
Date Posted: 2/28/2016

OPM Breach: Protecting Yourself from the Fallout

Everyone has heard about the massive breach of 21.5 million identities stolen from the Office of Personnel Management in an attack that was revealed in June of 2015. Any person who underwent a security clearance would be in the OPM database. The sensitivity of the information is immense as it contains personal information commonly used to identify you: mother’s maiden name, birthdate, place of birth, educational and work history, information about your family and your SSN.

Many financial and health websites use challenge questions and answers to identify yourself when resetting a password, updating account credentials or simply logging in from another computer.  It’s feared that hackers in possession of the OPM data could use that information to hijack sensitive accounts and gain access to financial information.

Change your challenge and identification questions and answers on your financial accounts immediately

Take the time to identify your banking, financial services and bill payment websites, changing the following:

  • Change questions asked to those that would not be known during a clearance investigation: your favorite color or make of your first car, for example. Avoid any questions such as spouse’s name, birth place, where you went to school, etc.
  • If you can’t change your questions asked, change the ANSWERS to the questions. You just have to remember what they are. These do not have to be truthful. If you were born in Bethesda you could change the answer to Silver Spring. The point is to block online account access.
  • The next thing to do is to change account alert notifications from email to a text message or a real phone call. Remove email notifications, as your email account could be hijacked. It’s a bit more challenging and noticeable to steal one’s cell phone.

OPM is offering free credit monitoring services

Everyone affected will receive a physical letter with a PIN to activate free credit monitoring from a company called ID Experts. The company will provide the hack victims and their dependent minor children with free credit monitoring, identity monitoring, identity theft insurance and identity restoration services for three years. You can also take the steps, if you haven’t already, to examine your credit reports yourself by using annualcreditreport.com

OPM Breach Facts

  • 21.5 million individuals affected
  • 133 million dollars spent for credit monitoring
  • Attack initially began in March 2014 and was noticed in April 2015
  • OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office of the Inspector General semi-annual report to Congress warned of “persistent deficiencies in OPM’s information system security program,” including “incomplete security authorization packages, weaknesses in testing of information security controls, and inaccurate Plans of Action and Milestones.” Encrypting this data at rest would have prevented this exposure.


Small Business Banking: Protecting Your Money from Hackers

What if you checked your business banking account and found it seriously depleted, with thousands of dollars missing? Call your bank? Query your employees? Call the police?  You could do all the above but it is most likely that the bank will report that the money was wired from your business banking account using your company’s banking credentials.  Malware installed on computers used to access your business banking account may have captured your business account credentials, and these could be used by thieves to move funds out of your business accounts.

How does this happen?

Malware is installed on computers via direct downloads (someone opening an attachment in email or electing to download an application from a website) or via a drive-by download, wherein software is installed on your machine just by browsing a website or clicking on a pop-up window. If the machine is unpatched, or does not have anti-malware software protecting it, the odds are much greater that the downloaded malware will not be stopped and will install and lurk on your machine.

Malware designed to run and monitor web site activity for banking or investment web sites will use a keystroke logger to capture banking credentials such as a userid and password. The malware will send the credentials back to the attackers, to be used by the thieves to login to your business banking account and wire funds out of your bank to their own offshore accounts.

What is my recourse with the Bank?

Shocking, but my bank will make me whole again, right? My personal credit card was stolen before and I only had to pay $50.00. My personal debit card was lifted in a big box retailer hack, and I didn’t lose any money. The protections that consumers enjoy are not transferable to the business world. Regulation E, of the Electronic Fund Transfer Act, provides consumers protection from theft, should their cards or accounts be compromised. Consumers are protected from liability, not businesses.

The electronic funds transfer component of the Uniform Commercial Code, UCC-4A, does limit liability if a sending customer did not authorize the funds transfer, but it is difficult to gain protection. For example: if the Bank’s security procedure is a “commercially reasonable method of providing security against unauthorized entries” and the Bank acted in “good faith” in compliance with that security procedure (meaning honesty in fact and observance of reasonable commercial standards of fair dealing), then a funds transfer validated by the Sending Bank under that security procedure is deemed authorized, even if the Sending Business did not in fact authorize it and a hacker actually performed the transfer.

The Sending Business Customer is not liable for an unauthorized transfer if the Business proves that the wire transaction was not directly or indirectly caused by the Business Customer or its employees or agents; a person with access to the Sending Business Customer’s facilities; or a person who obtained information from a source controlled by the Sending Business.

This is extremely difficult for the Business to prove if the Business Banking credentials (userid and password) were used to initiate the funds transfer, and if it happened on the machine normally used by the customer. How, the Bank will ask, were we supposed to know if it wasn’t the business user? The compromise occurred with the Sending Business Customer, not at the bank.

Legally, the Bank is not required to make your business whole. Your credentials were compromised, the bank’s wire/ACH funds transfer system worked as required—it wasn’t hacked—and your money is gone.

Has this really happened?

Unfortunately yes, many, many times. Here are just a few of those publicized:

December 2014:  $374,000 from a PNC bank account belonging to a plastics company in Pennsylvania, and $190,800 from the bank account owned by an assisted-living facility in Pennsylvania.

http://www.cnbc.com/id/101730783

August 2011: $561,000 lost from Sterling Heights, Michigan-based Experi-Metal Inc., $63,000 from Green Ford Sales of Kansas

http://www.bloomberg.com/news/articles/2011-08-04/hackers-take-1-billion-a-year-from-company-accounts-banks-won-t-indemnify

May 2012: Kingsport, Tenn.-based Tennessee Electric Company, Inc. (now TEC Industrial) was the target of an account takeover that saw cyber thieves siphon $192,656.54 out of the company’s accounts at TriSummit Bank.

http://krebsonsecurity.com/category/smallbizvictims/

The list of affected businesses is long. Many are not publicized. While some companies have successfully sued their bank to recover their losses, most have not won, and the legal fees and time may be enough to deter many business owners from contemplating lawsuits.

How do I protect my company?

What your Bank can do for you

If you’re not doing business with a financial institution which offers security protections against malware and credential loss, switch to one that does. Banks that offer tools such as Trusteer, a product which creates a virtual secure sandbox on customers’ computers in which to access and execute business banking transactions, are the gold standard to seek out. These are usually downloaded to your machines free of charge, with instructions on how to run the program to safely access your business banking applications without fear of malware.

Some financial institutions offer tokens, sometimes called multifactor authentication, to log in to their business banking site. In addition to a userid and password, the token generates a code which the user is required to enter to log in. The code changes every few seconds, and if grabbed by a malware keystroke logger it is useless.
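To show concretely why a keylogged token code is useless, here is an added example (not from the original post) of a server-side verifier for RFC 6238 time-based one-time passwords: a code is accepted only inside its short time window and only once, so a captured code replayed later or a second time is rejected. The secret is the RFC test-vector secret, used here as a constructed sample.

```python
import hmac
import hashlib
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """What the hardware/software token displays at Unix time `at`."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Bank side: accept a code only in its time window (+/- skew steps) and only once."""

    def __init__(self, secret: bytes, step: int = STEP, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.used = set()  # counters whose code has already been accepted

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter in self.used:
                continue  # replay of a code that already logged someone in
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False


def demo():
    """Constructed scenario: legitimate login, then a keylogged replay, then a stale replay."""
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, sample only
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)                       # token shows "287082" at t=59
    first = verifier.verify(code, 59)             # legitimate login: True
    replay = verifier.verify(code, 59)            # same code again: False
    stale = verifier.verify(code, 59 + 120)       # captured code two minutes later: False
    return code, first, replay, stale


if __name__ == "__main__":
    print(demo())
```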

Banks can also provide user controlled limits on wires and funds transfer, requiring a phone call or a second person to authorize the action.

What you can do to protect your business

  • All your company machines must have up to date, running and configured antivirus and firewall software installed. There are many free and low cost products available. There is really no excuse not to properly protect your business machines from malware.
  • Keep operating systems and software applications patched and up to date on all business machines by enabling automatic security updates.
  • Do NOT use a smartphone to do your business banking. Malware is rampant on smartphones and many people do not update their phones with patches, or phone providers are slow to provide them. Anti-malware software is not as sophisticated as PC software, given the limitations of the platforms. Social engineering via texts and emails is easier on a phone, and people seem to be less suspicious. While many banks will send email or text alerts of banking activity, don’t respond to these. They could be fake messages designed to direct you to a website loaded with malware. http://blog.kaspersky.com/faketoken-2014q1/
  • Do not do business banking from a wireless hotspot, such as a hotel, coffee shop or airport unless you are using a wireless security VPN which encrypts all your traffic.
  • Never use a shared machine or kiosk at a hotel, airport or other business. If you don’t control the machine, don’t bank from it.
  • As a best practice, isolate business banking, financials, accounting, etc. to one machine, one that is patched and protected with firewall and antimalware software and do not access the internet for mail or web from this machine. Watch YouTube videos and check Facebook from a personal PC, not a business machine.
  • Train your employees not to download attachments, either in email or from a web page from new and unknown sources.
  • Purchase Cyber Liability Insurance from a reputable insurance company to protect your business from losses due to hacking.


You work hard to grow and support your business. Don’t lose your hard earned money to a thief. Take similar steps to protect your assets in the cyber realm as you would with physical locks, bars and alarms for your business. Understanding the limitations of your business banking relationship is the first step.


Melissa McCoy