Fool me once, shame on you, fool me twice, shame on me…
In May of 2016, an employee at The National Bank of Blacksburg fell victim to a targeted phishing email. It was this single email that led to a malware infection on not only that user’s computer but a secondary workstation as well. The secondary computer had access to the bank’s STAR Network system. This system is in charge of all debit card transactions, including pin numbers, daily withdrawal limits, as well as anti-theft and anti-fraud parameters. Equipped with access to this system, hackers were able to alter all of these components to maximize their benefit. Over a three day period, the cyber criminals were able to steal more than $569,000 from personal accounts.
Less than eight months later, the hackers struck again. Using a similar attack method, the cyber criminals used another phishing email to target the bank. This time not only did the intruders regain access to the bank’s STAR Network, they also compromise another workstation that had access to Navigator. Navigator is a banking software used to manage credits and debits to customer accounts. Coupling the two software programs allowed for maximum impact to the bank’s financials. Using Navigator, the hackers fraudulently moved approximately $2 million into various accounts. They then used STAR to manipulate maximum withdrawal limits, anti-fraud and anti-theft parameters, and pins to withdrawal over $1.8 million over a two day period.
But it gets worse…
Now, National Bank is suing their cyber security insurance provider, Everest National Insurance Company, for failing to cover the damages. According to Krebs on Security, National Bank has two types of cyber security policies. The first deemed “computer and electronic crime”, which had a single loss limit liability of $8 million, with a $125,000 deductible. The second was a “debit card rider” which provided coverage for losses which were a direct result from the use of lost, stolen, or altered debit cards or counterfeit cards. This policy has a single loss limit of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.
Since both hacks involved fraudulently withdrawing funds with the use of debit cards, they fall under the “debit card rider” policy. Meaning the most the bank could get reimbursed would be $225,000 after their deductible has been paid. Now, that is only if they consider both attacks separately. Which they aren’t doing.
Everest is deeming both intrusions as a single event. It is speculated the two incidents are being combined into one event due to the short timeframe between attacks, as well as both intrusions originating from the same geographical area. Forensic teams have investigated both attacks and determined each originated from Russia. Since the insurance company is considering this as one incident, National Bank is looking at a maximum reimbursement of $25,000 after paying its deductible.
