OmniAmerican Bank targeted by cyber criminals

Date Reported:
1/24/08

Organization:
OmniAmerican Bank

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Internal bank systems and account numbers

Breach Description:
An "international gang of cyber criminals" breached OmniAmerican Bank systems and used a variety of information to create new personal identification numbers (PINs) and fake debit cards.  The criminals then used the cards to make withdrawals at ATMs in Eastern Europe, Russia, Ukraine, Britain, Canada and New York.

Reference URL:
Star-Telegram Story
Sacramento Bee Story

Report Credit:
Barry Shlachter, Star-Telegram

Response:
From the online sources cited above:

An international gang of cyber criminals hacked into OmniAmerican Bank's records, the bank's president disclosed Wednesday.

They stole scores of account numbers, created new PINs, fabricated debit cards, then withdrew cash from ATMs in Eastern Europe, including Russia and Ukraine, as well as in Britain, Canada and New York.
[Evan] This is either a geographically dispersed "gang", or the information was sold to various buyers.

"It was a pretty sophisticated scheme," said Tim Carter, president of the Fort Worth-based bank.
[Evan] I wonder how sophisticated this attack really was.  My first suspicion is a targeted (spear) phishing attack, which isn't very sophisticated.

The amount stolen is not yet known, he said, describing it only as "minimal." No depositors will lose money, he said.

Fewer than 100 accounts, some of them dormant, were compromised, all with a daily withdrawal limit of less than $1,000, he said.

After discovering the fraudulent activity Friday afternoon, OmniAmerican placed temporary limits on some ATM and debit-card transactions and suspended some electronic banking services, which were restored Sunday, Carter said. At no time were customer deposits at risk, he stressed. "We reduced by half the dollar amount that could be withdrawn and limited [access] to Texas. We cut out anything outside Texas," Carter said.
[Evan] Seems like a logical response, but what a hassle for customers.  As of Monday morning, the warning below is still posted on OmniAmerican's home page.



The unauthorized withdrawals were stopped Friday, and bank employees worked over the weekend to deal with the damage, he said.
[Evan] The unauthorized withdrawals made on accounts that were known to have been compromised, at least.

The bank learned of the breach from customers inquiring about unusual activity in their accounts, from internal monitoring and from a law-enforcement agency, which Carter declined to name.

Letters alerting check-card holders of the fraudulent activity were mailed Wednesday, the bank said.

OmniAmerican is also issuing approximately 40,000 new debit cards as a safeguard against future fraudulent activity, Carter said. Each needs a revised personal identification number.

Martin Carmichael, the Plano-based chief security officer at McAfee, a computer-security firm, said this type of cyber-attack has become "a commonplace occurrence," although some banks are reluctant to admit that their security has been breached.
[Evan] I agree with Mr. Carmichael.  In my work with banks, they all expect to lose a certain amount of money.  They say it comes with the territory.  If a breach is disclosed to the public, it could negatively affect customer confidence, which equates to lost revenue.  Lost dollars due to customer confidence usually outweigh the lost dollars from the breach itself.  I guess anyway.  Banks are attacked and/or compromised every day because they have the one thing everybody wants…money.

Carmichael said OmniAmerican apparently fell victim to one of the more skilled gangs of criminal hackers.
[Evan] Again, I question how skilled an attacker really needs to be.  Many "skilled" attackers go unnoticed, and why would skilled attackers stop at "fewer than 100 accounts" before calling attention to themselves?

"If you look at the sophistication of it -- going in, modifying PINs, issuing cards -- this is not a kid out there," he said. "This appears to be something set up. Time was involved in executing it."

Whoever they are, he said, "they're elite, more elegant, and it's difficult for banks and many enterprises to keep pace with their activities.

"Banks are under a great amount of pressure to balance risk and shareholder value," said Carmichael, speaking from Las Vegas, where he is attending a conference. "They could do more, [but they] have a hard time justifying the cost until an incident occurs."
[Evan] Very well put, sad and true.

Commentary:
Maybe this was a sophisticated attack like some are claiming.  I just think about how easy it could be to carry out a spear phishing attack either to download and install malware or collect a password of a bank employee (because many people use one password for everything) and proxy the network traffic through compromised systems in other countries.  Phishing and other attacks based on human behavior are usually much more successful than high-tech exploits.

OmniAmerican deserves some credit for a firm and decisive incident response.

Past Breaches:
Unknown


 
Comments
  • 8/4/2010 9:08 AM mark wrote:
    I have been with Omni for a while and I just had my account hacked this week 07-29-10
    1. 8/6/2010 8:58 AM Evan Francen wrote:
      Mark,

      I would like to hear more, and see what we can do for you.  How did you find out that your account was "hacked", and do you think that this is an indication of a larger problem at the bank?

      Use the "Contact Us" link on the top of the left sidebar (on the blog) if you would rather discuss privately.

      Thank you for reading and participating!

      -Evan, FRSecure
