Skip to content
Tips for Tech

Tech Alert Briefing for 7/23/2003

Kinko's Keystroke Caper Underscores Need for Diligence

Using a $100 commercially available keystroke logging program, 25-year-old JuJu Jiang of Queens, New York stole over 450 online banking passwords during a two year period.Last week he pleaded guilty in federal court.

The scam began with Jiang installing a keyboard-sniffing program on public Internet terminals at thirteen Kinko's locations scattered throughout Manhattan.Unwitting Kinko's customers using the terminals then had their keystrokes logged as they accessed information.

Throughout a two-year period Jiang retrieved over 450 online banking usernames and passwords.With username and password information in hand, Jiang then used the victims' personal and financial information to open new accounts under their names.Jiang then transferred money from the victims' legitimate accounts into the new, fraudulent ones.

In this case, as well as in the Bugbear Virus warning we reported on earlier, keystroke recording programs and other types of spyware have been employed to steal personal information that is then used by the criminals to open fraudulent accounts.

According to another recent news report, South African police are currently investigating a theft carried out using computer spywareto gain access to the victims' computers and obtain the necessary information to access several Absa online bank accounts. The attackers then used the data obtained to carry out money transfers to fraudulent accounts. The theft has affected not only bank customers who saw money disappear from their accounts, but also Absa itself. The bank has had to compensate victims, many of which have decided to cancel their bank accounts.

Stealing of customer information via computer spyware as well as through social engineering means has resulted in a proliferation of identity theft.The upswing in ID theft underscores the importance of obtaining both documentary and non-documentary means of identifying your customer. To protect your institution follow our Action Steps below and, whenever possible, require the customer to be physically present to open accounts.

Specific Action Steps:

1.Limit your liability via contract:If you don't already have an electronic services agreement with your customers, get one.In it, you can place a duty on customers to safeguard their online user names and passwords, and indicate that the customer will be liable for losses stemming from their disregard of warnings relating to insecure storage of written password information, password sharing, or use of insecure, public computers.

2.Educate your customers about how to guard against risks: Your customers should be given very explicit guidance about how to protect their online banking accounts.Specifically, they should be told:
  1. Never share your online banking user name and password.Any individual who has your user name and password can successfully masquerade as you online and can access your accounts;
  2. Choose your password wisely.(Give them parameters for avoiding easy-to-guess passwords, or easily cracked passwords.)
  3. If you find it necessary to write down your user name and password, keep the information in a safe place, away from prying eyes.Do not leave it in an insecure spot where another person may view it.
  4. If you suspect that your user name and/or password may have been compromised, report it to the bank immediately.
  5. Change your password periodically.A password is like a piece of chewing gum.It should not be shared and it's best when fresh.
  6. Avoid accessing online banking through a public computer, such as one at a library or a cyber cafe where a malicious user may have installed a keystroke logging program or a password sniffer.It is virtually impossible to guarantee your transmission will be secure on such a machine.
  7. If you are going to access your online account on a machine that is accessible to other users, such as a roommate, coworker, or family member, take precautions:

    • If using Internet Explorer, before you access the bank's web site, go first to the menu bar at the top of the browser.Choose Tools/Internet Options.In the dialog box that appears, click on the Content tab.Then click on the "Auto Complete" button.Uncheck all auto complete buttons.
    • At the end of your session, click on Tools/Internet Options, and click on the button to "Delete Temporary Files".Then click OK.
    • Close the browser.
  8. Monitor your account frequently for any unauthorized transactions and report them to the bank immediately.


Related Training Resources, Products and Articles:

Products

  • Consider installing anti-keystroking software on in-house systems.
  • Privacy Police Sticky Notes
  • P.L.E.A.S.E. ID Reminder Cards
  • I.D. Checking Guides

    Training webinars through BOL Learning Connect:

  • The Art of Deception: Are YOU In Danger of Being `Conned`?
  • ID FRAUD Facts: What Every Bank MUST Know
  • Can your Information Security Program pass the test?
  • SAFEGUARDING CUSTOMER INFORMATION: Protecting against social engineering, identity theft, and pretext calling.
  • Protecting Customer Privacy

    Additional Articles



    Previous Tech Alerts:
    06/09/03Bug Bear Targets Banks
    06/05/03Rapidly Spreading Bugbear Virus Cause for Concern
    05/29/03Constructing an Effective Patch Management Program
    05/20/03Greetings From Microsoft Support! May We Infect Your System?
    05/12/03New Fizzer Worm Racing Throughout The Internet
    04/07/03New Report Details Efforts to Address Cyber Threats
    04/02/03Time to Step Up IT Security and Sendmail Vulnerability
    03/18/03Windows 2000 WebDAV Buffer Overflow Exploit Against IIS 5.0 - CRITICAL
    03/03/03Critical Vulnerability Discovered in Sendmail
    02/06/03Microsoft Releases Cumulative Patch for Internet Explorer Flaws It Lists as Critical
    01/26/03The Importance of Applying Patches
    01/23/03Microsoft and SUN release slew of Patches
    01/14/03New Worms Spreading through Email
    12/09/02Microsoft Issues Updated Cumulative Patch for IE
    11/13/02New e-greeting tactics pose serious threat
    11/01/02Critical patch released for Windows 2000, Windows XP
    10/21/02Microsoft Fixes Vulnerabilities: Releases Patches for SQL, Word and Excel
    10/03/02Bugbear Worm Gains Strength
    10/02/02Top 20 List of Internet Security Vulnerabilities Released
    09/02/02Microsoft Warns SysAdmins To Immediately Patch Identity Spoofing Flaw
    08/21/02Microsoft releases patch to fix "critical" vulnerability inWindows 2000 systems that allow unprivileged users to logonto them interactively
    08/09/02 Is Confidential Bank Information Walking Out Your Door?
    07/30/02 Microsoft Continues to Patch Flawed Software
    07/23/02 CERT advisory on PHP
    07/15/02 Outlook Users Employing PGP Encryption Program Vulnerable to Hacking
    07/11/02 Researchers Report Serious Flaw in IE
    06/27/02 Microsoft Releases Critical Patch for Windows Media Player
    06/18/02 CERT Warns of Critical Vulnerability in Apache Web Server
    06/12/02 Sports Fans Beware: World Cup Virus Bounces Around the Net
    06/07/02 Dead Man Tell No Passwords
    05/31/02 Microsoft Issues Critical Warning Regarding Exchange Server
    05/22/02 Microsoft SQL Spida Worm Slows Network Traffic
    05/15/02 Virus Hoax 'JDBGMGR.EXE' Spreading Rapidly Throughout Net
    04/25/02 Klez Worm Reels in Banks with its Bait
    04/11/02 Ten New Vulnerabilities Discovered in Microsoft IIS Server
    04/09/02 New Virus Hoax Circulating Around Net
    03/22/02 MyLife.B Virus Makes Its Way Around the Net
    03/21/02 Microsoft Updates Its Warning on Critical Windows Vulnerability
    03/14/02 New Virus (W32/Fbound-C) Spreading Rapidly in the Wild
    03/08/02 Unauthorized E-Mail Scam Attempts to Steer Unwitting Customers to Fraudulent Bank Web Site
    03/06/02 Klez-E Worm and W32.Gibe Virus Warnings
    03/01/02 CERT Issues Warning on PHP Scripting Language Flaw
    02/27/02 CERT Issues Warning on Internet Explorer and Outlook Flaw
    02/22/02 SNMP Patches and Detection Tools Available
    02/20/02 Email Address Belonging to Legitimate Security Site Hijacked to Deliver Dangerous Yarner Worm
    02/15/02 Mass Mailing Email Worm Compromises Word 2000 Security Settings
    02/13/02 SNMP VULNERABILITY
    02/07/02 Bloodhound Mass Mailing Worm and Managing Risks in Wireless Networks
    02/04/02 Microsoft Issues Collection of Security Fixes for Windows 2000
    01/31/02 Copycat Virus Unleashed
    01/30/02 Netscape Browser Vulnerable to Cookie Theft
    01/28/02 "My Party" Mass Mailing Worm
    01/18/02 IT Contingency Planning Guide, Information Security Checklist and Solaris Vulnerability
    01/15/02 Trojan.StartPage Alters Web Browsers
    01/12/02 New Internet Worm Gigger Masquerades as Microsoft Outlook Upgrade
    01/08/02 Microsoft Universal Plug and Play Vulnerability
    12/20/01 Holiday Themed Computer Virus Unleashed

  • First published on 07/22/2003

    Briefing type: 

    Banker Tools View All

    A collection of useful resources for various areas of the bank which have been developed by members of the BankersOnline staff or have been created and contributed by users of the BankersOnline site.

    Banker Tools

    Penalties View All

    Banker Store View All

    From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

    Banker Store

    hot right now

    image description

    Looking for effective, convenient training on a particular subject?

    BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

    Search Briefings

    Briefing Archives