Wednesday, July 28, 2004

Phishing Isn't New, But the Phishermen Are Getting Better

Phishing stories are very common these days, in the US and abroad. Gartner's Avivah Litan released a survey last April indicating that nearly 1.8 million Americans were duped by fraudulent emails and released confidential information, including credit card numbers, to thieves.

MailFrontier Inc. tested 1,000 consumers by showing them a mix of email messages, both real and fake (phishing). 28% of the phishing messages were identified as valid. What's more, legitimate messages were confused with fakes. So the risk is double-edged: you may unwittingly provide confidential information or expose your computer to a virus, and at the same time you may skip an important message from a customer.

Just a few years ago these fake messages had poor grammar and spelling and were easily identified as trash on visual inspection alone. But the "phishers" are now producing higher quality messages, and they are getting difficult to distinguish from legitimate ones. I personally received one this week which was confusing. When I saw it on my PC, I was able to identify it as a fake, but I initially received it on my BlackBerry, and it looked as though it was from my ISP and that perhaps spam was being sent from my PC. It was a fake message, and following the instructions to rid myself of this would likely have created a major problem. With a home network, this issue will be discussed with others who may fall for this, "trying to do the right thing". The same holds true for your networks in the bank, at your home or your customers'. Each user can be the weakest link, as one infected PC can infect the others.

What is your Phish IQ? Test yourself at MailFrontier. I had to try several times to get to this site.  But this may be a training exercise worth employing with your users.

These phishing expeditions are on the rise. The Anti-Phishing Working Group shows a 19% increase from May to June. Larger banks with larger customer bases are the primary targets. Citibank had nearly 500 separate attacks in one month, First USA showed a 67% increase, and US Bank (also referenced by Ken Golliher in the threads) was up 50%.

An important note here is to ensure that users are educated and that information is communicated. Two old adages are still applicable today. "There is no such thing as a free lunch." Customers need to understand that the orphan in Nigeria did not select them out of everyone in the world to help him get his millions out of the country, and that the Cashier's Check for $12,000 more than the purchase price of the bicycle is not good, regardless of the Reg. CC terminology of "it cleared". And "if you didn't initiate the call, don't give out your SSN or bank account number." Make sure customers know that you are NOT asking for this in an email. This is why you have a secured site for Internet banking.




Monday, July 19, 2004

Checking account fraud is increasing. Your bank needs to be aware if this is happening in your market and has to be prepared to answer questions. Prepared "talk-offs" (scripted responses for front-line staff) give consistent and accurate answers from the bank when a customer asks a question such as "what do you mean, just anyone can electronically take money out of my account and you don't have to verify that I authorized it?"
 
Last May a lawsuit was filed by the FTC. There was an attempt to withdraw $12MM from 90,000 different bank accounts. Pharmacycards.com appears to have obtained the ability to create ACH transactions and had a somewhat dated list of account numbers. They debited $139 at a time from bank accounts. The list wasn't current, and an estimated 70% of the transactions bounced because the data was no longer correct. But $3.5MM in transactions were valid enough to pay. Consumers and their banks were the losers in this scam.
 
The FRB is now considering making the merchant's bank responsible for unauthorized drafts. It is hoped that this would take "KYC" to a higher level and reduce these fraudulent transactions. In the meantime, someone has to explain to the customer why this happened and when they'll get their money back. This is a large scam, but it is not unique to pharmacycards.com. Others are doing this too. Remember, customers trust their bank. Be prepared to discuss these questions with the right answers. Education is also prevention. Make your customers aware of the threats and teach them to protect their private banking information. It isn't a 100% guarantee of safety, but it may be better than what we are seeing now.
 
 

Monday, July 12, 2004

Phishing Scams Continue to Target Bank Customers

Phishing scams are on the rise, and although only the largest institutions have been targets so far, that is no guarantee that smaller institutions will not also become targets soon. Scammers are getting more creative and brazen as their targets become more sophisticated in recognizing and detecting the phish. This phish plays on customers' motivation to avoid fees on their account.



Customer Education Is Key
A simple message from your institution to your customers may help to reduce fraud and avert potential losses from phishing scams. Warnings can be in the form of a message on your website or a mention in a statement stuffer or brochure mailed along with your customers' statements. Informing customers of exactly how your institution will communicate with them, and what information will and will not be requested of them, is a good starting point for your customer education campaign.

Thursday, July 01, 2004

Bank Robberies Getting BAD
In earlier entries in this blog, we covered the "caught on tape" robbery that just went down in Washington, and told about the fatal shooting of a teller in Tulsa. Wonder if there's any slow-down in sight? Sure doesn't look like it. In one particularly sad recent case in Columbus, Georgia, a 25-year-old bank teller has been charged with playing a role in the armed robbery of the bank where he worked. The robber used a gun to take nearly $150,000 from two bank employees loading one of the bank's ATMs. Details of the teller's involvement were not revealed.

Here is just a SAMPLE of the bank robberies (and captures) that have taken place this week. We wish we could say this was all of them. It's not -- by a long shot.

Monday:

Wachovia Bank, Duluth, Georgia. Middle-aged white guy in a ball cap makes off with $9,852. (Who let that out?) More.

Farmers & Mechanics Bank, Willingboro, PA. Suspect used a note which indicated he was armed, and wore a baseball cap. More.

SouthTrust Bank, Birmingham, AL. Two men, one armed with a gun. Fled in pickup. More.

Tuesday:

HSBC branch, Tonawanda, NY. Armed with a note, wearing a hat, in and out with the money. More.

Centra Bank, Inwood, WV. Dress of choice: camouflage scarf over head and face. More.

Texas Bank, Willow Park, TX. Forced employees and customer to lie on the floor. Wore a sock cap or ski mask. More.

Pinnacle National Bank, Green Hills, TN. Robber used semiautomatic handgun. Had on a ball cap. More.

Wednesday:

AmSouth Bank, North Chattanooga, TN. Note robbery. Casually dressed, relaxed looking, white guy in his 30s.

FleetBank, Berlin, NY. Fat white dude passed a note, robbed the bank, then tied up two female bank employees before making his getaway. What was he wearing? A baseball cap, of course. More.

SunTrust Bank. Atlanta, GA. Yet another ballcap-wearing robber. Used a threatening note. Is believed to have robbed three Wachovia branches recently. More.

Austin gets hit AGAIN. Chase Bank robbed. More.

Bank of Tuscaloosa, Tuscaloosa, AL. Love this. News story reports that "a man" robbed the bank with a note and fled on foot. No picture of him in this story, no description whatsoever. But the news station helpfully adds "Anyone who knows who or where the man is should call the Tuscaloosa Police Department." Yeah, right. I wouldn't be waiting for that phone to ring. More.

Great Southern National Bank, Hattiesburg, MS. A robber who claimed to have a gun robbed the bank and left on foot. More.

BB&T, Charlotte, NC. Creep fired several shots, but left empty-handed after trying to rob the bank. The police were alerted by a silent panic button. Then they got a call when someone heard shots. Finally the teller called. The would-be robber was wearing a wig and sunglasses, and is still on the lam. More.

CAUGHT!
Honolulu. The uncle bandit (who's believed to have robbed seven banks) is nabbed. More.

Versailles, IL. Stupid robber shows up at the bank wearing a stocking over his face. Guess what? The bank had a buzz-in system on its door, and the employees wouldn't unlock the door to let him in. He was quickly apprehended. (And he wasn't a newbie, either. This 70-year-old man had previously served time in prison for bank robbery!) More.

Seattle, WA. Nondescript white guy who wore a ball cap, was plain vanilla in appearance and MO, was caught after robbing 9 banks. Authorities had dubbed him the "Average Joe" bank robber. More.

Bank One, Indianapolis, IN. After the bank was robbed, an employee was able to follow the robber and give police a good description of the getaway vehicle. More.

Citizens Bank, Saginaw, MI. Lack of preparation. Don't you love it? His intended getaway vehicle was a bicycle. Alas, it had a flat tire, and a former branch employee who witnessed the young man fleeing the bank became a hero when she dialed 911 from her cell phone and followed the bandit as he abandoned his bike and attempted to flee on foot. More.


While no robbery is a laughing matter for those directly affected, who have been terrorized by the bandit or bandits in a specific situation, there are certainly some cases that, from the outside, bring a chuckle. One is the case of the 43-year-old bank robber in Pennsylvania who foiled his own escape by fainting when the teller left him standing alone at the counter! More.


Email May Not Be As Private As You Think
A decision handed down yesterday by the U.S. Court of Appeals for the 1st Circuit in the case of U.S. v. Councilman has some potentially startling implications for anyone who sends or receives email containing sensitive or confidential information.

Councilman's company sold rare and out-of-print books. It offered book dealers email accounts, too. What the book dealers didn't know was that Councilman was exploiting their use of the email accounts to gather competitive intelligence about their needs. He did this by having a computer program written that would copy all incoming email to the book dealers from rival Amazon.com and allow him to read it without their knowledge.

The opinion here deals with the issue of whether Councilman's conduct violated the federal Wiretap Act. In a 16-page majority opinion, the 1st Circuit agrees with the trial court that it did not violate that statute, because the statute requires the communication to be "intercepted," and the court took the position that since the email was in electronic storage, it was not intercepted. The Act, written before the Internet gained such huge popularity, simply does not squarely fit facts such as these. (The dissenting judge explains, in a 37-page dissent, why he strongly disagrees.)

Where is YOUR email stored? Who could possibly have access to it during that storage period? Knowing that, at least under this court's reasoning, a cybersnooper who reads your email from storage could not be successfully prosecuted under the Wiretap Act, it becomes even more important to contractually prohibit prying eyes, with strong contract language and severe penalties for violation.

Here are some thoughts about the case from other members of the BOL Team:

JOHN: As we know, courts of appeals aren’t necessarily the “last word” on topics like this. The finding seems a little bit of a stretch, and could be overturned.

But, this isn’t the Ninth Circuit, is it?

Another potential problem for banks would be outsourced firewalls. Couldn’t it be argued that messages are stored there at least momentarily before running thru the filter and out the door?

MICHELE: Hmm --- that is scary. Several things come to mind.

If it is not illegal to read private transmissions so long as they continue to go to the intended person, that puts at risk any institution that uses a 3rd party outsourced provider for their mail services -- and there are a lot of banks that do that. Even if a bank was using a sophisticated third-party outsourcer and had privacy clauses in place, what about smaller institutions that allow mail to go through a local ISP? -- that is an even worse scenario.

It really seems to me that this can't stick -- that there will be some change to the law -- I am sure there are lots of other possibilities that would leave people feeling very unsafe and exposed.

ANDY: It says that if information passes over your machine and is stored, you have the ability to review it. It should scare everyone. Does this give (in this case Councilman) the authority to review all your email that he had, even for a moment, and the attachments, even when they're encrypted? Does this give law enforcement the ability to get his records, and thereby get your records? Would this apply, and I'm sure it would, to Gmail, Yahoo, MSN, etc. and offsite storage businesses as well as web hosts? You only thought you had a secret password protected section of your website.

GEORGE: WOW -- well, at a minimum, it seems to me that if a financial institution outsources their email, the ISP could look at email on the server without penalty.

Another thought comes to mind. If the servers are outsourced, does this ruling allow the ISP, or server owner, to snoop through all the files without consequence?

On the other hand, this seems like a loophole that will quickly be plugged. Just because the Wiretap Act can't be used as a defense doesn't render the activity acceptable. And, not knowing the specific arrangement that this guy had with his customers, I don't know if outsourcers would have the same freedom (not knowing what the standard contract language is in ISP agreements).



