Banks, Wall St. Feel Pinch from Computer Intrusion
An anonymous reader writes "Financial institutions and companies in the securities/futures business are reporting sizable increases in the amount of losses and suspicious activity attributed to computer intrusions and identity theft, says the Washington Post's Security Fix blog. The Post obtained a confidential report compiled by the FDIC which analyzed Suspicious Activity Reports from the 2nd Quarter of 2007. SARs are filed when banks experience fraud or fishy transactions that exceed $5,000. The bank insurance agency found that losses from computer intrusions averaged $29,630 each — almost triple the estimated loss per SAR during the same time period in 2006 ($10,536). According to the Post, 'The report indicates that the 80 percent of the computer intrusions were classified as "unknown unauthorized access — online banking," and that "unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year."' Another set of figures analyzed by The Post looks at similar increases affecting the securities and futures industry."
Maybe this will force these idiots to upgrade their infrastructures and take network security seriously. That would probably help all of us in the long run.
The higher the technology, the sharper that two-edged sword.
No shit baby! Time to switch back to FACE TO FACE. what a concept.
That's what you get when you put beancounters in charge of computer security, a WHOLE LOT of shortcuts in the name of cost savings which lead ultimately to insecurity.
root@127.0.0.1
Nigerian millionaires not fulfilling their promises to send large amounts of money to banks.
Maybe if they would stop trying to force people to carry an ATM card that does not require a password, this wouldn't be such a problem.
Whoever found cos(s + t) = cos s cos t - sin s sin t didn't protect his identity and now it's all over the web. Sickening.
The reason that these are going up is because of stupid users who see an e-mail from their bank (supposedly) that says "Alert, your account has been disabled until you login to this site and enter all of the information that we, as your bank would already know!". I think if we can focus on user education about phishing, and how banks will NEVER ask you for your username and password and account information via an e-mail, the number of fraudulent transactions would go down significantly. Since the main type listed was related to unauthorized online activity, it is because users are being stupid and giving out their username and password to phishing sites.
Now, you may say, "Just add more questions that only the user will know to their online banking logins!". The issue is, the phishers will just pull those same security questions from the banking site. I've even seen ones where they will have you do the initial login, then they will log in to your banking site and pass the actual security questions to you to answer, allowing them to completely bypass any security measures that your bank has set up. One thing that Chase does that might help a little bit is if you log in to your online banking site from somewhere not already verified (different IP address), they will make you send an activation code to your cell phone or your registered account e-mail address before they will let you log on and do anything. This might help a little bit, but I'm sure the scammers will find a way around it. Also, those types of security measures are only implemented by large companies, leaving the smaller banks (and their customers) out in the cold when it comes to security.
So basically my point is, we shouldn't focus so much on network security measures as we should on user education. Network security is great, but when your users can be tricked into giving away their most personal information no amount of network security is going to protect them from themselves.
"To strive, to seek, to find, and not to yield." - Tennyson
What's ZeroCool in chinese?
They tried to give you ID cards, but you wanted freedom instead. Now prepare for a long media campaign of disasters to convince you ID cards are the only option. You believe the French are cowards, you believe Castro was an evil man, you WILL believe ID cards are there to protect us.*
*When I say you, I mean the American population; even if you never believe, millions will.
Jon R Westlund
07/07/1980
472-94-3805
Cheap, Good, Easy to Use Security is possible, but who would pay for it, and who would mandate it?
... all make or lose money in a commercially profitable way. ... allow your personal information to be stolen, then blame you for all the damages. Why would government put some businesses out-of-business to prevent Id-Theft/Insurance (one of many catch-22 scams)?
... I expect it will be another 10 to 20 years, even though the Cheap, Good, Easy to Use Security "Open" technologies/platforms and "Open" standards are all available today on the commercial market (but only for governments, businesses and the wealthy, it appears).
... the USA no longer has a capitalist-economy.
Banks, Insurances, Id-Thefts, Medical, Personal, Professional
Silly, Id-insurance you pay for, because governments, credit companies, banks
The only bank/financial business to provide me a little better security structure with a cron-token has been etrade. The most frequent notices I have received indicating "whoops, Id-Theft of personal information" have been from the government. This tells me many businesses (1) do not know when theft happens, or (2) will not tell me anything about an Id-Theft.
Id-Theft is an expensive personal problem caused by government and/or business (should be criminal) negligence. If someone uses your name, SSN, and other personal information to get a line of credit/loan, then government or business is providing approval for the theft. I live in the same house for 5 to 20 years; government and businesses/financial companies all know or can easily obtain my personal information and call or ask local/fed tax offices where I am filing. So, someone in another state using my personal information should set off all kinds of alarms/alerts.
I want a voice/bio eSig for financed financial transactions, but in the USA
Id-Theft remains a personal problem, a business write-off/tax deduction, a new business for protection services, a government responsibility abdicated to provide tax dollars for more corporate welfare, and allow whoever (including criminal) to make money off the general public. Communist-economics (exploit the worker) by any spin/name still stinks
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Isn't this problem limited to the USA because their banks use only user/password for authentication?
I know the procedures for 5 or 6 banks in 3 different European countries, and all of them require a lot more to authenticate me.
The 3 procedures are:
* Bank 1 (the simplest, and first system I have seen, some 10 years ago).
- authenticate with user id (unrelated to name or account number) and password
- be prompted to enter a one-time number from a list which I received by postal (registered) mail (it asks for the number at row x, column y)
All other banks have long moved to something like the 2 others:
* Bank 2.
- put a special card received from the bank into a special calculator also received from the bank and enter password
- enter user id (unrelated to name or account number) on bank web site
- receive a one-time 6 digit number and type it into the special calculator
- the calculator gives an 8- or 10-character alphanumeric one-time password to enter into the web form
* Bank 3.
- I can't remember the details, but as with bank 2, there is a special device and procedure to follow involving password, user id, device id and one-time numbers exchanged between the device and the bank's site.
- On top of that, the bank sends me an email every time I connect, with the date, time, the IP address from which I connected, and the money operations performed if any.
This is genuine "two mode" authentication. Sure, if someone stole my computer AND my keychain the security is compromised. Or, if someone puts a gun to my head. But still, compared to current web login security, this system is a vast improvement.
All a bank has to do is say, "Here, this gizmo is free. And by the way, you have to use it if you want to do online banking." Managing these devices isn't any harder than managing ATM cards, which people lose every day, and it's not that big a deal.
I will create a sig when innovation restarts in the U.S.
My own bank uses such a device, but they have been hit by bank specific trojans which simply let you authenticate a different transaction while you thought you were authenticating your own.
The only solution is a separate device less easily owned than a PC which displays all the transaction details. Mobile phones would work (would be nice if they used better cryptography, but even without it's a lot more difficult to exploit on a large scale without physical presence).
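Added example, not code from any poster or bank: a Python model of the Bank 2 style card-plus-calculator token described above, alongside the transaction-binding variant that answers the "authenticate a different transaction" trojan raised here. The card key, nonce, names and amounts are all constructed for the demo.

```python
import hmac
import hashlib
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo secret


def device_response(card_key: bytes, challenge: str, length: int = 8) -> str:
    """What the card+calculator computes: a keyed MAC over the typed-in challenge,
    truncated to an 8-character alphanumeric one-time password."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:length])


def random_challenge() -> str:
    """Bank 2 style: a random 6-digit number shown on the web page."""
    return f"{secrets.randbelow(10**6):06d}"


def transaction_challenge(recipient: str, amount_cents: int, nonce: str) -> str:
    """Transaction-binding variant: the challenge commits to recipient and amount,
    which the user keys into (or reads off) the device before it answers."""
    return f"{nonce}|{recipient}|{amount_cents}"


def bank_verify(card_key: bytes, challenge: str, response: str) -> bool:
    """Bank side: recompute the expected code and compare in constant time."""
    return hmac.compare_digest(device_response(card_key, challenge), response)


def trojan_swaps_transaction(binding: bool) -> bool:
    """Model the trojan from the thread: the user intends to pay Alice 100.00,
    the malware submits a payment of 5000.00 to a mule account instead.
    Returns True if the bank ends up accepting the tampered transaction."""
    intended = ("Alice", 10_000)
    tampered = ("Mule", 500_000)
    nonce = "173305"  # constructed; a real bank draws this at random per login
    if not binding:
        # The challenge carries no transaction data, so the trojan relays it
        # unchanged and the user's answer authorizes whatever was submitted.
        bank_challenge = nonce
        user_response = device_response(CARD_KEY, bank_challenge)
    else:
        # The device computes over what the user actually sees and approves...
        user_response = device_response(CARD_KEY, transaction_challenge(*intended, nonce))
        # ...while the bank checks against the transaction it actually received.
        bank_challenge = transaction_challenge(*tampered, nonce)
    return bank_verify(CARD_KEY, bank_challenge, user_response)
```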
A key is a lot better than either of those, people understand what keys do, they understand what they should do if they get stolen or lost. Digital keys are almost impossible to copy, while passphrases are trivial to intercept and fingerprints are trivial to copy ... two things a lot of people don't understand!
An extra factor is fine, but start with what works best. What you have.
An RSA token is a terrible way to handle internal security for anything other than a VPN. Imagine typing in a one-time password every single time you lock your computer, access an application, etc. It would drive most people to just leave their computers unlocked and logged in all the time.
If a really capable hacker just decided, the next time a Windows worm is discovered, to trojan all the transactions for a large number of banks, the damage he would be able to cause is going to be huge. If he wants to be nasty, he could use the online transaction history to make the transactions look legit too, to maximize the amount of money he could pump around before you guys simply shut down online transactions entirely.
...
He'd be able to make his money off put options rather than directly stolen money
Every time I read an article regarding someone hacking into a bank system or account, I always wondered... how do you take the money without being caught? I mean, I can understand that for small amounts you can probably wire it to an account you've set up with fake details, then take cash out. But what about large amounts?
I understand that my question is a bit sensitive. Please delete if it's inappropriate for this site.
What is needed, if they want to keep the system at least a little similar, is to simply add a PIN. Keep the PIN separate, never printed, just like a PIN for a bank card. The PIN must be used for opening any account or using the SSN in any manner an ID thief might. For general use only the SSN is required, same as it is today. This alone would cut back on ID theft, as it would break the current method of "SSN + name = free $$" by requiring a PIN that only the original holder of the SSN should know, rather than requiring a simple-to-find number and some info that's publicly available.
Tm
Support TBI Research: http://www.raisinhope.org
It's not just the banks that need to have tight security, it also applies to all companies listed on the stock market.
Scenario 1: As Company C prepares its year-end report, hacker H sniffs the CEO/CFO mail conversation and sees that market expectations will be greatly exceeded or greatly disappointing. He thereafter invests in suitable warrants and profits.
Scenario 2: If the hacker has penetrated the network well, he could seriously disrupt stock market value by releasing trade secrets, destroying servers, causing online business downtime (think amazon gone for a day), etc. Combine with an investment in warrants, and there is an easy profit.
Isn't this largely because you are basically running fundamentally insecure systems? Systems which simply cannot reasonably be operated without giving the end user the authority to install "Malware, trojans etc. are used to steal identities of businesses or persons."
What do you want now? Sympathy or praise for choosing expediency over security?
The problem is not and never has been the end user. We have known for decades that a significant proportion of end users are thieving sociopathic scum. We've had systems designed with this in mind for about the same amount of time. The problem is that nobody is being fired/prosecuted/sued for negligence.
A number of banks have implemented two-factor authentication using mobile phones. When a transaction is initiated, the bank sends a number by text to your nominated mobile phone. You then enter the number on the screen. No need for expensive HHAD devices. And it really seems to work very well. In theory you can defeat it via man-in-the-middle attacks, but these are a lot harder to implement than normal phishing.
See for example http://nab.com.au/Personal_Finance/0,,84176,00.html
Tim
A major detail left out of the story is that payment card industry (PCI) data security standards are written to place all the burden on the merchant while the banks do nothing meaningful to upgrade the 1960s technology.
Technology exists today where every time you would use your card at a data-connected store, your use number would change. The number would be visible on a super-thin LCD or e-paper display on the card.
Thus every time you use your card, except on phone or web purchases, the number changes. If you chose, one could also add biometric info to the card.
The silly system in place today makes simply copying the numbers off a card all that is needed to commit fraud.
Visa/Mastercard etc are pretty powerless, it is the banks that control the system and they don't want to make the needed investment.
Title case makes my brain mis-parse the headlines. I don't understand who this new Saint Feel is, and why he needs to pinch intruders.
'The Post obtained a confidential report compiled by the FDIC'
Maybe they hacked into the banks' systems to get it?
Wisdom follows, pay attention!
The defence is easy: no online transfers to anywhere in the former Soviet Union (the so-called CIS states). No transfers to companies or persons that have Slavic-sounding names. The vast majority of hackers and virus writers are Russians, that is undeniable fact. No transfer to Brazil, because most of the banking data stealing trojans are authored in Sao Paulo.
If a customer wants to deal with an ex-Soviet or Brazilian partner, kindly inform him/her to turn up in person at the counter to do the transaction and submit an attorney counter-signed waiver that he/she is aware of the risks and takes full responsibility for any losses.
Any pending transfer request to a person or firm with a Hispanic-sounding name should be routed to client support, and the alleged sender should be called and asked to verify if he/she really wanted to do that. If you have the manpower, do the same with communist China-bound transactions, because a lot of trojans are made in the PRC.
This protects the most basic right to have private property, and to be free of theft. Therefore racial discrimination is allowed, because having private property is a more basic right embedded in the Constitution, while racial issues were legislated only between 1860s to 1960s.
Let's face it, the Russian hackers are as fierce in their war against the USA as the red commies of Stalin and Khrushchev were. They want to ruin you, and when you are in ruins they come to occupy and rape your sisters, like they did in the Baltic and Hungary in 1945; not a single female was left intact, virgin or not. Vodka-smelling ruthless barbarians. What's more, there is ample proof that Russian hackers are controlled by Putin's Kremlin; US DoD contractor Secure Computing Inc. recently testified to that in court.
Ideally, the former Soviet Union should be purged and cut off from the net. Online crime would drop by two-thirds that very minute, according to all statistics. What do Russians contribute to the net? Nothing! All we need is their oil and natural gas shipments. You don't need anything beyond a fax machine to trade with them. Purge them from the net!
BTW, FYI, etc.:
verses
versus
www.clarke.ca