The perils of phishing emails and cyber-insurance were laid bare this week after news emerged of an American bank that fell victim to hackers twice within eight months and is suing its provider for failing to cover the losses.
The Virginian National Bank of Blacksburg was hit in late May 2016 and again in January 2017 thanks to phishing emails which eventually resulted in the combined theft of $2.4m.
The first attack enabled attackers to install malware on a victim’s PC, allowing them to access the STAR interbank network and disable controls including PINs, daily withdrawal limits and anti-fraud measures, according to journalist Brian Krebs.
The attackers were then able to dispense over half a million dollars from customer accounts at ATMs around the country.
The second attack apparently used a booby-trapped Microsoft Word document to access the bank’s Navigator software, which the attackers used to artificially credit various accounts with $2m before withdrawing funds from ATMs in the same way and deleting the evidence.
Chandu Ketkar, principal consultant at Synopsys, argued that the breaches came from failures of security awareness training, monitoring controls, emergency response, and policy around Office macros.
Ryan Wilk, vice president at NuData Security, added that phishing risk can be mitigated by migrating away from static username/password combinations.
“This is a clear example of why merchants and financial institutions are moving past the user’s personally identifiable information (PII) as a way to authenticate them and incorporating multi-layered solutions with passive biometrics and behavioral analytics,” he added. “These technologies thwart the reuse of data by fraudsters and, instead, verify users based on their behavioral information.”
In a further twist, the bank is now suing its provider, Everest National Insurance Company, for failing to pay out.
The problem lies with the policy details: the bank had two types of coverage — one “computer and electronic crime” rider with a liability of $8m and another covering lost, stolen or altered debit cards with just a $50,000 liability.
The insurer apparently claims both breaches fall under the latter.
It’s another example of the challenges facing the burgeoning cyber-insurance industry. In July it emerged that security vendor Trustwave is being sued by two insurers that claim its PCI audits failed to pick up issues which led to a massive breach at their client: Heartland Payment Systems.