Hackers pluck 8,300 customer logins from bank server
New variation on an old
Hackers have stolen the login credentials for more than 8,300 customers of small New York bank after breaching its security and accessing a server that hosted its online banking system.
The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18, according to a release (PDF) issued Monday. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB's total customer base.
"Although the intrusion was limited in duration and scope, SCNB immediately isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server," the bank, located about an hour east of New York City, stated. "To date, SCNB has found no evidence of any unauthorized access to online banking accounts, nor received any reports of unusual activity or reports of financial loss to its customers."
The breach represents a variation on more traditional types of attacks on online banking. Cyber crooks typically target customers by surreptitiously planting malware on their computers that log their user name and password. The FBI estimates that online banking losses to small and medium-sized businesses alone have reached $100m.
By contrast, accessing a server storing online credentials for tens of thousands of customers isn't the kind of intrusion one hears about every day. Best security practices are clear that passwords should never be stored on servers unless they are encrypted.
The bank began notifying affected customers on Monday evening using first-class mail. The two-week delay "was necessary for making a lot of arrangements so we could come out with an absolutely conclusive statement about what happened," said Douglas Ian Shaw, the bank's corporate secretary. Retail customers whose details were lifted will be given two years worth of credit monitoring services at SCNB's expense.
In the fourth quarter, the bank budgeted $351,000, or about 4 cents per share, to account for expenses related to the intrusion. Additional expenses may be incurred. ®
And a BANK at that!
A BANK was storing passwords in cleartext? Not only should they compensate customers for any losses, their systems engineers should be charged with criminal negligence.
No thanks... i like my passwords hashed... HASHED
"""it was a unix/linux system them, being as the only way to rebuild your server from base is in a Unix/lLinux enviroment."""
You'll find that people use 'build' when they install just about any operating system on any computer. I know I've seen it applied to Windows servers plenty of times in plenty of different organizations.
"""Pray tell me, how does xss/cryptoapi/ etc etc etc etc unfixed MS bugs/flaws play into the scenario of seriousness, when now you're talking about 8k+ bank accounts being compromised."""
What? Unfixed bugs are unfixed bugs. Plus nobody said a bug was even at fault here, for all we know the compromise started with a botnetted Windows workstation.
"""At least, when an MS server is compromised you don't have to rebuild from scratch, or compensate x thousand/million/billion customers."""
If you have a compromised system and you don't rebuild from bare metal, you're really risking not removing all sorts of malware. Also, plenty of MS servers have been breeched over the years, often with far more than 8400 customer logins revealed to intruders. And the use of a non-MS environment doesn't cause you to compensate billions of customers.
Also, what have you been smoking?