
How Banks Fail to Provide Effective Online Security

Robert Siciliano Identity Theft Expert

A Texas bank is suing one of its customers, who was hit by an $800,000 online bank theft, in a case that could determine who is held responsible for protecting online accounts from fraud.

Computerworld reports that criminal hackers based in Romania and Italy launched numerous wire transfers out of the client’s bank account. The bank recovered $600,000 of the $800,000.

The victim wanted all its money back and sued the bank to be reimbursed for the remaining $200,000. The bank in turn filed a lawsuit asking the court to certify that its security was adequate and “commercially reasonable”. The bank wants nothing more than to be absolved of the $200,000.

The bank states that all transfers originated from unauthorized wire transfer orders placed by someone using valid Internet banking credentials belonging to the victim. How the victim’s credentials fell into the wrong hands has not been disclosed. It seems it was the victim’s lax security as opposed to the bank’s. There are numerous ways this can happen. What is evident is that wire transfers of various dollar amounts, ranging from $2500.00 to $100,000, were made to different accounts, all overseas. The basis of the victim’s lawsuit is that the bank should have systems in place to detect such activity.

Small businesses and banks are losing money via attacks on their online banking accounts. It’s very simple: criminal hackers send an e-mail containing a link to a malicious site or download to the employees who handle their company’s bank accounts. These malicious links then steal the usernames and passwords the employees use to log in to their online banking accounts. Done.

So, if my PC is compromised because I don’t have adequate security and $800,000 goes missing from my account, whose fault is it? At first glance some may say the victim’s, others may say the bank’s. There are so many ways passwords can be compromised and accounts taken over, and banks know this, that it should motivate banks to have redundant security in place. Hacks like this undermine people’s confidence in the system.
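As an added illustration (not from Computerworld's report or from either party's systems), here is a minimal sketch of the kind of redundant check described above: it holds wire transfers for out-of-band confirmation when valid credentials are used in an unusual pattern. The thresholds, account names, country codes and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Wire:
    when: datetime
    amount: float
    beneficiary: str   # destination account id (constructed)
    country: str       # destination country code (constructed)

def review_wires(wires, home_country, known_beneficiaries,
                 window=timedelta(hours=24), window_limit=50_000.0,
                 max_new_foreign=2):
    """Return [(wire, reasons)] for wires to hold pending confirmation.
    Thresholds are illustrative assumptions, not any bank's policy."""
    held, recent = [], []            # recent: wires inside the sliding window
    for w in sorted(wires, key=lambda x: x.when):
        recent = [r for r in recent if w.when - r.when <= window]
        recent.append(w)
        reasons = []
        # Rule 1: money leaving the country to an account never paid before.
        if w.beneficiary not in known_beneficiaries and w.country != home_country:
            reasons.append("first-time overseas beneficiary")
        # Rule 2: requested volume in the window is far above normal.
        total = sum(r.amount for r in recent)
        if total > window_limit:
            reasons.append(f"window total {total:,.0f} exceeds {window_limit:,.0f}")
        # Rule 3: fan-out to several new overseas accounts in a short time.
        new_foreign = {r.beneficiary for r in recent
                       if r.beneficiary not in known_beneficiaries
                       and r.country != home_country}
        if len(new_foreign) > max_new_foreign:
            reasons.append(f"{len(new_foreign)} new overseas beneficiaries in window")
        if reasons:
            held.append((w, reasons))
    return held

# Constructed sample: one routine domestic payment, then a burst of overseas
# wires between $2,500 and $100,000 to accounts the customer never paid before.
T0 = datetime(2009, 11, 9, 9, 0)
SAMPLE = [
    Wire(T0, 4_200.00, "ACME-SUPPLY", "US"),
    Wire(T0 + timedelta(hours=1), 2_500.00, "ACCT-A", "AA"),
    Wire(T0 + timedelta(hours=2), 38_000.00, "ACCT-B", "BB"),
    Wire(T0 + timedelta(hours=3), 100_000.00, "ACCT-C", "AA"),
]

if __name__ == "__main__":
    for wire, reasons in review_wires(SAMPLE, "US", {"ACME-SUPPLY"}):
        print(wire.when, wire.beneficiary, wire.amount, "; ".join(reasons))
```

None of these rules depends on the password being wrong, which is the point: they still fire when the login itself is valid.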

Here is a similar story being played out. I’m a big believer in taking action and making sure my systems are secure. And, the bank has some responsibility here too. I, we the public, have limitations on what we can do to be secure. I bet anything the bank will tighten up regardless of what the outcome of the lawsuit is because they have to see there is a weakness in their system. If they don’t, they are stupid.

I’ve been trying to transfer money from one bank account to another. My bank has made it difficult to do so. Painful even. It’s a customer service and a security issue. Ultimately they provide an option to do so and it requires paperwork, online authentication, phone calls and text messages. It’s not a matter of logging in and transferring money by entering another account. Even with my own login details I’m having a hard time transferring money.

Check to see how easy or difficult your bank makes it. Because if it’s easy-peasy, that could be an issue if your PC is hacked.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius identity theft protection and prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU. (Disclosures)

3. Make sure your anti-virus is up to date and set to run automatically.

4. Update your web browser to the latest version. An out-of-date web browser is often riddled with holes worms can crawl through.

5. Check your bank statements often, online, at least once a week.

Robert Siciliano Identity Theft Speaker discussing online banking insecurity

Targeted Injection Attacks on the Rise

Robert Siciliano Identity Theft Expert

In the latter half of 2009, criminal hackers went from mass SQL injection campaigns to targeted attacks. SQL is an abbreviation of Structured Query Language, pronounced “Ess Que El” or “Sequel”. The attackers’ shift in strategy focused on targeting high-profile websites, concluded Websense’s State of Internet Security report for the third and fourth quarters of 2009.

SQL injections have evolved in their purpose and sophistication. Originally, they were meant as a tool to attack a merchant’s database and steal data. Last summer the attack was reconfigured to install viruses that contain a remote control component on users’ computers.

Matt Chambers with Corporate IT Solutions says, “Web applications are one of the most outward facing components a corporation contains in its network design, and one of the least protected. Applications typically take input information and send it to a database for storage and processing. We interact with these kinds of applications every day, whether it’s a signup form or a login page for a favorite networking site.”

Patrik Runald, senior manager of security research at Websense, told SCMagazineUS.com, “The bad guys are going after high-profile, high-volume websites, instead of going after the smaller websites, which are easier to inject code into.”

The report says attackers increasingly launched targeted attacks, which often start with an email containing a malicious link. During the second half of 2009, 81 per cent of email contained a malicious link, the report states.

When an employee receives a spear phish based on information gathered from the company’s website and clicks the link in it, the link may download a program that disables the company’s anti-virus and defeats all security measures. This is why one must never click links in the body of an email. There is hardly ever a link in an email that can’t be worked around, either via the favorites menu or by manually typing the address into the browser.

1. NEVER click links in email. It’s sheer laziness, naiveté or stupidity when someone clicks links in the body of an email today.

2. Get yourself an ethical hacker to test your network and see what damage he can do before the bad guy does.

3. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

4. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

5. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC