Special Edition
October 7, 2009


New threats being made against your customers expose your bank to increasing risks of loss. Customer logon credentials are being compromised. The case has never been stronger for educating your customers to help keep their accounts -- and your bank's funds -- secure.

We're publishing a Special Edition of Tech Talk today and disseminating it to all our briefing subscribers because of the alarming increase in the number and variety of cyberscams that are compromising sensitive customer information. We urge you to share this alert with all members of your staff and utilize the information to update your customer awareness and education programs.


3 scam emails purport to be from FBI
The FBI has issued an alert warning the public about phishing emails that purport to come from the agency. There are three variations: one claims to contain "Intelligence Bulletin No. 267"; another purports to be from the Department of Homeland Security and the FBI Counterterrorism Division; and the third claims to contain an FBI intelligence bulletin from the Weapons of Mass Destruction Directorate. KOCO, Oklahoma City, was among the media outlets covering the schemes; watch its report, "FBI Warns of Email Fraud." Access the October 5, 2009 alert from the FBI about the phishing messages.

Scammers target social networking
On October 1, the FBI posted a warning on its site about techniques used by fraudsters on social networking sites. With recent news reports indicating that 17% of all recent Internet traffic involves social networking sites such as Facebook and Twitter, it's no surprise that cybercriminals see them as an attractive conduit for their swindles. A video report from the Today Show at MSNBC.com demonstrates how logon credentials can be stolen in real time. The segment also describes how scammers exploit human emotions after hacking email and social networking accounts. In a revival of a scam seen in recent years, the hijacked accounts are used to send requests for emergency money to the victim's relatives and friends, who are led to believe help is needed immediately.
("Help! I'm in [insert name of a foreign country] and [describe calamity, such as my wallet was stolen] and I need any of my friends who are reading this and able to help to please [describe method of sending funds].")
Of course, any money sent is diverted into the scammer's hands. The video clip does a great job of driving home how clever and dangerous these scams are.

URLZone, a new threat
Trojan horse programs are not a new threat, but one new variant is particularly good at what it does: taking money out of your customers' accounts. URLZone infects the customer's computer, waits for the customer to log on to Internet banking, and moves money out of the account from inside the customer's own authenticated session. Here's the really scary part: it rewrites the balance and statement pages the browser displays, so the customer doesn't see that the funds have been taken. It also doesn't empty the account, so the red flags are raised later, after the thieves are long gone. This Trojan also recognizes computers run by investigators and law enforcement and replies to their queries with bogus information about the program to throw off an investigation. Read more on this in CIO.

Email users targeted with new attacks
Data thieves have mounted a massive phishing attack on Web-based email accounts. Hotmail, Gmail, Yahoo and AOL users all appear to be at risk. Logon credentials for 20,000 users have been published on the Web; the total number of users whose credentials have been compromised is not yet known, but because these are the most popular Web-based email services, it could be huge. TechWorld.com explains how webmail users were likely duped into giving up their user names and passwords.


What has this got to do with us?
It is estimated that the average Internet user has at least twenty unique websites requiring logon credentials; power users often have more. To reduce the burden of remembering multiple user names and passwords, many people adopt a "universal identity," using the same login and password on as many sites as possible. Convenient? Yes, but highly unwise. Once a user name/password combination is compromised at one site, thieves try it at other sites to see what else it unlocks, and a published webmail credential dump like the one described above is exactly the kind of list they start from. If any of your online banking customers use the same password for Internet banking as for Gmail, Facebook and other websites, their bank accounts are at risk.
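What the bank sees when a leaked list is replayed against its login page is a single source trying many different user names, most of them failing and a few succeeding. The following is an added example, not code from BankersOnline or any bank, of detecting that pattern in authentication logs; the log format, the IP addresses and the user names are constructed for illustration, and the thresholds are assumptions to tune for your own traffic.

```python
"""Detect credential stuffing against an Internet banking login from auth logs.

Added example, not code from BankersOnline or any bank. The log format below
is constructed: "<timestamp> src=<ip> user=<id> result=<ok|fail>". A stuffing
run replays leaked user name/password pairs, so its signature is one source
trying MANY DISTINCT user names and mostly failing. That is unlike a brute-force
run (one user name, many attempts) and unlike a real customer mistyping a
password (one user name, a few failures, then success).
"""
from collections import defaultdict
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 cycles through leaked accounts (one of which
# reused its webmail password at the bank); 198.51.100.5 is one customer
# mistyping a password; 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2009-10-07T08:00:01 src=203.0.113.7 user=jsmith result=fail
2009-10-07T08:00:02 src=203.0.113.7 user=mlee result=fail
2009-10-07T08:00:02 src=203.0.113.7 user=rgarcia result=ok
2009-10-07T08:00:03 src=203.0.113.7 user=akhan result=fail
2009-10-07T08:00:03 src=203.0.113.7 user=bwong result=fail
2009-10-07T08:00:04 src=203.0.113.7 user=tnguyen result=fail
2009-10-07T08:00:10 src=198.51.100.5 user=cjones result=fail
2009-10-07T08:00:15 src=198.51.100.5 user=cjones result=fail
2009-10-07T08:00:20 src=198.51.100.5 user=cjones result=ok
2009-10-07T08:01:00 src=192.0.2.9 user=dpatel result=ok
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources whose pattern looks like credential stuffing.

    A source is flagged when it tried at least `min_distinct_users` different
    user names and at least `min_fail_ratio` of its attempts failed. The summary's
    "hits" are the accounts that DID log in from that source: those customers'
    passwords were valid on the leaked list and need a forced reset, not just
    a lockout of the attacking IP.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["hits"].append(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        fail_ratio = s["fails"] / s["attempts"]
        if distinct >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "users": distinct,
                "attempts": s["attempts"],
                "fails": s["fails"],
                "hits": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"possible credential stuffing from {ip}: {info}")
```

Only 203.0.113.7 is flagged: six different user names, five failures, and one successful login (rgarcia) that marks a customer whose reused password has now been confirmed by the attacker. The customer who mistyped twice is not flagged, because the rule keys on distinct user names per source rather than on failure count alone.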

In the FFIEC guidance "Authentication in an Internet Banking Environment," there is a mandate for customer awareness and education efforts. It states "[F]inancial institutions should evaluate their consumer education efforts to determine if additional steps are necessary. Management should implement a customer awareness program and periodically evaluate its effectiveness."

How do you evaluate the effectiveness of your customer awareness program? The guidance says methods include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials (e.g., ID/password), the number of clicks on information security links on Web sites, the number of statement stuffers or other direct mail communications, the dollar amount of losses relating to identity theft, etc. (the "etc." signals that the list is not meant to be all-inclusive).

When the examiners (or the lawyer for a scammed customer who's now suing you) ask to see documentation of your customer awareness and education program, what will you have to show? If you are not actively engaged in awareness efforts, you need to start now. The cyber-landscape is dotted with danger and you need to help prepare your customers to navigate around the scams and schemes. As customers grow to depend on Internet banking convenience, bankers have to keep them aware of the risks by keeping their customer education efforts current in the face of continued and ever-changing threats to account security.

Case tests bank duties
A pending case against an Indiana bank, Shames-Yeakel v. Citizens Financial Bank, underscores the importance of the FFIEC guidance document. The plaintiffs' logon credentials were compromised. Thieves used Ms. Shames-Yeakel's user name and password to access the couple's home equity line and transfer $26,500 to their business checking account; from there, the funds were transferred to a bank in Austria. Citizens maintains that the customers were responsible for protecting their logon credentials and points to wording in its online banking agreement: "We will have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice." The Shames-Yeakels are suing Citizens because they believe the bank did not do enough to protect its customers.

The plaintiffs also argue that Citizens did not do enough for customer security because multi-factor authentication was not yet in place for all customers. It was in the works, so the bank had recognized the need. But even this enhanced security may not be enough on its own, as the case below shows.

Multi-factor authentication not a panacea
A Technology Review article explains how multi-factor authentication can be defeated. Ferma, a construction company, logged on to its Internet banking site, and a "hitchhiker," malware on the company's computer, rode along inside that authenticated session. While Ferma's manager was paying bills, the hitchhiker transferred $447,000 of Ferma's money, despite the manager's use of a one-time password from a token device whose six-digit code changed every 30 or 60 seconds. The token proved who was logging on; it said nothing about which transfers the customer had actually requested.
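Both the URLZone Trojan above and the Ferma "hitchhiker" work the same way: the customer authenticates, and the malware issues its own transfers on the already-authenticated session, so a login-time one-time password never enters the picture. The following added example (not code from Technology Review, Ferma, CIO or any bank) models that, then shows the control that does help: a per-transaction code computed over the destination and amount, so a transfer the customer did not request fails verification. The token and signing scheme here are a toy HMAC construction assumed for illustration, not any vendor's product, and the account names and amounts are constructed.

```python
"""Why a login OTP does not stop a browser-resident 'hitchhiker', and what does.

Added example (not code from Technology Review, Ferma, CIO or any bank).
Models the man-in-the-browser pattern shared by URLZone and the Ferma case:
once the customer has logged in with a one-time password, malware reuses the
live session. The fix shown, a per-transaction code over destination and
amount, is standard transaction signing; the toy token here is an HMAC over a
shared seed and is an assumption for illustration, not a vendor's scheme.
"""
import hashlib
import hmac


def otp(seed: bytes, counter: int) -> str:
    """Toy event-based login token: 6 digits derived from HMAC(seed, counter)."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def txn_code(seed: bytes, dest: str, amount: int) -> str:
    """Transaction-signing code: binds the destination and amount to the token."""
    digest = hmac.new(seed, f"{dest}|{amount}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    def __init__(self):
        self.seeds = {"ferma": b"constructed-token-seed"}  # per-customer token seed
        self.last_counter = {"ferma": 0}                    # last accepted OTP counter
        self.balances = {"ferma": 1_000_000, "supplier": 0, "mule": 0}
        self.sessions = {}                                  # session id -> customer

    def login(self, user, code, counter):
        """Accept a token code once: the counter must advance past the last one used."""
        expected = otp(self.seeds[user], counter)
        if counter <= self.last_counter[user] or not hmac.compare_digest(code, expected):
            return None
        self.last_counter[user] = counter
        sid = hashlib.sha256(f"{user}:{counter}".encode()).hexdigest()[:16]
        self.sessions[sid] = user
        return sid

    def _move(self, user, dest, amount):
        if self.balances[user] < amount:
            return False
        self.balances[user] -= amount
        self.balances[dest] += amount
        return True

    def transfer_weak(self, sid, dest, amount):
        """OTP at login only: anything sent on an authenticated session is honoured."""
        user = self.sessions.get(sid)
        return user is not None and self._move(user, dest, amount)

    def transfer_signed(self, sid, dest, amount, code):
        """Per-transaction code over (dest, amount): a swapped destination or amount fails."""
        user = self.sessions.get(sid)
        if user is None:
            return False
        if not hmac.compare_digest(code, txn_code(self.seeds[user], dest, amount)):
            return False
        return self._move(user, dest, amount)


def simulate():
    bank = Bank()
    seed = bank.seeds["ferma"]
    # The customer logs in with a fresh token code; the Trojan rides the same session.
    sid = bank.login("ferma", otp(seed, 1), 1)
    # Login-OTP-only bank: the customer pays a supplier, the Trojan adds its own transfer.
    weak_customer = bank.transfer_weak(sid, "supplier", 10_000)
    weak_hijack = bank.transfer_weak(sid, "mule", 447_000)
    # Transaction signing: the customer computes the code for what they typed;
    # the Trojan swaps the destination (or the amount) in flight.
    code = txn_code(seed, "supplier", 10_000)
    signed_customer = bank.transfer_signed(sid, "supplier", 10_000, code)
    signed_hijack = bank.transfer_signed(sid, "mule", 10_000, code)
    signed_amount_swap = bank.transfer_signed(sid, "supplier", 20_000, code)
    return {
        "weak_customer": weak_customer,
        "weak_hijack": weak_hijack,
        "signed_customer": signed_customer,
        "signed_hijack": signed_hijack,
        "signed_amount_swap": signed_amount_swap,
        "mule_balance": bank.balances["mule"],
        # The login OTP cannot be replayed, but that never mattered to the Trojan.
        "replayed_otp": bank.login("ferma", otp(seed, 1), 1),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The weak bank honours the $447,000 transfer to the mule account because the session is genuinely the customer's; the replayed OTP is correctly rejected, which shows the token did its job and was simply irrelevant. With the signed variant, the code the customer generated for "supplier, 10,000" does not verify for a different destination or amount, so the Trojan would need the token seed to forge one. A real deployment also folds a challenge or counter into the signed message so that an identical transfer cannot be replayed, and displays destination and amount on the token itself so the customer is not relying on a browser the malware controls.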

Awareness is critical to your threat defense
Your customers need to be aware of the risks of using Internet banking. Remind them about password security, using a unique password for account access, and keeping firewalls in use and anti-virus protection updated. Education about security threats also makes it easier to ramp up password security on your side by enforcing a strong password requirement and periodic password changes. Review the 2005 FFIEC guidance document and consider all the ways you can keep the security message current and relevant for your customers. Customer awareness of online banking risks and how to avoid them is the strongest weapon in your defense against losses in the Internet banking environment.
