Entries Tagged "banking"


Class Break of Citibank ATM Cards

There seems to be some massive class break against Citibank ATM cards in Canada, the UK, and Russia. I don’t know any details, but the story is interesting. More info here.

EDITED TO ADD (3/6): More info here, here, here, and here.

EDITED TO ADD (3/7): Another news article.

From Jake Appelbaum: “The one unanswered question in all of this seems to be: Why is the new card going to have any issues in any of the affected countries? No one from Citibank was able to provide me with a promise my new card wouldn’t be locked yet again. Pretty amazing. I guess when I get my new card, I’ll find out.”

EDITED TO ADD (3/8): Some more news.

Posted on March 6, 2006 at 2:44 PM

The Terrorist Threat of Paying Your Credit Card Balance

This article shows how badly terrorist profiling can go wrong:

They paid down some debt. The balance on their JCPenney Platinum MasterCard had gotten to an unhealthy level. So they sent in a large payment, a check for $6,522.

And an alarm went off. A red flag went up. The Soehnges’ behavior was found questionable.

And all they did was pay down their debt. They didn’t call a suspected terrorist on their cell phone. They didn’t try to sneak a machine gun through customs.

They just paid a hefty chunk of their credit card balance. And they learned how frighteningly wide the net of suspicion has been cast.

After sending in the check, they checked online to see if their account had been duly credited. They learned that the check had arrived, but the amount available for credit on their account hadn’t changed.

So Deana Soehnge called the credit-card company. Then Walter called.

“When you mess with my money, I want to know why,” he said.

They both learned the same astounding piece of information about the little things that can set the threat sensors to beeping and blinking.

They were told, as they moved up the managerial ladder at the call center, that the amount they had sent in was much larger than their normal monthly payment. And if the increase hits a certain percentage higher than that normal payment, Homeland Security has to be notified. And the money doesn’t move until the threat alert is lifted.

The article goes on to blame something called the Bank Privacy Act, but that’s not correct. The culprit here is the amendments made to the Bank Secrecy Act by the USA Patriot Act, Sections 351 and 352. There’s a general discussion here, and the Federal Register here.

There has been some rumbling on the net that this story is badly garbled—or even a hoax—but certainly this kind of thing is what financial institutions are required to report under the Patriot Act.

Remember, all the time spent chasing down silly false alarms is time wasted. Finding terrorist plots is a signal-to-noise problem, and stuff like this substantially decreases that ratio: it adds a lot of noise without adding enough signal. It makes us less safe, because it makes terrorist plots harder to find.

Posted on March 6, 2006 at 10:45 AM

Caller ID Spoofing

What’s worse than a bad authentication system? A bad authentication system that people have learned to trust. According to the Associated Press:

In the last few years, Caller ID spoofing has become much easier. Millions of people have Internet telephone equipment that can be set to make any number appear on a Caller ID system. And several Web sites have sprung up to provide Caller ID spoofing services, eliminating the need for any special hardware.

For instance, Spoofcard.com sells a virtual “calling card” for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display.

Near as anyone can tell, this is perfectly legal. (Although the FCC is investigating.)

The applications for Caller ID spoofing are not limited to fooling people. There’s real fraud that can be committed:

Lance James, chief scientist at security company Secure Science Corp., said Caller ID spoofing Web sites are used by people who buy stolen credit card numbers. They will call a service such as Western Union, setting Caller ID to appear to originate from the card holder’s home, and use the credit card number to order cash transfers that they then pick up.

Exposing a similar vulnerability, Caller ID is used by credit-card companies to authenticate newly issued cards. The recipients are generally asked to call from their home phones to activate their cards.

And, of course, harmful pranks:

In one case, SWAT teams surrounded a building in New Brunswick, N.J., last year after police received a call from a woman who said she was being held hostage in an apartment. Caller ID was spoofed to appear to come from the apartment.

It’s also easy to break into a cell phone voice mailbox using spoofing, because many systems are set to automatically grant entry to calls from the owner of the account. Stopping that requires setting a PIN code or password for the mailbox.

I have never been a fan of Caller ID. My phone number is configured to block Caller ID on outgoing calls. The number of phone numbers that refuse to accept my calls is growing, however.

Posted on March 3, 2006 at 7:10 AM

Unfortunate Court Ruling Regarding Gramm-Leach-Bliley

“A Federal Court Rules That A Financial Institution Has No Duty To Encrypt A Customer Database”:

In a legal decision that could have broad implications for financial institutions, a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands.

Basically, an employee of Brazos Higher Education Service Corporation, Inc., had customer information on a laptop computer he was using at home. The computer was stolen, and a customer sued Brazos.

The judge dismissed the lawsuit. And then he went further:

Significantly, while recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute “does not prohibit someone from working with sensitive data on a laptop computer in a home office,” and does not require that “any nonpublic personal information stored on a laptop computer should be encrypted.”

I know nothing of the legal merits of the case, nor do I have an opinion about whether Gramm-Leach-Bliley does or does not require financial companies to encrypt personal data in its purview. But I do know that we as a society need to force companies to encrypt personal data about us. Companies won’t do it on their own—the market just doesn’t encourage this behavior—so legislation or liability are the only available mechanisms. If this law doesn’t do it, we need another one.

EDITED TO ADD (2/22): Some commentary here.

Posted on February 21, 2006 at 1:34 PM

Proof that Employees Don't Care About Security

Does anyone think that this experiment would turn out any differently?

An experiment carried out within London’s square mile has revealed that employees in some of the City’s best known financial services companies don’t care about basic security policy.

CDs were handed out to commuters as they entered the City by employees of IT skills specialist The Training Camp and recipients were told the disks contained a special Valentine’s Day promotion.

However, the CDs contained nothing more than code which informed The Training Camp how many of the recipients had tried to open the CD. Among those who were duped were employees of a major retail bank and two global insurers.

The CD packaging even contained a clear warning about installing third-party software and acting in breach of company acceptable-use policies—but that didn’t deter many individuals who showed little regard for the security of their PC and their company.

This was a benign stunt, but it could have been much more serious. A CD-ROM carried into the office and run on a computer bypasses the company’s network security systems. You could easily imagine a criminal ring using this technique to deliver a malicious program into a corporate network—and it would work.

But concluding that employees don’t care about security is a bit naive. Employees care about security; they just don’t understand it. Computer and network security is complicated and confusing, and unless you’re technologically inclined, you’re just not going to have an intuitive feel for what’s appropriate and what’s a security risk. Even worse, technology changes quickly, and any security intuition an employee has is likely to be out of date within a short time.

Education is one way to deal with this, but education has its limitations. I’m sure these banks had security awareness campaigns; they just didn’t stick. Punishment is another form of education, and my guess is it would be more effective. If the banks fired everyone who fell for the CD-ROM-on-the-street trick, you can be sure that no one would ever do that again. (At least, until everyone forgot.) That won’t ever happen, though, because the morale effects would be huge.

Rather than blaming this kind of behavior on the users, we would be better served by focusing on the technology. Why does the average computer user at a bank need the ability to install software from a CD-ROM? Why doesn’t the computer block that action, or at least inform the IT department? Computers need to be secure regardless of who’s sitting in front of them, irrespective of what they do.

If I go downstairs and try to repair the heating system in my home, I’m likely to break all sorts of safety rules—and probably the system and myself in the process. I have no experience in that sort of thing, and honestly, there’s no point trying to educate me. But my home heating system works fine without my having to learn anything about it. I know how to set my thermostat, and to call a professional if something goes wrong.

Computers need to work more like that.

Posted on February 20, 2006 at 8:11 AM

Check Washing

Check washing is a form of fraud. The criminal uses various solvents to remove data from a signed check—the “pay to” name, the amount—and replace it with data more beneficial to the criminal: his own name, a larger amount.

This webpage—I know nothing about who these people are, but they seem a bit amateurish—talks about check fraud, and then gives this advice to check writers:

WHAT TYPE OF PEN TO USE WHEN WRITING A CHECK:

If you are a ballpoint pen lover, switch to black ink when security is important. Among water-based inks, remember that gels are the most impervious. But when you’re writing checks to pay the monthly bills, only one type of ink, the kind in gel pens, has been found to be counterfeit proof to acetone or any other chemical used in “check washing.” Most ballpoint and marker inks are dye based, meaning that the pigments are dissolved in the ink.

Based on recent ink security studies, we highly recommend that you use a gel pen, like the Uniball 207 that uses gel ink that contains tiny particles of color that are trapped into the paper, making check washing a lot more difficult. The pen sells for about $2. Personally I sign all my checks and important documents with one. But if you don’t want to switch, do not hesitate to use your favorite fountain pen. Just fill it with ink in one of the more durable colors and enjoy!

I just wish they footnoted this statistic, obviously designed to scare people:

Check washing takes place to the tune of $815 million every year in the U.S. And it is increasing at an alarming rate.

Posted on February 8, 2006 at 7:57 AM

Korea Solves the Identity Theft Problem

South Korea gets it:

The South Korean government is introducing legislation that will make it mandatory for financial institutions to compensate customers who have fallen victim to online fraud and identity theft.

The new laws will require financial firms in the country to compensate customers for virtually all financial losses resulting from online identity theft and account hacking, even if the banks are not directly responsible.

Of course, by itself this action doesn’t solve identity theft. But in a vibrant capitalist economic market, this action is going to pave the way for technical security improvements that will effectively deal with identity theft.

The good news for the rest of us is that we can watch what happens now.

Posted on December 14, 2005 at 7:14 AM

Identity Theft Over-Reported

I’m glad to see that someone wrote this article. For a long time now, I’ve been saying that the rate of identity theft has been grossly overestimated: too many things are counted as identity theft that are just traditional fraud. Here’s some interesting data to back that claim up:

Multiple surveys have found that around 20 percent of Americans say they have been beset by identity theft. But what exactly is identity theft?

The Identity Theft and Assumption Deterrence Act of 1998 defines it as the illegal use of someone’s “means of identification”—including a credit card. So if you lose your card and someone else uses it to buy a candy bar, technically you have been the victim of identity theft.

Of course misuse of lost, stolen or surreptitiously copied credit cards is a serious matter. But it shouldn’t force anyone to hide in a cave.

Federal law caps our personal liability at $50, and even that amount is often waived. That’s why surveys have found that about two-thirds of people classified as identity theft victims end up paying nothing out of their own pockets.

The more pernicious versions of identity theft, in which fraudsters use someone else’s name to open lines of credit or obtain government documents, are much rarer.

Consider a February survey for insurer Chubb Corp. of 1,866 people nationwide. Nearly 21 percent said they had been an identity theft victim in the previous year.

But when the questioners asked about specific circumstances—and broadened the time frame beyond just the previous year—the percentages diminished. About 12 percent said a collection agency had demanded payment for purchases they hadn’t made. Some 8 percent said fraudulent checks had been drawn against their accounts.

In both cases, the survey didn’t ask whether a faulty memory or a family member—rather than a shadowy criminal—turned out to be the culprit.

It wouldn’t be uncommon. In a 2005 study by Synovate, a research firm, half of self-described victims blamed relatives, friends, neighbors or in-home employees.

When Chubb’s report asked whether people had suffered the huge headache of finding that someone else had taken out loans in their name, 2.4 percent—one in 41 people—said yes.

So what about the claim that 10 million Americans are hit every year, a number often used to pitch credit monitoring services? That statistic, which would amount to about one in 22 adults, also might not be what it seems.

The figure arose in a 2003 report by Synovate commissioned by the Federal Trade Commission. A 2005 update by Synovate put the figure closer to 9 million.

Both totals include misuse of existing credit cards.

Subtracting that, the identity theft numbers were still high but not as frightful: The FTC report determined that fraudsters had opened new accounts or committed similar misdeeds in the names of 3.2 million Americans in the previous year.

The average victim lost $1,180 and wasted 60 hours trying to resolve the problem. Clearly, it’s no picnic.

But there was one intriguing nugget deep in the report.

Some 38 percent of identity theft victims said they hadn’t bothered to notify anyone—not the police, not their credit card company, not a credit bureau. Even when fraud losses purportedly exceeded $5,000, the kept-it-to-myself rate was 19 percent.

Perhaps some people decide that raising a stink over a wrongful charge isn’t worth the trouble. Even so, the finding made the overall validity of the data seem questionable to Fred Cate, an Indiana University law professor who specializes in privacy and security issues.

“That’s not identity theft,” he said. “I’m just confident if you saw a charge that wasn’t yours, you’d contact somebody.”

Identity theft is a serious crime, and it’s a major growth industry in the criminal world. But we do everyone a disservice when we count things as identity theft that really aren’t.

Posted on November 16, 2005 at 1:21 PM

Fraudulent Stock Transactions

From a Business Week story:

During July 13-26, stocks and mutual funds had been sold, and the proceeds wired out of his account in six transactions of nearly $30,000 apiece. Murty, a 64-year-old nuclear engineering professor at North Carolina State University, could only think it was a mistake. He hadn’t sold any stock in months.

Murty dialed E*Trade the moment its call center opened at 7 a.m. A customer service rep urged him to change his password immediately. Too late. E*Trade says the computer in Murty’s Cary (N.C.) home lacked antivirus software and had been infected with code that enabled hackers to grab his user name and password.

The cybercriminals, pretending to be Murty, directed E*Trade to liquidate his holdings. Then they had the brokerage wire the proceeds to a phony account in his name at Wells Fargo Bank. The New York-based online broker says the wire instructions appeared to be legit because they contained the security code the company e-mailed to Murty to execute the transaction. But the cyberthieves had gained control of Murty’s e-mail, too.

E*Trade recovered some of the money from the Wells Fargo account and returned it to Murty. In October, the Indian-born professor reached what he calls a satisfactory settlement with the firm, which says it did nothing wrong.

That last clause is critical. E*Trade insists it did nothing wrong. It executed $174,000 in fraudulent transactions, but it did nothing wrong. It sold stocks without the knowledge or consent of the owner of those stocks, but it did nothing wrong.

Now quite possibly, E*Trade did nothing wrong legally. There may very well be a paragraph buried in whatever agreement this guy signed that says something like: “You agree that any trade request that comes to us with the right password, whether it came from you or not, will be processed.” But there’s the market failure. Until we fix that, these losses are an externality to E*Trade. They’ll only fix the problem up to the point where customers aren’t leaving them in droves, not to the point where the customers’ stocks are secure.

Posted on November 10, 2005 at 2:40 PM

Scandinavian Attack Against Two-Factor Authentication

I’ve repeatedly said that two-factor authentication won’t stop phishing, because the attackers will simply modify their techniques to get around it. Here’s an example where that has happened:

Scandinavian bank Nordea was forced to shut down part of its Web banking service for 12 hours last week following a phishing attack that specifically targeted its paper-based one-time password security system.

According to press reports, the scam targeted customers that access the Nordea Sweden Web banking site using a paper-based single-use password security system.

A blog posting by Finnish security firm F-Secure says recipients of the spam e-mail were directed to bogus Web sites but were also asked to enter their account details along with the next password on their list of one-time passwords issued to them by the bank on a “scratch sheet”.

From F-Secure’s blog:

The fake mails were explaining that Nordea is introducing new security measures, which can be accessed at www.nordea-se.com or www.nordea-bank.net (fake sites hosted in South Korea).

The fake sites looked fairly real. They were asking the user for his personal number, access code and the next available scratch code. Regardless of what you entered, the site would complain about the scratch code and asked you to try the next one. In reality the bad boys were trying to collect several scratch codes for their own use.

The Register also has a story.

Two-factor authentication won’t stop identity theft, because identity theft is not an authentication problem. It’s a transaction-security problem. I’ve written about that already. Solutions need to address the transactions directly, and my guess is that they’ll be a combination of things. Some transactions will become more cumbersome. It will definitely be more cumbersome to get a new credit card. Back-end systems will be put in place to identify fraudulent transaction patterns. Look at credit card security; that’s where you’re going to find ideas for solutions to this problem.

Unfortunately, until financial institutions are liable for all the losses associated with identity theft, and not just their direct losses, we’re not going to see a lot of these solutions. I’ve written about this before as well.

We got them for credit cards because Congress mandated that the banks were liable for all but the first $50 of fraudulent transactions.

EDITED TO ADD: Here’s a related story. The Bank of New Zealand suspended Internet banking because of phishing concerns. Now there’s a company that is taking the threat seriously.

Posted on October 25, 2005 at 12:49 PM
