{"id":976,"date":"2009-02-17T13:58:57","date_gmt":"2009-02-17T21:58:57","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=976"},"modified":"2009-02-17T13:58:57","modified_gmt":"2009-02-17T21:58:57","slug":"state-of-utah-fleeced-for-25-million","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/17\/state-of-utah-fleeced-for-25-million\/","title":{"rendered":"State of Utah Fleeced for $2.5 Million"},"content":{"rendered":"<p>Over 2.5 million dollars was stolen from the State of Utah&#8217;s Treasury, according to a recent article in the Salt Lake Tribune.\u00a0 According to the article, an attacker obtained a vendor number for the University of Utah&#8217;s construction department, then submitted paperwork with a forged signature from the director, changing the department&#8217;s bank account to a new Bank of America account located in Texas (the article uses the word &#8220;signature&#8221;, but I can&#8217;t seem to find whether it was digital or hand-written; I am assuming hand-written given the context).\u00a0 The attacker apparently set up this account using intermediaries who may not have known its purpose.\u00a0 With the account in place and the paperwork filed, the attacker began submitting invoices on the State of Utah&#8217;s website on behalf of the University department, so that deposits summing to nearly $2.5 million were made into the fraudulent account.\u00a0 Fortunately, the account was frozen before $1.8 million was transferred, resulting in a net loss of $700,000.<!--more--><br \/>\nThe article mentions that the vendor number of the University&#8217;s department should not have been leaked; however, given that the number is most likely used by several different parties, its secrecy should not be counted on.\u00a0 The primary breakdown of security occurred when the attacker was able to forge paperwork changing the department&#8217;s bank account number.\u00a0 The Treasury department of the State 
of Utah should have enforced much stricter regulations on this process, potentially requiring in-person verification of one&#8217;s identity.\u00a0 Furthermore, a more stringent auditing system should have been in place so that such a large sum of money could not have been paid to a fictitious entity.<br \/>\nWhat makes this article most interesting, perhaps, is the fact that the attack was so simple and so well known.\u00a0 Investigators claimed the attack was simple: &#8220;it sounds like any kid could have done this&#8221;.\u00a0 Furthermore, the article explains that the idea for the scam was invented five years ago in Nigeria, and has been applied several times since then.\u00a0 In the volatile world of computer security we live in today, one can understand and perhaps forgive systems administrators for falling victim to new and cutting-edge exploits and scams, but not to old and simplistic signature forgeries.\u00a0 Arbiters of financial systems should familiarize themselves with common security attacks, and ensure that vital components of their systems are protected.\u00a0 I can understand the desire to file invoices online for convenience; however, one should be wary that adding such features also increases the risk of attacks like these.<\/p>\n<p>Article:<br \/>\nhttp:\/\/www.sltrib.com\/ci_11691598?IADID=Search-www.sltrib.com-www.sltrib.com<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over 2.5 million dollars was stolen from the State of Utah&#8217;s Treasury, according to a recent article in the Salt Lake Tribune.\u00a0 According to the article, an attacker obtained a vendor number for the University of Utah&#8217;s construction department, then &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/17\/state-of-utah-fleeced-for-25-million\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":86,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[187,186],"class_list":["post-976","post","type-post","status-publish","format-standard","hentry","category-current-events","tag-forgery","tag-fraud"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/976","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/86"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=976"}],"version-history":[{"count":1,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/976\/revisions"}],"predecessor-version":[{"id":977,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/976\/revisions\/977"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=976"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=976"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=976"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}