The Green Sheet, Inc

Hackers exploit vulnerability at banking Web site host

If you've visited a regional bank's Web site in the past month, there's a fair chance you've seen a drop-down window that reads:

"Please be advised, our Web site host has notified us that they experienced a possible security compromise on May 25, 2006, between 1:35 p.m. and 2:50 p.m. CST. The matter was quickly identified and corrected. If you were on our Web site during that time and were asked to provide personal information, please contact us ..."

At least a dozen banks have posted such notices. All of Web host Goldleaf Technology's 600 client bank sites were affected by the security compromise, for periods from nine to 91 minutes. Catering to financial institutions, the company also provides ACH processing and remote check capture. Only site hosting was affected, said Scott Meyerhoff, Executive Vice President for parent company Goldleaf Financial Solutions.

"On May 25, there was a successful attempt to redirect bank Web sites we host to a phish site to entice customers to give their personal financial data," he said. Goldleaf's Web sites are static pages: no sensitive bank data resided on the servers or was put at risk. The redirect sent customers through a server in Madrid, Spain, at a large American company that was an unwitting participant.

From there, customers were again redirected to servers in several countries. The phony site did not resemble official bank sites, making customers instantly suspicious. The company quickly suspended Internet access to its services.

A close call

As of June 16, no banks or their customers had reported fraudulent activities stemming from the phishing attempt. "That is heartening to us," Meyerhoff said. He would not discuss the nefarious methods used to redirect bank customers logging onto their trusted banking sites, "other than to say the attempt occurred through our hosted environment."

Computer industry experts and commentators pointed out that Goldleaf's servers were hacked in order to accomplish this feat. "This is different from normal phishing, where they send you an e-mail," said Gavin Reid, Manager of Cisco Systems' Computer Security Incident Response Team. According to Reid, someone external to a system should never be able to gain access to edit HTML coding. Best practices involve securing servers so hackers cannot insert a redirect instruction.

Meyerhoff said, "How [do] we prevent this in the future? Unfortunately, ... this type of activity will not stop. We will remain vigilant to safeguard our customers; having security personnel on staff and fully reviewing the system on a regular basis will ensure we have the safest environment possible."

Customer reactions

Most banks' spokespersons contacted for this story declined or were unavailable to comment. McFarland State Bank Executive Vice President Steve Swanson said the bank was satisfied with Goldleaf's explanation for how the breach occurred and will continue to use its hosting services. However, publicly traded West Georgia National Bank may reconsider its future with Goldleaf. "We're in a decision-making mode," said M. Dan Butler, Executive Vice President and Chief Information Officer. "We were not too happy."

The bank discovered the breach when a customer, suspicious of the phishing site, contacted West Georgia National, which notified Goldleaf. "Even though it was a small period of time, we were the ones calling them instead of them calling us," Butler said.

"We got their comments back in brief form. There was not much to their explanation."

WGNB's own online banking network is monitored by Secure Works. "Goldleaf needs to partner with someone like that and monitor those [servers] every working hour." A few other banks have quietly removed the "designed by Goldleaf Technologies" designation from their sites.

Reflecting on the process

John Pescatore, Vice President for Internet security at Gartner, said, "My understanding is that the attacker was able to install something that ... reflected people to the hacker's site."

"[If] Goldleaf didn't notice until the customer told them, Goldleaf had some process problems," he said.

"It is actually much cheaper to prevent these attacks than to deal with one. Most [financial institutions] spend $90 per account after they get hit. Most of these attacks would cost $16 per customer to [prevent]," Pescatore said.

Article published in issue number 060602

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2006, The Green Sheet, Inc.