A story presented today by Krebs on Security truly brings home the threat of sophisticated cybercrime. Cynxsure LLC of Hudson, New Hampshire, lost just under $100,000 to an international Internet fraud attack utilizing American citizens as money mules. However, what sets this theft apart from so many others like it are the preventative measures which Cynxsure had put in place to prevent such an incident.
The theft occurred in the form of ten fraudulent automated clearing house (ACH) transfers completed to unknown persons added to the company’s payroll, each totaling just less than $10,000. While it is unknown at this time whether the attack was a result of malicious software or virus, Cynxsure owner Keith Wolters has conducted multiple comprehensive scans on his personal computer—the only computer to access Cynxsure’s online banking accounts—and as of yet has found no evidence to that end.
In fact, Wolters took significant steps to ensure his computer was a secure one. Instead of entering information manually, which could be scanned and stored by a malicious key-logging program, he used a fingerprint-scanning tool, which decrypted his passwords and entered them automatically into online forms after his identifying thumbprint was scanned.
Cynxsure’s bank, Swift Financial, was unable to reverse the transfers or retrieve the thwarted funds. Swift, too, followed all mandatory precautionary measures to meet federal compliance guidelines. Wolters’ computer had been previously registered for authorization to access the company accounts using several secret questions. Whoever was responsible for the identity fraud attack managed to dodge this multi-factor security system by successfully answering these questions.
Cynxsure is now preparing to sue Swift Financial as the investigation continues. As always, when more information is available and a conclusion can be drawn as to how you can protect your business more effectively from the outcome of attack, we will be reporting on it here.