Here’s my local town spokeswoman, excusing the theft of $139,000 by “hackers” from the town’s online bank account:
“We had good firewalls, anti-virus software and even with all of those measures, it still happened,” she said. “No matter who you are, you will always be vulnerable because new viruses are coming out every day, and these people make it their business to come up with new ways to get the information.”
In addition to this kind of duty shirking, the whole article is full of black-box techno-voodoo explanations of the hacker attack, which I think some people might take as a better excuse than this lame version of hoocoodanode. I don’t — city offices are about 50 yards from a locally-owned bank, yet the town chose to bank online, and they got ripped off. Writing paper checks in longhand was an option when they made their bad decision, and it’s still an option today.
Update: That last sentence wasn’t clear. My point isn’t that they should have been using paper checks, but rather that every method of distributing money to employees and creditors has security risks. Once upon a time, the town wrote paper checks. One day, they decided to switch to online banking. What safeguards did they put in place when they did that? Are they insured against this kind of theft? Did they consider the new risks that were different from the old? Answer those questions, but don’t shine me on with talk of trojans, and other bad voodoo. And tell me why every other little town in this region hasn’t been the victim of this kind of theft – are they lucky? Or did they do a better job with their security.
stuckinred
Yea and logging on to this blog probably increased your chances of getting hacked 20 times!
cathyx
I’ve heard that passing checks through the mail was less safe than online banking.
cmorenc
Doing business banking transactions the old-fashioned paper way is becoming less easy to do by the month, as more and more entities demand going to electronic transactions as a condition of doing commerce. This is even becoming true on a level of individual transactions: think how much PayPal has become as a preferred trusted way of conducting sales between ordinary individuals who don’t know each other personally, over using paper cashier’s (now called “bank”) checks (checks guaranteed by the issuing bank). I have a friend who recently rented a house from someone who will be abroad for a year, and a condition of the transaction was that rent payments needed to be done electronically account-to-account. I referee soccer, and one of the main organizations I work games for recently insisted its referees go to the RefPay system rather than receive paper checks; payment for games goes directly (electronically) from the soccer club into my bank account.
It isn’t easy to insist on going paper anymore, and that way has its vulnerabilities and flaws too.
Percysowner
Wow! I get my pay check via direct deposit. I pay almost all of my bills over the Internet. I’m always on time with my rent because I have my account set to write the check every month on the correct day. My cable, electric bill, and gas bills all have my bank number and get paid on time because I set it up that way. If my bank gets hacked you are going to blame ME for it happening? Yeesh, If the city were running checks over the carrier could be clonked over the head and have the checks stolen. The only person to blame here is the hacker. Blaming the victim is unfair.
stuckinred
My credit is so bad they won’t take my cash!
sb
Shorter mistermix: The fuckers got robbed and deserved it!
Carl Nyberg
What are the odds that one of the people involved in designing, implementing or using this vulnerable system was either the perp or working with the perp?
Carol
@Percysowner: I still use paper checks for some transactions, but I remember the days when muggers used to hang around looking for people who just cashed their monthly checks, and when checks were stolen out of apartment mailboxes-the thieves always knew better than we when the checks were coming.
At least with electronic hacking, there’s a chance the money and the thief will be found. Paper? Well, all you could do was have a stop-check order issued and have a replacement issued, which took two weeks.
Special Patrol Group
Shorter local town spokesperson:
Carol
@Carl Nyberg: Better than you think. No system can really be completely fool-proof against an insider ready to cash in from hidden trap doors.
taylormattd
I don’t get this post at all. You really think the solution is to write out checks by hand and have the person run down the street to the bank?
mistermix
@sb: Why is “the fuckers got robbed” an acceptable excuse in the virtual world, but if someone got $139K by, say, jimmying open a town safe, we’d be asking hard questions about their choices?
Carol
September 11, 2001. I was transfixed on what was on television, but had to pull myself away to hang around my inside mailbox to greet the mailman. Why? my unemployment check was mailed, and a previous check never showed up at the box. Now the front door was locked, but even a locked door had to be opened from time to time, and the old-fashioned 1920’s mailbox lock was designed for a time when nobody knewe hat a check was. So the lock was often pretty loose and hard to lock.
Unemployment finally went to direct deposit this year, and I find it’s much safer. I can pull out only the money I need to pull out-no more running around with the proceeds from a just-cashed check.
gnomedad
If they were really responsible, they’d rely on barter.
Gin & Tonic
@Percysowner:
Bullshit. If you leave your front door open and some junkie comes in while you’re gone and takes your TV, I’m blaming you, not the junkie (well, laughing at you more than blaming.)
There was a thread on this yesterday. Most “hacking” isn’t very sophisticated, and works because IT security is ignored (or given short shrift) by the target company.
mistermix
@gnomedad: Of course, the real issue that needs addressing is fiat currency. If they paid their employees in gold, this wouldn’t have been an issue.
4tehlulz
@mistermix: Banker detected. A real American demands silver.
dr. bloor
@taylormattd:
Don’t bother. He’s on a roll this morning.
AAA Bonds
owned
Cat
huh??? If the town was robbed because the thieves defeated their security system and cracked the safe you’d really be questioning the town’s choices?
And no, you don’t get to make a false metaphor comparing online banking security to say an unlocked filing cabinet. They followed basic security precautions.
I’ll take them at their word that it was an organized ring which will be using software which will be unknown to the people they expected to keep their computer safe.
mistermix
@Cat: Yes, I would criticize the town for getting their safe cracked if thieves stole $139K from it, because, as I mentioned in the post, there’s a bank with a bigger, stronger vault 50 yards from the town offices. And, it just might be the case (and, actually, it is the case) that the same bank offers a commercial banking service that would allow the town to do electronic deposit without having a hackable online account.
And, no, I won’t take them at their word because no other town in the area has lost $139K to some ring of techno-burglars.
(P.S., I love how people gin up a false equivalency, like your filing cabinet one, and then act as if I said it. “You’re the kind of guy who would say that, therefore I’m justified in saying you did”.)
daveNYC
The issue here isn’t that the town was paying it’s employees via direct deposit, it’s that they were setup to access the town’s account online. There’s no reason why they couldn’t send someone down to the bank to do the transfers and whatnot from there as opposed to from the town offices.
Cat
@mistermix:
Lets see if I have this right.
They have 139k in cash to pay their employees and it gets stolen. “They should have paid them with checks.”
They keep checks around and 139k in bad checks get written. “They should have paid them using direct deposit”.
They pay them via direct deposit and 139k gets stolen via their online payment processing. “They should have written checks”.
So what did the local government do to you that makes you want to blame the victim?
A) This is what they said the FBI told them. Its a very bad lie, so I’ll give them the benefit of the doubt.
B) There are several of reasons why you maybe unaware of another town getting robbed in this same way.
1. Their town’s treasure is unaware it happened.
2. They are keeping it quiet.
3. You may have missed the newsreport.
4. The reporter did a bad job and didn’t connect the two thefts together.
5. Their town’s treasure is about to discover it.
I’ve read of a small business all over being robbed this exact same way. I possible its a string of unrelated people using the exact same methods I suppose.
Commenting at Balloon Juice since 1937
Don’t access bank accounts using Windows and this won’t happen. I can’t comment on Apple products but if I ran the office, they would be using an obscure BSD variant.
mistermix
@Cat: No, you don’t have it right, but the good news about arguing with yourself is that one of you is almost certain to win.
Villago Delenda Est
@Gin & Tonic:
Ignored because to do it costs money, and therefore cuts into sacred profit. “Fiduciary responsibility” is a very quaint notion in the modern world, because it cuts into profit.
dpcap
@Commenting at Balloon Juice since 1937: That wouldn’t work when things like this are still a possibility.
With a little bit of “social hacking” or even disgruntled ex-employees, your system could be the most perfect in the universe and it can still be hacked.
dpcap
@Villago Delenda Est: of course “profit” implies that shareholders are getting something and as we’ve seen so often lately, CEOs are even willing to screw over their “owners.”
Gin & Tonic
@Villago Delenda Est: This is a municipal government that mistermix was talking about, so no profit to protect. I still blame the town, or their auditors, or whatever higher level of government they report to or cooperate with. All I know is from reading TFA, but they sound like idiots.
At the risk of being repetitive — if you don’t lock your front door when you leave the house and somebody steals your TV, it’s your fault.
Villago Delenda Est
@Gin & Tonic:
I was referring more to yesterday’s thread…but once again, the desire to “economize” by those who think government should be “run like a business” creates all sorts of false economies that lead to incidents like this.
“Locks on the door cost money!”
alwhite
I’ll bet you a dollar they did not use any “new virus” or yet undiscovered path to success. I’ll bet you another dollar that they used a well-known entrance, one for which there are tests and counter measures. A firewall is pointless if you are not doing other things correctly. Having worked on IT vulnerabilities for 20 years I am constantly amazed at how many companies buy ‘boxes’ and hire companies to monitor, spending tons of money but they won’t do some simple things or slightly inconvenient things that cost next to nothing but would have real results.
Carol
@dpcap: So true-and in a lot of small towns, there may be only one or two IT people. If either is distracted or crooked, it’s a problem. Sometimes it’s more distraction, and someone gets in while the person responsible is on a coffee break.
At work, we are told to log off for breaks, and freeze things if we have to say, go to the bathroom. Why? because anyone could then access the computer while you are away and do-whatever.
Count
Speaking as a security administrator, small cities don’t have the money to do things securely.
To think otherwise displays an ignorance that is stunning, but not unexpected. Someone with access to the bank probably had a keylogger on their computer installed via a trojan, or by social engineering. Try and prevent that with a minimal budget for security or security personal.
Ken
mistermix, no problems that I’m aware of down the I-90 from you in Williamsville. So, when is Pittsford going to let the ‘professionls’ of their neighborhood bank handle their finances?
MM
So there was a bank 50 yards away? Stop the presses! Do you even stop to consider that just MAYBE there were reasons that the Town didn’t do business with that bank? Maybe the other bank had better interest rates, or lower bank fees. or offered to process the Town’s electronic transactions at a lower rate than other merchant services. Maybe the bank 50 yards down said that they couldn’t process the Town’s deposits quickly enough for the Town’s satisfaction.
Oh who cares. Backseat driving about things we don’t understand is way more awesome.
That said, it wasn’t a new super virus, it was an exploit of something that already exists. It would likely have had next to nothing to do with which bank they used.
HyperIon
@stuckinred:
Strangely, I have never logged on to Balloon-Juice.
Is there something going on that I don’t know about?
dpcap
@HyperIon: all your base are belong to us!
Datacine
It’s all about the password.
Kiddies check out:
Kevin Mitnick
see how he hacked
soft information is the key
someone
A whole thread and no one has mentioned the “e” word. As someone who’s seen it happen this sounds like embezzlement and an administration who doesn’t want to admit it. Hacked? Yeah, by someone who had access to the password and got the money out without being traced. Happens every day indeed.
Greyjoy
As someone who has in the past worked for USBank in its online banking division, banks are required by the FDIC and the SEC to have Really Fucking Secure(tm) websites as well as internal networks, in order to protect customer data against exactly this sort of invasion.
Here’s what I think happened:
1. Town official with access to the account STUPIDLY uses the same laptop to check the city’s bank account that he uses to download porn and music.
2. Pre-existing virus on laptop from said porn-downloading says, “Aha! Bank info. Great.” Hackers then use login info and clean out the account.
3. Town officials who set policies in place to not do this shit on your virus-ridden home laptop are like “WTF? We have safeguards and rules. This sucks.”
It’s the same kind of thinking that causes some twit with valuable data to leave his laptop containing 3.5 million Social Security numbers on the bus, or whatever. When all along he wasn’t even supposed to have that data on his laptop, let alone leaving it on the bus. Sadly there’s no way to protect against “I’m The Exception” stupidity.
@someone: And yeah. If it isn’t the above, then it’s embezzlement. But my guess is that since the FBI is involved and they’ve only got $4800 back so far and none of the other town fathers has been arrested, my guess is hacking. I can’t imagine but that very few people would have access to that account, and it would be pretty simple for the FBI to take those 4-5 people and run a microscope over their finances to see if they suddenly came into $135K or made any unscheduled casual trips to the Caymans.
MM
@someone:
Embezzlement is definitely a possibility too. I just didn’t mention it on account of my interest in focusing on how ignorant mistermix is.
Jado
Hey!
HEY!!
They SAID “hoocoodanode”. That’s the magic word, so back off Mr. Asksalottaembarrassingquestions.
“This is a picture of Chewbacca the Wookie…”
http://en.wikipedia.org/wiki/Chewbacca_defense