Commonwealth fined $100k for not mandating antivirus software

According to a recently published SEC cease-and-desist order, the Commission has recently fined Commonwealth Financial Network $100,000, for not mandating antivirus software on the computers of its representatives, leading to a security incident which took place in November 2008, allowing the cybercriminal behind the attack to place eighteen unauthorized purchase orders, resulting in $523,000 of unauthorized purchases.

Despite Commonwealth's brisk reaction, which greatly minimized the financial impact on the compromised accounts, the incident took place shortly after a representative had contacted the IT Help Desk to report that a malware infection might have taken place, without receiving any "follow-up" attention:

"In or around November 2008, an unauthorized party obtained the login credentials of one of Commonwealth’s registered representatives through the use of a malware/keystroke logger virus. The virus was placed on the registered representative’s computer, which at the time did not have antivirus software properly employed. The intruder ran a search query for the Commonwealth registered representative’s customer accounts with cash balances in excess of a certain amount, generating a list of 368 accounts.

On that same day, the intruder placed or attempted to place eighteen unauthorized purchase orders for the common stock of one publicly-traded company in eight of the 368 customer accounts identified, totaling over $523,000 of unauthorized purchases. Commonwealth immediately canceled the unauthorized purchases and transferred them into its error account, ultimately absorbing a net loss of approximately $8,000, and reported the incident to the Commission staff. Commonwealth also notified the owners of the 368 accounts."
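The ordering pattern the SEC order describes (one representative's login buying a single stock across many customer accounts within one day) is something the broker's own back end can flag independently of whatever is or is not installed on the representative's PC. The following detection sketch is an added illustration, not Commonwealth's code or anything from the order; the CSV log format, login names, symbol and the two thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample order log (not real data): timestamp,rep_login,account,side,symbol,notional_usd
SAMPLE_LOG = """\
2008-11-10T09:31:05,rep017,ACCT-1001,BUY,XYZ,65000
2008-11-10T09:31:40,rep017,ACCT-1002,BUY,XYZ,70000
2008-11-10T09:32:11,rep017,ACCT-1003,BUY,XYZ,61000
2008-11-10T09:32:50,rep017,ACCT-1004,BUY,XYZ,58000
2008-11-10T09:33:20,rep017,ACCT-1005,BUY,XYZ,72000
2008-11-10T09:33:55,rep017,ACCT-1006,BUY,XYZ,64000
2008-11-10T10:05:00,rep042,ACCT-2001,BUY,ABC,12000
2008-11-10T11:15:00,rep042,ACCT-2002,SELL,ABC,9000
2008-11-11T09:40:00,rep017,ACCT-1001,SELL,XYZ,65000
"""

MIN_ACCOUNTS = 5        # assumed threshold: distinct customer accounts per rep/symbol/day
MIN_NOTIONAL = 250_000  # assumed threshold: total USD of those buys

def parse_orders(text):
    """Parse the CSV log into dicts, skipping blank lines."""
    orders = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rep, acct, side, sym, usd = line.split(",")
        orders.append({"day": datetime.fromisoformat(ts).date(), "rep": rep,
                       "acct": acct, "side": side, "sym": sym, "usd": float(usd)})
    return orders

def find_bulk_buy_clusters(orders, min_accounts=MIN_ACCOUNTS, min_notional=MIN_NOTIONAL):
    """Group BUY orders by (rep login, day, symbol) and return the clusters that
    touch at least min_accounts distinct accounts and total at least min_notional."""
    groups = defaultdict(lambda: {"accts": set(), "usd": 0.0, "count": 0})
    for o in orders:
        if o["side"] != "BUY":
            continue  # sells (including later unwinds) are not part of this pattern
        g = groups[(o["rep"], o["day"], o["sym"])]
        g["accts"].add(o["acct"])
        g["usd"] += o["usd"]
        g["count"] += 1
    alerts = []
    for (rep, day, sym), g in sorted(groups.items()):
        if len(g["accts"]) >= min_accounts and g["usd"] >= min_notional:
            alerts.append({"rep": rep, "day": day.isoformat(), "symbol": sym, "orders": g["count"],
                           "accounts": len(g["accts"]), "notional": g["usd"]})
    return alerts

if __name__ == "__main__":
    print(find_bulk_buy_clusters(parse_orders(SAMPLE_LOG)))
```

On the constructed log this raises one alert, for rep017 on 2008-11-10 in XYZ; the legitimate single-account activity of rep042 stays silent.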

Commonwealth does not offer a DIY online trading platform (compare Citizens Financial, sued for insufficient E-banking security), which would have let it shift responsibility for a potential compromise onto customers through a "No security software, no E-banking fraud claims for you" contract clause. Instead, its lack of E-banking security best practices in general, and of actual enforcement of them on the computers of its representatives, has been exposing its clients' financial assets in the most insecure way possible: by relying on common-sense security practices whose enforcement it took for granted.

Would the presence of antivirus software have made any difference, considering the tactics cybercriminals use to successfully bypass signature-based scanning? Partly, since it would at least have increased the probability of detection and mitigated the risk of infection with known malware.

The solution? E-banking from a Live CD or through an alternative operating system, which sidesteps a huge percentage of crimeware as it currently works, has always been an option. However, until financial institutions themselves start building awareness of the concept, and admit that the current E-banking security process is not just flawed but has been systematically exploited for years, the concept will remain at odds with E-banking's most advantageous feature: the convenience that millions of users are used to.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

9 comments
  • If they will not force the use of AV software

    then they will probably not force the use of alternate means of access.
    GuidingLight
  • Hell, they should be fined for using Windows too!!

    NT.
    DonnieBoy
    • Not a Windows problem.....

      It's a human problem with incompetent admins and techs. Seems to me they missed the most basics of security, so just imagine all the other security related items they failed to implement that are much more involved to protect their systems. Financial firms should know better than this and should be leading the way for best practices, but I see some still ignore it and act like it will never happen to them. You would implement the same thing no matter what you use and they obviously didn't do that, which sends the blame right to the man in charge.
      OhTheHumanity
  • RE: Commonwealth fined $100k for not mandating antivirus software

    They should be fined for not upgrading to the latest most secure version of Windows...because these people weren't using Vista...which isn't nearly as vulnerable to these types of malware.
    condelirios
  • Don't like the title

    I was thinking "Commonwealth of Virginia? Commonwealth of Pennsylvania? Which could it be?".
    ejhonda
  • RE: Commonwealth fined $100k for not mandating antivirus software

    where's my money?
    edz47
  • Huh?

    There are commercial key-loggers available to spy on
    computers, used by many businesses, which anti virus
    programs do not block. So how would forcing everybody to
    use an AV have prevented this?
    AzuMao
  • Late reply: overdoing it may be worse - the Brazilian case

    I only fell on this topic 6 months later through a referral link, but I hope it's still not too late to add that sometimes the remedy can be worse. I live in Brazil, where many major banks (Banco do Brasil, Caixa Economica Federal, Banco Real, Unibanco, Banco Mercantil do Brasil, etc.) use a security solution for their e-banking services called G-Buster, developed by a Brazilian company called GAS Tecnologia. I don't hesitate to call G-Buster itself a piece of malware.

    G-Buster uses rootkit behavior to inject itself into the winlogon.exe process and keeps checking some registry entries and system files that are supposed to be "protected". It does that every 5 seconds all day long, whether or not the user accesses the bank's site. It degrades Windows' performance enough to slow down things VERY noticeably, increase boot times by over a minute and stress the processor enough to raise its temperature by up to 5°C. And like any real rootkit, it's extremely hard to remove.

    It can be avoided by not using Internet Explorer to access the e-banking site. Using Firefox, the bank's site only installs a harmless .xpi plug-in that doesn't stay resident. But once the real G-Buster is installed via IE, you're in for a headache. And since it's considered "legitimate" software and essential for many customers who aren't tech-savvy or have other limitations to access their Internet banking sites, no security software detects it. (They DO detect and flag as malware, however, a perfectly safe script an affected and angry programmer put on-line to remove the crapware.)

    After having a lot of trouble with G-Buster (I normally avoid using IE, I can't remember why I did it once and got "infected" with the "security" software), I made a formal complaint to my bank. They called me back and I had a heated discussion with one of their representatives, of course stubbornly defending the software (in which they probably invested millions, counting also deployment costs). But this shows how an ill-devised security strategy can cause problems to users as much as no security (though, of course, in this case no theft occurs other than the user's time and system resources).
    goyta