At Bridge Metal Industries L.L.C. in Mount Vernon, the future looks bright. A manufacturer of advertising and in-store display lighting with more than $16 million in sales last year, BMI recently was awarded a $1.5-million state grant to expand its production of energy-saving LED fixtures for major retail customers that include Walmart, Target and CVS.
Unlike the company’s past, its future for now does not include Internet banking. Not after the crime last summer when sophisticated computer hackers over two days transferred more than $1 million from the bank account of the innovative manufacturer on South Third Avenue in Mount Vernon to two banks in Eastern Europe.
The stolen money has been restored to Bridge Metal Industries, but the victimized owners’ confidence in online security has not returned. Company credit cards, too, are no longer used since those dark days last summer. The Federal Bureau of Investigation continues to work on the case.
Robert Blanchard, a principal partner at BMI, discovered the cyber thefts on a Monday last July. Unable to log onto the company’s Citibank account with his password, Blanchard contacted the bank, which sent him a new password overnight. But that Tuesday, July 7, Blanchard still was unable to access the company account with the changed password.
Blanchard later learned that two transfers, each in excess of $99,000, were made to a Latvian bank that Monday afternoon. On Tuesday, about $810,000 was commandeered from the BMI account to a bank in Ukraine.
The Wall Street Journal first described the online bank heist in a recent story reporting a broader ongoing Federal Bureau of Investigation probe of a computer-security breach that targeted the Citibank subsidiary of Citigroup Inc. Citing unnamed government officials, the Journal said the hackers, apparently linked to a dormant Russian cyber gang called the Russian Business Network, stole “tens of millions of dollars” from Citibank accounts.
The Journal reported that investigators found a computer at BMI had been infected by a computer at another company co-owned by Blanchard. The BMI computer then was “dragooned” into a group of computers used to attack others. The software on one of the company computers included a spyware program that logged keystrokes and could capture the bank account password and code information.
While reluctant to discuss more details regarding the theft from his company, Blanchard said the Journal’s account of it was accurate.
Citigroup officials quickly responded to the Journal report, calling “false” the newspaper’s allegations of a computer systems breach, large money losses and an FBI investigation. “We take the security of our customers’ accounts and systems seriously,” Citigroup said. “We continuously take steps to protect our customers against fraud, and we have state-of-the-art processes to detect and prevent criminal activity.
“Occasionally, as with virtually all financial institutions, there are instances of fraud or breaches of third-party systems that result in our taking actions to protect our customers and Citi,” the Citigroup press release stated, an apparent reference to the BMI theft.
A Citigroup spokesman told The Wall Street Journal the Mount Vernon case was “an isolated incident of fraud.”
“It’s very hard to place blame here,” Blanchard said recently in Mount Vernon, where BMI and an associated commercial-lighting company, Galaxy Switchgear Industries L.L.C, have occupied an 82,000-square-foot plant since moving from the Bronx in 2005. “I can’t blame Citibank.”
Blanchard said Citibank recovered the large sum transferred to the Ukraine about six days after the theft was discovered. The bank later restored to BMI’s account the remaining sum from the two Latvian transfers. Blanchard said he did not know whether Citibank ever recovered that money from the Latvian bank.
“I think Citibank acted above and beyond what anybody would be expected to,” Blanchard said.
He showed a recent letter he received from an attorney in Atlanta, Ga., after the Journal article appeared. The attorney said his client’s circumstances as a victim of cyber theft “appear to be identical” to what Blanchard described at Bridge Metal Industries. His client’s bank, however, “is denying all responsibility,” the lawyer added.
“Since the article came out, I’ve had numerous phone calls from people who were not only with Citibank but with other banks” when attacked by cyber thieves, Blanchard said. “This is obviously happening all over the country. So it seems to me that the sharing of this information and the sharing of it quickly is a good idea.”
Commenting on the Journal report, Tom Kellermann, vice president of security awareness for Core Security Technologies in Boston, Mass., and a former senior member of the World Bank’s treasury security team, told the Associated Press that Internet attacks on banks are very common. Kellermann said large financial institutions are “consistently targeted” by criminal organizations in Eastern Europe, Brazil and Southeast Asia.
“Ninety-eight percent of bank heists are now occurring virtually and not in the real world,” the AP quoted Kellermann. He said the industry is “hemorrhaging funds” as a result.
The U.S. Department of Treasury’s Financial Crimes Enforcement Network reported that banks that accept deposits filed 14,700 reports of suspected wire transfer fraud in 2008, a 58 percent increase from 2007 and 167 percent increase from 2006. Depository banks reported 1,477 cases of suspected computer intrusion in 2008, a 24 percent decrease from 2007.
Kellermann also noted that fewer than 30 countries have cybercrime laws. Hackers such as those that attacked BMI computers are seldom found and seldom prosecuted.
Blanchard welcomed President Barack Obama’s appointment of Howard A. Schmidt, a former eBay and Microsoft executive, as the administration’s cyber security coordinator. When announcing the appointment, on the same day the Journal article describing the BMI theft and FBI probe was published, Obama called cyber crime one of the “most serious economic and national security challenges we face.”
Blanchard thinks the government has not done enough to help businesses and citizens victimized by cyber criminals. “This is a zap game where everything happens so quickly,” he said. “The government needs to give us some place to call. There are a lot of people out there with questions who need answers and I don’t think the answers are readily available. And I think the government should be providing that.”
Blanchard says what’s needed is “the unification of the process, whatever it is… For a consumer like my company or myself, it’s a little bit of an ordeal to try to figure out what to do. Do I call the FBI, Treasury Department, Comptroller of the Currency? Do I call the Mount Vernon police and ask for the Latvian division?”
Two days after the cyber theft, Blanchard did call the FBI and Office of the Comptroller of the Currency as well as the U.S. Attorney’s office. “I learned later that I should have called Homeland Security too,” he said.
Blanchard proposed a Centers for Disease Control for cyber crimes. “You have a set of viruses that are spread by (computer) bodies,” he said. A CDC can provide “a centralized place” where victims can report and receive information and specialists “from many different realms in the cyber world” can identify viruses and provide cures if possible.
“We have a tremendous amount of talent, but how do you put it all in one place?” Blanchard said. “I believe in the CDC and I think it’s necessary. I think at the end of the day it will help.”
Blanchard brought his suggestion for a CDC or 911 call center for cyber crimes to a meeting last fall between BMI staff and Fordham University’s Cyber Security Research Group, a small group of faculty and students in the Bronx university’s department of computer and information science. The academic experts in turn advised Blanchard that his business could reduce the risk of another cyber attack by dedicating only one physical computer for banking use.
“Nationally or internationally, this is a pretty serious problem,” said Frank Hsu, Fordham professor of computer and information science and an organizer of the university’s annual International Conference on Cyber Security. Blanchard, he said, asked his research group, “Why is there not a CDC for this?”
“That’s almost a wake-up question,” Hsu said. “There must be some central reporting system. This coming from the users, from real-life experience, from the corporate executives, it shows it’s very important. It’s an urgent need.”
The federal government since 2000 has operated the Internet Crime Complaint Center, IC3, a partnership of the FBI, National White Collar Crime Center and Bureau of Justice Assistance that also receives input and staffing support from private industry. It serves as a central clearinghouse that receives complaints of cyber crimes and refers them to law enforcement and regulatory agencies.
Apparently IC3 operates largely in a virtual anonymity shared by the criminals it tracks.
“There are many, many agencies,” said Hsu. “There are many, many committees. There are many, many task forces.” The professor was not familiar with IC3.