So... don't give your account info to organized crime, and don't use Outlook, and your risk is reduced by, what, 90%? And doing online banking from a Net cafe... I mean really.
At least some of these numbers seem wrong. If "nearly 2 million" people got ripped off last year, and "at least 1.8 million" people fell for phishing attacks, then why would keyloggers/viruses cause "up to half" of the account compromises? Did nearly a million people fall for phishing attacks and yet were too stupid to even get their account details correct?

-J

On Tue, Jun 15, 2004 at 12:08:21PM -0400, R. A. Hettinga wrote:
> <http://www.msnbc.msn.com/id/5184077/>
>
> MSNBC
>
> Survey: 2 million bank accounts robbed
> Criminals taking advantage of online banking, Gartner says
> EXCLUSIVE
> By Bob Sullivan
> Technology correspondent
> MSNBC
> Updated: 4:25 a.m. ET June 14, 2004
>
> Nearly 2 million Americans have had their checking accounts raided by
> criminals in the past 12 months, according to a soon-to-be released survey
> by market research group Gartner. Consumers reported an average loss per
> incident of $1,200, pushing total losses higher than $2 billion for the
> year.
>
> Gartner researcher Avivah Litan blamed online banking for most of the problem.
>
> "There has been a big increase in the abuse of existing checking accounts,"
> Litan said. "What's really scary about it is right now there are no
> back-end fraud detection solutions for it."
>
> The survey results, extrapolated from a telephone poll of 5,000 consumers
> conducted in April, offer a rare glimpse at the state of bank fraud:
> Financial institutions are tight-lipped about fraud losses. But Litan said
> the study confirms comments she regularly hears from bank investigators.
>
> "The results are consistent with what banks are telling me. ... When I talk
> to them, they all nod their heads that this is the area where they are
> seeing the most fraud escalation," she said.
>
> 'Constant siege'
> The trend neatly follows a sharp rise in so-called phishing e-mails, which
> attempt to steal consumers' user names and passwords by imitating e-mail
> from legitimate financial institutions. A Gartner study released in May
> showed at least 1.8 million consumers had been tricked into divulging
> personal information in phishing attacks, most within the past year.
>
> Phishing attempts designed specifically to steal bank information began to
> skyrocket about 10 months ago, according to Dave Jevans, chair of the
> Anti-Phishing Working Group. Overall, phishing e-mails have jumped 4,000
> percent in the past six months, and just last month, Citibank overtook eBay
> as the most common target. The company faced an average of 16 attacks per
> day, and 475 separate phishing attacks during April, an increase of nearly
> 400 percent from March.
>
> Citibank didn't immediately return requests for comment.
>
> "It's working, there's no doubt about that...There's people who are under
> constant siege now," Jevans said. "It's like people setting up fake ATMs
> everywhere."
>
> Some days, banks are targeted dozens of times, which not only leads to
> identity theft, but also jam-packed customer service telephone lines.
>
> "Clearly the issues are far more significant than anyone expected they
> would be. Phishing and spoofing (setting up look-alike bank Web sites) are
> really getting to people," said Larry Ponemon, founder of privacy think
> tank Ponemon Institute, and a bank consultant. "It is an epidemic. It's a
> very big problem."
>
> Creative ways to drain accounts
> But phish isn't the only way criminals gain access to online bank accounts,
> according to industry experts. Computer criminals are becoming increasingly
> proficient at writing Trojan horse programs and keyloggers that steal
> passwords and account information.
> Such secret malicious programs, which
> experts say are more widespread than many realize, could be the cause of up
> to half the account takeovers, Litan speculated.
>
> Such programs can be installed on home users' computers through virus-laden
> e-mails. People who do their online banking at public computers, such as at
> Internet cafes, are also at risk from this kind of password swiping.
>
> The Gartner survey found that more than 4 million consumers reported
> suffering checking account takeovers at any time during recent years, with
> half that number saying it had happened in the most recent 12-month span --
> indicating a sharp increase in the activity.
>
> While consumers who responded to the survey didn't know how the money was
> moved out of their checking accounts -- fake ATM cards are another
> possibility, for example -- Litan said she suspects a sharp rise in hackers
> taking over online bank accounts is the likely cause.
>
> Criminals are using creative ways to transfer money out of hijacked
> accounts, she said.
>
> "A couple of banks tell me (the criminals) set up a bill payment account,
> then pay themselves," she said.
>
> Another method, said U.S. Postal Inspector Barry Mew, takes advantage of
> the images of canceled checks made available to online bankers. Imposters
> use them to create authentic-looking counterfeit checks; they have an added
> air of legitimacy, since the check numbers are appropriately in series.
>
> Enough safeguards?
> Online banking, including online bill paying, has spiked in popularity in
> recent years, particularly as more financial institutions offer the service
> for free. According to Gartner, 45 percent of the 141 million U.S. adults
> who use the Internet pay bills online. Consumers like the convenience and
> banks like the operating savings.
>
> But not everyone is comfortable banking online, and Gartner's study
> confirms some of that group's worst fears: that accounts can be tapped into
> by criminals.
>
> "They should be afraid," Litan said. "The banks should be requiring more
> than just passwords to use online banking. They all know they have to do
> something, but they are all afraid to take the first step."
>
> Identity theft expert Rob Douglas described the study results as
> "blockbuster," and said banks may be forced to re-think the way they are
> giving consumers access to checking accounts online.
>
> "They may say it's because customers are not practicing the appropriate
> safeguards," he said. "But when it comes to online banking, they are not
> doing a good enough job of educating customers what to watch out for.
> Someone is making a lot of money."
>
> Litan said the industry was reeling in part because there is no software
> designed to detect unusual checking account withdrawal patterns, outside of
> software that looks for money laundering, which doesn't catch simple
> unauthorized withdrawals.
>
> Most credit card users are familiar with industry software called Falcon,
> which alerts issuers when out-of-the-ordinary purchases are attempted. Such
> software will often cause a card issuer to call a consumer and ask
> questions like, "Are you really in London buying a diamond necklace right
> now?"
>
> There's no similar product for online banking, Litan said.
>
> Still, there are simpler solutions banks could implement to protect
> themselves and consumers. One idea is a "shared secret" -- a picture that
> consumers would give to a bank, which would then appear each time the
> consumer visited the bank's site, confirming it was the authentic corporate
> Web site and not a "spoof" site controlled by a hacker.
>
> "There's a lot at stake here," Litan said. "And there's a lot that banks
> can do."
>
> Limited window for refunds
> In most cases, analysts say, consumers are eventually refunded the money
> they lose. Federal regulations governing electronic transfers, known as
> Regulation E, require banks to refund the money as long as consumers
> notify the institution within 60 days of receiving their bank statement.
> But outside the 60-day window, banks are under no obligation to issue
> refunds.
>
> Fact File
> Know your rights
>
> Regulation E protects consumers when they are hit by electronic financial fraud
>
> * What's covered
> * Consumer liability
> * What consumers should do
> * What banks are required to do
> * For more information
>
> Consumers have well-defined rights with respect to fraudulent electronic
> transfers, and should generally be able to obtain refunds with little
> hassle. The rights are spelled out in what's known as "Reg-E," or the
> Federal Reserve Board's Regulation E. The Fed was authorized to draw up the
> regulation by the Electronic Funds Transfer Act of 1979. The regulation
> covers all manner of transfers into and out of bank accounts outside of
> paper checks, including the use of debit cards. It does not cover credit
> card transactions.
>
> Many banks don't make consumer rights clear enough, said George Tubin, an
> analyst at Tower Group. He praised Bank of America, Citibank, and Wells
> Fargo for offering credit-card style "zero liability" policies on their
> online banking products.
>
> "Until a bank is comfortable enough with their product to say you're
> covered, how can consumers feel comfortable?" he said.
>
> Betty Reese, a spokeswoman for Bank of America, said her firm simply
> requires consumers to report any fraud on "a timely basis." She declined to
> disclose fraud statistics.
>
> Still, getting a refund can be inconvenient, and there are scattered
> reports of banks not making the process easy.
> And ultimately, all
> consumers pay when banks increase fees to recoup their losses.
>
> The new Gartner results "are staggering numbers," said Jim Bruene, editor
> and founder of the Online Banking Report.
>
> "If that's true, we are really facing a monster problem," he said. "It's
> something that could have been anticipated by the banks. ... There should
> be and will be more controls in place."
>
> --
> -----------------
> R. A. Hettinga <mailto: [EMAIL PROTECTED]>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
