Slashdot Mirror

← Back to Stories (view on slashdot.org)

Banks, Wall St. Feel Pinch from Computer Intrusion

Posted by Soulskill on from the only-going-to-get-worse dept.

An anonymous reader writes "Financial institutions and companies in the securities/futures business are reporting sizable increases in the amount of losses and suspicious activity attributed to computer intrusions and identity theft, says the Washington Post's Security Fix blog. The Post obtained a confidential report compiled by the FDIC which analyzed Suspicious Activity Reports from the 2nd Quarter of 2007. SARs are filed when banks experience fraud or fishy transactions that exceed $5,000. The bank insurance agency found that losses from computer intrusions averaged $29,630 each — almost triple the estimated loss per SAR during the same time period in 2006 ($10,536). According to the Post, 'The report indicates that the 80 percent of the computer intrusions were classified as "unknown unauthorized access — online banking," and that "unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year."' Another set of figures analyzed by The Post looks at similar increases affecting the securities and futures industry."

31 of 90 comments (clear)

  1. Well, this is good ... by ScrewMaster · · Score: 4, Insightful

    maybe this will force these idiots to upgrade their infrastructures and take network security seriously. That would probably help all of us in the long run.

    --
    The higher the technology, the sharper that two-edged sword.
    1. Re:Well, this is good ... by Frosty+Piss · · Score: 3, Informative

      The problem is, user easy verses security. At a certain point of "security" people will choose not to because it's way too much of a hassle. And, there will always be a way around it.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Well, this is good ... by ScrewMaster · · Score: 3, Insightful

      True, but I'm not necessarily talking about the end user ... there's a lot of money that could be well-spent on just securing their networks. Banks have money but like most corporations tend to be cheap when it comes to security. Hitting them in their pocketbooks like this may be just the kick in the pants they need to take the proper steps.

      There are probably some ways that security could be improved from the end-user's perspective as well. I understand that in some countries (I don't know if any U.S. banks do this) users of Internet banking services have a hardware device that plugs into their PC to identify them. I don't know how well that works, never having used anything like that myself, but if implemented correctly it would at least cut down on password phishing schemes.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:Well, this is good ... by abigor · · Score: 3, Informative

      Actually, the article gives some examples of how the thefts occur, and it's normally not from network intrusions - rather, it's from things like a coworker in an office installing trojans on people's machines and stealing their passwords when they go to do online banking during their lunch hours or whatever.

      How do you protect against this sort of thing? The banks have certain heuristics that deal with detecting fraudulent transactions, but this really seems like one of those cases where what you know (passphrase) + who you are (biometrics) would go a long way towards a solution.

    4. Re:Well, this is good ... by Crafack · · Score: 5, Informative

      I'm in IT Operations for a bank in EU.

      We spend a sizeable amount of both time and money securing systems against outside access.

      The problem as reported in TFA is in the end-user zone. Malware, trojans etc. are used to steal identities og businesses or persons.

      True, most of these problems could be mitigated (for now) if the banks switched to some kind of one-time-pad system, but apparently for now the cost of the system are greater than losses due to attacks. /Crafack

      --
      ... Elecance is left to the implementors.
    5. Re:Well, this is good ... by Creepy+Crawler · · Score: 3, Interesting

      And that kind of technology would invariably lead to "Works only on Windows".

      I'd rather have a separate "channel" of information to verify against. If one would use internet banking, then a txt msg containing pertinent info would be sent, with a reply "$dollar amount and yes" as confirmation.

      Phones can be deactivated rather fast when it comes to stolen" and such things. It would provide extra security and very little hassle.

      --
    6. Re:Well, this is good ... by CastrTroy · · Score: 5, Interesting

      I call BS. There's a lot they could do to increase security for banking. How about actual 2-factor authentication. Something you know, and, something you know is not 2 factor authentication. Try something you know (your password), and something you have (those little RSA tokens). If they implemented those RSA tokens that spit out a new number every 60 seconds, they could stop almost all the phishing scams. Yet they refuse to do anything to actually even offer the more secure option. I'd pay for the RSA token out of my own pocket if it meant my money would be more secure.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    7. Re:Well, this is good ... by abigor · · Score: 2, Informative

      I think some European banks actually have systems a bit like what you describe. My friend has an account with a Dutch bank, and he has this little device that generates a unique passcode each time he wants to do any banking. I'm not really sure how it works, but its one-time-padness makes end user fraud a lot more difficult - you'd have to physically steal the device, its PIN, plus his actual banking password.

    8. Re:Well, this is good ... by cetialphav · · Score: 3, Informative

      If they implemented those RSA tokens that spit out a new number every 60 seconds, they could stop almost all the phishing scams. Yet they refuse to do anything to actually even offer the more secure option. I'd pay for the RSA token out of my own pocket if it meant my money would be more secure. Actually, some banks do this. ETrade, for example, provides the RSA tokens. If security were really that important to customers, the banks would respond. But most customers are not security savvy enough to even know what to ask. The mere concept of the RSA token goes completely over the head of most people. What the banks need to do is to take the lead in trying to educate consumers about security issues so that consumers can make more informed choices, but that is a difficult, thankless task that most of them don't want to do. The bottom line is that customers are not leaving banks in droves to go to competitors with better security even though there actually exists competitors with better security. Or to put it another way, providing better security provides only a marginal business advantage, whereas better interest rates provide a huge business advantage.
    9. Re:Well, this is good ... by cetialphav · · Score: 3, Insightful

      ETrade is both a brokerage house and a bank. I don't know if other American banks offer RSA SecurID tokens. I'm a happy ETrade customer so I haven't investigated that. A quick google search makes it look like other banks offer this, too.

    10. Re:Well, this is good ... by jdigriz · · Score: 2, Insightful

      2 seconds of googling would have revealed ETrade Bank in addition to their brokerage. I just saved you those 2 seconds. You're welcome.

    11. Re:Well, this is good ... by timeOday · · Score: 2, Informative

      My work implemented 2-factor authentication for remote email access. Everybody I've spoken with agrees with me that it has drastically reduced their amount of remote email access. In other words, greater security at the cost of productivity. This is why you should not let network security make their own decisions in a vacuum - they will choose security at the expense of everything else. These studies that state losses from computer security are worthless without equally credible studies of the losses from more draconian security, in terms of direct expenses and lost productivity, and annoyed customers that go somewhere else.

    12. Re:Well, this is good ... by caluml · · Score: 2, Insightful

      Use a mobile phone to text the user the second part of the authentication code. It's so simple, so easy, so cheap - and very effective.

      --
      Get your own free personal location tracker
    13. Re:Well, this is good ... by TheRaven64 · · Score: 2

      I understand that in some countries (I don't know if any U.S. banks do this) users of Internet banking services have a hardware device that plugs into their PC to identify them It doesn't plug into the computer, that would leave it vulnerable if the machine were compromised. It looks like those pocket calculators that everyone was handing out for publicity in the '80s and implements one-time passwords. Inside is a ROM chip with a secret number in it. The bank's site gives you a number, you enter it into the keypad, and then read the result of some permutation on the secret value and the number from the bank and enter it into the site. You can then access the site and anyone who has control over your computer at that moment can steal your money. If they are just logging, then they get nothing usable because that pass code won't be valid again for a long time.

      The MoD has been using this kind of thing for a long time. They're starting to trickle down to the consumer now. You can also use something similar on *NIX systems using opie and a bit of custom code on a programmable calculator.

      --
      I am TheRaven on Soylent News
  2. p0wnd! by Anonymous Coward · · Score: 2, Funny

    No shit baby! Time to switch back to FACE TO FACE. what a concept.

    1. Re:p0wnd! by Hatta · · Score: 3, Insightful

      Face to face is sometimes even less secure. All my credit union wants from me is an account number and name and they'll give me all the cash in my account. Not even a password or photoid. Of course, I'll take the risk of getting ripped off at a credit union over the guarantee of getting ripped off at a bank any time.

      --
      Give me Classic Slashdot or give me death!
  3. beancounters and shortcuts by galaad2 · · Score: 5, Insightful

    That's what you get when you put beancounters in charge of computer security, a WHOLE LOT of shortcuts in the name of cost savings which lead ultimately to insecurity.

    --
    root@127.0.0.1
    1. Re:beancounters and shortcuts by zappepcs · · Score: 4, Interesting

      It's not just bean counters. Many businesses went into the computer services side of their business with either no knowledge of the risk, went into it before the risks were known, or simply made bad decisions. Now, they have to have the computer side of their business to compete and they are finding out what dangers lie inside pandora's box, even as they try to put the lid back on.

      Intrusion detection systems are how old? Who really is the enemy as far as the computer system can tell? If you don't know, or are not sure of the answer, you have something in common with the people that have to make decisions with the security of your financial information. I'm not saying that it's a total lost cause, but think about it, have you heard of CSO CIO or CISO? These are the guys that are supposed to make such decisions. Does your bank have any of those positions? Oh wait, is it really the bank that is fully to blame? Did your login get compromised by some software on the 'build-a-better-model-airplane' website?

      Better yet, did the bank's EDI software get compromised because one of their partners has an IT guy that watches porn at work during the grueling month-end process?

      The truth is that a secure system cannot trust anyone or anything. Getting to your money in a secure system will not be easy, and will be a deterrent to using computerized banking. That is just how it is. Ever since there were banks, people have been trying to rob them. Security issues should not be news. What is news is that the banks and financial institutions are reporting that they are having trouble with security in a time when just about the entire industry has been hurt by the sub-prime issue? I smell a kind of rat here.

      --
      Support NYCountryLawyer RIAA vs People
    2. Re:beancounters and shortcuts by wbean · · Score: 2

      One thing that Chase does that might help a little bit is if you login to your online banking site from somewhere not already verified (different IP address) they will make you send an activation code to your Cell Phone or your registered account e-mail address before they will let you logon and do anything.


      The trouble with this is that your IP address changes all the time when your are travelling and there are lots of parts of the world where my (international GSM) phone doesn't work.
  4. In other news... by mnemocynic · · Score: 3, Funny

    Nigerian millionaires not fulfilling their promises to send large amounts of money to banks.

  5. Example of identity theft by Anonymous Coward · · Score: 2, Funny

    Whoever found cos(s + t) = cos s cos t - sin s sin t didn't protect his identity and now it's all over the web. Sickening.

  6. The problem is the user, not the security by ironwill96 · · Score: 4, Insightful

    The reason that these are going up is because of stupid users who see an e-mail from their bank (supposedly) that says "Alert, your account has been disabled until you login to this site and enter all of the information that we, as your bank would already know!". I think if we can focus on user education about phishing, and how banks will NEVER ask you for your username and password and account information via an e-mail, the number of fraudulent transactions would go down significantly. Since the main type listed was related to unauthorized online activity, it is because users are being stupid and giving out their username and password to phishing sites.

    Now, you may say, "Just add more questions that only the user will know to their online banking logins!". The issue is, the phishers will just pull those same security questions from the banking site. I've even seen ones where they will have you do the initial login then they will login to your banking site and pass the actual security questions to you to answer, allowing them to completely bypass any security measures that your bank has setup. One thing that Chase does that might help a little bit is if you login to your online banking site from somewhere not already verified (different IP address) they will make you send an activation code to your Cell Phone or your registered account e-mail address before they will let you logon and do anything. This might help a little bit, but i'm sure the scammers will find a way around it. Also, those type of security measures are only implemented by large companies, leaving the smaller banks (and their customers) out in the cold when it comes to security.

    So basically my point is, we shouldn't focus so much on network security measures as we should on user education. Network security is great, but when your users can be tricked into giving away their most personal information no amount of network security is going to protect them from themselves.

    --
    "To strive, to seek, to find, and not to yield." - Tennyson
    1. Re:The problem is the user, not the security by Detritus · · Score: 2, Interesting
      That doesn't do a damn thing to protect people from zero-day exploits and compromised web sites that try to take advantage of vulnerabilities in user's systems. Part of not getting infected is education and keeping systems updated, but part of it is dumb luck. You can do everything right and still get infected.

      I would like to see operating systems that offer the option of only executing code that has been digitally signed. Banks should give their customers authentication devices. This can be as simple as a sheet of paper with a table of authentication codes.

      --
      Mea navis aericumbens anguillis abundat
  7. Only a USA problem? by 25albert · · Score: 5, Informative

    Isn't this problem limited to the USA because their banks use only user/password for authentication?

    I know the procedures for 5 or 6 banks in 3 different European countries, and all of them require a lot more to authenticate me.

    The 3 procedures are:

    * Bank 1 (the simplest, and first system I have seen, some 10 years ago).
    - authenticate with user id (unrelated to name or account number) and password
    - be prompted to enter a one-time number from a list which I received by postal (registered) mail (it asks for the number at row x, column y)

    All other banks have long moved to something like the 2 others:

    * Bank 2.
    - put a special card received from the bank into a special calculator also received from the bank and enter password
    - enter user id (unrelated to name or account number) on bank web site
    - receive a one-time 6 digit number and type it into the special calculator
    - the calculator gives an 8 or 10 alphanumeric one-time password to enter into the web form

    * Bank 3.
    - I can't remember the details, but as with bank 2, there is a special device and procedure to follow involving password, user id, device id and one-time numbers exchanged between the device and the bank's site.

    - On top of that, the bank sends me an email every time I connect, with the date, time, the IP address from which I connected, and the money operations performed if any.

    1. Re:Only a USA problem? by TheRaven64 · · Score: 3, Interesting

      - On top of that, the bank sends me an email every time I connect, with the date, time, the IP address from which I connected, and the money operations performed if any. So, when I phone them up after intercepting this email, and they say 'please can you confirm the last transaction on your account' to get them to give me a new phone banking password, I'll know the answer. Actually, my US bank asked me this as a question. I didn't know the answer (that was why I was phoning them) so the helpful person told me the answer and then transferred me to someone else who would ask the same question. I was astonished, and very glad I don't keep much money in the US.
      --
      I am TheRaven on Soylent News
  8. I have one of those RSA tokens by xkr · · Score: 4, Insightful
    I paid $5.00 to paypal, including shipping. The little device fits on a keychain and generates a new six-digit code every 30 seconds. I simply add the six digits displayed to the end of my password when logging in. What is great, from the view of the web owners, is that there is no change to the visible user interface. It still looks like two fields: user-name and password.

    This is genuine "two mode" authentication. Sure, if someone stole my computer AND my keychain the security is compromised. Or, if someone puts a gun to my head. But still, compared to current web login security, this system is a vast improvement.

    All a bank has to do is say, "Here, this gizmo is free. And by the way, you have to use it if you want to do online banking." Managing these devices isn't any harder than managing ATM cards. Which people lose every day, and its not that big a deal.

    --
    I will create a sig when innovation restarts in the U.S.
    1. Re:I have one of those RSA tokens by Rick17JJ · · Score: 2

      I have one of those $5 PayPal security keys on my keychain. To pay by PayPal or access my account, I am asked first for my password and then asked for the current six-digit code from the security key. The six-digit code changes every 30 seconds.

      As for on-line banking, I have never signed up for that because of my concerns about security. If a local bank ever started using two-factor authentication with a security key, I would gladly give on-line banking a try. Until then, I am not interested.

      I frequently receive fake email messages claiming to be from PayPal, Amazon.com or various banks. They typically say someone has been added to my account and ask me to click on the link and log-in and check on the details. When I hold the cursor over the link without clicking, it shows me a complicated looking URL from a foreign country at the bottom of the screen. I have never actually clicked on the link to go to to their fake websites.

      As for on-line banking, personally, I would prefer to not do it from a heavily used family Windows computer which is used by children and teenagers. It is likely to have already been compromised from lots of heavy careless use. I prefer the idea of using a separate lightly used, but well maintained, Linux or Mac OS X computer just for that purpose. I am a middle aged Linux user myself, by the way.

      PayPal Security Key

  9. Does nothing for man in the middle attacks ... by Pinky's+Brain · · Score: 2, Interesting

    My own bank uses such a device, but they have been hit by bank specific trojans which simply let you authenticate a different transaction while you thought you were authenticating your own.

    The only solution is a separate device less easily owned than a PC which displays all the transaction details. Mobile phones would work (would be nice if they used better cryptography, but even without it's a lot more difficult to exploit on a large scale without physical presence).

  10. If you read the article by joeflies · · Score: 2, Insightful
    The article says that this is fraud commited by internal access to systems. It does not account for any fraud from access external to the business, i.e. phishing.

    An RSA token is a terrible way to handle internal security for anything other than a VPN. Imaging typing in a one time password every single time you lock your computer, access an application, etc. It would drive most people to just leave their computers unlocked all the time and logged in.

  11. Make ssn more secure! by Tmack · · Score: 2, Interesting
    The fact that simply knowing someone's ssn (for US peoples, of course) can expose them to all sorts of credit fraud is dumb. Granted, the system was created back before any of this online stuff was even imagined, but it is well overdue for a revamp. First, expand it past the 3-2-4 digit number. With the current population, 33% *should* be in active use by live people right now. Numbers are probably already being re-issued, and will soon lead to numbers being shared if its not expanded, which will only complicate things further.

    What is needed, if they want to keep the system at least a little similar, is to simply add a PIN. Keep the pin separate, never printed, just like a PIN for a bank card. The PIN must be used for opening any account or using the SSN in any manner an ID thief might. For general use only ssn is required, same as it is today. This alone would cut back on ID theft, as it would break the current method of "ssn + name = free$$" by requiring a PIN that only the original holder of the SSN should know, rather than requiring a simple to find number and some info thats publicly available.

    Tm

    Tm

    --
    Support TBI Research: http://www.raisinhope.org
    1. Re:Make ssn more secure! by sydbarrett74 · · Score: 2, Insightful

      Or how about legally forbidding use of SSN's for anything other than claiming social security benefits?

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman