Banks, Wall St. Feel Pinch from Computer Intrusion

An anonymous reader writes "Financial institutions and companies in the securities/futures business are reporting sizable increases in the amount of losses and suspicious activity attributed to computer intrusions and identity theft, says the Washington Post's Security Fix blog. The Post obtained a confidential report compiled by the FDIC which analyzed Suspicious Activity Reports from the 2nd Quarter of 2007. SARs are filed when banks experience fraud or fishy transactions that exceed $5,000. The bank insurance agency found that losses from computer intrusions averaged $29,630 each — almost triple the estimated loss per SAR during the same time period in 2006 ($10,536). According to the Post, 'The report indicates that the 80 percent of the computer intrusions were classified as "unknown unauthorized access — online banking," and that "unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year."' Another set of figures analyzed by The Post looks at similar increases affecting the securities and futures industry."
  • by ScrewMaster ( 602015 ) on Sunday February 24, 2008 @01:20PM (#22535922)
    maybe this will force these idiots to upgrade their infrastructures and take network security seriously. That would probably help all of us in the long run.
  • by galaad2 ( 847861 ) on Sunday February 24, 2008 @01:21PM (#22535934) Homepage Journal
    That's what you get when you put beancounters in charge of computer security, a WHOLE LOT of shortcuts in the name of cost savings which lead ultimately to insecurity.
  • by ScrewMaster ( 602015 ) on Sunday February 24, 2008 @01:30PM (#22535998)
    True, but I'm not necessarily talking about the end user ... there's a lot of money that could be well-spent on just securing their networks. Banks have money but like most corporations tend to be cheap when it comes to security. Hitting them in their pocketbooks like this may be just the kick in the pants they need to take the proper steps.

    There are probably some ways that security could be improved from the end-user's perspective as well. I understand that in some countries (I don't know if any U.S. banks do this) users of Internet banking services have a hardware device that plugs into their PC to identify them. I don't know how well that works, never having used anything like that myself, but if implemented correctly it would at least cut down on password phishing schemes.
  • Re:p0wnd! (Score:4, Insightful)

    by Hatta ( 162192 ) on Sunday February 24, 2008 @01:32PM (#22536018) Journal
    Face to face is sometimes even less secure. All my credit union wants from me is an account number and name and they'll give me all the cash in my account. Not even a password or photoid. Of course, I'll take the risk of getting ripped off at a credit union over the guarantee of getting ripped off at a bank any time.
  • by ironwill96 ( 736883 ) on Sunday February 24, 2008 @01:37PM (#22536056) Homepage Journal
    The reason that these are going up is because of stupid users who see an e-mail from their bank (supposedly) that says "Alert, your account has been disabled until you log in to this site and enter all of the information that we, as your bank would already know!". I think if we can focus on user education about phishing, and how banks will NEVER ask you for your username and password and account information via an e-mail, the number of fraudulent transactions would go down significantly. Since the main type listed was related to unauthorized online activity, it is because users are being stupid and giving out their username and password to phishing sites.

    Now, you may say, "Just add more questions that only the user will know to their online banking logins!". The issue is, the phishers will just pull those same security questions from the banking site. I've even seen ones where they will have you do the initial login then they will log in to your banking site and pass the actual security questions to you to answer, allowing them to completely bypass any security measures that your bank has set up. One thing that Chase does that might help a little bit is if you log in to your online banking site from somewhere not already verified (different IP address) they will make you send an activation code to your cell phone or your registered account e-mail address before they will let you log on and do anything. This might help a little bit, but I'm sure the scammers will find a way around it. Also, those types of security measures are only implemented by large companies, leaving the smaller banks (and their customers) out in the cold when it comes to security.

    So basically my point is, we shouldn't focus so much on network security measures as we should on user education. Network security is great, but when your users can be tricked into giving away their most personal information no amount of network security is going to protect them from themselves.
  • by xkr ( 786629 ) on Sunday February 24, 2008 @02:55PM (#22536774)
    I paid $5.00 to paypal, including shipping. The little device fits on a keychain and generates a new six-digit code every 30 seconds. I simply add the six digits displayed to the end of my password when logging in. What is great, from the view of the web owners, is that there is no change to the visible user interface. It still looks like two fields: user-name and password.

    This is genuine "two mode" authentication. Sure, if someone stole my computer AND my keychain the security is compromised. Or, if someone puts a gun to my head. But still, compared to current web login security, this system is a vast improvement.

    All a bank has to do is say, "Here, this gizmo is free. And by the way, you have to use it if you want to do online banking." Managing these devices isn't any harder than managing ATM cards. Which people lose every day, and it's not that big a deal.
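
Added example, not part of the comment above or of any bank's or vendor's code: a server-side check for a single password field that carries the password followed by a six-digit, 30-second code. The comment does not name the token's algorithm, so RFC 6238 TOTP is assumed here; `make_user`, `verify_login` and the account record layout are hypothetical.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # 30-second, six-digit codes, as the comment describes


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); an assumed stand-in for the token's algorithm."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, secret: bytes) -> dict:
    """Constructed account record (hypothetical layout, fixed salt for the demo)."""
    salt = b"constructed-salt"
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "secret": secret, "last_window": -1}


def verify_login(field: str, user: dict, now: float, drift: int = 1) -> bool:
    """Verify one password field that holds password + six-digit code."""
    code = field[-DIGITS:]
    if len(field) <= DIGITS or not (code.isascii() and code.isdigit()):
        return False
    pw_ok = hmac.compare_digest(
        hash_password(field[:-DIGITS], user["salt"]), user["pw_hash"])
    window = int(now) // STEP
    matched = None
    for w in range(max(0, window - drift), window + drift + 1):
        if hmac.compare_digest(totp(user["secret"], w * STEP), code):
            matched = w
    # Reject a bad password, a bad code, or a code window already used (replay).
    if not pw_ok or matched is None or matched <= user["last_window"]:
        return False
    user["last_window"] = matched
    return True
```

Each code is accepted once and only within one step of the server clock, so a captured password-plus-code string cannot be reused later; it does not stop the real-time relay of a login described earlier in the thread.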

  • by joeflies ( 529536 ) on Sunday February 24, 2008 @03:20PM (#22537108)
    The article says that this is fraud committed by internal access to systems. It does not account for any fraud from access external to the business, i.e. phishing.

    An RSA token is a terrible way to handle internal security for anything other than a VPN. Imagine typing in a one time password every single time you lock your computer, access an application, etc. It would drive most people to just leave their computers unlocked all the time and logged in.

  • by cetialphav ( 246516 ) on Sunday February 24, 2008 @03:24PM (#22537160)
    ETrade is both a brokerage house and a bank. I don't know if other American banks offer RSA SecurID tokens. I'm a happy ETrade customer so I haven't investigated that. A quick google search makes it look like other banks offer this, too.
  • by jdigriz ( 676802 ) on Sunday February 24, 2008 @04:57PM (#22538118)
    2 seconds of googling would have revealed ETrade Bank in addition to their brokerage. I just saved you those 2 seconds. You're welcome.
  • by sydbarrett74 ( 74307 ) <<sydbarrett74> <at> <gmail.com>> on Sunday February 24, 2008 @06:17PM (#22538906)
    Or how about legally forbidding use of SSNs for anything other than claiming social security benefits?
  • by caluml ( 551744 ) <slashdot&spamgoeshere,calum,org> on Sunday February 24, 2008 @06:42PM (#22539156) Homepage
    Use a mobile phone to text the user the second part of the authentication code. It's so simple, so easy, so cheap - and very effective.
