LEARNING FROM PAST MISTAKES

I tend to read any legal cases about information security, because they are one source where accurate root cause information on breaches can be found.  Two very interesting decisions on security at banks were recently published.  One is the May 27 US District Court decision on Patco v. People’s United Bank.  An even more recent decision is Experi-Metal v. Comerica Bank, June 13, US District Court.  Both cases involve online transactions with large sums being fraudulently transferred out of business accounts and to Eastern Europe.  Unfortunately, these cases are not uncommon.  The first one I became aware of was Joe Lopez v. Bank of America; Lopez lost $90,000 back in 2004 in a wire transfer to Eastern Europe.  Last year my neighbor’s business lost over $300,000!  In this case, the funds were recovered through timely efforts of the FBI and their counterparts in Latvia.

These and many of the recently reported security breaches are caused by basic operational security problems, not super high tech exploits.  The vast majority of breaches are also perpetrated on firms that have had multiple breaches.  In other words those businesses are not learning from past simple mistakes.  In this post, I look at these two recent legal decisions and what we can now learn from the mistakes of the banks.  In another post, I will look at what we can learn from the mistakes of the banks’ clients.

In reviewing the courts’ decisions, the common factor is that neither bank had suitable fraud detection monitoring controls in place.  Both violated one of the basic principles of security:  monitoring.  Today, all security controls can be hacked…..the only way to control breaches is constant vigilance and the ability to react quickly.

In Patco v. People’s case, $588,851 was transferred out of Patco’s business account to unknown entities.  Someone had captured Patco’s bank log in information, either through a keystroke logger, man in the middle attack or other means, not identified in the proceedings.  Patco sued the bank to recover the funds.

In the Patco case, the Bank prevailed in Summary Judgment.  This decision turned on what it had promised to Patco and the legal interpretation of that contract under the Uniform Commercial Code.

But even more interesting is how the bank might have protected itself, its customer and its reputation.  The bank did have fraud detection software in place.  The criminals had used a computer not owned by Patco to log in and transfer funds.  The risk score recorded by the bank was 790 for these transactions.  The transaction was noted in real time by the risk scoring system to be from a “very high risk non-authenticated device”.  Log files of transaction risk scores subsequently showed that the highest previously recorded score was 214.  In other words the bank was able to detect that the fraudulent transactions had a risk score 300% higher than its previous maximum, but no one was watching!

This is one of the most common contributing factors to security breaches:  no monitoring.  Putting in place complex technical or administrative security controls does not work, unless those controls are monitored!  At this point, we have to assume that all controls can be breached given high enough incentives.  Therefore monitoring and incident response processes become essential to minimize potential losses.

PostScript on this case:  After the breach, United Bank is now reporting that it is monitoring the risk scores for ACH transactions!

 

The facts in the Comerica case were similar.  In this case $1.9M was transferred out of Experi-Metal accounts after the criminal used a phishing attack to gain the log on credentials.  The 93 transfers were done in a matter of hours out of Experi-Metals Employee Savings Account, which regularly had a zero balance!  The judge also noted in his decision that Experi-Metal had limited prior wire activity and that Comerica was aware of phishing attacks just prior to the fraudulent activity.  His conclusion was that Comerica had not acted in “good faith” as required under the UCC and therefore is responsible for the outstanding $560,000 that was not recovered.

Unfortunately, security monitoring is often left to the last in implementing controls.  The best approach is to establish first what information executive management needs to see, and then work backward to establish how that information will be collected.

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.

Book an Appointment for Cybersecurity Issues

Request an appointment with Dr. Fred Scholl. We will discuss any cybersecurity issues you have.

More Good Reading

Cybersecurity Thrives in An Organizational Context

The First National Cybersecurity Summit

New Privacy Laws Require Security Professionals Up Their Game

Cybersecurity Workforce Development: Real or Imagined Problem?

Antidote for Fake Everything

Information Security Risks, Gray Rhinos and Black Swans

Managing Information Security On a Limited Budget

Building a Security Start-Up

Cybersecurity Risk Management for Directors

My Reading List for Security Start-Ups

Should Your CIO Learn to Code?

How IT Leaders Can Keep a Seat at the Table

Equifax points out—again—the need for speed in security management

Anatomy of a Security Breach

The Smartest Information Security Companies

Book Review: Play Bigger

Long Term Beneficiaries of WannaCry

RISK: A NEW MOVIE ABOUT JULIAN ASSANGE

TRADE SECRET THEFT CONTINUES UNABATED

TENNESSEE LEGISLATORS MUDDY WATERS AROUND PRIVACY BREACH NOTIFICATION REQUIREMENTS

LEADERSHIP CHECKLIST FOR SECURITY PROFESSIONALS

SIEM VENDORS HAVE IT ALL BACKWARDS

THE SECRET TO GROWING YOUR SECURITY STARTUP

CLOUD JOBS PEAKING?

The Spy Who Couldn’t Spell

IS THERE A CYBERSECURITY PROFESSIONALS SHORTAGE?

No Blue Pill for Cybersecurity Failures

Presidential Cybersecurity Commission Makes Some Good Suggestions

Understanding Intelligence

Align Your Security Program With the Business

Don’t fall victim to BEC

Enterprise Risk Management and Information Security

Evidence Based Risk Assessment: Lessons Learned from the Y-12 Breach

First Conviction for Illegally Distributing Android Apps

Locking Up the Ivory Tower

Cloud Vulnerabilities

More Security Lessons Learned from the Y-12 Breach

Security or Compliance?

Home Disaster Recovery Planning

Cloud Computing: Trust but Verify

Background Checks May Not Be Enough

PERFECT SECURITY STORM FOR LAW FIRMS?

How Not To Be a Cyber Janitor

SECURITY MEMO: IT CAN’T HAPPEN HERE, CAN IT?

Don’t Forget Cloud Availability

Compliance v. Security

GAO Report on Information Security in Federal Government

Lean Security

Mitigate Your Social Engineering Vulnerabilities

HIPAA Security. Are We Making Progress?

Brand Your Security Program

PDCA is Dead

LEARNING FROM PAST MISTAKES

How Better Security Can Create Shared Value

C’est La Vie, You Never Can Tell: Lessons Learned from the HBGary Hack

DDOS Tutorial

The future of information technology

Data Governance Anyone?

Learning from the oil spill disaster

Down the Rabbit-Hole…Again?

Ideas on Risk Management