possible, but the only evidence we have is that insurance companies want to avoid the payout, not that poor practices impacted premiums at all. Given what I've seen from security audits of the past, particularly when influenced by non-security professionals (such as the accountants in this scenario, both the insurers and the insured), I have little faith that if insurance companies dictate the practices that we'll get actual useful security increases, but plenty of extra bureaucratic hoops that will result in the same "productivity vs security _risk_" dilemma we have now, except the CBA changes to "is the hit to our productivity worth this hoop compared to the cost our lawyers would involve to prove this hoop was unnecessary or unrelated times the likelihood that it comes up"


An unpaid claim is only slightly worse than higher premium. Bank management wants to sleep soundly on that pile of money they're holding.


From one example? Hardly.

What about Equifax?


I'd like to see some big payouts on that, just to get those silly riders off every blessed insurance estimate I ever receive. "It's a vacant building with no internal walls or floor! It's not going to get hacked!" I don't understand why these riders are all on basic real estate insurance, rather than specifically on e.g. business liability or whatever.


> If the hacks don't fall under that coverage, what would?

The things actually specified in the contract, taking account the exclusions?


The insurance company has a pretty strong financial incentive to try and minimize their loss here, so I'm not surprised they're trying.

That said if too many "hacking insurance" policies fail to pay out, business are going to be less keen to use them.


> I'm on the bank's side of the lawsuit based on what I read in this article

Did you read this bit:

‘The second exclusion in the C&E rider negates coverage for “loss involving automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans . . ..”‘’

And never lose the opportunity to blame 'Russian' hackers.

“Foregenix .. determined the hacking tools and activity appeared to come from Russian-based Internet addresses .. according to the bank Verizon’s forensics experts concluded that the tools and servers used by the hackers were of Russian origin”

They're clever enough to hack a bank but not clever enough to disguise their IP address.


Why would the Russian's care if their address was known? They aren't going to be extradited or punished by the Russian government, they may be funded by the government or people very well connected to the government. Not to make it political, but they hacked many of our election systems and didn't even get punished for that.


I love the casual potential blaming of Russian state actors for corporate cyber attacks, but complete disbelief when NSA is accused/implicated in the exact same...


Complete disbelief? I thought it was common knowledge that the NSA spies on everyone and has spies working or intercepting shipments from most of the major tech manufacturers in the world.


The NSA's typical practices aren't generally thought to include encouraging domestic criminal groups to steal sizable quantities of money from foreign banks. Or sitting idly by as it happens on a regular basis.

We expect the NSA to be compromising foreign systems. We don't expect them to be doing this with them.


I'm pretty sure the NSA isn't hacking banks to steal a few million dollars, considering their budget.


That rider sounds to me like the ATM itself has to be compromised. It wasn't. The hack was upstream and the ATM was just doing what the network rules told it to.


No, it just says that the ATM must be involved in the loss, they need to be the cause or the source of the loss. And I think it is pretty well arguable that ATMs were involved in this case, even if in relatively minor role.


Yeah it makes it seem a bit implausible or at least should be cause for just a teeny weeny second of consideration. If I were hacking into a bank I'd consider myself pretty smart if I thought to pin it on the most boringly believable (by most Americans, stewed as they are in a soup of anti-Russia talk) hacking culprit.


Or they disguised the IP addresses to look like Russian IPs? Although I'm no hacker- anyone know hard that would be to do?


If you're going to build a botnet, it'll probably mainly be a bunch of Russian and Chinese machines. They've got the most WinXP instances still running without hardly any updates.


Easy enough by using a VPN and/or compromised Russian machines.


What’s interesting to me about this is it seems like the hack still required physical presence to pull it off. The criminals had to actually visit hundreds of ATMs over the span of a holiday weekend to withdraw the cash

I suspect it had to have been people in on the scam because I don’t see how you could conceivably convince strangers to withdraw cash for you at that scale without raising eyebrows


If a guy in an Indian call center can convince people that the IRS is about to have them arrested if they don't immediately pay their back taxes with iTunes gift cards, you can certainly convince people to withdraw money from an ATM and send it somewhere.


It seems more likely that the ATM withdrawers were just normal criminals already integrated into normal criminal organizations. Everybody gets a cut, but nobody takes too big a cut because violence and repeat business. Normal criminals love ATM stuff because it's quite low-risk.


It's really easy to trick people to commit crimes. Post a bunch craigslist job postings for a non-existant bank QA job that pays $100/hr. Have them withdraw the cash from the ATM, deposit it into their bank and wire the money out to an international bank.

https://securityintelligence.com/the-most-common-schemes-for...


I wish we could learn more about that. The article said it was Russian IPs and tools, but that doesn't account for the local ATM activity.

It also seems like you'd need a lot of domain knowledge to make this happen. If you gave me an open machine in a bank I'd have no idea what to do.


The article does touch on the matter:

> The bank’s complaint against Everest notes that the financial institution doesn’t yet know for sure how the thieves involved in the 2017 breach extracted funds. In previous such schemes (known as “unlimited cashouts“), the fraudsters orchestrating the intrusion recruit armies of “money mules” — usually street criminals who are given cloned debit cards and stolen or fabricated PINs along with instructions on where and when to withdraw funds.


This may be of interest to you. It talks about how this group pulled off the physical presence aspect too:

https://www.bloomberg.com/news/articles/2018-03-26/malware-m...


> I don’t see how you could conceivably convince strangers to withdraw cash for you at that scale without raising eyebrows

The book "Kingpin" talked about how most of the people doing the withdrawing of cash were usually "mules" who were in on the scam. They'd withdraw the money, get a small cut and send the rest to a middleman.

The book itself goes into a lot more detail on how it worked:

https://www.amazon.com/Kingpin-Hacker-Billion-Dollar-Cybercr...


Earn $4,000 a week working only 5 hours! Click here to learn more.


This is a pretty common method of attack on banks, and this is far from the first time it's been done. I'm guessing the criminals expect a certain level of loss from the mules doing the withdrawals but aren't too bothered as it's not their money :)

It goes back at least to 2009 (Worldpay US) and possibly before that.

The ATM element is important as one of the hardest parts of electronic bank theft is getting the money out of the banking system in an untraceable form.


Verizon has a cybersecurity unit that can be subcontracted by outside companies? Interesting.

EDIT: http://www.verizonenterprise.com/products/security/


It's hilarious that they don't have a certificate on their domain.


Good catch! I wonder why?


They actually do have a certificate, they're just not using it to serve the site for some reason.

If you go to https://www.verizonenterprise.com, it redirects to http://


"Enterprise"


Every big telco I've ever worked with will sell add on security including SOC and investigative services.

*edit: the quality isn't necessarily the best


IR people are in very high demand pretty hard for them to hire the best


Well my former employers BT hire Bruce Schneier I suspect the phone companies who are ex PTT / Civil Service might well have better teams.

Certainly BT security had a bit of a rep - not always in a good way :-)


> Verizon was hired to investigate the 2017 attack, and according to the bank Verizon’s forensics experts concluded that the tools and servers used by the hackers were of Russian origin

Wow. One incompetent company leading another incompetent company. What could possibly go wrong?

I don’t have hope for these types of companies. Their security is a joke. Their industry security is a joke.


The security consultants that work for Verizon aren't the same folks that allowed the Yahoo/Oath credentials dump from half a decade ago.

Verizon has a reputable security consulting arm that competes with Bishop Fox, FireEye, Rapid7, NCC Group, and other recognized computer security firms. Verizon is a massive company and isn't just wireless and home internet.


However, I don't care how different or secure their security division is. If they're happy to run it under the Verizon brand they I will continue to assume they are incompetent monkeys and they deserve to loose business for this.

Either up your security so Verizon is finally considered a credible brand, or spin the security business off as a separate entity.


They have zero incentive to do security. It costs them more money than the fines and since everyone in the industry is insecure, it's not like they lose much business either


It's as if these systems don't emit an audit stream, which when combined with the least bit of monitoring would have set off all sorts of red flags during these obviously anomalous events.

Such negligence tends to make me wonder if it's to leave open the possibility of some easy insurance fraud. In this particular case, that seems to have backfired with supposed hackers arriving first, and the insurer sleazily wiggling out of their own obligations.

At a past job, we ran thousands of shared linux servers for web hosting purposes. This was back in the early 2000s, and even then we had replaced all the installed shells with versions logging all interactive commands via UDP to a centralized syslog server. There was a simple IRC bot filtering the logs and echoing suspicious stuff into an IRC channel we monitored. Things like attempts to gain root, looking at /etc/passwd, lines starting with "./", running known irc bouncers or other script kiddie activities would be clearly visible and someone would intervene.

That was just a web hosting company with a small team and quite limited resources. I expect better from these national financial service providers, this is just pathetic.


Initial malware that came in through a Microsoft Word Document... It's 2018 and everything that is old is new again


It never got old. Phishing+macros+lateral movement are still a very significant vector. The industry exacerbates this by running with the feel-good "don't blame the user!" mantra.

At some point you really do need to give up on your fancy canaries, gateway and host IDS, perimeter blinky boxes, threat intelligence feeds, endpoint protection products, etc, and just start firing those in your employ who willfully and joyously thumb their noses at basic security hygiene.


The problem is that most endpoint protection is a joke. Companies buy enormously expensive enterprise endpoint protection systems with big dashboards to tell them if their endpoints are protected, and one of two things happens: either the dashboard falsely reports that everything is up to date (and you have Outlook 2007 running in the wild) or the dashboard reports that you have 4,394,665 security issues that need fixing, and not only does nobody have a clue where to get started, the minute they move laterally in the org to try to update anything, users scream DON'T YOU DARE TOUCH THAT!

You can't fix your security posture until you fix your update culture.


> and just start firing those in your employ who willfully and joyously thumb their noses at basic security hygiene.

Until it's your top salesperson who 2x'd the quarterly revenue target... I'd like to live in a world where everyone knew basic security hygiene, but we have to teach it first, not punish.


Considering the current lessons are "if you don't use frequently changed garbage passwords with a mix of cased characters, numbers, and special characters you aren't secure" and "...but we'll allow you to reset the lockout because you can never remember your password using this self-service reset guarded by unchanging common answers to facebook quizzes", I'd say the solutions is ( Find the right thing to teach > teach it > expect it).


But then it can be over emphasized, and no one in your organization trusts any links or attachments because of phishing. Then it all becomes a horrible mess of skype/slack IMs with the actual links to Sharefile or Dropbox shares. Then you wave goodbye to async communication because everytime someone sends you a hyperlink they _absolutely need_ to know if you were able to get the file...


I have worked at financial companies where they get it right, and it is not a problem. Having crappy infrastructure and procedures is never an excuse for poor security.


well if he/she is such a fantastic earner they should be held personally liable for the banks losses stemming from their reckless conduct (clicking on email links or opening strange documents)


The power in corporations will pretty much always lie with profit centers (i.e. sales) over cost centers (i.e. security). I'd doubt that almost any company will be able to overcome that. Better to focus on mitigation of risks than fight political battles that you're not going to win as an infosec team IMHO.


If we're going to start firing people, first on my chopping block would be IT staff who implement security theater policies which go against NIST recommendations (like forced rotation of passwords every x days) and create security hygiene problems as side effects.


Unfortunately PCI compliance requires rotating passwords last time I checked. : \


No. You are free to reference nist and use a compensating control for that. No more pw changes :) Source: QSA


I guess I was under the impression that compensating controls don't really let you question the efficacy of the point of the original requirement, but instead "we're meeting the requirement in this other way"?


That's correct :(

> 8.2.4 Change user > passwords/passphrases at least once > every 90 days.


and then you get Password1990!!!!!!


Train the employees by sending fake Phishing attempts and then letting them know when they have clicked on them. Do this regularly.


The company I work for (in the utility industry) does this regularly and there are disciplinary actions for falling for the attack

The consequences range in severity based on the number of times an employee is caught over a 12 month period, or if, as part of the attack, the employee enters their credentials on the webpage linked in the email (a big no-no). They range from: a meeting with your manager to discuss, a requirement to park outside the security gate and walk in for at least 2 weeks, to your vacation accrual rate being reduced, all the way to unpaid suspension or termination with 4 failures in 12 months.

Of course as part of the on-boarding process the company provides pretty extensive training on how to spot a phishing attempt but some attacks can still get a large portion of our company.

The downside is now some employees who have been burned before are terrified of opening any external emails. This ironically resulted in an exceptionally low participation rate in our company's annual employee engagement survey conducted by, you guessed it, an external party.


My employer does this. Some people laugh about falling for every single one.


My employer does this as well. Even though I have been on the internet since the early 1990s, I still fell for one. There is just no way around it, if you process 300 emails a day you are going to slip once or twice. The human brain just works that way.

I think they have other mitigation strategies. Like probably quietly installing extra scanners on the email of the most "problematic" people who open anything and forward chain letters constantly.


I worked somewhere where we received a yearly Christmas bonus of some maximum amount reduced by various factors. Maybe the threat of loosing 10% of some yearly bonus for: "fails to meet security standards" would work well as a deterrent.


or use those physical devices that google hands out as well as training.


The issue at hand is the faulty Windows security model. Users have been trained to give full admin rights to anything that asks.


"Users" probably shouldn't have that option. When I have to be responsible for Windoze boxes, no one gets admin except myself.


Let he who is without sin initiate the first termination process with HR.


Seems to me in 2018 you shouldn't be receiving Word Docs as email attachments from unknown/unauthenticated senders.

In ancient times .exe were banned outright, and I have customers who also ban .zip. And a Word Doc with embedded macro is in effect an executable.


Lots of supposedly known senders that are actually hostile actors, some account takeovers, and there are many external facing people who expect to receive word docs from unknown people.

Accounts payable, for example, gets lots of these things as an expected part of the workflow, as does legal, and various parts of management.

PDFs have had problems of their own.

Many of the people that you most want to secure are the same people who need to be exposed to the outside world. CEO and CFO HAVE to deal with random people, as it's the job, but they are the most dangerous. If someone needs a 5 step verification process that takes days to communicate with your CEO, then you are not going to get may new clients or investors.


Yep. And what about the most obvious? HR. Resumes, cover letters, reference material, etc. Many places don't subscribe to the evil ATS or taleo parser tools and casually open whatever is sent to them with a familiar icon or extension as attachment.


These people need to be receiving Word Docs with macros and need to open those docs executing macros by default, from unknown/unauthenticated people? That doesn't make much sense to me. I see automated tasks as being internal. Receiving automated tasks from random people and executed by default seems like asking for trouble.


You dont understand. Everyone has all Macros enabled by default because Bob down the hall wrote an Excel macro that lets us plug numbers in our spreadsheet from the mainframe in 5 seconds instead of typing them for 20 minutes.

Everyone knows that to get the Macro to work, step one is to enable all macros.


We could reduce our risk a lot using a combo of technology that isolates executions to certain deprivileged memory ranges with tech that blocks code injections in general. Think a separation kernel running a desktop OS in one partition and in another a PDF viewer written in Rust. The general tech for stuff like that was being sold commercially far back as 2005, minus Rust of course. They did have Ada runtimes, though. The NSA and military ended up retiring the concept because there was too much complexity in PC hardware they thought would lead to attacks bypassing the VM boundaries. They did.

The old approach, which I used, was to use a mix of desktop and embedded boards physically separated with a KVM switch plus controlled, sharing mechanism. Just keep the untrustworthy stuff on their own machines. It's klunky but a greater chance of working securely.


Would it be possible to simply serve employees a hardened email VM on demand which included editing and composition utilities (office, Adobe)? I envision something that could be destroyed after each use to prevent persistence and could be put on a VLAN which included only the email server and specific internal services if need be to make pivoting difficult.


That's what I was talking about with VM risk, though. You're right back to it. Even the most secure VM will have the hardware and firmware in its attack surface. Those are getting tons of attention right now. It will reduce the number of times you get breached with associated damage. It's not as secure as physical separation, though.


There is something similar on the market called Bromium. It spawns micro VMs for some filetypes so that possible code execution is contained within the micro VM. Still haven't tested it.

https://www.bromium.com/


Am pretty curious what kind of "skeleton key" ATM card they were using to access all of the ATM's as different users. Lest they were posed as repair people and stood there with a laptop hooked in.


Generally in these cases spoofed cards + access to back end system. They just look like ordinary customers from the ATM perspective.


From what I've seen the attackers pay organized teams of people to do the withdrawals that wouldn't have a problem getting caught by the cops for a percentage. Load a stack of blank cards, then send out the squad.


Could've been something like this: https://samy.pl/magspoof/


IANAL, but this bank needs a better general counsel. The contract says "big payouts unless ATMs are involved, in which case small payouts". Sure, in order to draw out the court case longer than a day, they'll make some vaguely plausible argument to ignore the plain language of the contract. Still, it would have been so much better to realize ahead of time that "we're a bank, tied to an ATM network, so our insurance should cover the use of ATMs too!"


No mention of what was done when the policy was sold. Most insurance companies do a check to minimize their liability. I would think that the insurance company would do a PCI and whatever other audits are used to verify security of the financial institution before writing a policy. An audit (and corresponding mitigation) would save the bank money on their insurance cost.


No need to due diligence on a policy if you don't intend to ever honor it


wondering why i've to use 2fa (with a damn token) to access my inbank but there's no need of 2fa (on phone maybe?) to withdraw money from atm.

PS: do they seriously have a system that can turn off the need of entering the pin to withdrwa money? why?


ATM withdrawls are already two-factor - unless your ATM experience is very different to mine.

You need the card (something you have, factor 1) and the PIN number (something you know, factor 2).


I guess that is traditional 2fa that never occurred to me. Shouldn't we update that to include one-time passcodes like we do know for most things?


We live in a tech bubble. Most people don't use one time pass codes for anything.


> include one-time passcodes like we do know for most things

The only things I can think of that uses one-time passcodes are the occasional password reset or login from a new device? Are there other uses I'm not aware of?


> Shouldn't we update that to include one-time passcodes like we do know for most things?

Some people I know are still not comfortable using an ATM, if you add passcodes they are going to have a very bad time.


to add an addition OPT password, sent on the phone or something like that.

however, if your system allows one to disable even the PIN code that's pointless.


> to withdraw money from atm.

Because ATMs have daily withdrawal limits and security cameras. Neither are infallible but they limit and discourage fraud.


How would this help ? In this incident hackers were able to disable pins and anti-fraud protections.


It feels to me like the first incident should be covered and the second one should not. It doesn't seem fair to keep relying on insurance when you know you have a problem.


I wish I knew how to do that


[flagged]


There were two distinct attacks (probably by the same persons) within an eight month time frame. Each attack took place over the span of a weekend.


I would imagine that a heist like this would take significant amount of prep work. The weekends were just the tips of the icebergs. While $2.4M is fair chunk of money, I too think that the payout for the amount of effort seems relatively meager.


[flagged]


Nationalistic battle is not ok here. Please do not post like this again.

https://news.ycombinator.com/newsguidelines.html


It's not nationalistic since I was not "having strong patriotic feelings, especially a belief in the superiority of one's own country over others" per the definition of the word. I was asking "when is enough, enough?" That's not me trying to promote a certain nationality or nation, that's me saying, "Russia is acting like dicks, let's take away their ability to do so if they don't stop acting like dicks soon."

In the end, it's probably not a good idea, anyways.


My friend, here's live cyber attacks map: https://threatmap.checkpoint.com/ThreatPortal/livemap.html it will help you ban more nationalities from internet. For example last week most frequent attack source for China is USA. Enjoy.


That shows the last hop the attack is coming from though how useful is it for making any conclusions about the actual origin?


Exactly


As soon as we kick the NSA off the internet.


Bullish on bitcoin.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: