Anti-Phishing Blog


Wednesday, August 06, 2008

75 Percent of Bank Websites have Security Flaws

The University of Michigan surveyed more than 200 bank websites and found that 75 percent had a flaw that could contribute to a loss of money or identity.

While the survey was done in 2006, it is only recently being published. And these are not software patch issues. The problems identified involve the flow and design of the websites themselves, such as a secure log-on box requesting credentials on an unsecure page. While the authors note that some of these problems may have been resolved since, many issues still place customers at risk today.

The study also uses FDIC reports that reflect a 150 percent increase in SARs filed for computer intrusion. At an estimated $30,000 loss per incident, this equates to a $16 million loss in the second quarter of 2007 (the period the FDIC reported on) alone.

The design flaws that the survey was looking for included:
* Placing secure login boxes on insecure pages
* Putting contact information and security advice on insecure pages
* Having a breach in the chain of trust
* Allowing inadequate user IDs and passwords
* E-mailing security-sensitive information insecurely

It may be time to review your website and see where you stand.

For more, read the article on the University of Michigan News Service.


Friday, May 16, 2008

FTC Settles "Wal-Mart Shopping Spree" for $28 Million

Brian K. MacGregor was the architect of the "Wal-Mart Shopping Spree" scam, and he is now paying the price. Several of his companies were involved in a scam in which consumers were tricked into disclosing bank account information. The consumers were promised shopping sprees at Wal-Mart or Macy's, movie tickets, or vouchers for free gas. The items were promised for free, but with a shipping and handling fee to be paid by the consumer. Some thought they were paying monthly fees for a program membership.

MacGregor violated the FTC Act and the Telemarketing Sales Rule. As a consequence, a fine of $28.2 million, representing the money paid into the scheme, is to be paid. The participants are also barred from engaging in this type of activity in the future.

Consumers who had money taken by any of the corporate defendants without their express informed consent may send a letter to: Federal Trade Commission, attn.: Faye Chen Barnouw or Jennifer M. Brennan, 10877 Wilshire Blvd., Suite 700, Los Angeles, CA 90024. The letter should identify which company took money from them, include the dates and amounts of the withdrawals, and contain any supporting documentation. Consumers who have already sent this information to the FTC do not need to resubmit it. Consumers seeking more information about this case may call the case hotline number: 202-326-2090.

More information is available on the FTC web site.


Wednesday, April 30, 2008

Your Check is In the Mail

The economic stimulus payments are starting to be sent. Email scams are frequent, and it is worth reminding your customers of some facts. The IRS already has their information. There is no need to respond to any email request for verification, or to any request to choose direct deposit over a mailed check. The IRS is using the same refund method for the stimulus payments as the taxpayer selected for any 2007 refund. If they opted for a check, a check will be sent to that address. If the taxpayer opted for direct deposit, that is where the stimulus payment will be sent.

Are your tellers and CSRs prepared to field your customers' questions?
  • Will the bank tell me the money is in my account?
  • What if I have closed the account I had for my refund, but have a new account with you now?
  • How much am I getting?
  • When will my check be sent?

You should be prepared with resources and talk-offs for your staff.

Need to calculate your stimulus payment?
http://www.irs.gov/app/espc/

Want to know when payments are scheduled for delivery?
http://www.irs.gov/irs/article/0,,id=180250,00.html


Monday, April 07, 2008

Where the Phishing is Best

Symantec, the security software company, released its "The State of Phishing" report. In February, the most popular attacks were seeking money through fraudulent tax refunds.

Also of note, 84 percent of fraud activity was directed at the finance industry. Key targets were banking sites and e-commerce in general. Thirteen percent was targeted at information services, where sending spam was the intended use of the harvested information.

On a brighter note, the number of unique sites used for phishing fell 1.8 percent in February 2008 as compared to the month before.


Tuesday, March 11, 2008

You have an IRS refund, and someone wants it.

Even before the Economic Stimulus package was approved, scammers were sending emails asking consumers to verify their personal information in order to process their refunds. It is a scam, and the emails are continuing to come.

The Federal Trade Commission has issued a warning advising consumers that the IRS and the Social Security Administration do not collect refund or rebate information by telephone or email. These messages are phishing attempts to obtain personal information over the phone or through a phony website. That information could then be used to facilitate identity theft.

Urge your customers to keep their confidential information confidential. Consumers should not provide this information over the web, and certainly not to someone who calls them. Even if the caller provides a number to call back, consumers should verify that the number is correct. These scammers are known to provide fake call-back numbers that simply ring in their own offices, just as they provide false website addresses.


Wednesday, February 13, 2008

Watch Out for a Valentine's Day Storm

The FBI issued a warning that the Storm virus may be attached to St. Valentine's Day e-cards. The reader is given a link to click, which leads to a malicious site where the virus can infect the reader's computer.

If you are not expecting an e-card or don't know the sender, don't open the card.

The FBI asks that if you have received this, or a similar e-mail, please file a complaint at www.ic3.gov.


Friday, January 04, 2008

CAN SPAM Enforcement

You may not know the name Alan Ralsky or the names of the other ten defendants indicted with him, but there is a strong chance they know you... or at least your email address. Ralsky and ten others have been indicted in possibly the largest criminal spam and electronic fraud case in our history. They sent millions of spam messages every day, including many of the pump-and-dump messages many of us received. The case will represent enforcement of the CAN-SPAM law as well as charges of conspiracy, electronic mail fraud, mail fraud and wire fraud.