Massive, under-reported online banking breach raises serious disclosure and remedy questions

It was just last week that I wrote about a scary list that you can only hope doesn't include you....a public list of all of the recent compromises to personal data that's being stored by banks, merchants, universities, and most recently (the biggest breach of all), the Veteran's Administration (a breach that included over 26 million names and that may end up costing $500 million).  The list is massive and left me with the impression that the odds that you and I have somehow been affected are pretty good.  Especially when you consider the fact that the list is only partial (in some cases, it just says "unknown" in terms of the number of records compromised) and how some incidents are probably not getting reported. 

One massive security breach that's not on that list and that apparently gave Madrid-based hackers direct access to the online banking credentials belonging to customers of over 300 banks has avoided the spotlight until our very own George Ou noticed and looked under the hood.  The incident and his reporting raises serious questions about what really happened, who was affected, and how it was disclosed.  While I can't tell for sure whether or not the disclosure is enough to satisfy lawmakers, my belief is that it's clearly not enough for the public.

According to Ou, he received a tip from a customer of one of the impacted banks who himself had received a notice that his password had been reset.  In what has to be one of the better case studies of how a monoculture can lead to massive security problems, the reason so many banks were affected was because of how they all turned to the same third party provider -- GoldLeaf Financial Solutions, Inc. -- for certain home page services that included the capture and digestion of online banking credentials.  With one exploit, hackers were able to redirect the login IDs and passwords to a site in Madrid, Spain.

The disclosure that has so far followed leaves much to be desired.  According to a press release from GoldLeaf (one that was regurgitated word-for-word by news outlets such as Forbes under the heading of news and analysis):

Goldleaf Chief Executive Officer, Lynn Boggs, said, "We have identified and corrected the problem. We have fully restored our Web site, remote deposit and ACH services. In addition to contacting our customers, we have communicated with our vendor partners, regulators and law enforcement authorities. We are fully operational and will remain diligent in our security efforts."

What exactly was communicated isn't known.  What we do know is that most of the information that has so far been made public (outside of Ou's post) is at best misleading and at worst, wreaks of spin control. The problem starts with the press release's headline which reads Goldleaf Technologies Responds to Phishing Attempt.  That's an interesting choice of words to describe what happened here.  If it was a phishing attempt, Goldleaf could easily escape any blame by deferring some of it to insecure client software (emails, browsers, etc.) and the rest to a lack of best practices on the end user's behalf. Phishing is a form of email-based social engineering that dupes users into clicking on links (in email) that they wouldn't otherwise click on.

eBay is a frequent target of phishers. Even when such phishing attempts are successful, it's hardly eBay's fault. Neither email nor phishing played a role in this exploit.  End users were not social engineered.  They entered their credentials as they normally would, into Web pages that were served from the domains they should have been served from.  At the very least, Goldleaf needs to redisclose so that (a) it's absolutely clear that it's services were hacked and (b) phishing played no role in this attack.

Further drawing the disclosure and reporting into question is an AP Wire story that quotes Goldleaf spokesman Scott Meyerhoff as saying that the security breach affected about 150 to 175 bank Web sites for anywhere from a minute to an hour and a half.  In a subsequent interview with Goldleaf however, Ou learned that the actual number was more than 300.  The best case scenario (300 banks compromised for 1 minute each) involves 300 minutes or five hours of exposure.  If one bank was exposed in this way for five hours, how many of that bank's customers could have been potentially compromised? The worst case scenario (300 banks compromised for 90 minutes each) is the equivalent of one bank being exposed for 27,000 minutes or nearly 19 days.  Can you imagine one bank being compromised for nearly 3 weeks?  So, questions remain.

What 300 banks?  We don't know.  Where are their press releases?  No idea.  Was it really a minute to an hour and half? Or was it longer? We don't know.  There's no obligation to reveal the data or the methodology that led Goldleaf to that conclusion.  Even so, a lot of logins can happen in 90 minutes across 300 banks.  How many actually did happen? Was money taken?  How were the customers of the banks notified of the potential breach? Where can or should have they gone for more information to find out if their accounts had been compromised?

Some banks, the ones we know of, notified their customers by both regular mail and email. First State Bank, one of the affected banks, sent two separate notices.  The first one, signed by First State E-Banking offficer Christa Walton, has the audacity to include a link that points people to a remedy Web page that isn't even within First State's domain: an absolute no-no that is exactly the same trick used by phishers.  Says that first email:

.....In an effort to ensure that all customers are aware, this same communication was mailed via US Postal Service.  If, at receipt of this mailed communication, you have already obtained access to your accounts through our new Online Banking site, located at <URL masked by ZDNet>, there is no need to take any further action.....

The reason I masked the URL found in Walton's email is that it's a URL that isn't in First State's Internet domain. Technically, it could be fodder for phishers who might try to take advantage of the fact that some banks had to move their online banking home page to an off-domain page. Personally, I find it unconscionable that a bank would even consider sending an email that flies in the face of all conventional wisdom and best practices regarding the security and privacy of its customers (the USPS cc: helps but is far from perfect).  In Walton's second email, she advises:

On Thursday, May 25, 2006, First State Bank became aware of an apparent attempt by an unauthorized party to gain access to our third-party website host and thus to our Online Banking site......Although there is no current evidence that customers information has been accessed, this incident may have increased the probability of your information being used for fraudulent purposes......Your Online Banking password has been defaulted back to your original password; when you established your Online Banking service....you may not have access to your original login information, First State Bank has established a help center that you may contact at 1-800-527-6335 or by email at info@first-state.net.....A temporary Online Banking login website has been established at <URL masked by ZDNet>.  This temporary site is safe...... 

Forget for a minute that most people don't have a clue what their original password is (heck, I can't even remember my current ones). When receiving an email like this from a financial institution, if you're even half as sensitized to the phishing problem as I am, then you'd probably do what I do when I get an email like this one: delete it without even looking. In this case, the email goes beyond the faux pas of providing an off-domain site (that asks for user credentials); it provides an 800 number to call for more information or help. What are email recipients supposed to do with that? Call it? Over their dead bodies (hopefully).  I can see it now....hundreds of people calling an 800 number that they got from an email whose source can't be authenticated and then calling that number, divulging all sorts of other compromising data to some unathenticated source. 

The bottom line (or at least one of them)? This event is a case study that demonstrates how badly a financial breach can unravel into a disaster. The void in information that the public deserved to have as soon as the incursion was discovered is simply shocking.  Not only that, it's evidence of how the public will invariably end up mis-, under- or, worse yet, dis-informed (in the name of spin control) when organizations are left to their own litmus tests to decide whether a breach is serious enough to warrant disclosure (as the toothless disclosure legislation that's currently before Congress suggests they should be), just what exactly should be disclosed, and what the remedies are.  Opponents to more heavy-handed legislation with stricter requirements argue that consumers will be overwhelmed by the number of disclosures as though that's a good reason not to have them.  To that I say disclose away folks.  I want to know each and every time some bit of personal information may have been compromised and I want all the gory details -- including specific actions I should take that don't go against the very best practices that the financial and technology industries recommend in the first place.