Hackers thwarted in bid to steal from Broadalbin-Perth school district

PHOTOGRAPHER: Michael Lamendola

Hackers tried to steal nearly $400,000 from the Broadalbin-Perth Central School District’s bank accounts but failed because of sophisticated security protocols, including the use of real-time password-generating systems, district officials said.

“It was simply someone out there trying to hack into our systems to take some money out of our accounts,” said district Superintendent Stephen Tomlinson. The school’s accounts with First Niagara contain millions of dollars at any one time, he said.

The attacks occurred about a week ago when hackers sought wire transfers of $38,000 and $350,000, school officials said. The hackers could not complete the transfers due to security protocols used by the district and the bank, Tomlinson said.

“We are fortunate we have checks and balances in our business office to catch this. There are multiple people who need to be involved in transfers of money,” he said.

One of the protocols is the use of a device that generates a pass code that is time-synchronized to a similar device at the bank. The district employee has to enter an instantly generated pass code within seconds of the transaction, otherwise the transaction is aborted.

Sanjay Goel, an associate professor with the School of Business at the University at Albany and an expert on computer hacking, said the devices are one of the best ways to combat unauthorized access to financial accounts.

Tomlinson said he does not know where the hackers were from, or whether they are even in the U.S. He said the school district is working with the bank’s fraud identification unit to analyze the attack.

Tomlinson said the loss of $400,000 would have been a blow to the district. “In these tough fiscal times, losing that money would not have been beneficial,” he said. “The message is we are very diligent in how we are protecting taxpayer money. There is a lot in place to protect the money.”

Hackers apparently gained access to the district’s financial data after a school employee opened an email, Tomlinson said. “They sent a spam email to one of the computers in the office. The email was opened and released a software program. The program collected data about our financial institution,” he said.

The infected computer was networked to other computers within the district and the malicious program, or malware, found its way to a finance office computer. Tomlinson said the district has isolated the infected computer.

Goel said the malware was likely a trojan that opened a “back door” on the computer, then installed a key logger. “The key logger records every stroke that you strike and sends the data back. They can then harvest the password,” he said. “It is easy to mine through the data. They use harvesters to quickly identify user IDs and passwords.”

Mark Shaw, president of Storedtech of Albany, an information technology company, said: “Malware is embedded in everything. People spend time writing software to trick you to go their website. They look for an entry point into your computer and they use a lot of social engineering to gain access.”

In the past, individuals sent most of the spam, but Goel said organized crime has taken up the effort. Email is sent to institutions as well as individuals, and most do not have sophisticated protections, he said.

“Attacks happen all the time,” Goel said. “These are random attacks, attacks of chance.”

Shaw said malware is “big business and people make a lot of money out of it.” He said despite all the warnings about malware, “people fall for it. It still works.”

People may not even know their computers are infected, or may not realize it until the computer starts running slowly. Shaw said people should run anti-malware programs often on their computers, rather than anti-virus programs, to catch bad software before it can cause harm, such as grabbing information about credit cards or other financial data.

Goel has not heard of similar attacks occurring recently in the area. Shaw called the attack on Broadalbin-Perth “a happy coincidence” for the hackers, as they “are out for the average consumer.”

In 2009, hackers succeeded in stealing $500,000 from a Duanesburg school district bank account. They had tried to steal $3.8 million.

The state Comptroller’s Office is suggesting school officials with access to online banking be educated on how to make sure they aren’t leaving critical information available in the event computer hackers get malicious software into the system or unauthorized personnel get access to computers.