Being aware of online banking frauds

Introduction

We can never stress enough the importance of secure practices for online transactions. Nevertheless, we still regularly see major security breaches at banks. Recent cases in which banks were sued by their customers, and in one case a bank sued its customer, raise questions about the reliability of some common practices.

Most security measures, on banking Web sites or elsewhere, start with login credentials, namely a username and password combination. Choosing a good, hard-to-crack password (a combination of letters, numbers and special characters) is an important step towards protecting your account, but the effort is worthless if that information falls into the wrong hands.

Situation

The Anti-Phishing Working Group reports that August 2009 saw the highest number of phishing Web sites ever reported, more than 56,000, hijacking no less than 341 brands. Together, the financial and payment services industries account for 80% of the targeted sectors. So you absolutely have to stay aware of possible frauds.

Many phishing schemes involve sending the target an email that seems to come from a legitimate Web site. This fraudulent email usually invites the target to follow a link to a Web page mimicking the legitimate site's login page and to enter his or her login credentials. Someone who falls into the trap and enters the information hands it straight to the fraudster. Sometimes people will not even notice that they have fallen victim to a phishing scam, because they are redirected to their real account after entering their credentials on the false page. Such schemes are the reason why many security firms keep telling everyone never to trust links contained in emails. Financial institutions and others are also well advised not to send their customers emails containing links that ask for login credentials.
Instead, they should invite them to visit their Web site on their own.

Examples

Sadly, not everyone has safe practices on the Web, and the Michigan-based company Experi-Metal Inc. (EMI) learned it the hard way last year after it lost $560,000 in a fraud involving phishing. It is now suing its bank, Comerica.

First, the lawsuit states that Comerica made its customers vulnerable by regularly sending them emails containing a link to a page asking for credentials and some additional information. This practice was common at Comerica until 2008 and was used to renew customers' security certificates. The bank then switched from SSL certificates to a kind of two-factor authentication that, according to the lawsuit, many security specialists considered a downgrade. So when the EMI employee received an email that appeared to come from Comerica and contained a link to a page asking for credentials, he trusted it, since it looked like a routine Comerica procedure. The fraudster thus acquired EMI's login information, and since Comerica no longer used certificates to authenticate the computer accessing the account, he could make several wire transfers to various offshore bank accounts.

But phishing is not the only way to illegally access bank accounts. At first glance PlainsCapital Bank appeared to have decent security: in order to process a payment or funds transfer, a client must enter his username and password and also register his computer with an access code sent by email upon request. Nevertheless, one of its U.S. customers' accounts was hijacked by unknown hackers last year. All the proper procedures were followed and everything seemed right to PlainsCapital. But after the $801,495 fraud, the investigation found that the email request had come from Italy and that the transfers had been processed from Romania, where Hillary Machinery Inc., the client, had no business interest. PlainsCapital
was not able to refund the total amount of the fraud to its client. But Hillary wants it all back and says the bank was "ill-prepared to prevent" the fraud. PlainsCapital is now suing its client, asking the court to rule that its security measures were adequate. Actually, apart from the fact that these transfers were unusually large, there was no way to detect that they had been initiated by fraudsters. In this case the attackers apparently took a more subtle approach to taking control of Hillary's account than in the first example. Whereas the breach at Comerica can be attributed to human failure, the one at PlainsCapital is more a system flaw.

Conclusion

And these examples are but the beginning of the possible techniques, which can also involve banking Trojans or other malware. What we see is that hackers and fraudsters are constantly developing better techniques for dodging security measures. We hear more and more about multi-factor authentication (something you know, something you have, something you are), and implementing such systems is undoubtedly a step forward. But as explained above, it is useless if there is no effective way to prevent man-in-the-middle intrusions.

So of course banks still need good protection to prevent most intrusions. But when a breach does occur, the best method is for the bank to detect and react quickly to unusual activity, which is what they failed to do in the examples above. As elaborate, "intelligent" and secure as computers get, some people will probably always be there to outsmart them. Active monitoring on the part of banks, just as information security professionals practise it in other sectors, undoubtedly remains a highly effective way to detect and counter fraudsters and hackers.

References

VIJAYAN, Jaikumar. ComputerWorld, Michigan firm sues bank over theft of $560,000
MCGLASSON, Linda. Bank Information Security, Customer Sues Bank After Phishing Attack
MCGLASSON, Linda. Bank Information Security, Texas Bank Sues Customer After $800,000 Scam
Anti-Phishing Working Group, Phishing Activity Trends Report - 3rd Quarter 2009
Experi-Metal Inc. vs. Comerica Inc.

Created by: hujean, last modification: Monday 22 of February, 2010 [19:45:33 UTC] by hujean
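As an added illustration of the conclusion's point about active monitoring (example code written for this page, not anything from the banks or lawsuits discussed), the Python sketch below holds for human review the kinds of events that stood out in the PlainsCapital case: a session or destination outside the customer's declared business footprint, a wire far above the customer's usual amounts, and any wire that follows a device registration nobody has reviewed. The customer profile, transfer history and event log are constructed sample data.

```python
from statistics import median

# Constructed sample data for this example (not real customers or transactions).
# The customer has declared where it does business; anything outside that
# footprint, and any wire far above the customer's usual size, is held for review.
PROFILE = {"customer": "Example Machinery Inc.", "business_countries": {"US", "CA"}}
HISTORY_USD = [12_500, 9_800, 15_200, 11_000, 8_700, 14_300]  # past wire amounts
AMOUNT_MULTIPLIER = 5  # hold wires above 5x the customer's median historical wire

EVENTS = [  # one online-banking activity log, in chronological order
    {"type": "wire", "origin": "US", "dest": "US", "amount": 12_000},
    {"type": "device_registration", "origin": "IT"},
    {"type": "wire", "origin": "RO", "dest": "RO", "amount": 180_000},
]


def event_reasons(profile, history_usd, event, unreviewed_registration):
    """Return the reasons an event should be held for a human decision ([] if none)."""
    footprint = profile["business_countries"]
    reasons = []
    if event["origin"] not in footprint:
        reasons.append(f"session from {event['origin']} is outside the business footprint")
    if event["type"] == "wire":
        if event["dest"] not in footprint:
            reasons.append(f"destination {event['dest']} is outside the business footprint")
        if history_usd and event["amount"] > AMOUNT_MULTIPLIER * median(history_usd):
            reasons.append(f"amount {event['amount']} exceeds "
                           f"{AMOUNT_MULTIPLIER}x the median of past wires")
        if unreviewed_registration:
            reasons.append("follows a device registration that nobody has reviewed yet")
    return reasons


def review_queue(profile, history_usd, events):
    """Walk the events in order and return [(index, reasons)] for those to hold.
    A device registration from outside the footprint taints every later wire until
    an analyst clears it: valid credentials plus a freshly registered machine are
    not, on their own, enough to release funds."""
    held, unreviewed_registration = [], False
    for i, event in enumerate(events):
        reasons = event_reasons(profile, history_usd, event, unreviewed_registration)
        if reasons and event["type"] == "device_registration":
            unreviewed_registration = True
        if reasons:
            held.append((i, reasons))
    return held


if __name__ == "__main__":
    for index, reasons in review_queue(PROFILE, HISTORY_USD, EVENTS):
        print(f"hold event {index} ({EVENTS[index]['type']}): " + "; ".join(reasons))
```

The thresholds and country lists are deliberately simple; in practice they would come from each customer's own history and declared profile rather than constants.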