In my previous post, "How Hacker Targets Become Victims", I examined a common Man-In-The-Middle attack that hacker organizations are using today to steal from various types of organizations. An "Attacker" gains control of a target computer system, and then hijacks the web browser once the target logs into the account, without alerting the target to the problem. It's an amazing attack because it completely bypasses most of the controls that the banks put in place to protect business accounts. The attack vector renders standard and multifactor authentication controls irrelevant and makes bank efforts to authenticate the computer system useless. What would happen if all of a sudden your organization were unable to make payroll because a hacker wiped the bank account clean the night before? As many of these organizations found out, the organization would likely be left to cover the loss itself.
The impact that the attacks have on small businesses, non-profits, and public organizations is extraordinary. While the industry is still working on collecting clean data and defining statistical measurements, InfusionPoints conducted a study that sampled electronic theft incidents in the United States matching this scenario, drawn from 18 organizations from 2008 through 2010. The targets included small businesses, public school districts, non-profits, and local governments, and attempted theft amounts ranged from $22,000 to $700,000, totaling nearly $9M. When examining the reports, we found that the targeted organizations failed to recover any loot (how the FBI defines the losses) in nearly 50% of the cases, with all but one experiencing some loss. Of the $9M in potential losses, actual losses totaled nearly $4M.
Breaking down the numbers a bit more, we began to see some trends. High-value targets, those with potential losses of around $1M or more that generally included public sector accounts, recovered more of their losses (about 85%) than lower-value targets did (about 18%). Based on our analysis of the reports, this difference is likely due to the fact that larger organizations have more controls in place to rapidly detect problems than their smaller counterparts, and banks are more willing to cover the losses of their larger customers.
We believe that our admittedly non-academic study just barely scratches the surface of what we figure is a very substantial problem for businesses. In November 2009, the National Cyber Forensics and Training Alliance submitted that reported losses of theft due to this type of attack were on the order of $1M - $1.5M per week, or nearly half a billion dollars in actual losses in one year. Then, in Operation Trident BreACH, the FBI reported that one hacker organization had caused $70M in actual losses, by itself, in an 18-month period ending October 2010. With about 400 incidents included in the investigation and a total attempted theft of $220M, the resulting actual average loss is $175,000 per day, or about 30% actual over potential loss.
Protecting against these attacks is not complicated and we're helping clients better understand how to do so. There are a few things that organizations can do to quickly take control of their bank accounts: