> According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E (“computer and electronic crime”) rider
Jeez, insurance companies are all the same. Regardless of whether you're an individual or a bank with millions on the line... you get treated with the same sleight of hand and nonsense interpretations of reality.
> those exclusions rules out coverage for any loss “resulting directly or indirectly from the use or purported use of credit, debit, charge, access, convenience, or other cards . .
How could a spear phishing campaign using malware that hijacked critical parts of the bank's infrastructure not be part of the C&E coverage, and merely 'debit and credit'? The last part was merely how the money was exfiltrated. But the entire crime was the result of the intrusion.
This seems like an easy to win case to me. But who knows.
This is how legal arguments work when actual money is at stake. If there's a non-insane point of view that says you could interpret a clause in either direction, one side takes one position and the other side takes the other position.
It's usually something similar to this, for example a policy with a clause saying we always cover if X and another clause saying we never cover if Y, when both X and Y are true. That kind of thing.
My favorite example along these lines is the insurance for the World Trade Center disaster, which hinged on the question of whether the 9/11 attacks were one event or two, since of course it was two separate planes taking off at different airports piloted by different terrorists.
No matter how much you plan ahead and try to use definitive language it's usually possible to end up in a spot where it's still a matter of debate.
In this case it's a lot of discussion of proximate cause (the phrase "but for" is the tell there) which is a standard feature of insurance claim arguments after some sort of major loss.
Typically what happens is each side assesses how close the other's argument is to compelling and then based on that both sides come to a settlement agreement.
The incumbents in the insurance/banking industry will have to invest heavily in security and in some cases overhaul entire systems. Personally I think it's more cost-effective long-term than hiring a bunch of lobby groups and lawyers to find loopholes.
I mean the Equifax security was laughable and no one got in trouble. I wouldn't be surprised if this case takes a complete 180 from common sense.
Are there objective audits or rankings where financial institutions are assessed for their cyber-security measures/infrastructure?
How do I even know whether my bank has good security? Cyber-security being such a major threat, I would be willing to change banks if my bank is proven to have crappy online security.
If any exists, it's by third parties who have no insight from the inside. Central banks wouldn't disclose a 'cyber-security index' in stress tests due to the risk of scaring customers off or causing a bank run.
Even well written standards are not objectively audited. There’s a huge variety in the quality of external auditing, and a fair amount of pay-to-play. A lot of people will tell you that every PCI certified company to ever be involved in a breach was non-compliant at the time of the breach. Is that because the PCI DSS is such a remarkable standard that complying with it will protect you from 100% of breaches? Or is it because you can retroactively find some type of issue with 100% of PCI audits?
Some US financial institutions are incorporating cybersecurity disclaimers.
Case in point: ETRADE. Just received an update to the customer agreement. The definition of “Force Majeure Event” (unforeseeable circumstances) was updated to include cybersecurity incidents. Also this: ETRADE ... makes no representation or warranty of any kind ... with respect to security.
> “Force Majeure Event” shall mean any act beyond E-TRADE’s control, including any earthquake, flood, severe or extraordinary weather conditions, natural disasters or other act of God, fire, acts of war, acts of foreign or domestic terrorism, insurrection, riot, strikes, labor disputes or similar problems, accident, action of government, government restriction, exchange or market regulation, suspension of trading, communications, system or power failures, cybersecurity incident, and equipment or software malfunction.
Here's the new force majeure clause:
> No Liability for Indirect, Consequential, Exemplary, or Punitive Damages; Force Majeure
> In no event shall any E-TRADE Indemnified Parties be held liable for (i) indirect, consequential, exemplary, or punitive damages or (ii) any loss of any kind caused, directly or indirectly, by any Force Majeure Event, and the Account Holder unconditionally waives any right it may have to claim or recover such damages (even if the Account Holder has informed an E-TRADE Indemnified Party of the possibility or likelihood of such damages).
Wow. First they define acts beyond their control to include things clearly within their control. Then they say they're not liable for "any loss of any kind" resulting therefrom.
These contracts are maddening because they won't be enforced as written until they are. Until a loss due to an avoidable issue costs them more to cover than it does in reputational damage. So it doesn't get reported because it doesn't feel like a real policy.
New York law applies here. If you sue them and lose, you pay their attorney fees. You've waived the right to a trial by jury and have likely agreed to forced arbitration unless you've explicitly opted out (see last page).
While the contract states that, that part should actually be unenforceable unless a certain set of conditions is in place.
As I noted in another post, it's important for people to review the rules of the governing arbitration forum.[1] That said, law is more an art than a science and weird determinations are often made when major $$ and entrenched interests are involved.
I recently paid to have a car transported across Australia. The warranty excluded force majeure events, as you'd expect, but on the list along with flooding, riots and the like, was the ambiguous "accident". Surely "accidents" were exactly what I'd want covered with a car transporter?!
A bit over a year ago I had a car my father and I had spent 13 months restoring shipped from CA to VA by a high-end enclosed auto transporter. Four hours into the drive an axle bearing seized up and the trailer caught fire. Total loss of all six cars, with over $1.25M in total damages (excluding the trailer).
The logical maneuvering the insurance companies employed to avoid paying their shares would have been awe inspiring to behold if I was not personally involved and therefore caught in the middle of a devastating situation.
If I learned anything, it’s that marketing B.S. and testimonials mean absolutely nothing when a transportation company is at fault after an accident. Also, always insure your classic automobiles with “agreed upon value” policies. This way you are covered to some reasonable fraction of your restoration outlay...otherwise you end up cry-laughing when the low-ball, hand-selected comparative values show up for significantly under the value of your receipts.
Agreed on the agreed-value policies. We unfortunately had a claim with a car covered by Hagerty and they couldn't have been more professional, courteous, or speedy in resolving the claim. (We were 0% at fault in the accident, but even if we had been, I suspect the treatment would have been the same.) Hagerty agent even followed up afterwards to see how we were doing and to express sympathy for the loss of our car.
Also, don't you care about interest or capital gains?
The interest rate on savings is under 3%. It's like paying that amount on an insurance policy to guarantee that your money isn't stolen by the bank or through the bank's negligence. And considering how banks behave these days, that's not a crazy investment.
It's shocking how many people make this error. Walter White buries millions of dollars in only one spot in Breaking Bad. People make only one copy of their cryptocurrency wallet seed. People have only 1 bank account. Etc.
A lot of that is dependent. Do you keep multiple copies of passwords around, which increases the chance that someone can get access to your account? Do you open multiple bank accounts and spend extra money when you have less than 400 dollars in it at any one time?
In the U.K. we are getting challenger banks which are free. It's super easy to open a new FREE account and spread your money around. You also get 2-3 different cards so even if you lose one or two you still have access to your money. Plus you can always transfer between accounts for free using their mobile apps.
It's a pretty sweet deal so I'm wondering if there isn't anything like that in the US. With SV I'd be very surprised if the U.K. is pioneering this.
If the accounts are free and from different entities then it would make sense for most people to split things up, for sure.
Retail banking is pretty heavily regulated in the US so maybe that's the issue? I've seen a lot of startups in other banking areas, like Mint or Square, but none for checking/savings accounts.
Then these financial institutions are openly declaring themselves insecure. But, of course, clickwrap contracts declare them not responsible for anything ever.
No depositor lost any money in this case. The bank had trouble getting its insurance to pay up. If this was bitcoin, the money would be gone, because bitcoin does not have the same restrictive regulation scheme as United States dollars held in a United States bank.
I am planning to move my stocks from ETRADE to Vanguard.
Vanguard's user agreement says this:
Data security is, of course, a top priority. To mitigate computer virus attacks and other acts of cyberterrorism, We have implemented controls monitored by a dedicated team of information security specialists. We also maintain a network of redundant systems, off-site data storage, and off-site tape vaults to ensure that all source data are recoverable in a disaster.
I'm on the bank's side of the lawsuit based on what I read in this article. They were covered under "computer and electronic crime" insurance. If the hacks don't fall under that coverage, what would?
If the attackers had gotten the money out via wire transfers, then that would presumably be covered.
The attackers likely avoided that route because it would be easy to trace.
That’s likely the same reason that the insurance policy has special treatment for debit card/ATM incidents, because those sorts of transactions are more difficult to trace and therefore have a higher risk classification.
That's not what this is saying at all though. It's saying "In order to get paid you must show you took reasonable precautions not to get hacked AND got hacked." It's pretty hard to argue ignoring a known issue for 9 months is taking reasonable precautions. I don't see how that's any different than not paying when someone falls because of broken steps you knew about and didn't fix, which would be pretty common.
For years people were arguing that the "free market" way to get companies to actually care about IT security was to do it through their insurance premiums: companies with poor practice should be charged more. It sounds like that's come to pass now.
It's possible, but the only evidence we have is that insurance companies want to avoid the payout, not that poor practices impacted premiums at all. Given what I've seen from security audits of the past, particularly when influenced by non-security professionals (such as the accountants in this scenario, both the insurers and the insured), I have little faith that if insurance companies dictate the practices that we'll get actual useful security increases, but plenty of extra bureaucratic hoops that will result in the same "productivity vs security _risk_" dilemma we have now, except the CBA changes to "is the hit to our productivity worth this hoop compared to the cost our lawyers would involve to prove this hoop was unnecessary or unrelated times the likelihood that it comes up"
I'd like to see some big payouts on that, just to get those silly riders off every blessed insurance estimate I ever receive. "It's a vacant building with no internal walls or floor! It's not going to get hacked!" I don't understand why these riders are all on basic real estate insurance, rather than specifically on e.g. business liability or whatever.
> I'm on the bank's side of the lawsuit based on what I read in this article
Did you read this bit:
> The second exclusion in the C&E rider negates coverage for “loss involving automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans . . ..”
And never lose the opportunity to blame 'Russian' hackers.
> “Foregenix .. determined the hacking tools and activity appeared to come from Russian-based Internet addresses .. according to the bank Verizon’s forensics experts concluded that the tools and servers used by the hackers were of Russian origin”
They're clever enough to hack a bank but not clever enough to disguise their IP address.
Why would the Russians care if their address was known? They aren't going to be extradited or punished by the Russian government; they may be funded by the government or people very well connected to the government. Not to make it political, but they hacked many of our election systems and didn't even get punished for that.
I love the casual potential blaming of Russian state actors for corporate cyber attacks, but complete disbelief when NSA is accused/implicated in the exact same...
Complete disbelief? I thought it was common knowledge that the NSA spies on everyone and has spies working or intercepting shipments from most of the major tech manufacturers in the world.
The NSA's typical practices aren't generally thought to include encouraging domestic criminal groups to steal sizable quantities of money from foreign banks. Or sitting idly by as it happens on a regular basis.
We expect the NSA to be compromising foreign systems. We don't expect them to be doing this with them.
That rider sounds to me like the ATM itself has to be compromised. It wasn't. The hack was upstream and the ATM was just doing what the network rules told it to.
No, it just says that the ATM must be involved in the loss; they don't need to be the cause or the source of the loss. And I think it is pretty well arguable that ATMs were involved in this case, even if in a relatively minor role.
Yeah it makes it seem a bit implausible or at least should be cause for just a teeny weeny second of consideration. If I were hacking into a bank I'd consider myself pretty smart if I thought to pin it on the most boringly believable (by most Americans, stewed as they are in a soup of anti-Russia talk) hacking culprit.
If you're going to build a botnet, it'll probably mainly be a bunch of Russian and Chinese machines. They've got the most WinXP instances still running with hardly any updates.
What's interesting to me about this is it seems like the hack still required physical presence to pull it off. The criminals had to actually visit hundreds of ATMs over the span of a holiday weekend to withdraw the cash.
I suspect it had to have been people in on the scam because I don't see how you could conceivably convince strangers to withdraw cash for you at that scale without raising eyebrows.
If a guy in an Indian call center can convince people that the IRS is about to have them arrested if they don't immediately pay their back taxes with iTunes gift cards, you can certainly convince people to withdraw money from an ATM and send it somewhere.
It seems more likely that the ATM withdrawers were just normal criminals already integrated into normal criminal organizations. Everybody gets a cut, but nobody takes too big a cut because violence and repeat business. Normal criminals love ATM stuff because it's quite low-risk.
It's really easy to trick people into committing crimes. Post a bunch of Craigslist job postings for a non-existent bank QA job that pays $100/hr. Have them withdraw the cash from the ATM, deposit it into their bank and wire the money out to an international bank.
> The bank’s complaint against Everest notes that the financial institution doesn’t yet know for sure how the thieves involved in the 2017 breach extracted funds. In previous such schemes (known as “unlimited cashouts“), the fraudsters orchestrating the intrusion recruit armies of “money mules” — usually street criminals who are given cloned debit cards and stolen or fabricated PINs along with instructions on where and when to withdraw funds.
> I don’t see how you could conceivably convince strangers to withdraw cash for you at that scale without raising eyebrows
The book "Kingpin" talked about how most of the people doing the withdrawing of cash were usually "mules" who were in on the scam. They'd withdraw the money, get a small cut and send the rest to a middleman.
The book itself goes into a lot more detail on how it worked:
This is a pretty common method of attack on banks, and this is far from the first time it's been done. I'm guessing the criminals expect a certain level of loss from the mules doing the withdrawals but aren't too bothered as it's not their money :)
It goes back at least to 2009 (Worldpay US) and possibly before that.
The ATM element is important as one of the hardest parts of electronic bank theft is getting the money out of the banking system in an untraceable form.
> Verizon was hired to investigate the 2017 attack, and according to the bank Verizon’s forensics experts concluded that the tools and servers used by the hackers were of Russian origin
Wow. One incompetent company leading another incompetent company. What could possibly go wrong?
I don’t have hope for these types of companies. Their security is a joke. Their industry security is a joke.
The security consultants that work for Verizon aren't the same folks that allowed the Yahoo/Oath credentials dump from half a decade ago.
Verizon has a reputable security consulting arm that competes with Bishop Fox, FireEye, Rapid7, NCC Group, and other recognized computer security firms. Verizon is a massive company and isn't just wireless and home internet.
However, I don't care how different or secure their security division is. If they're happy to run it under the Verizon brand then I will continue to assume they are incompetent monkeys and they deserve to lose business for this.
Either up your security so Verizon is finally considered a credible brand, or spin the security business off as a separate entity.
They have zero incentive to do security. It costs them more money than the fines, and since everyone in the industry is insecure, it's not like they lose much business either.
It's as if these systems don't emit an audit stream, which when combined with the least bit of monitoring would have set off all sorts of red flags during these obviously anomalous events.
Such negligence tends to make me wonder if it's to leave open the possibility of some easy insurance fraud. In this particular case, that seems to have backfired with supposed hackers arriving first, and the insurer sleazily wiggling out of their own obligations.
At a past job, we ran thousands of shared linux servers for web hosting purposes. This was back in the early 2000s, and even then we had replaced all the installed shells with versions logging all interactive commands via UDP to a centralized syslog server. There was a simple IRC bot filtering the logs and echoing suspicious stuff into an IRC channel we monitored. Things like attempts to gain root, looking at /etc/passwd, lines starting with "./", running known irc bouncers or other script kiddie activities would be clearly visible and someone would intervene.
That was just a web hosting company with a small team and quite limited resources. I expect better from these national financial service providers, this is just pathetic.
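The filter described in the post above, as an added example that is not the poster's code: constructed shell-command log records (the `shlog[uid]:` format is an assumption) are matched against the categories the post lists (root attempts, /etc/passwd reads, lines starting with "./", known IRC bouncers), and, as a generalization beyond the post, accounts that trip several distinct categories are singled out for escalation.

```python
"""Filter a per-user shell command log stream for suspicious activity.

Constructed example modelled on the syslog filter described in the post;
the 'shlog[uid]: cmd' record shape and the tool names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real log data).
SAMPLE_LOG = """\
Mar 12 10:01:02 web17 shlog[1001]: ls -la public_html
Mar 12 10:01:09 web17 shlog[1001]: cat /etc/passwd
Mar 12 10:02:11 web03 shlog[1042]: su -
Mar 12 10:02:30 web03 shlog[1042]: ./a.out
Mar 12 10:03:00 web03 shlog[1042]: wget http://example.invalid/psybnc.tar.gz
Mar 12 10:03:05 web03 shlog[1042]: tar xzf psybnc.tar.gz
this line is not a shell log record and is skipped
Mar 12 10:04:00 web22 shlog[1077]: vim index.php
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"shlog\[(?P<uid>\d+)\]: (?P<cmd>.*)$"
)

# Detection rules for the categories the post names. Dict order is the
# order alerts are emitted for a single record.
RULES = {
    "root-escalation": re.compile(r"^\s*(sudo|su)(\s|$)"),
    "passwd-read": re.compile(r"/etc/(passwd|shadow)\b"),
    "dot-slash-exec": re.compile(r"^\s*\./"),
    "irc-bouncer": re.compile(r"\b(psybnc|bnc|eggdrop)\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    uid: int
    rule: str
    cmd: str

    def as_channel_line(self) -> str:
        """One-line message in the shape a chat bot would echo."""
        return f"[{self.rule}] {self.host} uid={self.uid}: {self.cmd}"


def parse_line(line: str):
    """Return the record's fields, or None for lines that are not records."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None  # skipped rather than crashing the filter
    rec = m.groupdict()
    rec["uid"] = int(rec["uid"])
    return rec


def scan(text: str):
    """Return one Alert per (record, rule) match, in log order."""
    alerts = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(rec["cmd"]):
                alerts.append(Alert(rec["ts"], rec["host"], rec["uid"], name, rec["cmd"]))
    return alerts


def escalate(alerts, threshold: int = 3):
    """Uids that tripped at least `threshold` distinct rules (sorted).

    Added generalization: one hit may be benign, but several different
    categories from one account is what a human watching the channel acts on.
    """
    rules_by_uid = defaultdict(set)
    for a in alerts:
        rules_by_uid[a.uid].add(a.rule)
    return sorted(uid for uid, rules in rules_by_uid.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a.as_channel_line())
    print("escalate:", escalate(found))
```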
It never got old. Phishing+macros+lateral movement are still a very significant vector. The industry exacerbates this by running with the feel-good "don't blame the user!" mantra.
At some point you really do need to give up on your fancy canaries, gateway and host IDS, perimeter blinky boxes, threat intelligence feeds, endpoint protection products, etc, and just start firing those in your employ who willfully and joyously thumb their noses at basic security hygiene.
The problem is that most endpoint protection is a joke. Companies buy enormously expensive enterprise endpoint protection systems with big dashboards to tell them if their endpoints are protected, and one of two things happens: either the dashboard falsely reports that everything is up to date (and you have Outlook 2007 running in the wild) or the dashboard reports that you have 4,394,665 security issues that need fixing, and not only does nobody have a clue where to get started, the minute they move laterally in the org to try to update anything, users scream DON'T YOU DARE TOUCH THAT!
You can't fix your security posture until you fix your update culture.
> and just start firing those in your employ who willfully and joyously thumb their noses at basic security hygiene.
Until it's your top salesperson who 2x'd the quarterly revenue target... I'd like to live in a world where everyone knew basic security hygiene, but we have to teach it first, not punish.
Considering the current lessons are "if you don't use frequently changed garbage passwords with a mix of cased characters, numbers, and special characters you aren't secure" and "...but we'll allow you to reset the lockout because you can never remember your password using this self-service reset guarded by unchanging common answers to Facebook quizzes", I'd say the solution is (find the right thing to teach > teach it > expect it).
But then it can be over-emphasized, and no one in your organization trusts any links or attachments because of phishing. Then it all becomes a horrible mess of Skype/Slack IMs with the actual links to Sharefile or Dropbox shares. Then you wave goodbye to async communication because every time someone sends you a hyperlink they _absolutely need_ to know if you were able to get the file...
I have worked at financial companies where they get it right, and it is not a problem. Having crappy infrastructure and procedures is never an excuse for poor security.
Well, if he/she is such a fantastic earner they should be held personally liable for the bank's losses stemming from their reckless conduct (clicking on email links or opening strange documents).
The power in corporations will pretty much always lie with profit centers (i.e. sales) over cost centers (i.e. security). I'd doubt that almost any company will be able to overcome that. Better to focus on mitigation of risks than fight political battles that you're not going to win as an infosec team IMHO.
If we're going to start firing people, first on my chopping block would be IT staff who implement security theater policies which go against NIST recommendations (like forced rotation of passwords every x days) and create security hygiene problems as side effects.
I guess I was under the impression that compensating controls don't really let you question the efficacy of the point of the original requirement, but instead "we're meeting the requirement in this other way"?
The company I work for (in the utility industry) does this regularly and there are disciplinary actions for falling for the attack.
The consequences range in severity based on the number of times an employee is caught over a 12 month period, or if, as part of the attack, the employee enters their credentials on the webpage linked in the email (a big no-no). They range from: a meeting with your manager to discuss, a requirement to park outside the security gate and walk in for at least 2 weeks, to your vacation accrual rate being reduced, all the way to unpaid suspension or termination with 4 failures in 12 months.
Of course as part of the on-boarding process the company provides pretty extensive training on how to spot a phishing attempt but some attacks can still get a large portion of our company.
The downside is now some employees who have been burned before are terrified of opening any external emails. This ironically resulted in an exceptionally low participation rate in our company's annual employee engagement survey conducted by, you guessed it, an external party.
My employer does this as well. Even though I have been on the internet since the early 1990s, I still fell for one. There is just no way around it, if you process 300 emails a day you are going to slip once or twice. The human brain just works that way.
I think they have other mitigation strategies. Like probably quietly installing extra scanners on the email of the most "problematic" people who open anything and forward chain letters constantly.
I worked somewhere where we received a yearly Christmas bonus of some maximum amount reduced by various factors. Maybe the threat of losing 10% of some yearly bonus for "fails to meet security standards" would work well as a deterrent.
Lots of supposedly known senders that are actually hostile actors, some account takeovers, and there are many external facing people who expect to receive word docs from unknown people.
Accounts payable, for example, gets lots of these things as an expected part of the workflow, as does legal, and various parts of management.
PDFs have had problems of their own.
Many of the people that you most want to secure are the same people who need to be exposed to the outside world. The CEO and CFO HAVE to deal with random people, as it's the job, but they are the most dangerous. If someone needs a 5-step verification process that takes days to communicate with your CEO, then you are not going to get many new clients or investors.
Yep. And what about the most obvious? HR. Resumes, cover letters, reference material, etc. Many places don't subscribe to the evil ATS or taleo parser tools and casually open whatever is sent to them with a familiar icon or extension as attachment.
These people need to be receiving Word Docs with macros and need to open those docs executing macros by default, from unknown/unauthenticated people? That doesn't make much sense to me. I see automated tasks as being internal. Receiving automated tasks from random people and executed by default seems like asking for trouble.
You don't understand. Everyone has all macros enabled by default because Bob down the hall wrote an Excel macro that lets us plug numbers in our spreadsheet from the mainframe in 5 seconds instead of typing them for 20 minutes.
Everyone knows that to get the Macro to work, step one is to enable all macros.
We could reduce our risk a lot using a combo of technology that isolates executions to certain deprivileged memory ranges with tech that blocks code injections in general. Think a separation kernel running a desktop OS in one partition and in another a PDF viewer written in Rust. The general tech for stuff like that was being sold commercially as far back as 2005, minus Rust of course. They did have Ada runtimes, though. The NSA and military ended up retiring the concept because there was too much complexity in PC hardware they thought would lead to attacks bypassing the VM boundaries. They did.
The old approach, which I used, was to use a mix of desktop and embedded boards physically separated with a KVM switch plus a controlled sharing mechanism. Just keep the untrustworthy stuff on their own machines. It's clunky but has a greater chance of working securely.
Would it be possible to simply serve employees a hardened email VM on demand which included editing and composition utilities (office, Adobe)? I envision something that could be destroyed after each use to prevent persistence and could be put on a VLAN which included only the email server and specific internal services if need be to make pivoting difficult.
That's what I was talking about with VM risk, though. You're right back to it. Even the most secure VM will have the hardware and firmware in its attack surface. Those are getting tons of attention right now. It will reduce the number of times you get breached with associated damage. It's not as secure as physical separation, though.
There is something similar on the market called Bromium. It spawns micro VMs for some filetypes so that possible code execution is contained within the micro VM. Still haven't tested it.
Am pretty curious what kind of "skeleton key" ATM card they were using to access all of the ATMs as different users. Unless they posed as repair people and stood there with a laptop hooked in.
From what I've seen the attackers pay organized teams of people to do the withdrawals that wouldn't have a problem getting caught by the cops for a percentage. Load a stack of blank cards, then send out the squad.
IANAL, but this bank needs a better general counsel. The contract says "big payouts unless ATMs are involved, in which case small payouts". Sure, in order to draw out the court case longer than a day, they'll make some vaguely plausible argument to ignore the plain language of the contract. Still, it would have been so much better to realize ahead of time that "we're a bank, tied to an ATM network, so our insurance should cover the use of ATMs too!"
No mention of what was done when the policy was sold. Most insurance companies do a check to minimize their liability. I would think that the insurance company would do a PCI and whatever other audits are used to verify security of the financial institution before writing a policy. An audit (and corresponding mitigation) would save the bank money on their insurance cost.
> include one-time passcodes like we do now for most things
The only things I can think of that use one-time passcodes are the occasional password reset or login from a new device? Are there other uses I'm not aware of?
It feels to me like the first incident should be covered and the second one should not. It doesn't seem fair to keep relying on insurance when you know you have a problem.
I would imagine that a heist like this would take a significant amount of prep work. The weekends were just the tips of the icebergs. While $2.4M is a fair chunk of money, I too think that the payout for the amount of effort seems relatively meager.
It's not nationalistic since I was not "having strong patriotic feelings, especially a belief in the superiority of one's own country over others" per the definition of the word. I was asking "when is enough, enough?" That's not me trying to promote a certain nationality or nation, that's me saying, "Russia is acting like dicks, let's take away their ability to do so if they don't stop acting like dicks soon."
In the end, it's probably not a good idea, anyways.