It looks like bank account and retirement account theft are going to be this years “stolen laptop.” By that I mean it will be the story that is reported with increasing frequency.
Today’s story is found in Techworld. It seems that some participants in the Governments Thrift Savings Plan had a keystroke logger installed on their computers. The bad guy used the login and account information to electronically transfer cash to other accounts.
“External penetration testing has demonstrated that our system has not been breached,” the TSP said. “There is no evidence of any successful attacks against the system to identify a PIN and thus obtain access.”
This is kind of a strange quote. The failure of an external pen test to identify any holes does not demonstrate that the system hasn’t been breached. To determine if the system has been breached, you would need to examine the system logs, IDS logs, etc. To trust those logs it would be necessary to have used a third party log server to preserve the integrity of the logs. A forensic examination of the systems may be needed.