Banks, Wall St. Feel Pinch from Computer Intrusion

An anonymous reader writes "Financial institutions and companies in the securities/futures business are reporting sizable increases in the amount of losses and suspicious activity attributed to computer intrusions and identity theft, says the Washington Post's Security Fix blog. The Post obtained a confidential report compiled by the FDIC which analyzed Suspicious Activity Reports from the 2nd Quarter of 2007. SARs are filed when banks experience fraud or fishy transactions that exceed $5,000. The bank insurance agency found that losses from computer intrusions averaged $29,630 each — almost triple the estimated loss per SAR during the same time period in 2006 ($10,536). According to the Post, 'The report indicates that the 80 percent of the computer intrusions were classified as "unknown unauthorized access — online banking," and that "unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year."' Another set of figures analyzed by The Post looks at similar increases affecting the securities and futures industry."
  • by Frosty Piss ( 770223 ) on Sunday February 24, 2008 @01:23PM (#22535944)
    The problem is user ease versus security. At a certain point of "security" people will choose not to because it's way too much of a hassle. And, there will always be a way around it.
  • by abigor ( 540274 ) on Sunday February 24, 2008 @01:35PM (#22536044)
    Actually, the article gives some examples of how the thefts occur, and it's normally not from network intrusions - rather, it's from things like a coworker in an office installing trojans on people's machines and stealing their passwords when they go to do online banking during their lunch hours or whatever.

    How do you protect against this sort of thing? The banks have certain heuristics that deal with detecting fraudulent transactions, but this really seems like one of those cases where what you know (passphrase) + who you are (biometrics) would go a long way towards a solution.

  • by Crafack ( 16264 ) on Sunday February 24, 2008 @01:35PM (#22536046)
    I'm in IT Operations for a bank in EU.

    We spend a sizeable amount of both time and money securing systems against outside access.

    The problem as reported in TFA is in the end-user zone. Malware, trojans etc. are used to steal identities of businesses or persons.

    True, most of these problems could be mitigated (for now) if the banks switched to some kind of one-time-pad system, but apparently for now the costs of the system are greater than losses due to attacks. /Crafack
  • by abigor ( 540274 ) on Sunday February 24, 2008 @02:17PM (#22536410)
    I think some European banks actually have systems a bit like what you describe. My friend has an account with a Dutch bank, and he has this little device that generates a unique passcode each time he wants to do any banking. I'm not really sure how it works, but its one-time-padness makes end user fraud a lot more difficult - you'd have to physically steal the device, its PIN, plus his actual banking password.
  • by cetialphav ( 246516 ) on Sunday February 24, 2008 @02:38PM (#22536600)

    If they implemented those RSA tokens that spit out a new number every 60 seconds, they could stop almost all the phishing scams. Yet they refuse to do anything to actually even offer the more secure option. I'd pay for the RSA token out of my own pocket if it meant my money would be more secure.
    Actually, some banks do this. ETrade [etrade.com], for example, provides the RSA tokens. If security were really that important to customers, the banks would respond. But most customers are not security savvy enough to even know what to ask. The mere concept of the RSA token goes completely over the head of most people. What the banks need to do is to take the lead in trying to educate consumers about security issues so that consumers can make more informed choices, but that is a difficult, thankless task that most of them don't want to do. The bottom line is that customers are not leaving banks in droves to go to competitors with better security even though there actually exist competitors with better security. Or to put it another way, providing better security provides only a marginal business advantage, whereas better interest rates provide a huge business advantage.
  • Only a USA problem? (Score:5, Informative)

    by 25albert ( 874307 ) on Sunday February 24, 2008 @02:50PM (#22536708)
    Isn't this problem limited to the USA because their banks use only user/password for authentication?

    I know the procedures for 5 or 6 banks in 3 different European countries, and all of them require a lot more to authenticate me.

    The 3 procedures are:

    * Bank 1 (the simplest, and first system I have seen, some 10 years ago).
    - authenticate with user id (unrelated to name or account number) and password
    - be prompted to enter a one-time number from a list which I received by postal (registered) mail (it asks for the number at row x, column y)

    All other banks have long moved to something like the 2 others:

    * Bank 2.
    - put a special card received from the bank into a special calculator also received from the bank and enter password
    - enter user id (unrelated to name or account number) on bank web site
    - receive a one-time 6 digit number and type it into the special calculator
    - the calculator gives an 8- or 10-character alphanumeric one-time password to enter into the web form

    * Bank 3.
    - I can't remember the details, but as with bank 2, there is a special device and procedure to follow involving password, user id, device id and one-time numbers exchanged between the device and the bank's site.

    - On top of that, the bank sends me an email every time I connect, with the date, time, the IP address from which I connected, and the money operations performed if any.
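As an added illustration of two of the schemes discussed in this thread (the 60-second hardware token cetialphav mentions, and the challenge/response card calculator of "Bank 2" above), here is a small Python model that is not from the thread and is not any bank's actual protocol; the HMAC-SHA256 construction, the code alphabet, the lengths and the card secret are all assumptions. The bank side accepts each challenge only once, which is what makes a captured response useless for replay.

```python
import hashlib
import hmac
import secrets

# Code alphabet for the one-time values (constructed for this demo): 32 symbols,
# without the easily confused 0/O and 1/I.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _otp(secret: bytes, message: bytes, length: int) -> str:
    """Derive a one-time code from a shared secret: HMAC-SHA256 digest bytes mapped to ALPHABET."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def time_code(secret: bytes, now: float, step: int = 60) -> str:
    """Time-synchronised token: a fresh 6-character code every `step` seconds (assumed design)."""
    counter = int(now) // step
    return _otp(secret, counter.to_bytes(8, "big"), 6)


def device_response(card_secret: bytes, challenge: str) -> str:
    """Card + calculator side: 8-character response to the bank's 6-digit challenge.
    The PIN only unlocks the card locally and is not part of this computation."""
    return _otp(card_secret, challenge.encode(), 8)


class BankVerifier:
    """Bank side: issues 6-digit challenges and accepts each one at most once."""

    def __init__(self, card_secret: bytes) -> None:
        self.card_secret = card_secret  # provisioned per card when it is issued
        self.pending: set[str] = set()

    def issue(self) -> str:
        challenge = f"{secrets.randbelow(10**6):06d}"
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self.pending:
            return False  # never issued, or already consumed (replay attempt)
        self.pending.discard(challenge)  # exactly one attempt per challenge
        expected = device_response(self.card_secret, challenge)
        return hmac.compare_digest(expected, response)
```

A real deployment would also expire unanswered challenges and tolerate a small clock skew for the time-based code; both are left out here to keep the model short.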
  • by timeOday ( 582209 ) on Sunday February 24, 2008 @06:09PM (#22538840)
    My work implemented 2-factor authentication for remote email access. Everybody I've spoken with agrees with me that it has drastically reduced their amount of remote email access. In other words, greater security at the cost of productivity. This is why you should not let network security make their own decisions in a vacuum - they will choose security at the expense of everything else. These studies that state losses from computer security are worthless without equally credible studies of the losses from more draconian security, in terms of direct expenses and lost productivity, and annoyed customers that go somewhere else.
