A Virginia Bank Breached Twice and No Fix
My Thoughts on the Underlying Problem
Hello folks, this is Jared once again, and this time, I’m here to talk about an article entitled "Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M" and how I think it’s the bank that neglected to fix the underlying problem.
Let’s start at the beginning. In late May 2016, the bank in question, which I’m not going to mention by name, was breached because someone at the company clicked on a link in a successful phishing attempt. After the first heist, all employees should have been trained on phishing simulations so they can prevent the issue from happening again. The hackers were able to defeat the anti-fraud and anti-theft detection and run off with $500k. The first heist happened over a Memorial Day weekend, so that complicated matters, and that's understandable.
In June 2016, the bank in question implemented additional safeguards. This is a good thing, and it was recommended they make these changes after the investigation. You’d think we’d be done with this, but there’s more to this story, and I’m wondering if it was insurance, or whether the bank didn’t do enough.
Eight months later, the perpetrators were able to gain access once again to the systems because of a phishing email. This tells me that there were minimal phishing simulations or even training to detect this type of thing, so that links wouldn’t be clicked on and the perps couldn’t get access to such systems. Not only were they able to get into the same systems, but they were able to compromise a workstation that had access to other software which manages credits and debits to customer accounts. I’m not too familiar with the software; the article says it is called Navigator.
To add insult to injury, after the first incident in 2016, because the fraudsters deleted evidence, the bank lost over 1 million dollars. The evidence from Verizon, the company hired to investigate the breaches, concluded that the fraudsters were Russian in nature, and that the tools and techniques were from this country. This was interesting news, and the story should’ve ended there, but now there seems to be a lawsuit, which doesn’t make sense to me, because the bank in my opinion didn’t do the basics of making sure they weren’t phished to begin with. Verizon has a department called Verizon Enterprise Solutions, which was used in this investigation, not Verizon, the phone company or internet provider.
The rest of the article talks about the cyber insurance aspects, where there were two policies and neither of them really covered the losses as the bank would’ve liked. The lawsuit claims that the bank should’ve had the insurance company pay because it should’ve been under the more expensive plan where it would’ve covered over a million dollars in coverage loss.
Cyber insurance is something new; we’ve never had any of that until recently. One of the basketball teams, the Golden State Warriors, recently had a sponsor called CyberPolicy, which I have never heard of. This is one company that provides something that is new to the game. I wouldn’t necessarily blame the insurance company when the overall problem is not the policies, but the phishing aspect of the overall story.
According to CyberPolicy, they provide insurance to small businesses as well as tools, ideas on what to buy, and other things that may be of interest to the person who needs the service. Each company that provides these services will be different in nature, but all should help in protecting the business the best they can against being attacked.
According to CyberPolicy, 43 percent of breaches occur in small businesses, and they close their doors within six months of a breach. Their motto is plan, prevent, and insure.
What I think needs to happen is that the bank needs to follow through with a phishing training plan. PhishLabs is based in South Carolina. They also have a response center based in Washington, based on the area code located on the web site linked within this article. PhishLabs also has a blog you can link to from the site that talks about various stories, trends, and links to various reports that talk about the problems and what to do about them. If this bank linked in the Krebs story started with the idea of it being a phishing problem, then maybe the second incident would not have happened. If it did, and that was a possibility, then they could ask if the training took hold.
PhishLabs says that you need to have ongoing training, and once-a-year training is not going to be enough. I’ve seen a lot of stuff, and I understand what to look for. Sometimes I’m curious about where things go, so I’ll press enter on the link, or for the sighted, click on it. I’ll look at the web page to see what types of information are requested, and either I’ll blog, or talk about it if it's something different. Most of the time, I just look, delete, and move on. I don’t enter any type of real data in these sites, and I don’t run documents when I don’t know what they are.
What I’ve also done once is enter false data on an Apple phishing page which asked for name, address, credit card, bank account, and more. All the data I entered on that page was invalid. It then asked me to log in, but since I never intended to log in, I didn’t much care. Oh yes, I forgot one thing. I also entered an invalid email address which once belonged to me, and a random password. On most pages I don’t enter anything, but I wanted to see where it took me once I entered data. I know it's foolish, and I’ve only done it once. I already knew the email in question was a phish because it said that there was a problem and I needed to reauthenticate. I had already used my Apple account with no issues, and I hope the phishers find what they’re looking for.
Do you think that the issue is with the insurance policy and the company not paying, or do you agree with my idea that it is a phishing issue that hasn’t been addressed? I’d be curious about your thoughts, and you’re welcome to contact me through my profile. Comments are welcome. Thanks for reading, and make it a great day.