State of Utah Fleeced for $2.5 Million

By jimmy at 1:58 pm on February 17, 2009

Over $2.5 million was stolen from the State of Utah’s Treasury, according to a recent article in the Salt Lake Tribune.  According to the article, an attacker obtained a vendor number for the University of Utah’s construction department, then submitted paperwork with a forged signature from the director changing the department’s bank account to a new Bank of America account located in Texas (the article uses the word “signature” but I can’t seem to find whether it was digital or hand-written; I am assuming hand-written given the context).  The attacker apparently set up this account using intermediaries who may not have known its purpose.  With the account in place and the paperwork filed, the attacker began submitting invoices on the State of Utah’s website on behalf of the University department, so that deposits summing to nearly $2.5 million were made into the fraudulent account.  Fortunately the account was frozen before $1.8 million was transferred, resulting in a net loss of $700,000.
The article mentions that the vendor number of the University’s department should not have been leaked; however, given that the number is most likely used by several different parties, its secrecy should not be counted on.  The primary breakdown of security occurred when the attacker was able to forge paperwork changing the department’s bank account number.  The Treasury department of the State of Utah should have enforced much stricter controls on this process, potentially requiring in-person verification of one’s identity.  Furthermore, a more stringent auditing system should have been in place so that such a large sum of money could not be paid to a fictitious entity.
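As an added example (not from the article or from Utah’s systems), one shape such an auditing control could take: hold any payment to a vendor whose bank details changed without an out-of-band identity check, and hold further payments once the total paid since a change crosses a limit inside a hold period. The vendor numbers, dates, amounts and policy thresholds below are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy values; a real treasury would set these by risk appetite.
HOLD_PERIOD = timedelta(days=90)
CUMULATIVE_LIMIT = 250_000.0


@dataclass
class Vendor:
    vendor_id: str
    account_changed_on: Optional[date] = None  # last bank-detail change, if any
    change_verified_in_person: bool = False    # was identity checked out of band?


@dataclass
class Payment:
    paid_on: date
    vendor_id: str
    amount: float


def review_payments(vendors, payments):
    """Return (payment, reason) pairs an auditor should hold before release."""
    by_id = {v.vendor_id: v for v in vendors}
    paid_since_change = {}  # running total per vendor since its last change
    flags = []
    for p in sorted(payments, key=lambda x: x.paid_on):
        v = by_id.get(p.vendor_id)
        if v is None:
            flags.append((p, "unknown vendor number"))
            continue
        changed = v.account_changed_on
        if changed is None or p.paid_on < changed:
            continue  # long-standing bank details: nothing to hold
        if not v.change_verified_in_person:
            flags.append((p, "bank details changed without in-person verification"))
            continue
        total = paid_since_change.get(v.vendor_id, 0.0) + p.amount
        paid_since_change[v.vendor_id] = total
        if p.paid_on - changed <= HOLD_PERIOD and total > CUMULATIVE_LIMIT:
            flags.append((p, f"${total:,.0f} paid within {HOLD_PERIOD.days} days of change"))
    return flags


# Constructed sample data: V-200 mirrors an unverified account change.
VENDORS = [
    Vendor("V-100"),
    Vendor("V-200", date(2009, 1, 5), change_verified_in_person=False),
    Vendor("V-300", date(2009, 1, 5), change_verified_in_person=True),
]
PAYMENTS = [
    Payment(date(2009, 1, 10), "V-100", 50_000.0),
    Payment(date(2009, 1, 12), "V-200", 400_000.0),
    Payment(date(2009, 1, 20), "V-300", 150_000.0),
    Payment(date(2009, 2, 1), "V-300", 150_000.0),
    Payment(date(2009, 2, 2), "V-999", 1_000.0),
]
```

Running `review_payments(VENDORS, PAYMENTS)` holds the V-200 payment, the second V-300 payment (cumulative $300,000 inside the hold period) and the payment to the unknown vendor V-999.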
What makes this article most interesting, perhaps, is the fact that the attack was so simple and so well known.  Investigators claimed the attack was simple: “it sounds like any kid could have done this”.  Furthermore, the article explains that the idea for the scam was invented five years ago in Nigeria and has been applied several times since then.  In the volatile world of computer security we live in today, one can understand and perhaps forgive systems administrators for falling victim to new and cutting-edge exploits and scams, but not to old and simplistic signature forgeries.  Arbiters of financial systems should familiarize themselves with common security attacks and ensure that the vital components of their systems are protected.  I can understand the desire to file invoices online for convenience; however, one should be wary that adding such features also increases the risk of attacks like these.


Filed under: Current Events