Lon A. Berk
Counting on cyber-insurance to cover fraud loss could be a big mistake if the policy excludes man-in-the-middle attacks or other common scenarios.
You are in charge of finances for a small business and are on vacation at the beach. Suddenly, you remember you have forgotten to pay a company bill. All is not lost, you think. You run to your room, grab a laptop, and bring it down to the Tiki Bar.
There, you order a drink and connect to the hotel’s wireless system. Then you call up your company’s bank’s Web page, click the “log-in” button, enter your password, and order a check issued to the creditor.
You sign off, finish your drink, and breathe a sigh of relief, appreciating the wonders of modern technology.
A week later, you are back in the office and all is chaos. Somehow, while you were gone, a series of transfers totaling nearly $2 million occurred from the company’s account to banks in China, Indonesia, and Russia. Needless to say, the transfers have seriously hampered cash flow, and there is talk of filing for bankruptcy.
Worst of all, everyone is in your office asking you what happened. You do not know. But, you say, the company is safe because it purchased a cyber-insurance policy with $10-million limits.
Just as you say this, the phone rings. It is the insurance company saying that, after discussing matters with the bank and some lawyers, they are denying coverage. You hang up. The phone rings again. It is the bank claiming their logs show that you were the only one to use the online system recently.
A Costly Shower
So what happened? You were the victim of a man-in-the-middle attack. While you were sitting in that Tiki Bar, a gentleman sat at the table across from you, using a laptop. You probably took him to be another person scrambling to meet a work deadline while on vacation.
He was no such thing. Instead, on his laptop was a suite of network-security software that can easily be downloaded from the Internet. That software allowed him to collect and decode your exchange of information with the bank.
Network traffic travels over the Internet in discrete units of data called “packets.” For a laptop to send these packets over the Internet, it needs to find an access point. Wireless routers generally send beacons announcing their presence to wireless hosts, such as your laptop. The host then chooses one of the available routers and forms a wireless connection with it.
Some of the software on that gentleman’s computer allowed him to fool your laptop into thinking that his laptop was the router. He effectively copied the beacons from the router and transmitted them from his laptop to yours.
Consequently, unbeknownst to you, your laptop connected to his laptop. He then copied all the packets your laptop sent before sending them on to the hotel’s router. From there, they were sent over the Internet to your bank. He thus had all the information he needed to sign on to your company’s bank account, including cookies, bank-account numbers, user names, and passwords.
If there had been a lot of people using laptops in that hotel bar, traffic to the router might have been significantly slowed, since it would have had to first go through his laptop and then on to the router. His laptop might have created a bottleneck, possibly alerting you something was amiss. But, as it was just he and you in the bar, you probably attributed any slowdown to the nature of island living.
Similarly, you might have received a notice from your browser that there was an issue with the certificate of the site to which you were connecting. You likely clicked “ignore,” figuring this too was a necessary consequence of signing on to the Internet from the tropics.
Had you looked, you might have noticed that the “lock” symbol in your browser was not present, as it usually is when you sign on to the bank’s Web site. No surprise. Most people do not even notice that.
With your account number, user name, and password, the man in the bar probably signed on to a legitimate VPN service and then logged on to the bank’s Web site, using your credentials. He might even have done this while you were still logged on. In any event, by the time you were showering for dinner, he had siphoned $2 million from your company’s bank account.
Subtle Differences
Now, what about that insurance policy? Why was there no coverage?
The risk of being victimized by this sort of attack is, naturally, one of the reasons your company acquired cyber-insurance. It is this sort of risk that many insureds rightly think they are protected against when they purchase such insurance. Unfortunately, even though many cyber policies are marketed as if they provide such protection, some of the policies sold do not.
A recent decision by a New York court illustrates this point. In Universal American v. National Union Fire Insurance Company, Index No. 6501613/2010 (Jan. 7, 2013), Universal American bought insurance to cover cyber risk. The policy provided coverage for:
Loss resulting directly from a fraudulent
(1) entry of Electronic Data or Computer Program into, or
(2) change of Electronic Data or Computer Program within the Insured’s proprietary Computer System … provided that the entry or change causes
(a) Property to be transferred, paid or delivered,
(b) an account of the Insured, or of its customer, to be added, deleted, debited or credited, or
(c) an unauthorized account or a fictitious account to be debited or credited.
In 2008, Universal lost more than $18 million as a result of entries with access based upon legitimate user authorizations. Upon discovery of its loss, Universal submitted a claim to National Union. The claim was denied. National Union argued that the intent of the policy was “to provide coverage against computer hackers, i.e., situations in which an unauthorized user accessed the system and caused money to be paid out.”
A trial court agreed with National Union, and the appellate division recently affirmed that decision as well.
The same reasoning explains why there was no coverage for the man-in-the-middle attack in that hotel bar. There was no “situation in which an unauthorized user accessed the [insured’s] system …” Arguably, your computer was not accessed; nor was the hotel’s. In fact, in a sense, your computer accessed the hacker’s machine. And the bank’s system was used, just as in the Universal American decision, with legitimate user credentials, albeit by an illegitimate user.
There is little doubt that the right cyber insurance is a sound investment and an important way to transfer the financial burden of cyber risk. But in many cases, the insurance may not protect against all cyber risks. Perhaps more than with any other insurance product, it is important to know what is being bought.
This may require consultation with legal and information technology professionals who can review the company’s network practices and evaluate whether the coverage offered responds appropriately to the risks faced. Companies with many users accessing networks from the road should, for example, be sure to buy insurance that would cover man-in-the-middle attacks.
With no standard form for cyber insurance, coverages may differ in subtle ways. Many policies, for instance, only cover loss of banking credentials where the credentials are lost as a result of unauthorized access to the insured’s computer system.
Companies need to ensure that the form they buy defines “unauthorized access of computer systems” so that it is broad enough to include man-in-the-middle attacks. If there is any doubt about the extent of coverage, seek clarification from the insurer and/or the insurance professional.
Some insurers offer policyholders buying cyber insurance benefits in addition to financial coverage. From such insurers, policyholders may obtain information on cyber risks and loss control, as well as educational programs. These programs may assist companies in developing cyber-security practices, including, for example, educating employees on the tools needed when they engage in company business over the Internet.
One leading security professional, for instance, recommends that banking business only be conducted on a computer dedicated to that task, which is booted from a live CD.
In the end, to protect themselves against cyber risks, companies need to be as careful with the cyber insurance they buy as they are with the networks they access.
Lon A. Berk is a partner in the insurance-recovery and cyber-investigation practices at Hunton & Williams LLP, McLean, Va. Reach him at lberk@hunton.com. The opinions in this article are neither the firm’s nor its clients’.
The Attack of the Man in the Middle
1. While on vacation, you grab your laptop and hit the Tiki Bar to pay a corporate bill online, via your company’s bank account.
2. Meanwhile, a hacker sitting at a nearby table just logged in to Coconut42, the bar’s wireless network, copied its identification beacons, and set his laptop up to emulate the router’s credentials.
3. You power up your laptop, spot Coconut42—the only wireless network listed—and connect. Then you log in to your company’s bank account and pay the bill. But, since you’re connected directly to the hacker’s laptop and not the bar’s router, he can intercept, copy, and decrypt all the data you send before he passes it along to the bar’s router, which in turn sends it to the bank. The same is true in reverse.
4. With your security credentials in hand, the hacker is free to log in to your corporate bank (as you!), transfer $2 million to foreign bank accounts, and move on to the next Tiki Bar.
Warning signs
There are no foolproof methods to spot a man-in-the-middle attack, but there are a few warning signs you can watch out for:
– Network speeds are slow.
– Your browser notifies you that there’s a problem with the bank’s security certificate.
– The “lock” symbol in your Web browser is missing.
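The sidebar describes the copied beacon: two radios advertising the same network name, one of them the hacker's laptop. A laptop or a hotel's IT staff can check a Wi-Fi scan for exactly that pattern before joining. The script below is an added example, not part of the article; the scan records are constructed (only the network name Coconut42 comes from the article, every BSSID, channel and signal reading is made up), and the allow-list of known access points is an assumption about what an operator would maintain.

```python
"""Rogue-access-point ("evil twin") check over a Wi-Fi scan.

Added example. Two independent tests are applied to a list of beacon records:
  1. with no prior knowledge, an SSID advertised by more than one BSSID
     (radio address) is suspect, the stronger signal listed first because
     a copycat sitting at the next table is usually the nearer radio;
  2. with an operator's allow-list of legitimate BSSIDs per SSID, any
     other radio advertising that SSID is suspect.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str       # network name carried in the beacon
    bssid: str      # MAC address of the radio sending it
    channel: int
    rssi_dbm: int   # received signal strength; nearer radios read higher (less negative)


# Constructed sample scan (not real data). aa:bb:cc:00:00:01 is assumed to be
# the bar's real router; the second Coconut42 entry is the copied beacon.
SAMPLE_SCAN = [
    Beacon("Coconut42", "aa:bb:cc:00:00:01", 6, -67),
    Beacon("Coconut42", "de:ad:be:ef:00:42", 6, -41),
    Beacon("HotelGuest", "aa:bb:cc:00:00:02", 11, -70),
]

# Hypothetical allow-list an operator would keep: SSID -> BSSIDs that serve it.
KNOWN_APS = {
    "Coconut42": {"aa:bb:cc:00:00:01"},
    "HotelGuest": {"aa:bb:cc:00:00:02"},
}


def find_suspect_beacons(scan, known_aps=None):
    """Return {ssid: [suspect bssids, strongest signal first]}.

    If the SSID is in known_aps, only radios outside the allow-list are
    reported; otherwise every radio of a duplicated SSID is reported.
    """
    by_ssid = defaultdict(list)
    for beacon in scan:
        by_ssid[beacon.ssid].append(beacon)

    suspects = {}
    for ssid, beacons in by_ssid.items():
        bssids = {b.bssid for b in beacons}
        if known_aps and ssid in known_aps:
            flagged = bssids - known_aps[ssid]
        elif len(bssids) > 1:
            flagged = bssids
        else:
            flagged = set()
        if not flagged:
            continue
        # Order flagged radios by signal strength, strongest first, without duplicates.
        ordered = []
        for b in sorted(beacons, key=lambda b: b.rssi_dbm, reverse=True):
            if b.bssid in flagged and b.bssid not in ordered:
                ordered.append(b.bssid)
        suspects[ssid] = ordered
    return suspects


def safe_to_join(ssid, scan, known_aps=None):
    """Defensive decision: refuse to join an SSID that has any suspect radio."""
    return ssid not in find_suspect_beacons(scan, known_aps)


if __name__ == "__main__":
    for name, result in (("no allow-list", find_suspect_beacons(SAMPLE_SCAN)),
                         ("with allow-list", find_suspect_beacons(SAMPLE_SCAN, KNOWN_APS))):
        print(f"{name}: {result}")
    print("join Coconut42?", safe_to_join("Coconut42", SAMPLE_SCAN, KNOWN_APS))
```

The check mirrors the article's caveat that nothing here is foolproof: a clean scan is not proof of safety, since a copied beacon can also carry the real router's address, and the allow-list only helps where someone actually maintains it. It does turn the "only wireless network listed" situation in the sidebar into something a machine can refuse on, rather than a judgment the traveller must make at the bar.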