On-Line Banking Theft, It’s Worse Than You Think

When was the last time the local news carried a story of a bank robbery?  I’m referring to the ski mask and firearm weapon of choice.

Such robberies are far rarer than they used to be.

Sadly, movies like Ocean’s Eleven and The Italian Job glorified that kind of criminal.

Banks do not report news of credit card fraud or online banking theft to “protect the public”, but inside sources tell me it’s a lot worse than you think.

Today, cyber criminals are at it more than ever.

Criminal Intent #1 – Phishing Email

Phishing email is the common one.  The attacker sends you an email dressed up to look like it came from the PayPal Security Center or even from your own bank.  Of course, I always get a chuckle when I don’t even have an account at that particular bank.  I could hit “Delete”, but now I choose “Add Sender to Blocked Senders List”.

They are getting clever at disguising themselves.

They are targeting everything under the sun, including Telecom and VoIP providers.

Here is an example aimed at Vonage customers.  The link text the victim sees and the address the browser actually opens are two different things:

Displayed URL: https://secure.vonage.com/vonage-web/features/index.htm

Actual URL: http://secure.vonage.com.vonage-web.public.search.q-87234jasndjsad883qhhsjfsdkf88-ie-searchbox.form-ie2src.001at1977.com

Read the real address from the right.  The registered domain is the last two labels, 001at1977.com; everything in front of it, including “secure.vonage.com”, is just a subdomain the criminal chose so that the start of the address looks right in the status bar.  Note also that the displayed link is https while the real one is plain http, so anything typed into that page crosses the wire in the clear.
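The check a mail filter or a careful reader performs on such a link can be written down.  The following is an added example, not code from the original post or from Vonage; it takes the two URLs above as constructed input and reports the registered domain behind each, whether the brand name is merely a subdomain of somebody else’s domain, and whether the real link downgrades from https to http.  It assumes, as a simplification, that the registered domain is always the last two labels of the host; real code should consult the Public Suffix List, since suffixes such as co.uk have more than one label.

```python
from urllib.parse import urlsplit

# The two URLs from the phishing example above (constructed sample input).
DISPLAYED_URL = "https://secure.vonage.com/vonage-web/features/index.htm"
ACTUAL_URL = ("http://secure.vonage.com.vonage-web.public.search."
              "q-87234jasndjsad883qhhsjfsdkf88-ie-searchbox.form-ie2src.001at1977.com")


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually registered.

    Simplifying assumption: the registered domain is the last two labels.
    That is wrong for multi-label public suffixes such as co.uk; production
    code should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(displayed: str, actual: str) -> dict:
    """Compare the link text a victim sees with the href the browser follows."""
    shown, real = urlsplit(displayed), urlsplit(actual)
    shown_host = shown.hostname or ""
    real_host = real.hostname or ""
    shown_domain = registrable_domain(shown_host)
    real_domain = registrable_domain(real_host)

    # Brand name used as a subdomain: ".vonage.com." occurs inside the host
    # even though the registered domain at the right-hand end is another one.
    brand_in_subdomain = (shown_domain != real_domain
                          and f".{shown_domain}." in f".{real_host}.")

    return {
        "displayed_domain": shown_domain,
        "actual_domain": real_domain,
        "domain_mismatch": shown_domain != real_domain,
        "brand_in_subdomain": brand_in_subdomain,
        # The visible link promises TLS; the real one sends everything in clear.
        "https_downgrade": shown.scheme == "https" and real.scheme == "http",
        # Phishing hosts are padded with many labels to push the real domain
        # out of sight in a narrow status bar.
        "label_count": real_host.count(".") + 1,
    }


if __name__ == "__main__":
    for key, value in analyse_link(DISPLAYED_URL, ACTUAL_URL).items():
        print(f"{key:20} {value}")
```

For the Vonage pair the report shows vonage.com as the displayed domain, 001at1977.com as the actual one, the brand sitting in a subdomain, an https-to-http downgrade, and a ten-label hostname; a legitimate link from secure.vonage.com to www.vonage.com raises none of those flags.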

Criminal Intent #2 – Key Logger Software Trojans

It gets worse…

Cyber criminals are also spreading trojans that install key logger software.  Once a key logger is on the PC, every password, PIN and challenge answer typed at the keyboard goes to the criminal, however many of them the bank asks for.

Even with a 0.001% success rate, that’s still 10 live bank accounts for every 1 million users, and a million users is easy to accumulate.  Lyrics, shareware/freeware and ring tone sites are the worst for nasty viruses, worms and trojans.

Banks should require two-factor authentication, such as an RSA token or even biometrics (e.g. a fingerprint).  The old expression is “something you know and something you have”.  A one-time code from a token changes every time, so a keylogger that captures one is left with a code that is useless once its short window has passed.

A single-factor system can also be “tiered”, for instance with multiple passwords or pre-defined challenge questions, but every one of those is still something you know, and a keylogger captures all of them just as easily as it captures one password.

Guarding Against Hacker Intrusions – A Single Password is not Enough!

The Federal Financial Institutions Examination Council (FFIEC) guidance quoted below tells banks and credit unions that a password alone may not be adequate, and that for sensitive data, high-value transactions and privileged access they should be requiring at least one more identification factor.

In other words, for transactions to be more secure, banks in the US are expected to demand more identification from their online customers than a single password.

From: http://www.ffiec.gov/ffiecinfobase/booklets/e_banking/ebanking_02_risk_mang.html

Authenticating Existing Customers

In addition to the initial verification of customer identities, the financial institution must also authenticate its customers’ identities each time they attempt to access their confidential on-line information. The authentication method a financial institution chooses to use in a specific e-banking application should be appropriate and “commercially reasonable” in light of the risks in that application. Whether a method is a commercially reasonable system depends on an evaluation of the circumstances. Financial institutions should weigh the cost of the authentication method, including technology and procedures, against the level of protection it affords and the value or sensitivity of the transaction or data to both the institution and the customer. What constitutes a commercially reasonable system may change over time as technology and standards evolve.

Authentication methods involve confirming one or more of three factors:

  • Something only the user should know, such as a password or PIN;
  • Something the user possesses, such as an ATM card, smart card, or token;
  • Something the user is, such as a biometric characteristic like a fingerprint or iris pattern.

Authentication methods that depend on more than one factor are typically more difficult to compromise than single-factor systems therefore suggesting a higher reliability of authentication. For example, the use of a customer ID and password is considered single-factor authentication since both items are something the user knows. A common example of two-factor authentication is found in most ATM transactions where the customer is required to provide something the user possesses (i.e., the card) and something the user knows (i.e., the PIN). Single factor authentication alone may not be adequate for sensitive communications, high dollar value transactions, or privileged user access (i.e., network administrators). Multi-factor techniques may be necessary in those cases. Institutions should recognize that a single factor system may be “tiered” (e.g., require multiple passwords) to enhance security without the implementation of a true two-factor system.