Feb 04 2010
Late last year, the bank account of an outfit in Texas called Hillary Machinery, Inc. was siphoned to the tune of US$800k after their online banking credentials were compromised. The bank they did business with, PlainsCapital, required customers to supply a username and passphrase and then enter a single-use passphrase e-mailed to a designated address a few minutes later to complete the authentication process. Investigation showed that IP addresses roughly corresponding to networks in Italy and Romania were used to initiate the transfer of funds to bank accounts in the Russian Federation and Eastern Europe. From this evidence, it seems reasonable to state that their primary login credentials were compromised and that the e-mail address the one-time authenticator was sent to was also being monitored by the attackers, hence the successful login. The hell of it is that PlainsCapital has filed a lawsuit against Hillary Machinery because Hillary had the audacity to accuse the bank of having lousy security.
Not that this is much of a stretch today, but that's beside the point.
PlainsCapital was able to recover US$600k of the US$800k stolen. The lawsuit asks the US District Court in charge of eastern Texas to certify that PlainsCapital's information security is, in fact, reasonable, and thus that the electronic funds transfers were carried out in good faith. Furthermore, the lawsuit alleges that because the authentication procedure was carried out with valid credentials, their security posture is compliant (never mind that having valid credentials and having decent security are two entirely different things). Hillary Machinery claims that they never received the authentication e-mails, so it could not have been anyone on their end who transferred the money. This isn't implausible: all someone with access to the mailbox has to do is delete the e-mail before the contents of the mail server get backed up, and unless someone audits the mail server's logs (a nontrivial task on a busy server) the mail may as well never have been there. When you get right down to it, even being certified compliant with some set of official regulations or other isn't a guarantee that your security is any good, because compliance and actual security are two very different things.
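As an added illustration of the kind of log audit the paragraph above says rarely happens (this script is not from the original post or from either company), here is a small correlation over constructed bank-application and mail-server log lines: for each successful login it checks whether the one-time-code e-mail was ever read, whether it was read from an address the customer does not normally use, and whether it was expunged right after being read. The line formats, the `acme` customer, the `KNOWN_IPS` baseline and all addresses and message ids are constructed assumptions, not real data.

```python
from datetime import datetime

# Constructed sample logs; the line formats are invented, not a real bank's or MTA's.
BANK_LOG = """\
2009-11-09T10:01:00 otp_sent user=acme ip=198.51.100.7 msgid=m1
2009-11-09T10:03:30 login_ok user=acme ip=198.51.100.7 msgid=m1
2009-11-10T02:15:00 otp_sent user=acme ip=203.0.113.5 msgid=m2
2009-11-10T02:17:10 login_ok user=acme ip=203.0.113.5 msgid=m2
"""
MAIL_LOG = """\
2009-11-09T10:01:04 delivered msgid=m1 to=treasury@example.com
2009-11-09T10:02:20 imap_fetch msgid=m1 ip=198.51.100.7
2009-11-10T02:15:03 delivered msgid=m2 to=treasury@example.com
2009-11-10T02:16:05 imap_fetch msgid=m2 ip=203.0.113.5
2009-11-10T02:16:20 imap_expunge msgid=m2 ip=203.0.113.5
"""
# Assumed per-customer baseline of addresses they normally connect from (constructed).
KNOWN_IPS = {"acme": {"198.51.100.7"}}

def parse(log):
    # 'timestamp event k=v k=v ...' -> (datetime, event, {k: v}); blank lines skipped
    return [(datetime.fromisoformat(t), ev, dict(kv.split("=", 1) for kv in rest.split()))
            for t, ev, rest in (l.split(" ", 2) for l in log.splitlines() if l)]

def audit_otp_logins(bank_log, mail_log, known_ips, expunge_window_s=120):
    # One finding per successful login whose one-time-code e-mail trail looks wrong.
    trail = {}
    for ts, kind, f in parse(mail_log):
        trail.setdefault(f["msgid"], []).append((ts, kind, f))
    findings = []
    for _, kind, f in parse(bank_log):
        if kind != "login_ok":
            continue
        usual, reasons = known_ips.get(f["user"], set()), []
        if f["ip"] not in usual:
            reasons.append("login from unfamiliar ip " + f["ip"])
        events = trail.get(f["msgid"], [])
        fetches = [(t, e["ip"]) for t, k, e in events if k == "imap_fetch"]
        if not fetches:
            reasons.append("OTP mail never read before login")
        for t_fetch, ip in fetches:
            if ip not in usual:
                reasons.append("OTP mail read from unfamiliar ip " + ip)
            if any(k == "imap_expunge" and 0 <= (t - t_fetch).total_seconds() <= expunge_window_s
                   for t, k, _ in events):
                reasons.append("OTP mail deleted shortly after being read")
        if reasons:
            findings.append({"user": f["user"], "msgid": f["msgid"], "reasons": reasons})
    return findings
```

With the sample data, the first login is clean and the second produces one finding with all three reasons; an empty mail log instead flags both logins as "never read", which is the trail a "we never got the e-mail" claim should leave behind.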
The lawsuit is still ongoing, so neither side is saying much until they get in front of a judge.