Massive, under-reported online banking breach raises serious disclosure and remedy questions


Summary: It was just last week that I wrote about a scary list that you can only hope doesn't include you... a public list of all of the recent compromises to personal data that's being stored by banks, merchants, universities, and most recently (the biggest breach of all), the Veterans Administration (a breach that included over 26 million names and that may end up costing $500 million).


It was just last week that I wrote about a scary list that you can only hope doesn't include you... a public list of all of the recent compromises to personal data that's being stored by banks, merchants, universities, and most recently (the biggest breach of all), the Veterans Administration (a breach that included over 26 million names and that may end up costing $500 million).  The list is massive and left me with the impression that the odds that you and I have somehow been affected are pretty good, especially when you consider that the list is only partial (in some cases, it just says "unknown" in terms of the number of records compromised) and that some incidents are probably never reported at all.

One massive security breach that's not on that list, and that apparently gave Madrid-based hackers direct access to the online banking credentials belonging to customers of over 300 banks, has avoided the spotlight until our very own George Ou noticed and looked under the hood.  The incident and his reporting raise serious questions about what really happened, who was affected, and how it was disclosed.  While I can't tell for sure whether or not the disclosure is enough to satisfy lawmakers, my belief is that it's clearly not enough for the public.

According to Ou, he received a tip from a customer of one of the impacted banks who had himself received a notice that his password had been reset.  In what has to be one of the better case studies of how a monoculture can lead to massive security problems, so many banks were affected because they all relied on the same third party provider -- GoldLeaf Financial Solutions, Inc. -- for certain home page services, including the capture and processing of online banking credentials.  With one exploit, hackers were able to redirect the login IDs and passwords to a site in Madrid, Spain.

The disclosure that has so far followed leaves much to be desired.  According to a press release from GoldLeaf (one that was regurgitated word-for-word by news outlets such as Forbes under the heading of news and analysis):

Goldleaf Chief Executive Officer, Lynn Boggs, said, "We have identified and corrected the problem. We have fully restored our Web site, remote deposit and ACH services. In addition to contacting our customers, we have communicated with our vendor partners, regulators and law enforcement authorities. We are fully operational and will remain diligent in our security efforts."

What exactly was communicated isn't known.  What we do know is that most of the information that has so far been made public (outside of Ou's post) is at best misleading and at worst reeks of spin control. The problem starts with the press release's headline, which reads "Goldleaf Technologies Responds to Phishing Attempt."  That's an interesting choice of words to describe what happened here.  If it was a phishing attempt, Goldleaf could easily escape any blame by deferring some of it to insecure client software (email clients, browsers, etc.) and the rest to a lack of best practices on the end user's part. Phishing is a form of email-based social engineering that dupes users into clicking links (in email) that they wouldn't otherwise click.

eBay is a frequent target of phishers. Even when such phishing attempts are successful, it's hardly eBay's fault. Neither email nor phishing played a role in this exploit.  End users were not socially engineered.  They entered their credentials as they normally would, into Web pages that were served from the domains they should have been served from.  At the very least, Goldleaf needs to redisclose so that (a) it's absolutely clear that its services were hacked and (b) it's clear that phishing played no role in this attack.

Further drawing the disclosure and reporting into question is an AP Wire story that quotes Goldleaf spokesman Scott Meyerhoff as saying that the security breach affected about 150 to 175 bank Web sites for anywhere from a minute to an hour and a half.  In a subsequent interview with Goldleaf, however, Ou learned that the actual number was more than 300.  The best case scenario (300 banks compromised for 1 minute each) involves 300 minutes or five hours of exposure.  If one bank was exposed in this way for five hours, how many of that bank's customers could have been potentially compromised? The worst case scenario (300 banks compromised for 90 minutes each) is the equivalent of one bank being exposed for 27,000 minutes or nearly 19 days.  Can you imagine one bank being compromised for nearly 3 weeks?  So, questions remain.

What 300 banks?  We don't know.  Where are their press releases?  No idea.  Was it really a minute to an hour and a half? Or was it longer? We don't know.  There's no obligation to reveal the data or the methodology that led Goldleaf to that conclusion.  Even so, a lot of logins can happen in 90 minutes across 300 banks.  How many actually did happen? Was money taken?  How were the customers of the banks notified of the potential breach? Where could or should they have gone for more information to find out if their accounts had been compromised?

Some banks, the ones we know of, notified their customers by both regular mail and email. First State Bank, one of the affected banks, sent two separate notices.  The first one, signed by First State E-Banking officer Christa Walton, has the audacity to include a link that points people to a remedy Web page that isn't even within First State's domain: an absolute no-no that is exactly the same trick used by phishers.  Says that first email:

.....In an effort to ensure that all customers are aware, this same communication was mailed via US Postal Service.  If, at receipt of this mailed communication, you have already obtained access to your accounts through our new Online Banking site, located at <URL masked by ZDNet>, there is no need to take any further action.....

The reason I masked the URL found in Walton's email is that it's a URL that isn't in First State's Internet domain. Technically, it could be fodder for phishers who might try to take advantage of the fact that some banks had to move their online banking home page to an off-domain page. Personally, I find it unconscionable that a bank would even consider sending an email that flies in the face of all conventional wisdom and best practices regarding the security and privacy of its customers (the USPS cc: helps but is far from perfect).  In Walton's second email, she advises:

On Thursday, May 25, 2006, First State Bank became aware of an apparent attempt by an unauthorized party to gain access to our third-party website host and thus to our Online Banking site......Although there is no current evidence that customers' information has been accessed, this incident may have increased the probability of your information being used for fraudulent purposes......Your Online Banking password has been defaulted back to your original password; when you established your Online Banking may not have access to your original login information, First State Bank has established a help center that you may contact at 1-800-527-6335 or by email at temporary Online Banking login website has been established at <URL masked by ZDNet>.  This temporary site is safe...... 

Forget for a minute that most people don't have a clue what their original password is (heck, I can't even remember my current ones). When receiving an email like this from a financial institution, if you're even half as sensitized to the phishing problem as I am, then you'd probably do what I do when I get an email like this one: delete it without even looking. In this case, the email goes beyond the faux pas of providing an off-domain site (one that asks for user credentials); it provides an 800 number to call for more information or help. What are email recipients supposed to do with that? Call it? Over their dead bodies (hopefully).  I can see it now... hundreds of people calling an 800 number that they got from an email whose source can't be authenticated, and then divulging all sorts of other compromising data to some unauthenticated party. 
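The rule the two First State emails break (a bank notice must never send you outside the bank's own domain) can be checked mechanically, which is how a mail filter or a careful recipient would apply it. The following is an added example, not code from the article or from any bank named in it. It assumes a constructed notice and a hypothetical bank domain, examplebank.example, and flags every link whose host is not that domain or a subdomain of it; it also handles two cases the article's readers raise in the comments: a host that merely contains the bank's name, and the `user@host` form where the part before the `@` looks like the bank but the browser connects elsewhere.

```python
import re
from urllib.parse import urlparse

# Constructed sample notice for this example (not the actual First State Bank
# emails quoted in the article); examplebank.example is a hypothetical domain.
SAMPLE_NOTICE = """\
Dear customer, our Online Banking site has moved.
Log in at https://online.examplebank.example/login as usual.
A temporary site has been established at https://secure-login.example.net/examplebank
You may also use https://examplebank.example@phish.example.net/ or
https://examplebank.example.phish.example.net/login.
"""

# Crude URL extractor: good enough for plain-text notices, not a full RFC 3986 parser.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Hostname as a browser would resolve it: userinfo before '@' is ignored,
    so 'https://bank.example@phish.example.net/' resolves to phish.example.net."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_within_domain(host: str, bank_domain: str) -> bool:
    """True only for the bank's own domain or a subdomain of it (suffix match on a
    label boundary, so 'examplebank.example.phish.example.net' does not pass)."""
    bank_domain = bank_domain.lower()
    return host == bank_domain or host.endswith("." + bank_domain)


def classify_links(body: str, bank_domain: str) -> list[tuple[str, str, str]]:
    """Return (url, host, verdict) for every link in body, where verdict is
    'in-domain', 'lookalike' (host contains the bank's name but is not its
    domain), or 'off-domain'."""
    bank_label = bank_domain.lower().split(".")[0]
    results = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        host = host_of(url)
        if is_within_domain(host, bank_domain):
            verdict = "in-domain"
        elif bank_label in host:
            verdict = "lookalike"
        else:
            verdict = "off-domain"
        results.append((url, host, verdict))
    return results


def should_discard(body: str, bank_domain: str) -> bool:
    """The rule the article argues for: a notice that sends you anywhere outside
    the bank's own domain is treated as bogus, whatever its text says."""
    return any(v != "in-domain" for _, _, v in classify_links(body, bank_domain))


if __name__ == "__main__":
    for url, host, verdict in classify_links(SAMPLE_NOTICE, "examplebank.example"):
        print(f"{verdict:10s} {host:45s} {url}")
    print("discard:", should_discard(SAMPLE_NOTICE, "examplebank.example"))
```

Run against the constructed notice, the first link is the only one that passes; the "temporary site" on example.net and the `@`-disguised link are off-domain, and the long lookalike host is flagged separately because it contains the bank's name without being under its domain. The check deliberately uses the host only, never the link text or the surrounding wording, which is exactly why a bank that legitimately moves its login page off-domain leaves its customers with no way to tell its notice from a forgery.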

The bottom line (or at least one of them)? This event is a case study that demonstrates how badly a financial breach can unravel into a disaster. The void in information that the public deserved to have as soon as the incursion was discovered is simply shocking.  Not only that, it's evidence of how the public will invariably end up mis-, under- or, worse yet, dis-informed (in the name of spin control) when organizations are left to their own litmus tests to decide whether a breach is serious enough to warrant disclosure (as the toothless disclosure legislation that's currently before Congress suggests they should be), just what exactly should be disclosed, and what the remedies are.  Opponents of more heavy-handed legislation with stricter requirements argue that consumers will be overwhelmed by the number of disclosures, as though that's a good reason not to have them.  To that I say: disclose away, folks.  I want to know each and every time some bit of personal information may have been compromised and I want all the gory details -- including specific actions I should take that don't go against the very best practices that the financial and technology industries recommend in the first place.

  • Hear! Hear!

    Whenever I read that ZDNet is just an industry shill, I shall think of this insightful, pointed and incisive article. The story here is the story, just what real journalism is all about. Good work!
  • More dangerous than the link is the text itself.

    You masked out the URL of the bank's temporary off-domain site, but it strikes me that the text of the message is what would really help phishers. After all, wouldn't they want to change the URL to one they had control of? I'm not pointing any fingers at ZDNet here; the bank is to blame. Basically they just published a form letter to serve as a model when phishing their own customers. I would say the odds are near 100% that the same exact message ends up going out to all of the spam lists, but with the phisher's web site in the link instead.
    • You don't get it.

      That's the point the story was making! ANY email (no matter what text) should be considered bogus if it sends you to an off-domain site. As a result, the "official" explanation should be summarily deleted, as should an email mimicking the same text.
    • Imposter domains...

      My concern was that someone would set up a domain that was close in spelling to the one that was used... thereby fooling people who didn't look very closely. Any text could work in the context you mentioned.

  • businesses can get proactive on phishing

    Email is so easy to communicate with customers - no paper, no printing costs, no postage. The trade-off is the security risk, and it's becoming an unacceptable one. eBay, PayPal and various banks fight phishing attempts every day, but nothing so far seems to really work when keeping their customers (or potential customers) from risk. Maybe it's time to start changing the way they email, and start using authentication solutions that can exist between them and their customer base. Yes, it would be a step where their customers would have to initially download a piece of software, but don't we already have to do that with Skype or Instant Messenger? Isn't it worth the benefit? It would take the guesswork out of separating the valid emails from phishing scams.
    • I mentioned a simple solution

      At least they should have a legitimate S/MIME signature. Sure they could still get one for their bogus domain, but that forces them to prove who they are and they can't spoof the message being from the real domain. S/MIME is 100% compatible with nearly all clients anyways, and it costs next to nothing to set up on the sender's end.
      • What about all customers getting PGP keys?

        What if the banks set up an account and also set up a PGP key set? The phishers would have to get a key for each individual. That would cause the bad guys to do a huge amount of work to get the info they want. If the bank has a breach and loses confidence in the keys then they could let the customers know to call a pre-arranged 800 number or the local office to talk to someone they know to get new keys.

        I do like that you are asking the banks why we in the US don't have the same level of security as the folks in Europe.
        • PGP requires software

          S/MIME is already installed and supported by nearly all email clients by default. This was a Netscape standard and works with Outlook and all the other webmails out there. PGP requires extra software to be installed.

          With S/MIME, you can already receive signed emails by doing nothing. But you can sign your own emails and receive encrypted email if you simply get a free certificate from
          • Thanx

            I understand about the extra software required and don't think it would be that much extra overhead. Sometimes the best security is to have multiple layers, of course, the less intrusive the better.

            I don't remember if you had any previous issues with certificates. Can they be spoofed or hacked and that leave a path into the customer's system? I haven't heard of anybody breaking the PGP (or other public/private key system) keys and being able to trick a user into thinking they were talking to someone else.
    • Getting proactive

      It never ceases to amaze me that providers of solutions such as the one above are so tied to Windows that they seem to think it's the only OS out there.

      FYI, nans, there are people operating businesses and accessing internet banking sites who don't use Windows. Does your Windows-only solution make any sense at all in that situation? I don't think so.
    • Downloadable software? Not gonna work

      Downloadable software is not going to work unless it's available for Mac, Windows, and Linux. A bank that suddenly requires Windows-only software to access its online banking site is ruining the entire point of the platform-neutral Web, and will lose thousands of customers instantly.

      There are other answers, but that is not it. Not the way most lazy programmers do it (building an app that requires Windows and IE).
  • Contact your bank?

    I'm thinking the best way to get our bank's attention is to contact them about this breach (whether they were involved or not... since we really don't know). Simply ask them if they (we, the customers,) were affected and what is their policy for handling such breaches. A spike in customer service calls might get their attention about disclosures and having a published disclosure policy.

  • What my bank said.

    My bank, soon to be my former bank (unrelated to this incident), sent a letter using the 'phishing' phrase and apologising for the inconvenience experienced when they went off-line for 'repairs'. They closed with a mild suggestion that I consider changing my password the next time I login and monitor the account for 'unauthorized activity'. So much for corporate responsibility. ANY QUESTIONS?
  • I'm afraid that...

    until the general population becomes more 'paranoid' and less trusting of the "electronic world" in which we live, or until enough security measures are finally in place to totally 'foolproof' these systems (is this even possible?), this will probably continue.

    Social engineering seems to be the weapon of choice these days for the bad guys. My parents have spoken of days when they slept in houses with unlocked doors. Are we 'paranoid' today because we lock ours? I choose to think it's more like we use common sense based upon the society in which we live. I think we are getting closer every day to "sleeping with our doors locked" while online... most regular visitors to this site already do.
  • The power of reporters...

    This continuing identity theft thingy is indeed a sad story. Who is to blame?

    I blame the major technology companies: Microsoft for derailing and delaying the creation of a secure infrastructure with their ill-conceived "Palladium" announcement some 3 years ago. It delayed initiatives under way then... but Microsoft just bought time. I blame the PC OEMs and the Intels for not more aggressively promoting the Trusted Computing Group's approach not only to enterprises but, moreover, for the total lack of public relations work to the consumer industry.

    PCs with the Trusted Platform Module (TPM) are, in the meantime, available from every PC OEM...but they are stealthily marketed to the enterprise space only. Yet consumers are the market targeted by phishing and other schemes. It has long been recognized that password authentication is "for the birds"...there is much more...

    12 months from now there will be web services leveraging the TPM (secure authentication, password protection... etc.) but the consumer will lose out because all the consumer PCs bought today don't have a TPM...

    The failure of the industry at large to promote these new technologies is akin to gross negligence at best, borders on corporate irresponsibility at worst!

    It is up to the tech reporters to start writing about this technology, educate the market, enterprises and consumers alike, and start exposing the shortcomings of the industry.

    Solutions are here today. But the HPs and the IBMs and the Microsofts and the Intels need to get off their thrones and act.
    • That does not mean what you think it means

      Sounds like you bought the "trusted computing" marketing crap hook, line, and sinker.

      Absorb it.
  • banking breach

    This explains a lot. Around that same time, I started logging into the B of America home page. I got the pop-up msg stating that I was being directed from a secure to a non-secure page and asking if I wanted to continue. Fortunately, I said no. A few minutes later, I tried again and did not get the pop-up. Still, I didn't complete the login process, figuring that something might still be going on. I contacted my branch and got zero response.
    • B of America?

      They use Goldleaf? Did they disclose?