If Carson Treasurer Karen Avilla had had a nagging feeling she was being watched whenever she got on her laptop computer, she would have been right.
Cyber-thieves were able to shift nearly $450,000 from the city's general fund last week by using a program that was able to mimic the computer strokes made by Carson's financial officer. Each time Avilla logged on to her city-provided laptop in the morning, someone was -- virtually -- looking over her shoulder, recording every single keystroke.
Armed with the spyware program, the hackers obtained bank passwords. They wired $90,000 to a "Diego Smith" in North Carolina. One day later, on May 24, the thieves got bolder and wired $358,000 from the city's bank account to a bank in Kalamazoo, Mich.
Avilla and her deputy discovered the theft just in time to have all but $45,000 of the funds frozen. But the experience left city leaders rattled.
"As I sat there with the detectives and the forensic folks from the bank, I thought, 'I don't even want to touch a computer,' " Avilla said Thursday. "I felt violated. It made me think, 'Who's out there?' "
The crime raised concerns about the security of municipal coffers, especially when wireless networks are used. Although such city hacking cases have been isolated, some experts said many municipalities lack the large information technology staffs and large budgets for computer security.
"If you go after a local municipality, they're more likely to have fewer people dedicated to computer security," said Eric Schultze, chief security architect for Shavlik Technologies in Minnesota and a widely cited expert in anti-hacking circles.
Avilla said she still doesn't know how her computer was targeted. She said she doubts it had the latest security software patch protections -- something sheriff's detectives and bank investigators told her is essential in safeguarding her computer.
She said that as soon as word got out, Carson fielded calls from officials in other cities, asking how they could protect themselves.
South Gate City Manager Gary Milliman said he has seen all sorts of fraud perpetrated against cities in 32 years, but nothing like this. "I think it's a concern," Milliman said. "It's something we're going to check into to make sure there isn't a vulnerability in our system."
Earlier this year, the finance director of the Northern California city of Willows discovered that a hacker had taken $4,000 from a city fund. Avilla said cities may not always notice smaller thefts.
"One thousand dollars. You think a bank is going to bat an eye?" Avilla said. "It's not an inexpensive enterprise to have a full team that goes around checking every laptop ever used. I think we can use more IT folks, but when a lot of these departments were created, a few people had computers. Now everyone does. On top of that, almost everyone has a laptop."
Experts said that without up-to-date security software, such a computer could be especially vulnerable if people who use it visit websites that contain spyware.
But hackers also send mass e-mails which, if opened on vulnerable computers, can allow installation of "keystroke loggers."
"It automatically sends all keystrokes logged to a hacker, via e-mail or another form of communication," Schultze said. "So a hacker sitting halfway around the world can log into your bank account, enter your user name and do what they want to do."
Kevin Overcash, vice president of product management for Breach Security in Carlsbad, Calif., said that when organizations started installing a lot of wireless networks, hackers devised ways to breach them through what is called "drive-by hacking."
In trying to provide a service to their residents -- by allowing them to check their water bills via the Web, for example -- municipalities sometimes make themselves vulnerable, he said.
"That kind of access opens you up to hackers. It opens the door for people to have access to data if you do not have good security," Overcash said.
Avilla said she noticed a problem when she found she was unable to log on to the city's bank account. She thought she must have been typing the password incorrectly.
On May 22, the bank gave her a new password. But unbeknownst to her, the cyber thieves got that password as soon as she tapped it into her computer.
On May 24, Avilla and her deputy checked bank balances and discovered the previous day's $90,000 wire transfer to someone in Wilson, N.C. Avilla checked with the bank and discovered the $358,000 transfer that day through National City Bank in Kalamazoo.
"I thought, 'We got a problem,' " Avilla said.
She called the bank and filed a police report, leading to the freezing of the city's funds. No one has been arrested, authorities said.
L.A. County Sheriff's Capt. Todd Rogers said the department's high-tech crimes unit is on the case. The Secret Service is also helping in the investigation, he said.
Avilla said the experience has made her angry and determined to seek legislation that would address the problem. "There's got to be more than one way to fight this," she said. "They get us in so many ways. There's got to be a way for us to get them."