Banks, Wall St. Feel Pinch from Computer Intrusion
An anonymous reader writes "Financial institutions and companies in the securities/futures business are reporting sizable increases in the amount of losses and suspicious activity attributed to computer intrusions and identity theft, says the Washington Post's Security Fix blog. The Post obtained a confidential report compiled by the FDIC which analyzed Suspicious Activity Reports from the 2nd Quarter of 2007. SARs are filed when banks experience fraud or fishy transactions that exceed $5,000. The bank insurance agency found that losses from computer intrusions averaged $29,630 each — almost triple the estimated loss per SAR during the same time period in 2006 ($10,536). According to the Post, 'The report indicates that the 80 percent of the computer intrusions were classified as "unknown unauthorized access — online banking," and that "unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year."' Another set of figures analyzed by The Post looks at similar increases affecting the securities and futures industry."
Maybe this will force these idiots to upgrade their infrastructures and take network security seriously. That would probably help all of us in the long run.
The higher the technology, the sharper that two-edged sword.
No shit baby! Time to switch back to FACE TO FACE. what a concept.
That's what you get when you put beancounters in charge of computer security, a WHOLE LOT of shortcuts in the name of cost savings which lead ultimately to insecurity.
root@127.0.0.1
Nigerian millionaires not fulfilling their promises to send large amounts of money to banks.
Maybe if they would stop trying to force people to carry an ATM card that does not require a password, this wouldn't be such a problem.
Whoever found cos(s + t) = cos s cos t - sin s sin t didn't protect his identity and now it's all over the web. Sickening.
The reason that these are going up is because of stupid users who see an e-mail from their bank (supposedly) that says "Alert, your account has been disabled until you login to this site and enter all of the information that we, as your bank would already know!". I think if we can focus on user education about phishing, and how banks will NEVER ask you for your username and password and account information via an e-mail, the number of fraudulent transactions would go down significantly. Since the main type listed was related to unauthorized online activity, it is because users are being stupid and giving out their username and password to phishing sites.
Now, you may say, "Just add more questions that only the user will know to their online banking logins!". The issue is, the phishers will just pull those same security questions from the banking site. I've even seen ones where they will have you do the initial login, then they will log in to your banking site and pass the actual security questions to you to answer, allowing them to completely bypass any security measures that your bank has set up. One thing that Chase does that might help a little bit is if you log in to your online banking site from somewhere not already verified (different IP address), they will make you send an activation code to your cell phone or your registered account e-mail address before they will let you log on and do anything. This might help a little bit, but I'm sure the scammers will find a way around it. Also, those types of security measures are only implemented by large companies, leaving the smaller banks (and their customers) out in the cold when it comes to security.
So basically my point is, we shouldn't focus so much on network security measures as we should on user education. Network security is great, but when your users can be tricked into giving away their most personal information no amount of network security is going to protect them from themselves.
"To strive, to seek, to find, and not to yield." - Tennyson
They tried to give you ID cards, but you wanted freedom instead. Now prepare for a long media campaign of disasters to convince you ID cards are the only option. You believe the French are cowards, you believe Castro was an evil man, you WILL believe ID cards are there to protect us.*
*When I say you, I mean the American population; even if you never believe, millions will.
Cheap, Good, Easy to Use Security is possible, but who would pay for it, and who would mandate it?
... all make or lose money in a commercially profitable way. ... allow your personal information to be stolen, then blame you for all the damages. Why would government put some businesses out-of-business to prevent Id-Theft/Insurance (one of many catch-22 scams)?
... I expect it will be another 10 to 20 years, even though the Cheap, Good, Easy to Use Security "Open" technologies/platforms and "Open" standards are all available today on the commercial market (but only for governments, businesses and the wealthy, it appears).
... the USA no longer has a capitalist-economy.
Banks, Insurances, Id-Thefts, Medical, Personal, Professional
Silly, Id-insurance you pay for, because governments, credit companies, banks
The only bank/financial business to provide me a little better security structure with a cron-token has been etrade. The most frequent notices I have received indicating "whoops, Id-Theft of personal information" have been from the government. This tells me many businesses (1) do not know when theft happens, or (2) will not tell me anything about an Id-Theft.
Id-Theft is an expensive personal problem caused by government and/or business (should be criminal) negligence. If someone uses your name, SSN, and other personal information to get a line of credit/loan, then government or business is providing approval for the theft. I have lived in the same house for 5 to 20 years; government and businesses/financial companies all know or can easily obtain my personal information and call or ask local/fed tax offices where I am filing. So, someone in another state using my personal information should set off all kinds of alarms/alerts.
I want a voice/bio eSig for financed financial transactions, but in the USA
Id-Theft remains a personal problem, a business write-off/tax deduction, a new business for protection services, a government responsibility abdicated to provide tax dollars for more corporate welfare, and allows whoever (including criminals) to make money off the general public. Communist economics (exploit the worker) by any spin/name still stinks.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Isn't this problem limited to the USA because their banks use only user/password for authentication?
I know the procedures for 5 or 6 banks in 3 different European countries, and all of them require a lot more to authenticate me.
The 3 procedures are:
* Bank 1 (the simplest, and first system I have seen, some 10 years ago).
- authenticate with user id (unrelated to name or account number) and password
- be prompted to enter a one-time number from a list which I received by postal (registered) mail (it asks for the number at row x, column y)
All other banks have long moved to something like the 2 others:
* Bank 2.
- put a special card received from the bank into a special calculator also received from the bank and enter password
- enter user id (unrelated to name or account number) on bank web site
- receive a one-time 6 digit number and type it into the special calculator
- the calculator gives an 8- or 10-character alphanumeric one-time password to enter into the web form
* Bank 3.
- I can't remember the details, but as with bank 2, there is a special device and procedure to follow involving password, user id, device id and one-time numbers exchanged between the device and the bank's site.
- On top of that, the bank sends me an email every time I connect, with the date, time, the IP address from which I connected, and the money operations performed if any.
This is genuine "two mode" authentication. Sure, if someone stole my computer AND my keychain the security is compromised. Or, if someone puts a gun to my head. But still, compared to current web login security, this system is a vast improvement.
All a bank has to do is say, "Here, this gizmo is free. And by the way, you have to use it if you want to do online banking." Managing these devices isn't any harder than managing ATM cards, which people lose every day, and it's not that big a deal.
I will create a sig when innovation restarts in the U.S.
- Dan
My own bank uses such a device, but they have been hit by bank specific trojans which simply let you authenticate a different transaction while you thought you were authenticating your own.
The only solution is a separate device less easily owned than a PC which displays all the transaction details. Mobile phones would work (would be nice if they used better cryptography, but even without it's a lot more difficult to exploit on a large scale without physical presence).
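The bank-2 challenge/response flow described above, and the trojan problem this comment raises, as an added example (not code from any of the banks mentioned, and not part of the original thread). The key, the 6-digit challenge, the code alphabet and the payment strings are constructed; the only difference between the two modes is whether the handheld's HMAC covers the transaction text it displayed.

```python
import hmac
import hashlib
import secrets

# Constructed alphabet for the device's alphanumeric code (no 0/O, 1/I confusion).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def device_response(key: bytes, challenge: str, shown_tx: str) -> str:
    """What the handheld computes: an HMAC over the bank's challenge and the
    transaction text it displayed, truncated to an 8-character code."""
    msg = f"{challenge}|{shown_tx}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:8])


class BankServer:
    """Minimal server side: a per-customer shared key and one pending challenge."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, tuple[str, str]] = {}

    def enroll(self, user: str) -> bytes:
        self.keys[user] = secrets.token_bytes(32)  # lives on the card, never typed
        return self.keys[user]

    def start(self, user: str, submitted_tx: str) -> str:
        challenge = f"{secrets.randbelow(10**6):06d}"  # the 6-digit number
        self.pending[user] = (challenge, submitted_tx)
        return challenge

    def verify(self, user: str, response: str) -> bool:
        challenge, submitted_tx = self.pending.pop(user)
        expected = device_response(self.keys[user], challenge, submitted_tx)
        return hmac.compare_digest(expected, response)


def run_flow(user_sees: str, browser_sends: str, bind_tx: bool) -> bool:
    """One payment. bind_tx=False: bank-2 style token that signs only the challenge.
    bind_tx=True: the separate device that also displays and signs the transaction.
    A trojan on the PC can make browser_sends differ from what the user sees."""
    bank = BankServer()
    key = bank.enroll("alice")
    challenge = bank.start("alice", browser_sends if bind_tx else "")
    code = device_response(key, challenge, user_sees if bind_tx else "")
    return bank.verify("alice", code)
```

With the challenge-only token a swapped transaction still verifies; with the transaction bound into the code the bank's expected value no longer matches and the payment is refused.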
A key is a lot better than either of those, people understand what keys do, they understand what they should do if they get stolen or lost. Digital keys are almost impossible to copy, while passphrases are trivial to intercept and fingerprints are trivial to copy ... two things a lot of people don't understand!
An extra factor is fine, but start with what works best. What you have.
An RSA token is a terrible way to handle internal security for anything other than a VPN. Imagine typing in a one-time password every single time you lock your computer, access an application, etc. It would drive most people to just leave their computers unlocked all the time and logged in.
If a really capable hacker just decided, the next time a Windows worm is discovered, to trojan all the transactions for a large number of banks, the damage he would be able to cause would be huge; if he wanted to be nasty, he could use the online transaction history to make the transactions look legit too, to maximize the amount of money he could pump around before you guys simply shut down online transactions entirely.
...
He'd be able to make his money off put options rather than directly stolen money
What is needed, if they want to keep the system at least a little similar, is to simply add a PIN. Keep the PIN separate, never printed, just like a PIN for a bank card. The PIN must be used for opening any account or using the SSN in any manner an ID thief might. For general use only the SSN is required, same as it is today. This alone would cut back on ID theft, as it would break the current method of "SSN + name = free$$" by requiring a PIN that only the original holder of the SSN should know, rather than requiring a simple-to-find number and some info that's publicly available.
Tm
Support TBI Research: http://www.raisinhope.org
It's not just the banks that need to have tight security, it also applies to all companies listed on the stock market.
Scenario 1: As Company C prepares its year-end report, hacker H sniffs the CEO/CFO mail conversation and sees that market expectations will be greatly exceeded or greatly disappointing. He thereafter invests in suitable warrants and profits.
Scenario 2: If the hacker has penetrated the network well, he could seriously disrupt stock market value by releasing trade secrets, destroying servers, causing online business downtime (think amazon gone for a day), etc. Combine with an investment in warrants, and there is an easy profit.
Isn't this largely because you are basically running fundamentally insecure systems? Systems which simply cannot reasonably be operated without giving the end user the authority to install "Malware, trojans etc. [which] are used to steal identities of businesses or persons."
What do you want now? Sympathy or praise for choosing expediency over security?
The problem is not and never has been the end user. We have known for decades that a significant proportion of end users are thieving sociopathic scum. We've had systems designed with this in mind for about the same amount of time. The problem is that nobody is being fired/prosecuted/sued for negligence.
A number of banks have implemented two-factor authentication using mobile phones. When a transaction is initiated, the bank sends a number by text to your nominated mobile phone. You then enter the number on the screen. No need for expensive HHAD devices. And it really seems to work very well. In theory you can defeat it via man-in-the-middle attacks, but these are a lot harder to implement than normal phishing.
See for example http://nab.com.au/Personal_Finance/0,,84176,00.html
Tim
A major detail left out of the story is that payment card industry (PCI) data security standards are written to place all the burden on the merchant, while the banks do nothing meaningful to upgrade the 1960s technology.
Technology exists today where every time you would use your card at a data-connected store, your card number would change. The number would be visible on a super-thin LCD or e-paper display on the card.
Thus every time you use your card, except on phone or web purchases, the number changes. If you chose, one could also add biometric info to the card.
The silly system in place today makes simply copying the numbers off a card all that is needed to commit fraud.
Visa/Mastercard etc. are pretty powerless; it is the banks that control the system, and they don't want to make the needed investment.
BTW, FYI, etc.:
verses
versus
www.clarke.ca