Community Bank of the Ozarks customer accounts compromised

Date Reported:
10/20/08

Organization:
Community Bank of the Ozarks

Contractor/Consultant/Branch:
None

Location:
Sunrise Beach, Missouri

Victims:
Customers

Number Affected:
"hundreds"

Types of Data:
Unconfirmed - Bank account information.

Breach Description:
"Officials of Community Bank of the Ozarks were scrambling over the weekend to contain a security breach that left hundreds of debit card customers unable to access their money."

Reference URL:
WestSide Star

Report Credit:
Gary W. Young, WestSide Star

Response:
From the online source cited above:

Officials of Community Bank of the Ozarks were scrambling over the weekend to contain a security breach that left hundreds of debit card customers unable to access their money.

"Yes, we’ve put out an alert," confirmed bank president Barney Benton Monday morning.
[Evan] In my brief research for this posting, I could not find any other information or source related to this breach.  The alert must have been very focused.  Maybe the size of the community has some effect on the media coverage.  The population of Sunrise Beach is probably less than 500 people given the 2000 census data (368).

"Somebody took some cards and broke into the bin [main files] coded to our bank, which allowed them to break into accounts."
[Evan] I'm a little confused here.  Are we talking "bin" as in Bank Identification Number (BIN)?  How does taking "some cards" allow access to accounts?

Benton said he learned of the alleged theft Friday and immediately called federal authorities.

He also emphasized that the bank carries insurance against fraud, in addition to the Federal Insurance Deposit Corporation’s now $250,000 guarantee on deposits.
[Evan] Nothing is free and somebody ends up paying somewhere.

"We’re going to take care of it - everybody will get their money," he assured.

One Community Bank customer reported she couldn’t use her debit card as early as last Thursday evening.
[Evan] I would be seriously torqued if I went to buy something and found out that I couldn't use my debit card because my bank was p0wned (my leetspeak for the day).

On that very day, charges of more than $700 were made to her checking account at an Academy Sporting Goods store in Austin, Tex.
[Evan] Austin, Texas is more than 700 miles away.

More than $1,500 was fraudulently charged to her account on Oct. 16-17, all from the Austin area.

"I’m turning it over to the FBI," said Benton, a 20-year bank president. "It won’t hurt us much, but it sure galls me."
[Evan] I take exception to this mentality (assuming it's possible to judge mentality from a single statement).  What is the motivation to change and ensure better protections if you look at a breach with the mentality of it "won't hurt us much"?  The statement seems selfish.  I wouldn't expect it from a "community" bank.  It "galls" Mr. Benton?  It galls me and I'm not even involved.

Commentary:
This breach appears to be pretty serious given the alleged facts that information was stolen directly from a bank and was used to commit fraud.  Unfortunately, I couldn't locate any additional information about it.

Back to the "hurt us much" statement; let's think this through a little.  True, the bank might not be hurt much, but what about others?  There are customers who might not be hurt per se, but they were certainly inconvenienced.  There are the fraudulent charges, which also might not hurt "much" but follow-up and remediation could be considered a waste of time and money.  How about the diversion of FBI and other law enforcement resources from whatever they might have been working on to attend to this?  The hurt might not be much in singular, but the aggregate is too much.  Worse yet, the hurt is probably unnecessary had good information security principles been followed from the beginning.

Past Breaches:
Unknown


 