Bank customers know to shield their ATM passwords from prying eyes. But
with the rise of online banking, computer users may not realize
electronic snoops might be peeking over their shoulder every time they
type.
In a twist on online fraud, hackers and identity thieves are infecting
computers with increasingly sophisticated programs that record bank
passwords and other key financial data and send them to crooks over the
Internet.
That's what happened to Tim Brown, who had account information swiped out of the PC at his Simi Valley store.
"It's scary they could see my keystrokes," said Brown, owner of Kingdom Sewing & Vacuum. "It freaks me out."
Brown learned of the scam only after security researchers stumbled onto
a computer harvesting information from hundreds of PCs and felt
compelled to alert some of the people who had the most data exposed.
Realizing he was lucky to get the call last month, Brown changed his
passwords and is hoping for the best.
"This even staggered us," said Alex Eckelberry, president of Sunbelt Software Inc., which found that the so-called keylogger program installed itself in a way most antivirus software could not block. "Online institutions now have to assume that the account holder may have been compromised."
Such security breaches are on the rise, even as other sorts of Internet scams decline.
Security experts attribute the new approach to rising savvy among both computer users and crooks.
Many users, for instance, know not to reply to unsolicited "phishing"
e-mails requesting financial information, even if the requests appear
to have been sent by a bank. The number of reported phishing attacks
fell in July from June, according to the Anti-Phishing Working Group,
which is backed by most of the biggest U.S. banks and Internet service
providers.
But the number of programs aimed at stealing passwords more than doubled in the same period.
"We're seeing explosive growth in 'crimeware,' " said Peter Cassidy,
the working group's secretary general. "It's really galloping."
Consumers are increasingly jittery: 42% say security concerns have
caused them to change their electronic shopping habits, according to
research firm Gartner Inc.
Banks and other institutions, though, encourage online transactions because they are cheaper than branch visits or calls to a customer service center.
The keylogging programs can install themselves after computer users open faked e-mails, instant messages or even advertisements on mainstream websites. Then they record everything typed on a computer — or just what's typed during user visits to specified financial sites. Such information is sometimes sent to the hackers in neat bundles, with a column for the relevant financial website followed by columns for the user's log-in name and password.
So far, such purloined information has been used to access accounts one by one, by impersonators who withdraw or transfer cash. In Brazil, authorities have arrested scores of people they accuse of using the password-stealing program Bancos, which mimics online bank interfaces, to loot more than $30 million from banks.
But recently thieves have been working to automate more of the process, potentially enabling attacks on thousands of accounts simultaneously.
One financial institution has already seen attempted withdrawals that occurred in alphabetical order by the names of customers, said Amir Orad, executive vice president at Cyota, which provides antitheft services to many of the biggest banks. He declined to identify the business.
Bank industry officials said they wouldn't discuss any such attacks.
At Corillian Corp., one of the largest developers of online banking
programs, Chief Security Executive Jim Maloney said he had detected one
criminal testing the validity of "10 or 20 accounts" within a minute
from a single computer, strongly suggesting an automated verification
system. Those tests, he speculated, were a prelude to choosing which
accounts to target or to sell information on.
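The two automation signals described above (one source validating many accounts within a minute, and withdrawals that arrive in alphabetical order of customer name) can be turned into simple detection rules. The Python below is an added example written for this page, not code from Cyota, Corillian or any bank; the log record layout, the sample records and the thresholds are all constructed assumptions to be tuned against real traffic.

```python
"""Detection heuristics for the two automation signals described in the
article: one source validating many accounts within a minute, and cash
withdrawals arriving in alphabetical order of customer name.
All log data here is constructed for the example; the record layout
and thresholds are assumptions, not any bank's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log, one record per line:
# "<ISO timestamp> <source IP> <account> <OK|FAIL>"
# 203.0.113.7 walks through 12 different accounts in 34 seconds, the
# "10 or 20 accounts within a minute" pattern; 198.51.100.5 is a real
# customer mistyping one password; 192.0.2.9 is ordinary traffic.
AUTH_LOG = "\n".join(
    [f"2005-09-12T10:00:{1 + 3 * i:02d} 203.0.113.7 acct10{i + 1:02d} FAIL"
     for i in range(12)]
    + [
        "2005-09-12T10:00:10 198.51.100.5 acct2001 FAIL",
        "2005-09-12T10:00:25 198.51.100.5 acct2001 FAIL",
        "2005-09-12T10:00:50 198.51.100.5 acct2001 OK",
        "2005-09-12T10:01:30 192.0.2.9 acct3001 OK",
        "2005-09-12T10:05:00 203.0.113.7 acct1013 OK",  # well outside the window
    ]
)


def parse_auth_log(log):
    """Yield (timestamp, source_ip, account, result) tuples."""
    for line in log.strip().splitlines():
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result


def flag_mass_validation(log, window_s=60, threshold=10):
    """Return {source_ip: n} for every source that tried at least
    `threshold` distinct accounts inside any `window_s`-second window.
    Counting distinct accounts (not attempts) keeps a single customer
    retrying one password from tripping the rule."""
    by_ip = defaultdict(list)
    for ts, ip, account, _ in parse_auth_log(log):
        by_ip[ip].append((ts, account))
    window = timedelta(seconds=window_s)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # every event from `start` until the window closes
            in_window = {acct for ts, acct in events[i:] if ts - start <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed withdrawal stream as (ISO timestamp, customer name).
# The first six come 40 s apart in alphabetical order, the signature Orad
# describes; the rest is the ordinary, unordered traffic of real customers.
WITHDRAWALS = [
    ("2005-09-12T11:00:00", "Abbott"), ("2005-09-12T11:00:40", "Baker"),
    ("2005-09-12T11:01:20", "Chen"), ("2005-09-12T11:02:00", "Diaz"),
    ("2005-09-12T11:02:40", "Evans"), ("2005-09-12T11:03:20", "Foster"),
    ("2005-09-12T11:05:10", "Carter"), ("2005-09-12T11:06:45", "Young"),
    ("2005-09-12T11:07:05", "Kim"), ("2005-09-12T11:09:30", "Park"),
]


def alphabetical_runs(withdrawals, min_run=4):
    """Return the runs of consecutive withdrawals (in time order) whose
    customer names are strictly ascending, keeping runs of at least
    `min_run`. Real customers do not transact in alphabetical order, so
    a long run points at a script iterating a sorted list of victims."""
    names = [name for _, name in sorted(withdrawals)]
    runs, current = [], names[:1]
    for prev, name in zip(names, names[1:]):
        if name.casefold() > prev.casefold():
            current.append(name)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [name]
    if len(current) >= min_run:
        runs.append(current)
    return runs


if __name__ == "__main__":
    print("mass validation:", flag_mass_validation(AUTH_LOG))
    print("alphabetical runs:", alphabetical_runs(WITHDRAWALS))
```

The sliding window is quadratic in the number of events per source, which is fine for a batch pass over an hour of logs; a streaming deployment would keep a per-source deque of recent accounts instead. The alphabetical check only catches an attacker who walks a stolen list in sorted order, and shuffling the list defeats it, so the per-source rate check is the more durable of the two signals.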
In one especially alarming case, security experts last fall found a program planted on personal computers to intervene whenever the user logged on to an electronic payment site called E-Gold, based on the Caribbean island of Nevis.
Instead of just recording the password and other data for some future attempt at fraud, the software — dubbed Grams — immediately "cleans out an account and transfers it," said Jason Milletary, an analyst with the CERT Coordination Center, the chief U.S. team responding to computer security breaches.
E-Gold Chairman Douglas Jackson said he didn't know the exact number of
compromised accounts, putting it at "dozens" to "the low hundreds." He
said company policy was not to reimburse the victims. "Somebody could
rip themselves off and try to get the money back," Jackson said. "It's
very hard to tell if there's truly been a third party."
Variants of the Grams software have targeted U.S. banks and other
financial institutions as well, said Nathan Johns, chief of information
technology at the Federal Deposit Insurance Corp., which guarantees
bank deposits in case of insolvency. He declined to give details.
In July, the FDIC strongly encouraged U.S. banks to evaluate the risks
from computer fraud, educate their consumers and consider adding new
measures, such as devices that generate new numeric passwords every 60
seconds.
Some banks complained that the inconvenience of such devices would cost them customers, but the FDIC differed.
"Although consumers are certainly interested in convenience, they are
also very concerned about the security of their accounts," the agency
wrote.
"We're looking at this as a sort of wake-up call for the industry, indicating they've got to act," Johns said.
So far, according to many experts, the arms race is favoring the bad guys.
Last week, UC Berkeley researchers reported that a $10 microphone near
a keyboard could, with sophisticated analysis of the sounds made by
different keys, reveal most of what was being typed — enough that the
researchers could guess 90% of five-character passwords within 20
tries.
And analysts said con artists had mimicked each bank industry innovation.
As more customers grew too frightened to respond even to legitimate e-mail, for example, Citibank began including partial account numbers in its messages to prove their legitimacy. Thieves took advantage by using pilfered credit card numbers in messages to each account holder, posing as banks and asking for more data.
The British bank Barclays, among other businesses, responded to keylogger attacks by presenting a graphic display of letters or numbers and asking users to peck out a password with mouse clicks instead of keystrokes, which can be recorded more easily.
By late July, cyber-cons were delivering more programs that take a picture of what's on a computer screen each time a mouse gets clicked.
"The industry has helped the bad guys," Cyota's Orad said.
Many security experts say that a physical means of authenticating customers, such as a $40 password device issued to each of them, would go a long way toward reducing fraud. But schemes like the one used against E-Gold defeat that protection, since the theft occurs while the victim is typing.
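The "new numeric passwords every 60 seconds" the FDIC refers to, and the in-session theft that still defeats such a token, can both be shown with a time-based one-time password. The Python below is an added example written for this page, not any bank's or token vendor's code; it implements HOTP/TOTP in the RFC 4226/6238 style with a 60-second step, uses the RFC 4226 test key as a stand-in for a token's seed, and the NOW timestamp and the verifier's policy (one step of clock skew, one use per step) are assumptions.

```python
"""Time-based one-time passwords in the HOTP/TOTP style (RFC 4226 / 6238)
with the 60-second step the article mentions, plus three scenarios:
a keylogged code replayed later, the same replay against a verifier that
enforces single use, and an in-session (Grams-style) theft that defeats
the token. Added example for this page; the secret is the RFC 4226 test
key standing in for a token's seed, and NOW is an arbitrary fixed time."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 4226 test key; a real seed stays secret
NOW = 1_000_000_020                # fixed Unix time, exactly on a 60 s boundary


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """The code a 60-second token would display at `unix_time`."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side. Accepts codes from the current step plus `skew` steps
    either side (clock drift); with single_use=True each step's code is
    honoured once, as RFC 6238 requires, so a replay inside the step fails."""

    def __init__(self, secret: bytes, step: int = 60, skew: int = 1,
                 single_use: bool = True):
        self.secret, self.step, self.skew = secret, step, skew
        self.single_use = single_use
        self.used_steps = set()

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.single_use and counter in self.used_steps:
                    return False            # replay of an already-used step
                self.used_steps.add(counter)
                return True
        return False


def replay_after(delay: int, single_use: bool = True):
    """Victim logs in at NOW; a keylogger captured the code and the attacker
    replays it `delay` seconds later. Returns (victim_ok, attacker_ok)."""
    code = totp(SECRET, NOW)
    bank = TokenVerifier(SECRET, single_use=single_use)
    victim_ok = bank.verify(code, NOW)
    attacker_ok = bank.verify(code, NOW + delay)
    return victim_ok, attacker_ok


def man_in_the_browser():
    """The Grams pattern: malware in the victim's session forwards the fresh
    code and the attacker's request reaches the bank first. Returns
    (attacker_ok, victim_ok); the token is defeated even with single use."""
    code = totp(SECRET, NOW)
    bank = TokenVerifier(SECRET)
    attacker_ok = bank.verify(code, NOW + 1)
    victim_ok = bank.verify(code, NOW + 2)
    return attacker_ok, victim_ok


if __name__ == "__main__":
    print("replay in same step, no single-use check:", replay_after(30, single_use=False))
    print("replay in same step, single use enforced:", replay_after(30))
    print("replay three minutes later:", replay_after(180))
    print("in-session theft (attacker_ok, victim_ok):", man_in_the_browser())
```

The replay scenarios show why a keylogged one-time code is of little use on its own: it dies with its 60-second step, and a verifier that refuses to honour the same step twice rejects it even inside the step. The last scenario is the Grams pattern: malware sitting in the victim's browser forwards the fresh code to the attacker before the victim's own request arrives, so the attacker's login is the first use and it is the victim who gets rejected. A token therefore protects the login, not the transaction, which is why out-of-band checks such as the telephone confirmation some banks are pursuing matter as much as the device itself.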
Other banks are pursuing more elaborate systems, such as one that
requires telephone calls to customers who depart from their banking
patterns.
Still unresolved is who bears the financial responsibility when electronically purloined account information is used to steal money.
The FDIC says banks are usually on the hook, but some banks disagree. Bank of America is among a minority that offers guarantees to most customers even though it says it doesn't have to do so.
But a computer and copier supply business in Miami, Ahlo Inc., has sued Bank of America in a closely watched case, saying the bank negligently encouraged Ahlo to do business online and then stood by as fraudsters made off with more than $90,000 through a wire transfer to Latvia.
Bank of America has asked the judge to dismiss the suit, arguing that it isn't responsible for Ahlo's failure to protect its computers from malicious software. Bank spokeswoman Shirley Norton said the guarantee didn't apply because Ahlo was a business customer instead of a consumer.
Some analysts say that financial institutions will be better served by competing on the basis of security. With 80% of adults online worried about identity theft, banks are "losing a battle of confidence," said Forrester Research Inc. analyst Jonathan Penn. "Security needs to come out of the closet."
Protecting yourself
A new breed of software can record a computer user's keystrokes,
including bank passwords and credit card numbers, and send the data to
thieves over the Internet. Some programs are nearly undetectable. Here
are tips for safer computing:
• Keep your operating system up to date. On PCs, use the automatic-update feature in Microsoft Windows.
• Install an Internet firewall.
• Use and update your anti-virus software.
• Install a program that scans your computer for spyware and run
it weekly. Spyware scanners include Spybot Search & Destroy,
Ad-Aware by Lavasoft, Spy Sweeper by Webroot Software and PestPatrol by
Computer Associates.
• Never click on Web links embedded in an e-mail; instead, type the address into your browser.
• Consider switching your Web browser from Internet Explorer to
Firefox, which has fewer critical and unpatched security holes.
• Change your passwords regularly.
• If possible, keep sensitive information off computers connected to the Internet.
• If your PC has been compromised, volunteers at websites such as http://www.spywarewarrior.com and http://www.spywareinfo.com
can help repair your machine. Consider switching credit cards and bank
accounts and ordering a credit freeze from the three major credit
bureaus, Experian, Equifax and TransUnion.
Sources: SpywareWarrior, Sunbelt Software, Counterpane, Times research.