As Americans improve their computer skills and grow more comfortable
with banking over the Internet, the hackers, phishers and other
fraudsters are honing their nefarious skills as well.
The Federal Trade Commission received 301,835 fraud complaints and
214,905 identity theft complaints in 2003. Bank fraud accounted for 17
percent -- more than 36,000 -- of the identity theft complaints. That
represents just the victims who actually filed a complaint with the
agency. The FTC estimates there were 10 million identity theft victims
that year.
The hacker component:
In a 2003 survey of financial institutions around the world, 39
percent of respondents said their computer systems had been
"compromised" in some way the previous year.
The financial services industry has always been a target. "People go
where the money is," says Ted DeZabala of New York's Deloitte &
Touche, the company that conducted the survey.
"What they want to get at is the mother lode, the internal system, so
they can get many customers simultaneously. If someone gets into a
major institution's system, he's looking for information about a lot
of customers. People should be concerned that there is a risk. The
network age is upon us -- information is king and people will go after
that."
The human dimension:
Other areas of concern are the third parties with whom banks do
business. Those companies have your personal information -- how secure
are their computers? What about the people who work for the banks and
affiliated companies?
"Third parties and employee access are a major challenge," DeZabala
says. "Any uncontrolled access point to a bank is vulnerable. The
(banks) themselves need to put certain levels of control in place and
they need to enforce their policies on third parties. There is a lot
of effort being put toward shoring up those controls."
"When an employee is terminated, they have to be eliminated from the
system and passwords have to be updated."
Concerns about online safety are a key reason why many consumers still
shy away from online banking, according to Larry Freed, CEO at ForeSee
Results in Ann Arbor, Mich.
"For the most part, it's fear of the unknown. When my dad got an ATM
card, he threw it out. He didn't think it seemed secure. Why do so
many people just take money out of ATMs and don't make deposits? It's
because they don't know where their money goes when they slide it into
that black hole. The banks need to educate people on the security
risk."
Phishing for information:
It would be hard to fault consumers who are hesitant about banking or
making other financial transactions online. Hardly a week goes by
without a news report on a computer virus, worm or phishing attack
that makes the Internet seem like a risky place to move your money.
Phishing is when account holders receive an e-mail that purports to
come from the customer's bank, brokerage firm, credit card company,
etc. Customers are told to click on a link within the e-mail and
update their personal information. Often, the phisher is looking for
the Social Security number or the credit card number with expiration
date and PIN.
Unsuspecting consumers click on the link and are taken to a Web site
that often looks legitimate. They enter their personal information and
soon find their identity has been used fraudulently, their bank
account emptied or big bills have been racked up on their credit card.
Dan Maier of the Anti-Phishing Working Group, an association open to
financial institutions, online retailers, law enforcement agencies and
computer experts, says phishers are far more successful than
spammers. "We've heard of response rates ranging up to 5
percent of bank customers responding to the e-mails. One bank said $4
million had been drained from accounts over a period of a couple of
days. Early on, amateurs, hackers and spammers were among those who
had gone to the dark side. More and more the attacks are professional
and widespread. Once an attack is launched, the bank has to shut down
the source -- the Web site -- as soon as possible. Then it has to
notify their customers."
"Banks are getting better at the shut-down part, but there are
challenges," says Maier. "Sometimes the site is hosted overseas by
Web-hosting sites that specialize in anonymous hosting and protect
against law enforcement shutdowns. So they may be actively hindering
shutdowns."
Frank Trotter, CEO at EverBank, an online bank that
opened in January 2000, says security against phishing and other
online attacks has been a major issue since day one.
Modern bank robbery: