Grandma Got Hacked for Christmas

Nothing quite says “Happy Holidays” like discovering that a family member’s bank account has been hacked. While I’m not at liberty to provide details, there’s a twist to this bank heist story that I think you’ll find interesting. In fact, I’m hoping that some of you (considering that many of TriGeo’s customers are banks) might be willing and able to comment, perhaps from personal experience, or with regard to your bank’s policy.

Our story begins with the familiar discovery that funds are missing. Since a home PC and on-line banking are involved, it’s natural to suspect the PC was compromised.  Everyone believes that some malware found its way to an unprotected system, spotted the on-line banking activity, captured the credentials and dutifully transmitted them or awaited further instructions from whoever had control of this machine.

What’s interesting about this case is that the bank has asked for the hard drive of the compromised PC.

What would you do?  What advice would you offer to the owner of this PC?

My initial advice was to quarantine the machine - get it off the internet to cut any command and control linkage, and assess the damage.  I characterized the incident as a “break in” and now it’s time to inventory what’s missing.   Just because it seems likely that banking credentials had been compromised, that didn’t mean they were the only thing of value that was stolen.

Had the computer been used to manage a stock portfolio, buy presents on Amazon, pay bills, update a Facebook account or store personal records?

Source data, like browser history, would be a good place to start, but essentially this person’s on-line identity needed a thorough scrubbing to minimize further damage and potential fraud.   Of course, the PC needs to be scrubbed as well, but that comes later.

With regard to the bank’s request, I felt cooperation with the bank would be reasonable.  I did point out that this is not a forensically sound request.  Certainly nothing on the drive could be considered “evidence” given the break in the chain of custody, but I assumed that the bank would want to identify what malware they were dealing with and perhaps gain some indication of its origin or when it was installed.  I also suggested first cloning the drive so that the owner could retain a copy.

As a generally trusting (perhaps naïve) person, this seemed prudent, but several others involved in the discussion questioned the bank’s motive…

Why did they want the drive?
What assurances did they offer with regard to how personal data would be handled?

Some felt that the bank would use the drive in an attempt to place blame on the individual, perhaps to even avoid covering the losses.  Most agreed that the real drive should remain with the owner and the clone should be handed to the bank.  Others were concerned that there was no apparent law enforcement involvement, and encouraged the individual to report to one or more agencies (depending on the jurisdiction and the size of the loss).
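
The “clone it first, keep the original” advice above is only worth something if the owner can later show that the copy handed over is a faithful one. As an added example (not from the original post, and not a TriGeo tool), the script below does a sector-by-sector image with dd, hashes both the source and the image with SHA-256, and writes the hashes, time, and operator to a custody log that stays with the owner. The 1 MiB file of random data is a constructed stand-in for the real device (which would be something like /dev/sdb, an assumed name, attached through a write blocker or from a live boot and never mounted); dd, awk, and sha256sum or shasum are assumed to be present.

```shell
#!/bin/sh
# Added example: forensic-style image of a drive plus a custody log.
# The "disk" is a constructed 1 MiB file standing in for a block device.
set -u

hash_file() {
    # SHA-256 of a file; sha256sum on Linux, shasum on macOS/BSD
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

make_sample_disk() {
    # Constructed stand-in for the source device: 2048 sectors of random data
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

acquire_image() {
    # $1 = source device or file, $2 = output image, $3 = custody log.
    # Sector-sized blocks; keep going past read errors and zero-fill the
    # unreadable sectors so offsets in the image stay aligned with the drive.
    src=$1; img=$2; custody=$3
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    {
        echo "acquired_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "acquired_by=$(id -un)@$(hostname 2>/dev/null || echo unknown-host)"
        echo "source=$src"
        echo "image=$img"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } > "$custody"
    # Acquisition only counts if the image hashes the same as the source
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # $1 = image, $2 = custody log. Re-hash the image (for example before
    # handing it to the bank) and compare with the hash recorded at acquisition.
    img=$1; custody=$2
    recorded=$(sed -n 's/^image_sha256=//p' "$custody")
    [ -n "$recorded" ] && [ "$(hash_file "$img")" = "$recorded" ]
}

# Stand-alone demonstration on the constructed sample disk
work=$(mktemp -d)
make_sample_disk "$work/disk.raw"
if acquire_image "$work/disk.raw" "$work/disk.dd" "$work/custody.log" \
   && verify_image "$work/disk.dd" "$work/custody.log"; then
    echo "image verified: hand over $work/disk.dd, the original stays with the owner"
    cat "$work/custody.log"
else
    echo "hash mismatch: do not rely on this image" >&2
fi
```

Two caveats a practitioner would add. First, the image is only as trustworthy as the moment it was taken: a PC that has since been booted, scanned, or used to “assess the damage” no longer matches its state at the time of the theft, which is the chain-of-custody point made above. Second, if the bank or law enforcement may end up relying on the image, the custody log should travel with a signed, dated statement of who imaged the drive and how; the script records the what and when, not the who-witnessed-it.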

Fortunately, I’m not personally involved in this case, but unfortunately that means we’ll likely never know how this turns out.  Still, it raises some interesting questions about cooperation, responsibility, negligence and liability.

Imagine you’re the victim in this case, and the bank asked for your drive.
What would you do?


This post was written by:

Michael Maloof - who has written 14 posts on TriGeoSphere.