You read the newspaper? READ THIS!

Posted by Jennifer Underwood
GASTONIA, N.C. — When he logged on to his Ameritrade account earlier this year, George Rodriguez caught a cybercrook in the act of cleaning out his retirement nest egg.

He watched, horrified, as the intruder in quick succession dumped $60,000 worth of shares in Disney, American Express, Starbucks and 11 other blue-chip stocks, then directed a deposit into the online account of a stranger in Austin.

"My entire portfolio was being sold out right before my eyes," recalls Rodriguez, 41, a commercial real estate broker who alerted Ameritrade in time to stop the trades.

Rodriguez had just experienced a tech-savvy consumer's worst nightmare. But it's the reality of the digital world we live in: Everyone is now at risk of becoming the victim of an Internet-based crime — even folks who stay offline. And, once victimized, you can face more trouble than you might imagine.

Many consumers and small-business owners naively believe online transactions are safe if they use a firewall, keep anti-virus software updated and follow security tips posted on banking websites.

Not so, Internet security experts and federal regulators say. "What banks don't tell you is how easy it is to bypass those protections, and how prolific the threat is, because then you wouldn't do online banking," says Peter Vogt, a board member of Information Systems Security Association, an international group of tech security professionals.

Over the past two years, banks, credit card companies and credit agencies have made everything from changing a billing address to extending credit and transferring large sums easy to do online.

That has created fresh opportunities for swindlers and hackers, say dozens of banking and Internet-security executives, analysts, consultants, researchers and regulators interviewed by USA TODAY over the past four months.

Federal regulators are cognizant of the biggest blind spot: To gain access to most online bank accounts, you need nothing more than a user name and a password.

Bank of America told USA TODAY that it plans to require extra log-on steps for all Internet customers by early next year. It will become the first major U.S. bank to add another level of authentication, as banking and tech-security experts debate how to best balance convenience and security.

The Federal Financial Institutions Examinations Council last month called on all banks to toughen log-on procedures by the end of 2006. But the council, a consortium of five federal banking agencies, stopped short of specifying how to do that.

"No one knows what the right answer is yet," says Unisys banking security consultant John Pironti.

'They said it was safe'

The case of small-businessman Joe Lopez, closely watched in banking and legal circles, has emerged as a microcosm of e-commerce at a crossroads.

The bootstrap founder of Ahlo, a thriving Miami-based ink and toner cartridge wholesale business, Lopez says he opened a Bank of America online business account in October 2003 after being cajoled by bank representatives on more than 20 different visits to his local branch. "They said it was safe," Lopez, 42, recalls from his office in a gritty industrial neighborhood.

In April 2004, moments after logging on to his online account at work, Lopez spotted an entry revealing that someone had executed an electronic transfer of $90,348.65 to Parex Bank in Riga, Latvia. Lopez knew no one in Latvia. "I thought I was going to vomit," he recalls.

The next day, according to bank records, a mysterious figure named Yanson Arnold withdrew $20,000 in cash from Parex Bank, leaving $70,348.65 behind. Arnold has not been heard from since.

Secret Service investigators later discovered someone had slipped a Trojan — a small bit of malicious code — past the firewall and anti-virus software Lopez assumed kept his computer protected. The Trojan, called Coreflood, had captured and transmitted Lopez's user name and password to a data thief, who probably sold it to Arnold or his associates.

Bank of America disavowed responsibility, prompting Lopez to sue the bank in federal court in Miami to get his money back. "We fully investigated his claims and determined that all of our internal protocols and security measures were in place," says Shirley Norton, a Bank of America spokeswoman.

In its defense, the bank has invoked an obscure section of the Uniform Commercial Code, state laws governing commercial contracts, which banks helped draft. It limits liability in delivering online services to businesses if certain safeguards are in place.

Norton says the bank considers Lopez a business customer doing commercial transactions, not a consumer doing household banking. Consumers are protected by federal laws that limit their fraud losses in most cases to $50. They must report discrepancies promptly and generally be able to show wrongdoing.

"It's a bank's way of saying, 'It's the customers' fault,' " says Gail Hillebrand, a senior attorney at Consumers Union.

Legal experts say BofA's stance makes sense. It is refusing to expose itself to liability arising from the countless malicious programs that infest PCs used by small companies, over which the bank has no control. Such exposure could force financial institutions to curtail online services being pitched to small firms, a promising growth area.

No trial date has been set for the case. If BofA prevails, it will reinforce the Uniform Commercial Code as a legal rampart financial institutions can use to fend off similar lawsuits. "Making Lopez whole could open BofA to settling lots of other breaches, and that adds up to a lot of money," says Mark Budnitz, a law professor at Georgia State.

Meanwhile, Lopez, now a First Bank of Miami customer, faxes wire-transfer requests to the bank using a form letter. He follows up with a phone call. "No more online transactions for me, man," he says.

Stealthy exploits

While financial industry executives acknowledge the Internet's security pitfalls, they say they have been mindful of minimizing risks to consumers and small businesses. Of the $1.3 trillion in transactions done with Visa credit cards in 2004, only 0.05% were fraudulent, the same level as 2003, and down from 0.07% in 2002. Visa does not break out online transactions.

"Online banking is safe and getting safer," says Doug Johnson, senior policy analyst at the American Bankers Association.

Indeed, consumer financial fraud has been around as long as checking accounts and credit cards, and banks already do plenty to stop fraud. But e-commerce has opened virgin criminal frontiers. "In the past, everything was much more traceable," says Gartner banking analyst Avivah Litan. "Now you can open 10,000 (bogus) accounts in the time it used to take to open one, all in a faceless Internet." Stopping mailbox thieves and check kiters in the physical world is one thing. But modeling the threat posed by crime groups using the Internet to commit fraud electronically, on a global scale, has proved to be much more complex.

For one thing, electronic thievery is difficult to measure. When crooks get away with an online scam, banks often misclassify the pilfered funds as uncollectible debt. That masks the level of online fraud, says Litan, while "making it easier for the criminals to escape the law."

What's more, there is little urgency for banks to measure cybercrime precisely. Online banking services are still in a nascent phase, representing less than $200 billion of the trillions of dollars of transactions banks handle each year.

Coreflood could have gotten on Lopez's PC several different ways. It is one of many tried-and-true tools ID thieves use to harvest user names, passwords, Social Security numbers, account numbers and other personal data.

Anti-virus, anti-spyware and firewall defenses offer limited protection, primarily blocking the known malicious programs relentlessly blasting across the Internet, seeking unprotected PCs.

But elite identity data thieves have shifted to smaller-scale, more stealthy exploits, often aimed at compromising 1,000 or so PCs a day, says Joe Hartmann, director of anti-virus research at Trend Micro. Over time they can infect millions of machines but go completely undetected.

Some specialist hackers focus on finding new ways to attach Trojans to free, downloadable music, pornography and gambling files found across the Internet. Others hide Trojans on popular websites or in e-mail attachments. Downloading a tainted file, visiting a contagious Web page or opening a viral attachment can load a Trojan.

Meanwhile, phishing scammers seem to have endless creativity when it comes to crafting e-mail to trick even computer-savvy individuals into divulging sensitive account information at counterfeit websites. The best and brightest coders can make good money deploying "SQL Injection" attacks. These are aimed at tricking a Web page linked to a company database into giving up sensitive employee and customer data.

Low-tech heists work, too. Larcenous company insiders can get paid top dollar to assist in pilfering directly from company databases. For his new book, The Insider, A True Story: Sometimes Security is About Keeping An Eye On Those We Trust Most, Dan Verton examined network traffic at 50 large companies and government agencies.

In two days spent at each organization, he found 6,000 instances of names, Social Security numbers, credit card numbers, tax ID numbers, private health care information, payroll data and bank account information being transmitted, without authorization, to unknown locations on the Internet or to private e-mail accounts.

cont.....