Threats Without Borders - Issue 168
Cybercrime Investigation Newsletter, week ending February 4, 2024
I posted the recently filed lawsuit, “The People of the State of New York V. Citibank N.A.,” to LinkedIn this weekend.
The New York State Attorney General is attempting to use the Electronic Fund Transfer Act (EFTA) to hold financial institutions liable for customers' funds lost to fraud and scams. I’m not an attorney, so I won’t speculate on the case's legal merits. As a cyber-fraud investigator and now banker (maybe), I can see the far-ranging implications should the Attorney General be successful.
The Attorney General levies multiple allegations against Citi concerning their “lax” cybersecurity and fraud prevention protections. Maybe, maybe not.
The larger issue that should concern every financial institution that moves money for customers is the allegation that Citi violates federal law by denying restitution claims for funds lost by electronic fraud.
From the AG’s press release:
Attorney General James alleges that because Citi makes wire transfers available to consumers online and through mobile banking apps, Citi must reimburse victims of fraud under the Electronic Fund Transfer Act (EFTA), similar to when banks reimburse victims of electronic credit or debit card fraud. Under EFTA, banks such as Citi must reimburse their customers for money in their accounts that is lost or stolen through unauthorized electronic payments. However, Citi illegally exploited a narrow exception in these laws to deny consumer claims for reimbursement, resulting in millions of dollars in losses for New York consumers. Through this lawsuit, Attorney General James seeks to stop Citi’s deceptive practices and collect restitution for victims who were denied reimbursement in the last six years, penalties, and disgorgement.
Is there no limit to the bank’s liability? Say a customer sends $15,000 through a wire, telling the bank it is to purchase an automobile. Ten days later, the customer realizes the purchase was a fraud and files a claim with the bank. Why is the bank required to refund the money from its own coffers? What did the bank do wrong in that situation?
If some of these allegations are true, Citi does hold liability. They should not manipulate customers into voiding legal protections. They should equally be liable for poor security procedures that allow criminals to access customers’ accounts. But how much liability should the bank bear for its customers' poor choices? I’ve written extensively about this topic, and there is a fine line between accountability and victim blaming, but the financial institution also needs some protection.
Where will a bank’s liability end if the lawsuit is successful?
A colleague chided me that I’m now a bank apologist and have lost my sense of justice for the victim.
I don’t think so. Read the complaint and make your own decision. We’ll probably be on the same page.
https://storage.courtlistener.com/recap/gov.uscourts.nysd.614493/gov.uscourts.nysd.614493.1.0.pdf
Some News…
The Federal Trade Commission has proposed a regulation outlawing robocalls made with voice cloning technology. The Commission is rightly concerned about the use of artificial intelligence to clone the likeness of celebrities and politicians. https://docs.fcc.gov/public/attachments/DOC-400212A1.pdf
Pennsylvania State Police seize $300K during a traffic stop. The driver admits it’s probably drug money. Ion Scan says it’s drug money. Driver’s phone contains images and text messages indicating it’s drug money. County Judge - give the drug money back to the drug dealer. https://www.pennlive.com/news/2024/02/court-orders-return-of-300k-that-state-police-seized-during-pa-traffic-stop.html
Cofense highlights the most common phishing themes used in 2023. https://cofense.com/blog/most-common-phishing-email-themes-of-2023/
ReliaQuest has recently released a report on ransomware trends in Q4 2023. According to the report, there has been an 80% increase in the number of organizations that have fallen victim to ransomware attacks as compared to Q4 2022. The report highlights that ransomware groups like LockBit, ALPHV, Play, and Clop have evolved their tactics and are expanding their reach. ReliaQuest predicts that ransomware attacks will likely continue their upward trend in 2024, with groups innovating new techniques and targeting vulnerabilities in lucrative industries. https://www.reliaquest.com/blog/q4-2023-ransomware/
According to Hong Kong police, a finance employee was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call. “In the multi-person video conference, it turns out that everyone [he saw] was fake.” Yes, AI and ML and all of these other technologies are making cybercrime easy, but… where were the controls? Why was a single employee allowed to move 25 MILLION dollars without any other validation? The fix can be pretty easy, too. https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html
Legalizing marijuana was supposed to quash the black market. Wrong. The illicit sale of cannabis is proliferating. The government can’t even run a drug market! https://www.aei.org/research-products/report/how-should-state-and-local-governments-respond-to-illegal-retail-cannabis/
Cool Job
Senior Cybersecurity Analyst - The PGA. https://pgatour.wd5.myworkdayjobs.com/en-US/PGATOURExternal/job/PGA-TOUR-Global-Home---Ponte-Vedra-Beach-FL/Senior-Security-Analyst_R009812
Cool Tool
Airdrop for non-Apple users. https://www.sharedrop.io/
Irrelevant
Find a pinball machine - wherever you are! https://pinballmap.com/
My friend, Chris Glanden from Barcode Security, has created a new live-event web series called Risk Radar to complement the popular Barcode Security Podcast. Your humble editor will be the guest next Tuesday to discuss cybersecurity for small and medium businesses. The show will be broadcast live on LinkedIn from 3:00 to 3:30 PM EST. You can check out the LinkedIn event page for more details. Tune in and see the guy who writes this nonsense each week. https://www.linkedin.com/events/7160362260219969537
Thank you for opening this week’s issue. Please consider sharing it with your colleagues.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.