2 million bank accounts robbed

Jack Lloyd lloyd at randombit.net
Tue Jun 15 09:22:46 PDT 2004


So... don't give your account info to organized crime, and don't use Outlook,
and your risk is reduced by, what, 90%? And doing online banking from a Net
cafe... I mean really.

At least some of these numbers seem wrong. If "nearly 2 million" people got
ripped off last year, and "at least 1.8 million" people fell for phishing
attacks, then why would keyloggers/viruses cause "up to half" of the account
compromises? Did nearly a million people fall for phishing attacks and yet were
too stupid to even get their account details correct?

-J

On Tue, Jun 15, 2004 at 12:08:21PM -0400, R. A. Hettinga wrote:
> <http://www.msnbc.msn.com/id/5184077/>
> 
> MSNBC
> 
> Survey: 2 million bank accounts robbed
> Criminals taking advantage of online banking, Gartner says
> EXCLUSIVE
> By Bob Sullivan
> Technology correspondent
> MSNBC
> Updated: 4:25 a.m. ET June 14, 2004
> 
> Nearly 2 million Americans have had their checking accounts raided by
> criminals in the past 12 months, according to a soon-to-be released survey
> by market research group Gartner. Consumers reported an average loss per
> incident of $1,200, pushing total losses higher than $2 billion for the
> year.
> 
> Gartner researcher Avivah Litan blamed online banking for most of the problem.
> 
> "There has been a big increase in the abuse of existing checking accounts,"
> Litan said. "What's really scary about it is right now there are no
> back-end fraud detection solutions for it."
> 
> The survey results, extrapolated from a telephone poll of 5,000 consumers
> conducted in April, offer a rare glimpse at the state of bank fraud:
> Financial institutions are tight-lipped about fraud losses. But Litan said
> the study confirms comments she regularly hears from bank investigators.
> 
> "The results are consistent with what banks are telling me. ... When I talk
> to them, they all nod their heads that this is the area where they are
> seeing the most fraud escalation," she said.
> 
> 'Constant siege'
> The trend neatly follows a sharp rise in so-called phishing e-mails, which
> attempt to steal consumers' user names and passwords by imitating e-mail
> from legitimate financial institutions. A Gartner study released in May
> showed at least 1.8 million consumers had been tricked into divulging
> personal information in phishing attacks, most within the past year.
> 
> Phishing attempts designed specifically to steal bank information began to
> skyrocket about 10 months ago, according to Dave Jevans, chair of the
> Anti-Phishing Working Group. Overall, phishing e-mails have jumped 4,000
> percent in the past six months, and just last month, Citibank overtook eBay
> as the most common target. The company faced an average of 16 attacks per
> day, and 475 separate phishing attacks during April, an increase of nearly
> 400 percent from March.
> 
>  Citibank didn't immediately return requests for comment.
> 
> "It's working, there's no doubt about that...There's people who are under
> constant siege now," Jevans said. "It's like people setting up fake ATMs
> everywhere."
> 
>  Some days, banks are targeted dozens of times, which not only leads to
> identity theft, but also jam-packed customer service telephone lines.
> 
> "Clearly the issues are far more significant than anyone expected they
> would be. Phishing and spoofing (setting up look-alike bank Web sites) are
> really getting to people," said Larry Ponemon, founder of privacy think
> tank Ponemon Institute, and a bank consultant. "It is an epidemic. It's a
> very big problem."
> 
> Creative ways to drain accounts
> But phish isn't the only way criminals gain access to online bank accounts,
> according to industry experts. Computer criminals are becoming increasingly
> proficient at writing Trojan horse programs and keyloggers that steal
> passwords and account information. Such secret malicious programs, which
> experts say are more widespread than many realize, could be the cause of up
> to half the account takeovers, Litan speculated.
> 
> Such programs can be installed on home users' computers through virus-laden
> e-mails. People who do their online banking at public computers, such as at
> Internet cafes, are also at risk from this kind of password swiping.
> 
> The Gartner survey found that more than 4 million consumers reported
> suffering checking account takeovers at any time during recent years, with
> half that number saying it had happened in the most recent 12-month span --
> indicating a sharp increase in the activity.
> 
> While consumers who responded to the survey didn't know how the money was
> moved out of their checking accounts -- fake ATM cards are another
> possibility, for example -- Litan said she suspects a sharp rise in hackers
> taking over online bank accounts is the likely cause. 
> 
>  Criminals are using creative ways to transfer money out of hijacked
> accounts, she said.
> 
> "A couple of banks tell me (the criminals) set up a bill payment account,
> then pay themselves," she said.
> 
>  Another method, said U.S. Postal Inspector Barry Mew, takes advantage of
> the images of canceled checks made available to online bankers. Imposters
> use them to create authentic-looking counterfeit checks; they have an added
> air of legitimacy, since the check numbers are appropriately in series.
> 
> Enough safeguards?
> Online banking, including online bill paying, has spiked in popularity in
> recent years, particularly as more financial institutions offer the service
> for free. According to Gartner, 45 percent of the 141 million U.S. adults
> who use the Internet pay bills online. Consumers like the convenience and
> banks like the operating savings. 
> 
>  But not everyone is comfortable banking online, and Gartner's study
> confirms some of that group's worst fears: that accounts can be tapped into
> by criminals.
> 
> "They should be afraid," Litan said. "The banks should be requiring more
> than just passwords to use online banking. They all know they have to do
> something, but they are all afraid to take the first step."
> 
> Identity theft expert Rob Douglas described the study results as
> "blockbuster," and said banks may be forced to re-think the way they are
> giving consumers access to checking accounts online.
> 
> "They may say it's because customers are not practicing the appropriate
> safeguards," he said.  "But when it comes to online banking, they are not
> doing a good enough job of educating customers what to watch out for.
> Someone is making a lot of money."
> 
> Litan said the industry was reeling in part because there is no software
> designed to detect unusual checking account withdrawal patterns, outside of
> software that looks for money laundering, which doesn't catch simple
> unauthorized withdrawals.
> 
> Most credit card users are familiar with industry software called Falcon,
> which alerts issuers when out-of-the-ordinary purchases are attempted. Such
> software will often cause a card issuer to call a consumer and ask
> questions like, "Are you really in London buying a diamond necklace right
> now?"
> 
> There's no similar product for online banking, Litan said.
> 
>  Still, there are simpler solutions banks could implement to protect
> themselves and consumers. One idea is a "shared secret" -- a picture that
> consumers would give to a bank, which would then appear each time the
> consumer visited the bank's site, confirming it was the authentic corporate
> Web site and not a "spoof" site controlled by a hacker.
> 
> "There's a lot at stake here," Litan said. "And there's a lot that banks
> can do."
> 
> Limited window for refunds
> In most cases, analysts say, consumers are eventually refunded the money
> they lose. Federal regulations governing electronic transfers, known as
> Regulation E, require banks to refund the money as long as consumers
> notify the institution within 60 days of receiving their bank statement.
> But outside the 60-day window, banks are under no obligation to issue
> refunds.
> 
>   Fact File
> Know your rights
> 
> Regulation E protects consumers when they are hit by electronic financial fraud
> 
> 
> Consumers have well-defined rights with respect to fraudulent electronic
> transfers, and should generally be able to obtain refunds with little
> hassle. The rights are spelled out in what's known as "Reg-E," or the
> Federal Reserve Board's Regulation E. The Fed was authorized to draw up the
> regulation by the Electronic Funds Transfer Act of 1979. The regulation
> covers all manner of transfers into and out of bank accounts outside of
> paper checks, including the use of debit cards. It does not cover credit
> card transactions.
> 
> Many banks don't make consumer rights clear enough, said George Tubin, an
> analyst at Tower Group. He praised Bank of America, Citibank, and Wells
> Fargo for offering credit-card style "zero liability" policies on their
> online banking products.
> 
> "Until a bank is comfortable enough with their product to say you're
> covered, how can consumers feel comfortable?" he said.
> 
> Betty Reese, a spokeswoman for Bank of America, said her firm simply
> requires consumers to report any fraud on "a timely basis."  She declined to
> disclose fraud statistics.
> 
>  Still, getting a refund can be inconvenient, and there are scattered
> reports of banks not making the process easy.  And ultimately, all
> consumers pay when banks increase fees to recoup their losses.
> 
> The new Gartner results "are staggering numbers," said Jim Bruene, editor
> and founder of the Online Banking Report.
> 
>  "If that's true, we are really facing a monster problem," he said. "It's
> something that could have been anticipated by the banks. ... There should
> be and will be more controls in place."
> 
> -- 
> -----------------
> R. A. Hettinga <mailto: rah at ibuc.com>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'





More information about the cypherpunks-legacy mailing list