41 comments

[ 4.6 ms ] story [ 102 ms ] thread
The same thing happened recently at BU, but our school is covering all losses even though I think the users are at fault in our case: At BU it was people that responded to a fishing email that had their account info changed. http://www.bu.edu/today/2014/fighting-phishing-bu-moratorium...
That was my first guess for this story too - six people is a very small number if someone found a system exploit. Although it is still possible that's the case, and only specific passwords/accounts/etc were vulnerable.
Yay. That's the kind of world I've always wanted to live in.

Gooooo, Justice! — Really, get the fuck out!

UK resident: My wages are paid into my bank account using an electronic payments system that does not use the Internet at all. The accounts/HR people have computers that are on a separate VPN from the rest of us.

The attack mode in this case revolved around the use of a client system to tell HR/Payroll where to pay the money. We don't do that, any change in bank account details is a visit to an office with paperwork.

If you read the article, it specifically says in the fourth paragraph: "However, he said he believes the university should reimburse him for his loss, since it was its system that was hacked.".

It wasn't his banking account being phished, you should read the linked articles before commenting on things.

Edit: yes, I made it to the last paragraph and realised that you actually allow people to change account details from a client computer. I shall read every word in future.
I've lost a payment in a similar fashion before. The accounts team took the written paperwork and misinterpreted a 6 for a 0 (I didn't write the form) and it just happened to be a valid destination account number. It took me 2 weeks to get the payment back.

Doesn't always come down to technology.

In fact, when it comes to technology it's usually pretty good. Humans on the other hand always err on the side of incompetence as there's usually someone else to blame...

If you do not believe this about humans, work in or for the public sector in the UK for a bit!

I do work in UK public sector. I have been fortunate in the payroll/HR departments, obviously.

Chunk of cash suddenly appearing in my bank account would have me asking questions by the way.

I imagine bank security in the case of the unwitting recipient of your wages were reassured by the payment coming from a BACS or similar system. When I paid my redundancy cheque into my bank account over the counter, a bank manager appeared in seconds and wanted to know why this very large amount was being paid in...

When I worked for a university in the UK as salaried Research Associate they "forgot" to pay me one month - didn't even apologize. They gave me a cheque that I cashed in the universities own branch and cycled to my own branch to deposit the money before my mortgage payment came out.
Off topic: A professor just earns $1,581 per month?
Depends on professor status. Adjunct professors, maybe. If it's not really full-time and they aren't researching anything, then why should they get paid a ton?
(comment deleted)
He's an assistant professor. The article also says he is 66, so there is a fair chance it is a part time job.
>> A hacker had gotten into Cool's WMU account and changed the routing number for his payments, he said, sending $1,518.62 to a bank in Utah..... There was $11.08 left in the Utah account, which is all Cool has gotten back of his paycheck.

Just curious. A professor is paid only $1,529.70 ? Hope it is weekly.

Actually, this fellow is paid $70K/year (he's at a public university where salaries are public). He got into the system before the big shift to lecturers and adjuncts, and since he has been in the system for a long time there is a long history of salary increases, back when times were good, and never a decrease - the phenomenon of sticky wages in action.

Whether his compensation is fair is a different question. His homepage lists what courses he is teaching but not the number of actual sections. A lecturer can teach three sections of a full-time four-credit course. With preparation, grading and contact hours this constitutes a 40-hour workweek.

I realize that central Michigan has a fairly low cost of living, but that seems surprisingly low for a tenured professor.
$70K is the market rate for an assistant professor at that level of school.

For comparison, a full-time lecturer gets around $40K, and the rate for a part-time adjunct with no benefits is something like $6K per section taught. That is low. It's no surprise that universities are moving to that employment model.

Has he argued with any Comp Sci students?

(edited to avoid implying fault on his part)

This is not funny. Unpaid wages are never funny. Actually, the Catholic Church classes it as a "sin that cries to heaven", and groups it with murder, inhospitality and exploitation of those with no clout. What they all have in common is a disregard for the humanity of your fellow man, and you can't punish that enough.
I'm not trying to be funny. People already known to the victim is the sane place to start any investigation.

edit - my edit earlier was going from 'pissed off' to 'argued with' as I realised that 'pissed off' can often imply intent to piss off.

University has a crappy insecure system for paying staff, they get hacked, so the staff stuffer? Just pay the man!
My father and mother work at this University. The same login gets you into email, that gets you into payroll and all other employee areas of the employee website. So if the attacker was able to get the login and password through whatever means it would make any sort of email confirmation useless.

As far as the WMU police investigating this I think its a bit of a conflict of interest as their system was hacked and they will likely blame the 2 employees who lost their paychecks as its in the universities intrest no to send out more money.

I don't think there is any conflict of interest. The police are only concerned with the criminals who stole the password. Whether the university owes the employees their pay because of the lax security they implemented, is almost certainly a civil matter.
At my university the Health and Safety people do nothing worse than hand out warnings, even if they come across serious safety issues in laboratories. It's almost as if they were at risk of losing their jobs if they imposed fines or shut down a lab altogether. Let the fun and games continue until someone burns!

If you believe that the police and the internal IT investigation aren't under pressure to find for the university I've got an Eiffel Tower to sell to you.

>>"Unfortunately, it's pervasive," Porter said of such theft by computer. If the criminals are willing to dedicate "time, brains and fortitude, it's hard to stop it all."

This article reads like it'll be difficult to catch the person who stole the money. I remember all the arguments about bitcoin being more (pseudo)anonymous than a Bank, but if authorities can't even get the person who got this Bank ACH Deposit then I must have a horrible understanding of the Banking process. What's the problem? I thought bank-fraud was the easiest crime to catch assuming the culprit isn't someone with connections in high-places.

Or a fake ID... opening an untraceable bank account is one of the major use cases for identity theft. It's very likely that the money was moved into a bank account opening with a stolen or false identity, and the person will not be caught.
mindblown.gif ...I had no idea a regular person could open & collect funds from a bank account that was fraudulently opened and actually get away with it.
Since the banks enable this kind of crime, I kind of think they should be held liable.
Employee handbook probably has a clause in "IT Policy" that says 'Employee is responsible for maintaining the security of his/her password' or some similar such nonsense that the Uni will try to hide behind. Typically the only way for employees to opt out of this (when this option is available at all) is to elect to receive a paper check.

My employer's system (which comes from a big name edu-prise sw vendor) takes a 6 digit password and my system username is public information (it is not advertised, as a username, but it is visible on public facing documents). Access to this system would allow a person to change my payroll & benefits info, mailing address, and other contact info, change student grades (for the current semester), access confidential student information, and in some cases, add/drop currently enrolled students from courses. The system default password and reset default are also public information. This is a disaster waiting to happen.

Many universities no longer offer paper checks as an option, sometimes with exceptions for the first paycheck, and the final one. You must set up direct deposit with a bank or credit union.
I know, and a paper check might not protect you in any case if the attacker is able to change that option through the online system.
> My employer's system (which comes from a big name edu-prise sw vendor) takes a 6 digit password and my system username is public information ...

Ahhh, Sungard.

This is an interesting case. If an employee is liable for the loss as a consequence of a data breach in a university system then does that mean it's acceptable for an employee to do their own penetration testing of university systems handling their money? This would help them better understand the weaknesses to protect themselves and push the university to fix their systems. Yes, this professor could have been phished and given up their credentials to a bad guy, but that shouldn't entirely offload the liability onto the employee as the university should have had strong measures in place for validating changes to routing numbers.
The password system also has no login attempt counter... so basically you could bruteforce all you want according to my brother whos a student there.
This same thing happened at CU Boulder. The phishing attempts take the form of an email from IT stating that the user has exceeded their max email capacity. The letter then tells the user to forward their credentials to the mailer.

It is sad that people can't learn to keep their passwords to themselves.