*NEWS*CYBER CROOKS BREAK INTO ONLINE ACCT

  • 536716a_green_sweep_web_banner_902x17712
  • mse-big-banner-new-03-17-2016-416716a-tonernews-web-banner-mse-212
  • futor_902x177v7-tonernew
  • Print
  • 05 02 2016 429716a-cig-clearchoice-banner-902x177
  • 161213_banner_futorag_902x177px
  • banner-01-26-17b
  • ink-direct-banner-902-x-177-v-1-2-big-banner-03-23-2017
  • 2toner1-2
  • cartridgewebsite-com-big-banner-02-09-07-2016
  • 4toner4
Share

*NEWS*CYBER CROOKS BREAK INTO ONLINE ACCT

 user 2005-11-11 at 10:28:00 am Views: 55
  • #14575

    Cyber crooks break into online accounts with ease
    GASTONIA,
    N.C. – When he logged on to his Ameritrade account earlier this year,
    George Rodriguez caught a cybercrook in the act of cleaning out his
    retirement nest egg.

    He
    watched, horrified, as the intruder in quick succession dumped $60,000
    worth of shares in Disney, American Express, Starbucks and 11 other
    blue-chip stocks, then directed a deposit into the online account of a
    stranger in Austin.
    “My entire portfolio was being sold out right
    before my eyes,” recalls Rodriguez, 41, a commercial real estate broker
    who alerted Ameritrade in time to stop the trades.
    Rodriguez had
    just experienced a tech-savvy consumer’s worst nightmare. But it’s the
    reality of the digital world we live in: Everyone is now at risk of
    becoming the victim of an Internet-based crime – even folks who stay
    offline. And, once victimized, you can face more trouble than you might
    imagine.
    Many consumers and small-business owners naively believe
    online transactions are safe if they use a firewall, keep anti-virus
    software updated and follow security tips posted on banking websites.
    Not
    so, Internet security experts and federal regulators say. “What banks
    don’t tell you is how easy it is to bypass those protections, and how
    prolific the threat is, because then you wouldn’t do online banking,”
    says Peter Vogt, a board member of Information Systems Security
    Association, an international group of tech security professionals.
    Over
    the past two years, banks, credit card companies and credit agencies
    have made everything from changing a billing address to extending
    credit and transferring large sums easy to do online.
    That has
    created fresh opportunities for swindlers and hackers, say dozens of
    banking and Internet-security executives, analysts, consultants,
    researchers and regulators interviewed by USA TODAY over the past four
    months.
          Exploiting accounts         
    Federal regulators are
    cognizant of the biggest blind spot: To gain access to most online bank
    accounts, you need nothing more than a user name and a password.
    Bank
    of America told USA TODAY that it plans to require extra log-on steps
    for all Internet customers by early next year. It will become the first
    major U.S. bank to add another level of authentication, as banking and
    tech-security experts debate how to best balance convenience and
    security.
    The Federal Financial Institutions Examinations Council
    last month called on all banks to toughen log-on procedures by the end
    of 2006. But the council, a consortium of five federal banking
    agencies, stopped short of specifying how to do that.
    “No one knows what the right answer is yet,” says Unisys banking security consultant John Pironti.
    ‘They said it was safe’
    The
    case of small-businessman Joe Lopez, closely watched in banking and
    legal circles, has emerged as a microcosm of e-commerce at a crossroads.
    The
    bootstrap founder of Ahlo, a thriving Miami-based ink and toner
    cartridge wholesale business, Lopez says he opened a Bank of America
    online business account in October 2003 after being cajoled by bank
    representatives on more than 20 different visits to his local branch.
    “They said it was safe,” Lopez, 42, recalls from his office in a gritty
    industrial neighborhood.
    In April 2004, moments after logging on to
    his online account at work, Lopez spotted an entry revealing that
    someone had executed an electronic transfer of $90,348.65 to Parex Bank
    in Riga, Latvia. Lopez knew no one in Latvia. “I thought I was going to
    vomit,” he recalls.
    The next day, according to bank records, a
    mysterious figure named Yanson Arnold withdrew $20,000 in cash from
    Parex Bank, leaving $70,348.65 behind. Arnold has not been heard from
    since.
    Secret Service investigators later discovered someone had
    slipped a Trojan – a small bit of malicious code – past the firewall
    and anti-virus software Lopez assumed kept his computer protected. The
    Trojan, called Coreflood, had captured and transmitted Lopez’s user
    name and password to a data thief, who probably sold it to Arnold or
    his associates.
    Bank of America disavowed responsibility, prompting
    Lopez to sue the bank in federal court in Miami to get his money back.
    “We fully investigated his claims and determined that all of our
    internal protocols and security measures were in place,” says Shirley
    Norton, a Bank of America spokeswoman.
    In its defense, the bank has
    invoked an obscure section of the Uniform Commercial Code, state laws
    governing commercial contracts, which banks helped draft. It limits
    liability in delivering online services to businesses if certain
    safeguards are in place.
    Norton says the bank considers Lopez a
    business customer doing commercial transactions, not a consumer doing
    household banking. Consumers are protected by federal laws that limit
    their fraud losses in most cases to $50. They must report discrepancies
    promptly and generally be able to show wrongdoing.
    “It’s a bank’s way of saying, ‘It’s the customers’ fault,’ ” says Gail Hillebrand, a senior attorney at Consumers Union.
    Legal
    experts say BofA’s stance makes sense. It is refusing to expose itself
    to liability arising from the countless malicious programs that infest
    PCs used by small companies, over which the bank has no control. Such
    exposure could force financial institutions to curtail online services
    being pitched to small firms, a promising growth area.
    No trial date
    has been set for the case. If BofA prevails, it will reinforce the
    Uniform Commercial Code as a legal rampart financial institutions can
    use to fend off similar lawsuits. “Making Lopez whole could open BofA
    to settling lots of other breaches, and that adds up to a lot of
    money,” says Mark Budnitz, a law professor at Georgia State.
    Meanwhile,
    Lopez, now a First Bank of Miami customer, faxes wire-transfer requests
    to the bank using a form letter. He follows up with a phone call. “No
    more online transactions for me, man,” he says.
    Stealthy exploits
    While
    financial industry executives acknowledge the Internet’s security
    pitfalls, they say they have been mindful of minimizing risks to
    consumers and small businesses. Of the $1.3 trillion in transactions
    done with Visa credit cards in 2004, only 0.05%were fraudulent, the
    same Level as 2003, and down from 0.07%in 2002. Visa does not break out
    online transactions.
    “Online banking is safe and getting safer,” says Doug Johnson, senior policy analyst at the American Bankers Association.
    Indeed,
    consumer financial fraud has been around as long as checking accounts
    and credit cards, and banks already do plenty to stop fraud. But
    e-commerce has opened virgin criminal frontiers. “In the past,
    everything was much more traceable,” says Gartner banking analyst
    Avivah Litan. “Now you can open 10,000 (bogus) accounts in the time it
    used to take to open one, all in a faceless InternET
    More than half
    of Bank of America’s retail banking customers also bank online. A look
    at the top five online banks by estimated number of customers (in
    millions):
    Stopping mailbox thieves and check kiters in the physical
    world is one thing. But modeling the threat posed by crime groups using
    the Internet to commit fraud electronically, on a global scale, has
    proved to be much more complex.
    For one thing, electronic thievery
    is difficult to measure. When crooks get away with an online scam,
    banks often misclassify the pilfered funds as uncollectible debt. That
    masks the level of online fraud, says Litan, while “making it easier
    for the criminals to escape the law.”
    What’s more, there is little
    urgency for banks to measure cybercrime precisely. Online banking
    services are still in a nascent phase, representing less than $200
    billion of the trillions of dollars of transactions banks handle each
    year.
    Coreflood could have gotten on Lopez’s PC several different
    ways. It is one of many tried-and-true tools ID thieves use to harvest
    user names, passwords, Social Security numbers, account numbers and
    other personal data.
    Anti-virus, anti-spyware and firewall defenses
    offer limited protection, primarily blocking the known malicious
    programs relentlessly blasting across the Internet, seeking unprotected
    PCs.
    But elite identity data thieves have shifted to smaller-scale,
    more stealthy exploits, often aimed at compromising 1,000 or so PCs a
    day, says Joe Hartmann, director of anti-virus research at Trend Micro.
    Over time they can infect millions of machines but go completely
    undetected.
    Some specialist hackers focus on finding new ways to
    attach Trojans to free, downloadable music, pornography and gambling
    files found across the Internet. Others hide Trojans on popular
    websites or in e-mail attachments. Downloading a tainted file, visiting
    a contagious Web page or opening a viral attachment can load a Trojan.
    Meanwhile,
    phishing scammers seem to have endless creativity when it comes to
    crafting e-mail to trick even computer-savvy individuals into divulging
    sensitive account information at counterfeit websites. The best and
    brightest coders can make good money deploying “SQL Injection” attacks.
    These are aimed at tricking a Web page linked to a company database
    into giving up sensitive employee and customer data.
    Low-tech heists
    work, too. Larcenous company insiders can get paid top dollar to assist
    in pilfering directly from company databases. For his new book, The
    Insider, A True Story: Sometimes Security is About Keeping An Eye On
    Those We Trust Most, Dan Verton examined network traffic at 50 large
    companies and government agencies.
    In two days spent at each
    organization, he found 6,000 instances of names, Social Security
    numbers, credit card numbers, tax ID numbers, private health care
    information, payroll data and bank account information being
    transmitted, without authorization, to unknown locations on the
    Internet or to private e-mail accounts.
    Verton says his findings
    suggest similar breaches may be taking place at an epidemic level
    across e-commerce, with insiders diverting vast amounts of valuable
    data to criminal circles.
    In short, if our personal information
    resides in any database anywhere, it can become a target, even if you
    prefer to write checks and patronize bricks-and-mortar banks and stores.
    ‘This stuff happens’
    Apart
    from data thieves, another kind of crook specializes in converting the
    stolen ID data into goods and cash, using the Internet as a
    communications and distribution network.
          Surge in attacks         
    Phishing: 73 million adults say they’ve received at least 50 phishing e-mails in the last 12 months.
    Spyware: 80% of consumer PCs are infected with spyware.
    Blended attacks: 63% of large companies say their main security concern is the increasing complexity of cyberattacks.
    Corporate
    losses: 639 of 700 companies and government agencies surveyed lost $31
    million worth of proprietary data and spent $43 million to clean up
    computer viruses.
    Consumer risk: 13% of all Internet users have had
    a member of their household victimized by identity thieves, and 41% say
    they are buying less online due to security threats.
    Sources:
    Gartner Research, June 2005; Web root, 2005 State of Spyware report;
    Deloitte 2005 Global Security Survey; CSI/FBI 2005 Computer Crime and
    Security Survey; Conference Board Research Center, 2005.
    “The market
    is becoming more sophisticated,” says Jim Melnick, former analyst for
    the Defense Intelligence Agency, now director of threat intelligence at
    security firm iDefense. “There’s more differentiating of roles and
    services to streamline and accelerate cybercriminal activity.”
    The
    most widely cited measure of cybercrime activity comes from a
    2-year-old Federal Trade Commission consumer survey, the first of its
    kind, which placed the number of Americans victimized by identity
    thieves at 10 million in 2003, with consumers losing $5 billion and
    businesses $48 billion.
    The FTC plans to redo its identity theft
    survey early next year, and the results are expected to reinforce
    anecdotal evidence that cybercrime has intensified.
    George
    Rodriguez, the North Carolina commercial real estate broker, doesn’t
    need a government study to tell him the threat is increasing. When
    Rodriguez spotted a cybercrook attempting to transfer proceeds from his
    Ameritrade portfolio to a consumer account at Bank of America, he
    quickly called authorities to cut short the stock trades before they
    were settled.
    But the experience left him wondering what might have
    happened if he had been on vacation or simply not using his computer
    that day.
    A local detective identified the BofA account owner as Kevin Maguire, a 53-year-old corporate travel manager from Austin.
    Contacted
    by USA TODAY, Maguire said he “has no idea” what happened to his bank
    account. He says BofA informed him of the incident, but said little
    else. “They just told me this stuff happens,” Maguire says.
    Investigators
    say cyberthieves probably intended to use Maguire’s compromised account
    to launder Rodriguez’s cash. To misdirect authorities, thieves
    typically transfer funds a number of times culminating in a cash
    withdrawal.
    Dealing with the fallout of a cybercrime can be
    frustrating. Most banks espouse policies of making restitution to
    consumers who fall prey to online fraud, if the crime is reported
    within 60 days.
    But that is not uniform. Ameritrade, which declined
    comment to USA TODAY, told Rodriguez in a short letter that it would
    unravel the bogus stock trades “as a one-time courtesy to you. …
    Going forward, you are responsible for any transactions placed in your
    account.”
    “They treated me as if I screwed up,” Rodriguez says, looking at the letter, shaking his head