Tech Alert Briefing for 7/23/2003
Kinko's Keystroke Caper Underscores Need for Diligence
Using a $100 commercially available keystroke logging program, 25-year-old JuJu Jiang of Queens, New York stole over 450 online banking passwords during a two year period.Last week he pleaded guilty in federal court.
The scam began with Jiang installing a keyboard-sniffing program on public Internet terminals at thirteen Kinko's locations scattered throughout Manhattan.Unwitting Kinko's customers using the terminals then had their keystrokes logged as they accessed information.
Throughout a two-year period Jiang retrieved over 450 online banking usernames and passwords.With username and password information in hand, Jiang then used the victims' personal and financial information to open new accounts under their names.Jiang then transferred money from the victims' legitimate accounts into the new, fraudulent ones.
In this case, as well as in the Bugbear Virus warning we reported on earlier, keystroke recording programs and other types of spyware have been employed to steal personal information that is then used by the criminals to open fraudulent accounts.
According to another recent news report, South African police are currently investigating a theft carried out using computer spywareto gain access to the victims' computers and obtain the necessary information to access several Absa online bank accounts. The attackers then used the data obtained to carry out money transfers to fraudulent accounts. The theft has affected not only bank customers who saw money disappear from their accounts, but also Absa itself. The bank has had to compensate victims, many of which have decided to cancel their bank accounts.
Stealing of customer information via computer spyware as well as through social engineering means has resulted in a proliferation of identity theft.The upswing in ID theft underscores the importance of obtaining both documentary and non-documentary means of identifying your customer. To protect your institution follow our Action Steps below and, whenever possible, require the customer to be physically present to open accounts.
Specific Action Steps:
1.Limit your liability via contract:If you don't already have an electronic services agreement with your customers, get one.In it, you can place a duty on customers to safeguard their online user names and passwords, and indicate that the customer will be liable for losses stemming from their disregard of warnings relating to insecure storage of written password information, password sharing, or use of insecure, public computers.
2.Educate your customers about how to guard against risks: Your customers should be given very explicit guidance about how to protect their online banking accounts.Specifically, they should be told:
- Never share your online banking user name and password.Any individual who has your user name and password can successfully masquerade as you online and can access your accounts;
- Choose your password wisely.(Give them parameters for avoiding easy-to-guess passwords, or easily cracked passwords.)
- If you find it necessary to write down your user name and password, keep the information in a safe place, away from prying eyes.Do not leave it in an insecure spot where another person may view it.
- If you suspect that your user name and/or password may have been compromised, report it to the bank immediately.
- Change your password periodically.A password is like a piece of chewing gum.It should not be shared and it's best when fresh.
- Avoid accessing online banking through a public computer, such as one at a library or a cyber cafe where a malicious user may have installed a keystroke logging program or a password sniffer.It is virtually impossible to guarantee your transmission will be secure on such a machine.
- If you are going to access your online account on a machine that is accessible to other users, such as a roommate, coworker, or family member, take precautions:
- If using Internet Explorer, before you access the bank's web site, go first to the menu bar at the top of the browser.Choose Tools/Internet Options.In the dialog box that appears, click on the Content tab.Then click on the "Auto Complete" button.Uncheck all auto complete buttons.
- At the end of your session, click on Tools/Internet Options, and click on the button to "Delete Temporary Files".Then click OK.
- Close the browser.
- Monitor your account frequently for any unauthorized transactions and report them to the bank immediately.
Related Training Resources, Products and Articles:
Training webinars through BOL Learning Connect:
- Making Sure Your Customer Authentication Method is Commercially Reasonable
- Secure Passwords
- Cracking and Hacking:Are you doing enough for your network security?
- Customer Identification: Passwords For Account Information By Phone
- Customer Selected Passwords: Are We Liable?
Previous Tech Alerts:
06/09/03Bug Bear Targets Banks
06/05/03Rapidly Spreading Bugbear Virus Cause for Concern
05/29/03Constructing an Effective Patch Management Program
05/20/03Greetings From Microsoft Support! May We Infect Your System?
05/12/03New Fizzer Worm Racing Throughout The Internet
04/07/03New Report Details Efforts to Address Cyber Threats
04/02/03Time to Step Up IT Security and Sendmail Vulnerability
03/18/03Windows 2000 WebDAV Buffer Overflow Exploit Against IIS 5.0 - CRITICAL
03/03/03Critical Vulnerability Discovered in Sendmail
02/06/03Microsoft Releases Cumulative Patch for Internet Explorer Flaws It Lists as Critical
01/26/03The Importance of Applying Patches
01/23/03Microsoft and SUN release slew of Patches
01/14/03New Worms Spreading through Email
12/09/02Microsoft Issues Updated Cumulative Patch for IE
11/13/02New e-greeting tactics pose serious threat
11/01/02Critical patch released for Windows 2000, Windows XP
10/21/02Microsoft Fixes Vulnerabilities: Releases Patches for SQL, Word and Excel
10/03/02Bugbear Worm Gains Strength
10/02/02Top 20 List of Internet Security Vulnerabilities Released
09/02/02Microsoft Warns SysAdmins To Immediately Patch Identity Spoofing Flaw
08/21/02Microsoft releases patch to fix "critical" vulnerability inWindows 2000 systems that allow unprivileged users to logonto them interactively
08/09/02 Is Confidential Bank Information Walking Out Your Door?
07/30/02 Microsoft Continues to Patch Flawed Software
07/23/02 CERT advisory on PHP
07/15/02 Outlook Users Employing PGP Encryption Program Vulnerable to Hacking
07/11/02 Researchers Report Serious Flaw in IE
06/27/02 Microsoft Releases Critical Patch for Windows Media Player
06/18/02 CERT Warns of Critical Vulnerability in Apache Web Server
06/12/02 Sports Fans Beware: World Cup Virus Bounces Around the Net
06/07/02 Dead Man Tell No Passwords
05/31/02 Microsoft Issues Critical Warning Regarding Exchange Server
05/22/02 Microsoft SQL Spida Worm Slows Network Traffic
05/15/02 Virus Hoax 'JDBGMGR.EXE' Spreading Rapidly Throughout Net
04/25/02 Klez Worm Reels in Banks with its Bait
04/11/02 Ten New Vulnerabilities Discovered in Microsoft IIS Server
04/09/02 New Virus Hoax Circulating Around Net
03/22/02 MyLife.B Virus Makes Its Way Around the Net
03/21/02 Microsoft Updates Its Warning on Critical Windows Vulnerability
03/14/02 New Virus (W32/Fbound-C) Spreading Rapidly in the Wild
03/08/02 Unauthorized E-Mail Scam Attempts to Steer Unwitting Customers to Fraudulent Bank Web Site
03/06/02 Klez-E Worm and W32.Gibe Virus Warnings
03/01/02 CERT Issues Warning on PHP Scripting Language Flaw
02/27/02 CERT Issues Warning on Internet Explorer and Outlook Flaw
02/22/02 SNMP Patches and Detection Tools Available
02/20/02 Email Address Belonging to Legitimate Security Site Hijacked to Deliver Dangerous Yarner Worm
02/15/02 Mass Mailing Email Worm Compromises Word 2000 Security Settings
02/13/02 SNMP VULNERABILITY
02/07/02 Bloodhound Mass Mailing Worm and Managing Risks in Wireless Networks
02/04/02 Microsoft Issues Collection of Security Fixes for Windows 2000
01/31/02 Copycat Virus Unleashed
01/30/02 Netscape Browser Vulnerable to Cookie Theft
01/28/02 "My Party" Mass Mailing Worm
01/18/02 IT Contingency Planning Guide, Information Security Checklist and Solaris Vulnerability
01/15/02 Trojan.StartPage Alters Web Browsers
01/12/02 New Internet Worm Gigger Masquerades as Microsoft Outlook Upgrade
01/08/02 Microsoft Universal Plug and Play Vulnerability
12/20/01 Holiday Themed Computer Virus Unleashed
First published on 07/22/2003