Brian Krebs is reporting that the Texas bank PlainsCapital is suing Hillary Machinery, one of its own customers. This is significant because, up to this point, it has been common for customers to bring suit against a bank over lax security; a bank bringing suit against a customer is rare. Details can be found at Krebs' blog.
The details of the case are hazy. I don't want to take sides on the litigation, but I do want to point out that both parties could have prevented the breach.
One detail caught my attention. PlainsCapital did not issue a statement, but a memo does appear to have been made public. It outlines the details of the intrusion as reported by Sam Roark, vice president of delivery channels. The bank uses some common authentication methods to control access to the system and the making of transactions. Specifically, you need to know your username (public information) and your password (private information). Once you sign in, the system sends you an email before you can make any transactions, and you must then click a link in it. The memo states the following about this process: “This is known as multifactor authentication.” Again, it is not my intention to pick sides; in fact, I would place most of the blame elsewhere.
However, I would like to use this example to make the concept of multifactor authentication clear. Multifactor authentication uses a combination of something that a user knows, something that a user has and something that a user is. For multifactor authentication to be more secure than single factor, you need at least two of the three categories. Think of ATM authentication, for instance: you must insert your card and enter your PIN.
That is something you have and something you know. The bank, by contrast, uses two instances of something you know (your username and password, and then your email account's username and password). This is no more secure than single factor and is not considered multifactor authentication. If the intruder used a phishing attack, the user could unwittingly give up both pieces of information and the attack would succeed, because the attacker does not need to kidnap anyone (something you are) or steal a physical item (something you have). For this reason it is incorrect to say that the bank was using multifactor authentication. Had the bank really been using multifactor authentication (with a secure token or something similar, for instance), this attack would not have been successful. Banks should consider this in future litigation and policy making.
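As an added example (not part of the original post, and not how PlainsCapital or Hillary Machinery actually implements anything), the following Python classifies the credentials of each scheme discussed above by factor category, and then shows what a genuine second factor looks like on the server side: an RFC 4226/RFC 6238 one-time-password token. The scheme lists, the user name, the password, the salt and the user record are all constructed for the illustration; the token secret is the RFC test-vector secret.

```python
"""Factor classification and a possession-factor check (added example)."""
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    """The three categories the post names; a scheme is multifactor only
    if it draws on at least two *different* categories."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed models of the schemes discussed in the post. Every credential
# the memo describes is knowledge, so a phisher who gets the user to type
# them all has everything needed.
BANK_MEMO_SCHEME = [
    ("online banking username", Factor.KNOWLEDGE),
    ("online banking password", Factor.KNOWLEDGE),
    ("email account password (to click the link)", Factor.KNOWLEDGE),
]
ATM_SCHEME = [("debit card", Factor.POSSESSION), ("PIN", Factor.KNOWLEDGE)]
TOKEN_SCHEME = [("password", Factor.KNOWLEDGE), ("OTP token", Factor.POSSESSION)]


def distinct_factors(scheme):
    """Collapse (credential, category) pairs to the set of categories used."""
    return {category for _, category in scheme}


def is_multifactor(scheme):
    """True only when two or more distinct categories are required."""
    return len(distinct_factors(scheme)) >= 2


# --- A possession factor: RFC 4226 HOTP / RFC 6238 TOTP --------------------
# The shared secret lives on the token and the server; the user never types
# it, so a phished login form only captures a code valid for one time step.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock
    drift, comparing in constant time."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + drift), code)
               for drift in range(-window, window + 1))


# Constructed user record: password stored as a salted PBKDF2 hash; the token
# secret is stored raw because the server must compute the same HMAC.
_SALT = b"constructed-salt"
USER_DB = {
    "hillary_ap": {  # hypothetical accounts-payable user
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",  # RFC 4226/6238 test-vector secret
    }
}


def login(username: str, password: str, code: str, unix_time: int):
    """Return the set of factor categories the supplied credentials satisfy."""
    user = USER_DB.get(username)
    if user is None:
        return set()
    satisfied = set()
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if hmac.compare_digest(pw_hash, user["pw_hash"]):
        satisfied.add(Factor.KNOWLEDGE)
    if verify_totp(user["totp_secret"], code, unix_time):
        satisfied.add(Factor.POSSESSION)
    return satisfied


def login_ok(username: str, password: str, code: str, unix_time: int) -> bool:
    """Access is granted only when two distinct categories are satisfied."""
    return len(login(username, password, code, unix_time)) >= 2


if __name__ == "__main__":
    for name, scheme in [("bank memo", BANK_MEMO_SCHEME), ("ATM", ATM_SCHEME),
                         ("password+token", TOKEN_SCHEME)]:
        print(f"{name}: multifactor={is_multifactor(scheme)}")
    t = 59  # RFC 6238 test time
    print("phished password alone:", login_ok("hillary_ap", "correct horse", "000000", t))
    print("password + token code:",
          login_ok("hillary_ap", "correct horse", totp(b"12345678901234567890", t), t))
```

Running the module shows that the memo's scheme collapses to a single category (knowledge), while card plus PIN and password plus token each span two. In `login`, a phished password alone satisfies only the knowledge factor; the OTP secret never leaves the token, so what a phisher captures is at most a code that expires with the time step. The verifier accepts one step of clock drift on either side, which is the usual trade-off between usability and the size of the replay window.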
The customer is the actual target of the attack, and the customer is responsible for keeping their security credentials private. Unfortunately, such credentials are known to leak easily. There is no detail about how they were leaked, but there are a couple of possibilities. The most obvious is a phishing attack: a user within the bank was simply asked to give the attacker the information he was looking for and, probably believing the attacker to be a trustworthy individual, handed over the credentials. Given that, and the lack of actual multifactor authentication, there was no barrier to a successful attack. The customer could have prevented this by making sure that anybody with access to the banking information is aware and vigilant enough never to give the credentials to anybody. This is user training, and it is a common goal of any security strategy.
The more sophisticated route would be a fully technical breach. If the attacker(s) were able to gain access to an internal system that held the authentication credentials in an accessible place, that is all that is necessary for the attack to work. There are mitigations that give you a reasonable expectation that you are not going to be breached, but these technologies are never 100% effective; there are always 0-day attacks and obfuscation techniques to hide the presence of a breach. Technologically, the customer has to make a risk-based assessment of when enough security is enough, and this attack may have been more sophisticated than the security measures put in place. Currently, Hillary Machinery has not released information about the measures they have in place. It is entirely possible that the state of their network security was woefully inadequate; however, that assumption cannot yet be made.
Put It Together
All in all, both parties had an opportunity to stop this breach. In the end, the customer is responsible for keeping their credentials secure, but the bank should have policies in place that would stop a breach if credentials are stolen. Neither party is fully responsible for the breach, but neither can claim that they aren't responsible. Of course, this is now a legal issue, and we'll have to see how the legalities work out.
The original article/video can be found at Bank Sues Customer Over Intrusion That Led to Theft