Bank Tellers stealing Identities

Ever consider the possibility that a person gets a job as a bank teller…for the sole purpose of stealing a patron’s identity?

Do you realize how easy this would be?

  • No techy hacking skills required.
  • No gun required.

So we’ve all been instilled with fear of our bank getting data breached by Russian hacking rings, while that mousy looking teller with the sweet smile could be your greatest threat.

A nytimes.com article points out that a teller from Capital One had gained access to seven accounts and gave information to a co-thief who drew checks on these accounts.

Tellers can fake debit cards and wire unauthorized funds. They can also sell personal data to other thieves.

The nytimes.com article says that a teller was part of an ID theft ring that stole $850,000. The idea of tellers committing these thefts is very real. One teller even took photos with a cell phone of account data to cash phony checks. Another thief, who worked at a credit union, took loans out in customer’s names.

There are many ways that tellers can steal, including creating credit cards in customer’s names. Tellers may also be easily bribed by thieves to sell them customer information, as the tellers’ income isn’t that great, averaging about $25,000 a year.

The thieves, who bribe the tellers, don’t necessarily pay them with money. They may offer them luxuries that the teller can only dream of, such as flying in private jets and meeting famous athletes, says the nytimes.com report.

And if you think that banks require rigorous background checks for new teller  hires…think again. Furthermore, continues the article, savvy thief-tellers will keep their fraudulent withdrawals under $10,000, to keep below the detection radar. These sneaks can get away with this for years.

The general rule of thumb is that tellers have way too much access to customers’ data, and banks are lax at correcting this problem beyond simply reimbursing customers with their stolen money. The banks don’t want to invest the money and time in straightening out this problem, though a small number of banks have implemented tighter controls on tellers.

But what can we, the customer, do? We just have to keep our fingers crossed? The most effective way to prevent fraud is to do two things:

  1. Go over your accounts security controls with a bank advisor. Set up limits on transactions, require second signatures for large dollar amounts, and restrict money flow in any way that will cause financial harm.
  2. Set up alerts and notifications, so you, the account holder can become fully aware of every transaction of any kind.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Protect from Personal Loan Scam

Are you thinking of getting a personal loan? Hopefully you have a high credit score, as this will give you a better chance of getting the loan through a legitimate company. But even if your credit is excellent, you need to be aware of the personal loan scams out there.

2DNot Respecting Your Limit

  • You don’t want to do business with a lender that pressures you into borrowing more than you can handle

Upfront Payment

  • You should never have to pay any fees for the application process. If you’re requested to do this, move on.

Pumped up Interest Rate

  • Know what the going interest rate is. A good lender will quote you near this average rate.
  • A bad lender will recognize the desperation of the applicant with bad credit and try to sock them with an abnormally high interest rate.

Us and Only Us

  • Be suspicious of lenders that don’t like the idea of you shopping around for better rates.
  • This is a red flag that they have questionable loan practices.

Location, Location

  • An honest, legitimate lender or bank has a verifiable physical address. Get this confirmed with Google maps.
  • If you can’t, move on. But know that even a predatory lender may have a very solid physical address.

Solicitations

  • As in ones you didn’t request. Watch out for banks that send you unsolicited invitations for a personal loan application.

 

Don’t Be Intimidated

  • Because a seedy outfit may want to scare you into closing on their loan. But they can’t do anything to you, even if they use the term “legal action.”
  • If you want to reject their loan offer, then do so.

SSN

  • Does the lender want your Social Security number? This is fine if they’re wanting to do a credit check.
  • If they’re not doing a credit check but want your SSN, move on.

Signing Empty Documents

  • Do not sign anything that does not have the interest rate, terms, loan amount, monthly payment and other crucial information.
  • Before signing anything, make sure there are no blank areas that can be filled in later.
  • Run if the lender wants you to sign something that’s missing information.

Guaranteed!

  • Is a bank guaranteeing your personal loan? Sounds great, right?
  • Not so fast. They cannot do this if they have not verified your financial history or credit history.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Bank Account depleted, Company sues

Is it Bank of America’s fault that a hospital was hacked and lost over a million dollars? Chelan County Hospital No. 1 certainly thinks so, reports an article on krebsonsecurity.com. In 2013, the payroll accounts of the Washington hospital were broken into via cyberspace.

4HBank of America got back about $400,000, but the hospital is reeling because the hospital says the bank had been alerted by someone with the Chelan County Treasurer’s staff of something fishy. The bank processed a transfer request of over $600,000—even though the bank was told that this transfer had not been authorized.

In short, some say Bank of America failed to follow contractual policies. And what does the bank have to say for this? They deny the lawsuit allegations. They deny brushing off the hospital’s alert that the wire transfer was not authorized.

This scenario has been replicated many times over the past five years, says the krebsonsecurity.com article. Hackers use Trojans such as ZeuS to infiltrate banks. And not surprisingly, phishing e-mails are the weapon of choice.

Though bank consumers are protected from being wiped out by hackers as long as they report the problem within 60 days, businesses like hospitals don’t have this kind of protection. The business victim will need to sue the bank to recoup all the stolen money. Legal fees will not be covered by the defendant, and they are enormous, which is why it’s not worth it to sue unless the amount stolen is considerable.

Businesses and consumers should:

  • Require that family and employees from the ground up complete security training that includes how to recognize phishing e-mails.
  • Stage phishing attacks to see how well everyone learned their security training
  • Retrain those who fell for the staged attacks
  • Make it a rule that more than one person is required to sign off on large transfers
  • Know in advance that the bank will not reimburse for most of the stolen money in a hacking incident, and that legal fees for suing can exceed the amount of money stolen.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. Disclosures.

Sad Scary State of Bank Security

Who needs guns, threatening notes to rob a bank when you can do it with just your fingertips inside your home?

1SA hacking ring in the eastern portion of Europe may be the most successful team of bank robbers to date, having purportedly robbed $1 billion from multiple banks. This can only be done by infecting computers with malicious software (malware) and sucking out all the money.

Obviously, these hackers aren’t dumb criminals, but they also play on poor security measures of the banks. Apparently, the success of the hackers’ attack was contingent upon an employee clicking on a malicious link in an e-mail or opening a malment in the e-mail (“malment” = malicious attachment).

And that’s exactly what happened; someone fell for the oldest cyber trick in the book. This could have been prevented by not only having Microsoft updates done on a regular basis and having updated antivirus, but educating employees.

The next step in the chain reaction was the triggering of Carbanak, a virus that installs software that logs keystrokes…figuring out passwords this way. But Carbanak also captured screenshots.

How could banks let something like this happen?

Let’s Dissect this Robbery

The thieves sent out phishing e-mails—those containing malicious links or attachments—that are designed to trick people into clicking on them because the messages look legitimate. The crime ring just sat back and waited, knowing it was only a matter of time before someone clicked on one of their malments.

The keylogging gave the thieves all the information they needed to drain the banks. Boy, they sure broke in easily! All because the banks didn’t keep their devices security updated, leaving an unpatched opening—and perhaps the employee(s) who fell for the ruse were doing banking business on the same device they use for personal use—big huge mistake.

And whose fault is that? The bank’s; we can’t expect the run-of-the-mill employee to have built-in knowledge about how hacking rings work and that it’s a gateway to cyber theft if one mixes business activities and personal activities on the same computer. Learn from their mistakes. Update your devices and don’t click links in emails.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. Disclosures.

What happens when a Bank Account is hacked?

Who’d ever think that 50 years ago, your money was safer in your bank account than it is today in this “modern” age: remote theft. If you bank with a large or small bank, your account may be at risk by hacking rings.

7WHowever, most of the time, but not always, if your account is drained by a cyber thief, the bank will cover it for you.

The latest information is that a big attack is planned in the spring, but it’s the “It’s easier to get one dollar from a million people than it is to get a million bucks from one person” type of attack plan. The apparent hacking plan involves stinging mass numbers of banking customers via the customers’ computers.

Because banks are a favorite target for cyber thieves, financial institutions are always improving their cyber security. However, criminals get into bank accounts by suckering customers into revealing personal information; we’re talking thieves who don’t directly hack the bank, but hack YOU.

  • Never click links inside e-mails—including those that SEEM to be coming from PayPal, Chase or whatever institution you use.
  • Typically, these scam messages are constructed by thieves posing as your bank. They tell you your account is about to be compromised, or there are suspicious withdrawals or something else to grab your attention, and that to correct the problem, you must visit their site and enter some information. This is a scam to get your login information! The phony site that the link goes to is constructed to look exactly like the authentic bank sites.
  • If you’re not convinced these scammy e-mails you got have gone to a million other people, then phone your bank and inquire about the message.
  • Never use the “remember your computer” option that banks offer. Forget the convenience; just deal with the login hassle every time for better security.
  • Don’t hide your savings in your house because you figure they’re safer there. If you follow the aforementioned rules, your money will be far safer in your bank than hidden inside your toddler’s teddy bear.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

10 Simple Tips to Bank Safely Online

One of the issues I’m passionate about, as an online-security analyst, is that of banking safely online; so I recommend the following simple tips to help ensure your security in cyberspace.4H

  1. Wired ethernet link. This offers more security than does a powerline or Wi-Fi network. In fact, the powerline carries your data via electrical wires—not secure at all. Data from wires can leak into adjacent homes, and Wi-Fi signals are out in the open, literally. An ethernet attack, however, may require a home break-in by the crook, and then he has to set up his device.
  2. Nevertheless, powerline and Wi-Fi do come with encryption capabilities; encryption scrambles data for safer online banking. Any attacker would need your password to infiltrate. But remember this: Wi-Fi’s WEP, which is obsolete, can be hacked into, even though it’s still offered as an option for router setup.
  3. Do not leave a router on its default password. Otherwise, crooks can get in and redirect your traffic to who knows where.
  4. Never trust third-party Wi-Fi hotspots.
  5. Make sure that the financial site you visit has a padlock icon and “https” before the URL address; this means it’s secure and legitimate. “Http” (no “s”) is not secure.
  6. Keep up to date on security updates for your browser and operating system. This will protect against a crook who uses a keylogger to track your keystrokes. With a keylogger, a hacker can get your keystroke pattern and will figure out your passwords.
  7. Never click on links in e-mails. Even if it’s supposedly from your bank. Never.
  8. To really beef up online banking security, use a separate computer just for online banking.
  9. Enable your financial institution’s two-step verification. This is typing in a password that’s one-time, that gets texted to you. Unfortunately, many banks don’t have this tactic. But if you’re concerned with banking safely on the Internet, see if your institution does. If you can’t find this information on their web site, call them.
  10. One more simple tip about safe online banking: Hotspot Shield VPN service guards your entire online experience when you’re using unprotected networks, such as at coffee houses, hotels, airports, etc., be they wired or wireless.

You can have peace of mind that your web sessions (downloads, filling out forms, shopping, banking) are safe and secure with the https-protected tool. With Hotspot Shield, all mobile data is encrypted. Hotspot Shield also has a mobile version, and it compresses bandwidth so that you can download nearly double the content at the same cost. This VPN service has saved 102.9 million megabytes.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Banks and Retailers fight it out over Who’s at fault

The duking out between banks and retailers was launched this past December when a credit card data breach occurred to an estimated 110 customers of a big retail store.

1CIs the retailer responsible? Should the credit card issuers or banks take the brunt of preventive action? What about the consumer? Lawmakers are trying to figure out what can be done to keep the consumer’s data safe from hackers.

The 110 million breach aside, the generality is that the big tripod (banks, retailers, credit card issuers) doesn’t seem to grasp the concept of shared responsibility when it comes to protecting consumers’ data.

James Reuter of the American Bankers Association points out that banks tend to take the brunt of the responsibility with data breaches, way more than what banks are even accountable for. Banks “are making customers whole,” he says.

Meanwhile, retailers are all banding together saying that the customers have zero liability. Retailers know that the banks will swoop in and bear much more financial burden than they’re actually responsible for.

Reuter believes whichever entity—be it a retailer, card company or even bank—is responsible for hacking due to lame protection strategies, should take full responsibility.

Banks really want retailers to step up to the plate too. Forty-six states already have standards for businesses to inform customers of data breaches. However, banks would like a federal standard. Senators Tom Carper and Roy Blunt have introduced such a bill.

After a breach may be too late:

The customers of the breached retailer in December didn’t just have their credit card numbers taken, but other data such as e-mail addresses and phone numbers. Once hackers have these, they have more tools with which to drum up identity theft schemes—something they can’t do with just a credit card number.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Banking and Brokerage Accounts vulnerable to “Account Takeover”

It wasn’t pretty: those fairly recent credit card breaches at a few big-name retailers. As newsworthy as these were, they’re actually not the greatest risk for wealthy folks; a bigger foe is a money management firm lacking sufficient checks and balances.

3DAttack schemes:

Another type of attack can hit an organization hard: some cyber punk getting into your clients e-mail account, then using their stolen information to rob money from the clients financial accounts. E-mail related fraud is booming.

Perhaps the biggest scheme is when an employee gets an e-mail in which someone is requesting money—and urgently. Often, the employee is lured into clicking on a link inside the e-mail, and the end result is that the employee ultimately reveals personal data, allowing the system to get hacked.

Another common realm of infiltration is via unsecured public wireless networks, such as at an airport or hotel. Fraudsters will set up hot spots—fake, of course—that yield Internet access but will ensnare employee data.

Employees can also expose their accounts to hacking by using their e-mail address to log into their own financial accounts. This makes the job easier for cybercriminals.

Protect Your Business

Here are some ways to add protection:

Revamp how employees wire money for clients (one way to do this is to require that the recipient’s authenticity be verified with a phone call).

Clients should verify any and all wire transfers from their accounts.

If a client’s computer is not recognized or has an unfamiliar IP address, the client should be called with a code that completes the transaction.

Incorporate multifactor authentication in the login process and when transfers of any substantial amount are made.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Big Time Identity Theft Hackers Indicted

Robert Siciliano Identity Theft Expert

ABC news and a bazillion other outlets report that a former informant for the Secret Service was one of three men charged with stealing credit and debit card information from 170 million accounts in the largest data breach in history. The former informant, Albert Gonzalez of Florida, A.K.A “Segvec”, “SoupNazi,” and “j4guar17,” whose motto was ”Get Rich or Die Tryin'” was alleged to have been the ringleader of the criminal hacking operation of a prolific network that spans over five years of serious criminal activity. Once a criminal, always a criminal.

Gonzalez and two other unidentified hackers believed to be from Russia have been charged with hacking into Heartland Payment Systems, 7-11 and Hannaford Brothers Company, Dave and Busters and TJX Corporation, which involved up to 45 million credit card numbers..

Gonzalez was originally arrested in 2003 by the U.S. Secret Service and began working with the agency as an informant. Federal investigators say they later learned that the hacker had been tipping off other hackers on how to evade detection of security and law enforcement worldwide.

Gonzalez provided “sniffer” software used to intercept the credit and debit card numbers for the Russian hackers. Sniffer software or “malware” malicious software, acts like a virus attaching itself to a network and often spreading. The software allows the criminal hacker backdoor access to all the data in the server and provides remote control functionality.

The NY Times reports according to the indictment, Gonzalez and his conspirators reviewed lists of Fortune 500 companies to decide which corporations to take aim at and visited their stores and used a technique called “wardriving” to monitor wireless networks. The online attacks took advantage of flaws in the SQL programming language, which is commonly used for databases.

Threat Level, by Wired magazine, reported that Gonzalez had lived a lavish lifestyle in Miami, once spending $75,000 on a birthday party for himself and complaining to friends that he had to manually count thousands of $20 bills when his counting machine broke.

Protect yourself;

1. You can’t prevent this type of credit card fraud from happening to you when the retailer isn’t protecting your data. Eventually credit card protection solutions will  be available. For now, protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

2. Prevent new account fraud.  Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

3. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing credit card data breaches and the sad state of cyber security on Fox News

Criminal Hackers Clean Out Bank Accounts Using Spear Phishing

Robert Siciliano Identity Theft Expert

It wasn’t long ago that most phishing emails were from a supposed Nigerian General Matumbi Mabumboo Watumboo. And you and I were flattered that we were the chosen ones to help the general transfer 35 million out of the country, because the Nigerian government was a bunch of jerks and wouldn’t let him keep the inheritance his wife had inherited from her deceased uncle Bamboo.

Phishing continues to become more sophisticated, more effective, and more prevalent. According to a recent study, a 52% increase in phishing scams occurred in July alone. Computerworld reports that basic phishing emails successfully led to corporate bank accounts being completely drained. Criminal hackers waited until Pennsylvania schools administrators were on vacation, then used simple  money transfers to liquidate over $440,000 between December 29 and January 2.

Much of the phishing that occurs today is “spear phishing,” in which the spammers concentrate on a localized target, generally an individual with control over a company’s checkbook. This insidious type of phishing occurs when a recipient clicks a link, either in the body of an email or on the spoofed website linked in the email, and a download begins. That download is almost always a virus with a remote control component , which gives the phisher full access to the user’s data, including user names and passwords, credit card and bank account details, and Social Security numbers. The malicious software can attach itself to the victim’s web browser, where it waits for the victim to log into a bank site before launching. When the victim does log into his or her bank account, the software sets up new payees and transfers money to the criminal hacker.

In the school hack, the software added 42 people to its payroll during Christmas break and quickly began paying them. The issuing bank received 74 transfer requests during the four day period.

When consumers’ bank accounts are emptied, federal regulations limit their liability to $50, as long as the victim reports the theft within a set time frame. But things are a lot more complicated for corporations and other entities. Whether or not the victim is responsible for the missing cash varies from bank to bank.

Protect your yourself.

This is an easy fix, rule #1 – don’t click on links in an email if you aren’t 100 percent sure of its legitimacy. Whenever I receive an electronic statement from a bank or credit card company I always go to my “favorites” menu or type in the address manually to get to the entities website to check my statement. I’m only 99.9% sure its legit, so I just take the extra step to go to my favorites.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

3. Make sure your McAfee anti-virus is up to date and set to run automatically.

4. Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.

5. Check your bank statements often, online, at least once a week.

Robert Siciliano Identity Theft Speaker discusses phishing