This article appeared originally in the November 2010 Levitt Letter.
Below is a digest of a USA Today article from July 29 by Byron Acohido. The complete text is posted at www.levitt.com/news. —Mark
Banks want consumers to help protect their deposits from thieves. About 80% of U.S. households bank online. However, it is less safe than visiting a branch. Cyber attacks have become alarmingly sophisticated and pervasive. Bankers now expect consumers to continually monitor their online accounts for unauthorized transactions. Banks have invested heavily in cyber defenses, and they’ve reimbursed account holders who can prove they’ve been ripped off.
Cyber theft has evolved into a multibillion-dollar global industry. There are nearly 70,000 “banking Trojan” programs—malicious software designed to pilfer online accounts. Eighty-five percent of big banks incur losses from cyber attacks on consumer online accounts. It’s an arms race. Solutions last only until the next kind of attack evolves. If you’re caught in the middle, the loss could be yours.
A San Diego personal trainer barely dodged a recent attack. An email from her bank advised her that all future emails would go to a new email address, per her online instructions. She’d never requested such a change, however. A clerk informed her that $5,800 was about to be transferred from her savings account to a woman—whom she didn’t know! Payment was stopped.
A computer virus probably let the attacker access her account, change the email address, and initiate the bill payment. The bank authorized the transfer because the thief knew the answers to the trainer’s “secret questions”—such as her mother’s maiden name and the city of her birth.
The cyber underground makes powerful hacking tools and tutorials available via an organized support infrastructure. Cyber thieves purchase account log-ons from data thieves. They find coding security holes in Web browsers. Internet Explorer, Firefox, Google, and Apple Safari enable users to surf the Internet. But browsers simply aren’t designed for secure financial transactions. Cyber thieves craft banking Trojans that inject software code into the Web browser. Then the attacker takes control of online banking sessions, altering what the account holder sees and making stealthy transactions.
The current online banking systems are at least one full generation behind current cyber crook techniques. One banking Trojan infiltrated a victim’s Web browser when he clicked on a corrupted Web link in an instant message. The Trojan watched for when the victim accessed his online bank account and sent a copy of the user name and password to the attacker. It also automatically injected a “spoofed” (looks real, but isn’t) bank form into the legitimate banking Web pages. Cyber criminals can steal credentials for thousands of accounts at a time with very little effort. Customers must know how to defend themselves. They must always protect passwords, ensure the bank has up-to-date contact information, and regularly review their accounts.
Verification devices that operate separately from the browser ensure secure transactions no matter what is on the customer’s PC. Unfortunately, banks are a long way from widely distributing such devices. Banking and security experts say a consumer backlash is necessary to change the banking industry’s current approach.
Stopgap solution from Mark: Use online banking for only your smallest “convenience” account. Keep savings, money market, and other larger accounts away from online banking.