FMG Law Blog Line

Posts Tagged ‘cyber criminals’

The Sixth Circuit Finds Coverage For Fraudulent Wire Transfer Under Crime Policy

Posted on: September 12th, 2018

By: Allen Sattler

Business email compromise (“BEC”) claims consist of incidents where cyber criminals access or use a company’s email system to commit a crime, usually for financial gain and often including the use of trickery to convince an employee to wire transfer corporate funds to the criminal’s account.  According to statistics reported by the FBI,  BEC claims are on the rise, especially in the last three years.  In 2016, there was a 2,370% increase in email account compromise attacks, involving losses of nearly $346 million, and the frequency of BEC claims continues to rise.

Several insurers offer coverage for BEC claims, including for losses sustained as the result of fraudulent wire transfer.  In American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of Am., 5:16-cv-12108 (6th Cir 2018), the Sixth Circuit became the latest federal appeals court to interpret an insurance policy that included coverage for fraudulent wire transfers.  In a decision dated July 13, 2018, the Sixth Circuit ruled that the crime policy provides coverage for the loss incurred by the insured.

American Tooling Center (“ATC”), a Michigan manufacturer in the automobile industry, hired a Chinese company to manufacture stamp dies.  To receive payment for its work, the Chinese company would send invoices to ATC, and ATC would route payment to its vendor via wire transfer.  In 2015, a person outside the company intercepted an email from ATC to its vendor.  That person impersonated an employee of the vendor and told ATC that because of an audit, ATC should wire transfer payment on its outstanding invoices to a different bank account.  ATC complied with the instructions and wired over $800,000 to the thief’s bank account.  The thief was never identified, and the money was not recovered.

ATC made a claim to its insurer pursuant to a “Computer Fraud” provision of its crime policy to recover the money lost.  The insurer denied coverage, arguing that ATC did not suffer a loss until it eventually paid the outstanding invoices to the Chinese vendors, and that ATC therefore did not suffer a “direct loss” as required by the policy wording.  The insurer also argued that the acts by ATC in changing the bank account information without verification constituted intervening acts that break the chain of causation.  The Sixth Circuit disagreed, holding that ATC immediately lost the money when it wired the money to the thief, and that the thief’s instructions to ATC directly caused the loss.  The Court also rejected an argument by the insurer that the policy required that the thief first gain access to ATC’s computer systems prior to triggering coverage, and that here, the thief did not hack into the email system to commit the fraud.  The Court ruled that the policy language was not so limited.

The insurer sought reconsideration of the ruling, which the Sixth Circuit recently denied.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].

A Majority of Federal Agencies Are “At Risk” For Further Data Security Incidents

Posted on: June 6th, 2018

By: Allen Sattler

The Office of Management and Budget (“OMB”) performed a cyber security risk assessment of 96 federal agencies, and it recently published its findings in the “Federal Cybersecurity Risk Determination Report and Action Plan.”  The OMB reported that only 25 of the 96 agencies assessed were adequately managing their risk.  Most agencies, 74% of them, were either “at risk” or “high risk.”  A “high risk” rating meant that the agency either did not have in place or failed to sufficiently deploy key, fundamental cybersecurity policies, processes, and tools.

The OMB performed the risk assessment in response to an Executive Order requiring that the OMB develop a plan to adequately protect the executive branch by improving its cybersecurity.  The assessment conducted by the OMB examined the agencies’ ability to identify, detect, and respond to cyber incidents.  Nearly 31,000 cyber incidents affected the 96 agencies in 2016 alone.

The OMB found that most agencies had poor situational awareness.  The OMB explained that those agencies often lacked the information and resources needed to understand or determine the tactics, techniques, and procedures being used by threat actors to exploit their systems.  For instance, in 38% of the cyber incidents analyzed, the agencies affected could not identify the method of attack used by the threat actor.  The OMB also found that most agencies lack standardized procedures and information technology, which makes mitigating the vulnerabilities of those systems difficult.  For instance, one agency operates 62 separate email services on its systems, making it “virtually impossible” to track and inspect inbound and outbound communications to prevent attacks.  The OMB explained that if the email service is standardized, the agency can then manage the risk.  For instance, it can inspect, detect, and quarantine malicious messages, such as phishing attempts and emails that include attachments with malicious code.

The OMB also found that agencies lack the ability to detect when large amounts of data have been pulled from their systems by an outside attacker.  Only 27% of the agencies reported the ability to detect and investigate whether large amounts of data have been exfiltrated from their systems.  Also, while agencies have largely complied with policies requiring them to encrypt data in transit, less than 16% of agencies achieved their targets for encrypting data at rest.

The findings by the OMB are alarming given that the federal government is often a prime target for attack by cyber criminals, as shown by previous, high-profile breaches.  For instance, in 2015, the Office of Personnel Management sustained a data breach that resulted in the disclosure of fingerprint data belonging to 5.6 million federal employees.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].

VISA Issues Security Alert Due to Increased Data Breaches Caused by Insecure Remote Access

Posted on: July 30th, 2014

By: David Cole

When a merchant experiences a data breach involving credit card information, it is often required by the card brands to hire a Payment Card Industry Forensic Investigator (PFI). The PFI investigates the incident and then provides a report to the card brands on what happened, how it happened, and whether the merchant’s system complied with the Payment Card Industry Data Security Standards (PCI DSS).  The card brands receive hundreds of PFI reports each year, and they occasionally issue security alerts when they see an emerging threat pattern in PFI reports.

Just this month, Visa issued a security alert titled “Insecure Remote Access and User Credential Management,” in which it reported an increase in data security breaches stemming from insecure remote access.  The alert notes that a number of remote access solutions are commonly used to provide remote management and support for merchants, such as LogMeIn, PCAnywhere, VNC, and Microsoft Remote Desktop.  When used correctly, applications like these are effective ways to provide technical support among large numbers of merchants.  But if used maliciously, they can expose payment card data and other sensitive information to cyber criminals. This is because insecurely deployed remote access applications create a conduit for cyber criminals to log in, establish additional “back doors” by installing malware, and steal payment card data.

The alert warns that the circumstances around multiple data breaches in the last several months suggest that an actor or group of actors is targeting merchants who share common Point-of-Sale (POS) integrators or remote support vendors.  It then identifies several common vulnerabilities that are allowing intruders to gain access through remote applications.  These include: (1) remote access ports and services always being available on the Internet; (2) outdated or unpatched systems; (3) use of default passwords or no passwords at all; (4) use of common usernames and passwords; (5) single-factor authentication; and (6) improperly configured firewalls.

To protect against these vulnerabilities, the alert advises merchants to examine their remote management software for insecure configurations, use of outdated or unpatched applications, and common or easily-guessed usernames and passwords, and to ensure that the overall payment processing environment is securely configured and maintained in accordance with the PCI DSS.  In addition, merchants should follow these other security practices to mitigate their risk:

  • Ensure proper firewall rules are in place, allowing remote access only from known IP addresses.
  • If remote connectivity is required, enable it only when needed.
  • Contact your support provider or POS vendor and verify that a unique username and password exists for each of your remote management applications.
  • Use the latest version of remote management applications and ensure that the latest security patches are applied prior to deployment.
  • Plan to migrate away from outdated or unsupported operating systems like Windows XP.
  • Enable logging in remote management applications.
  • Do not use default or easily-guessed passwords.
  • Restrict access to only the service provider and only for established time periods.
  • Only use remote access applications that offer strong security controls.
  • Always use two-factor authentication for remote access. Two-factor authentication can be something you have (a device) as well as something you know (a password).
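The six vulnerabilities and the mitigation bullets above amount to a checklist a merchant can run against each remote-management listener it operates. The script below turns that checklist into a small audit over a constructed inventory. It is an added example, not code from the Visa alert or from FMG; the inventory format, field names, finding labels, sample usernames, passwords, and addresses are all assumptions made for the illustration.

```python
"""Audit a remote-management inventory against the Visa alert's checklist.

Added example; the inventory fields, sample credential lists and finding
labels are assumptions made for this illustration, not part of the alert.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample lists: usernames and passwords an intruder would try first.
COMMON_USERNAMES = {"admin", "administrator", "root", "user", "support", "pos"}
WEAK_PASSWORDS = {"", "admin", "password", "123456", "Password1"}


@dataclass(frozen=True)
class RemoteService:
    """One remote-management listener (RDP, VNC, etc.) and how it is deployed."""
    name: str                 # constructed label, e.g. "store-12 RDP"
    port: int
    allowed_sources: tuple    # firewall source CIDRs permitted to reach the port
    always_on: bool           # listener exposed permanently rather than on demand
    username: str
    password: str
    mfa: bool                 # a second factor is required to log in
    patched: bool             # current vendor version with security patches applied
    logging: bool             # the application records logins and sessions
    supported_os: bool        # False for end-of-life platforms such as Windows XP


def exposed_to_internet(sources):
    """True when any permitted source is the whole address space (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in sources)


def audit_service(svc):
    """Return the checklist items this service fails, in checklist order."""
    findings = []
    if exposed_to_internet(svc.allowed_sources):
        findings.append("open-to-internet")          # (1) port always reachable from anywhere
    if svc.always_on:
        findings.append("always-on")                 # enable remote connectivity only when needed
    if not svc.patched:
        findings.append("unpatched")                 # (2) outdated or unpatched application
    if not svc.supported_os:
        findings.append("unsupported-os")            # migrate off Windows XP and similar
    if svc.password in WEAK_PASSWORDS:
        findings.append("default-or-weak-password")  # (3) default or no password
    if svc.username.lower() in COMMON_USERNAMES:
        findings.append("common-username")           # (4) common username
    if not svc.mfa:
        findings.append("single-factor")             # (5) single-factor authentication
    if not svc.logging:
        findings.append("logging-disabled")          # enable logging in the application
    return findings


def audit_inventory(services):
    """Audit every service and flag credentials reused across services, since the
    alert asks for a unique username and password per remote-management application."""
    report = {svc.name: audit_service(svc) for svc in services}
    reuse = Counter((svc.username, svc.password) for svc in services)
    for svc in services:
        if reuse[(svc.username, svc.password)] > 1:
            report[svc.name].append("shared-credential")
    return report


# Constructed sample inventory: two weak POS-support listeners sharing a default
# login, and one hardened listener restricted to a single support-vendor address.
SAMPLE_INVENTORY = (
    RemoteService("store-12 RDP", 3389, ("0.0.0.0/0",), True,
                  "admin", "admin", False, False, False, False),
    RemoteService("store-15 VNC", 5900, ("0.0.0.0/0", "::/0"), True,
                  "admin", "admin", False, True, False, True),
    RemoteService("store-20 RDP", 3389, ("203.0.113.10/32",), False,
                  "s20-vendor-7f3k", "m4Q!v9#Lp2@zX", True, True, True, True),
)

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

The firewall check deliberately treats only a 0.0.0.0/0 or ::/0 source as "open to the Internet"; a real audit would also compare each permitted CIDR against the support vendor's published addresses, which is why the hardened sample uses a single /32.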