Anti-Phishing Blog


Monday, February 27, 2006

Phishing for Numbers

Many financial institutions now have procedures in place to watch for phishing expeditions and to shut them down when detected. Now it is time to expand your thoughts on when and why your customer would give up confidential information, such as a Social Security Account Number, and bank information.

Yes, customers may feel giving this information is warranted on your site, even if you've never asked for it before. And you should have informed them by now of what you will and won't ask for, as a means of mutual protection. So who else may want it? How about the Social Security Administration? Customers who depend on this deposit each month may be more than willing to comply with a request, so their income isn't disrupted.

The SSA is warning consumers about a phishing scam that does to its site what financial institutions have been seeing for years: consumers are redirected to a phony site that asks for their confidential information, including bank account numbers.

As you educate your customers, don't limit precautions to requests that appear to come from your bank. Think outside the box. The perpetrators who want your customers' money will go to any extreme when they believe there is cost justification. And if none of these scams worked, they wouldn't exist. Protect your customers, your employees and your institution: educate.


Wednesday, February 22, 2006

Three Most Common Cyber Threats Today

Alex Shipp, senior anti-virus technologist at MessageLabs, outlined the top three common cyber threats today. He was speaking at the "RSA Conference 2006," a meeting focused on data security.


  1. Remote control code for zombie networks. A worm infects a computer, and control of that machine can then be taken remotely. When enough machines are under their control, the attackers call this organized network a botnet. Botnets of 5,500 machines rent for about $350 a week and are used by those sending spam, launching phishing attacks, looking to steal confidential information, etc.
  2. Phishing scams. These are the official-looking emails that want a victim to click a link, for example, and enter logon information for their banking site, PayPal or eBay account, or similar confidential financial information.
  3. Bank-stealing Trojans. Third on the list, and raising the threat level, is this new Trojan, which doesn't care about usernames, passwords, random codes or pictures. As banks increase the security level of online authentication, the cyber-crooks are responding with a Trojan that waits for the customer to log on to the real site, and then just transfers the money out of the account. These Trojans are programmed for specific banks, but more are being added.

The first line of defense is the user. Customers need to NOT open email attachments they're not expecting and do not trust. They also need to NOT enter information when they have not verified that they're on the web site they think they are. This isn't always easy. Gone are the days of poor spelling, grammar and silly-looking duplicate web sites. They need to keep their firewalls up and up to date, and the same holds true for their anti-virus and spyware protections. Your customers need to keep this foremost in their minds, and you have a responsibility to keep it in yours, and in theirs as well. The aggravation and loss you reduce may be your own.



Thursday, February 16, 2006

Firewalls Up, Security On

This is no time to become complacent over computer security, and banks need to continually remind customers of this. Software written to commit crimes such as identity theft, "crimeware" if you will, is growing. From November to December 2005 the number of sites used to distribute crimeware nearly doubled, to 7,197. This is according to a report issued recently by the Anti-Phishing Working Group (APWG).

David Jevans, APWG Chairman, said, "The speed, precision and massive scale by which the phishers were able to identify and exploit this vulnerability for criminal enterprise highlights the fact that the eCrime industry has reached a level of efficiency that has the potential to threaten the larger online economy."

The recent Windows Meta File vulnerability made it easier for these malicious programs. Your bank should have executed its patch management program already by downloading and installing the software to fill this hole. Microsoft releases patches the first Tuesday of each month, and more often if necessary. Have you reminded your customers to install all security patches?

It was a Trojan horse that a gang of hackers in Brazil used to steal money. On February 15, 200 police there executed 65 arrest warrants in Campina Grande and six other states. These hackers used the Trojan horse to obtain bank account numbers, user names and passwords to steal $6.38 million.

The leader, a 19-year-old, was one of those arrested. Five of the gang members arrested were minors. Police are still looking for 24 more members.

And closer to homes in the US, everything old is new again. I remember when scammers would make evening calls and tell the person on the other end that "you won if your Visa account starts with the number 4." The other scam was if your MasterCard started with a "5" and yes, they all do.

Spear phishing expeditions in Salt Lake City, Utah have increased. This is a phishing attack with a narrow market. Mountain America Credit Union customers received an email saying that they were automatically enrolled in the Verified by Visa program. Many customers have heard about this and know that it promotes security. The email, however, revives part of the old scam and tells them the first five digits of the card that is now in the program. Yes, they all have those same first five digits, but the customers don't know that, and this adds legitimacy to the email. Adding even more validity is that the site the email links the customer to, so that they can activate the new security feature, has Secure Sockets Layer (SSL) security. We've mentioned this before on BOL, and while it isn't common yet, it is happening. So the customer sees the "gold lock" in the browser and the "https" in the web address and believes they are on a valid site.


Tuesday, February 14, 2006

Multi-Factor Authentication is Getting Hot

2006 promises to be another busy year for those involved in information technology, internet banking, security and compliance. Add to this that bankers wear many hats, and more and more we're seeing a cross-over as one field of expertise touches the others. Technology is blending more of our tasks into one another's space. Multi-factor authentication is one more example of this.

Depending on the size and infrastructure of your financial institution, you may be involved in multi-factor authentication of your e-banking customers. The days of a username and password to log on will disappear, and for good reason. Examiners know that to err is human, but to really suffer a loss takes a computer. Well, it is something like that.

The Chicago FDIC recently held a conference call on this topic. The regulators in general are concerned that institutions are not doing enough to protect themselves and their depositors. Often bankers will cite the customer as the weakest link in e-banking security. While that may be true, it doesn't dramatically change the risks you face if your system is breached because of it, or if you pay many dollars in claims for unauthorized transactions. You still lose. At best, customers get frightened and abandon this effective delivery channel. Again, the institution will be the loser.

On October 12, 2005 the FFIEC released Guidance that financial institutions need to be more aware of, and acting on. This Guidance emphasizes that transaction capabilities in e-banking raise the risk level of these accounts. Concurrent with this risk, accessibility needs to be raised a notch from where it is. Authentication should be based on:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
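A worked illustration of the first two factors combined, added here and not from the post or the FFIEC Guidance: a password check ("something the user knows") plus an event-based one-time code of the kind a key fob produces ("something the user has", computed as HOTP per RFC 4226). The user record, salt and password are constructed for the demo; the fob seed is the RFC 4226 test secret so the expected codes are known.

```python
import hashlib
import hmac
import struct

# Constructed demo user store. In a real deployment the salt is random per user
# and the fob seed is provisioned once, never reused across users.
DEMO_SALT = b"constructed-salt"
DEMO_FOB_SEED = b"12345678901234567890"   # RFC 4226 test vector secret
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000),
        "fob_seed": DEMO_FOB_SEED,
        "counter": 0,   # next counter value the server expects from the fob
    }
}

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def check_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])

def check_fob(user: dict, code: str, look_ahead: int = 3) -> bool:
    """Accept the code for the expected counter or a few values after it (the
    user pressed the fob without finishing a logon), then move the counter past
    the value that was used so the same code cannot be replayed."""
    for c in range(user["counter"], user["counter"] + look_ahead + 1):
        if hmac.compare_digest(hotp(user["fob_seed"], c), code):
            user["counter"] = c + 1
            return True
    return False

def authenticate(username: str, password: str, code: str) -> bool:
    """Both factors must pass; a used fob code is consumed even if the
    password was wrong, so it cannot be retried with password guesses."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = check_password(user, password)
    fob_ok = check_fob(user, code)
    return pw_ok and fob_ok
```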

The FDIC noted that most institutions were aware of the guidance but were getting little done. This apathy comes from waiting for vendors to provide answers. That may not be good enough. You have to complete your own risk assessment. You need to determine what layered approach you want and what security processes work best for your customer base. Key fobs may be an answer, but they could be more costly than some other options. Passwords and verifications entered with a mouse pointer may be the most cost-effective, but could be compromised by new technologies. You need to integrate your chosen processes, involve the varied departments within your institution (those mentioned above) and understand why it is necessary to mitigate the identified risks. Then you have to communicate this to your customers (perhaps adding Marketing to the mix), so they understand and more readily accept the changes. Regulators are seeing an over-reliance on vendors for the answers.

A strong evaluation of your systems, including telephone and IVR delivery, is required. The time to start is now.


Wednesday, February 01, 2006

Internet ID Theft Fewer, But Losses are Up

Javelin Strategy and Research is releasing a report that depicts some new numbers on internet related fraud and identity theft.

Basic points:
  • When the source of the identity theft is known, only 9 percent is derived from hacking, viruses and phishing.

  • Perhaps some of this decline is attributable to targeted phishing expeditions. As perpetrators improve their methods, they are improving their ill-gotten gains: the average loss has more than doubled, from $2,897 to $6,432.

  • Lost and stolen wallets containing credit and debit cards are the source for 30 percent of the cases. Dumpster diving is on the decline, down 14 percent.

  • More fraudulent activity is conducted over the telephone, by more traditional means, than through a modem. Telephone fraud accounts for 70 percent.

  • The number of days before the stolen information is used varies with the method by which it was taken.

    • Phishing - 173 days
    • Known perpetrators - 134 days (these are family, friends, in-home employees, etc.)
    • Lost/stolen cards - 75 days

Your customers must still be on guard: recognizing deals that are too good to be true and odd messages requesting confidential information, checking for secured web sites before conducting transactions, using shredders, and following precautions when on the telephone, especially on calls they did not initiate.