Category Archives: Banking Industry

Phishing Scams and your bank

“Your information security program is only as strong as your weakest link,” said Linda McGlasson of Bank Info Security.

“That weakest link is your customer or your employee sitting at a screen, deciding whether to click on that link that popped up in their instant messaging screen, or direct message box on Twitter, or visit that site that offers free ringtones (and malware as a bonus).”

Recently, 10 US financial institutions in California, New York, Pennsylvania and Wisconsin received fraudulent text messages or automated phone calls.

On September 28, 2009, the 1st Federal Credit Union of central Pennsylvania reported that it received calls from customers about text messages claiming that their cards were blocked.

Similarly, on October 2, phishers sent text messages to mobile phones in the Omaha area, claiming their bank card had been deactivated. Included were instructions to call an 877 number to reactivate it. At least one customer lost several hundred dollars.

“Once he changed his PIN, somebody went in and withdrew the money,” said Richard Patterson, president of Greater Omaha Federal Credit Union.

A very convincing automated phone call phishing scam directly named the Liberty Bank.

“Your card has been suspended because we believe it was accessed by a third party. Please press 1 now to be transferred to our security department,” said the recording, before listing an impressive array of details designed to sound official.

Customers who pressed “1” were asked to enter their credit/debit card number and personal identification number.

“There will be some losses,” Liberty Bank Vice President Jill Hitchman said. “Charges started showing up almost immediately after our customers gave away their card numbers.”

Of course, Liberty responsibly warns its customers to “never reply to email, pop-up messages or phone callers that ask for your personal or financial information. LIBERTY BANK WILL NEVER ask you to disclose your password or pin”.

Spam works because about one out of six people respond to messages they suspect are spam, according to survey data from the Messaging Anti-Abuse Working Group (MAAWG), an anti-spam trade organization.

A record five million new malware threats were detected in the third quarter of 2009, according to the cloud security firm Panda Security. Trojans accounted for 71 percent of all new malware between July and September 2009, as bots and other malware are morphing rapidly.

Globally, 59% of computers are infected, states Panda.

Obviously we need to keep our anti-virus protection up to date. This is why Bank Info Security recommends regular, preferably quarterly, programs that remind customers of secure banking practices.

The problem is that people are the weakest link. Even normally cautious people may once in a while click a link they would normally ignore.

Since most of us are not rocket scientists, perhaps we should give ourselves a reality check and put ourselves through a similar audit of our email and web habits.

People need to be trained to obtain a driver's license, so perhaps we need to begin to train people in the rules of internet safety, said Linda McGlasson.

She suggests these very basic first tips:

  • Keep your operating system up to date with the latest patches;
  • Update your anti-virus and anti-spyware regularly, if not daily;
  • Install a firewall on your PC;
  • Don’t click on links in emails that are from unknown origins (or known origins for that matter).

European ATM Crimes Increasing

ATM attacks rose 149% on 2008 in Europe and annual cash machine losses approach EUR 500 million, states ENISA, the European Network and Information Security Agency.

ATM burglaries and physical attacks have also increased by 32% over the last 12 months, ranging from ram raids and explosions to the use of rotary saws, thermal lances and diamond drills.

“ATMs are attractive to criminals because they contain bank notes, while the bank cards themselves give thieves access to customers’ bank accounts,” said Mr. Andrea Pirotti, Executive Director at ENISA.

ATM numbers in Europe increased by 6% last year to almost 400,000. Seventy-two percent of European ATMs are located in just five countries: UK, Spain, Germany, France and Italy. Many ATMs are in remote locations such as convenience stores, airports and petrol stations.

Criminals prefer to take money directly from ATMs after obtaining PINs using a wide range of techniques, from ‘shoulder surfing’ to complex skimming techniques. During 2008, 10,302 skimming incidents were reported in Europe.

“This can involve the usage of a small spy camera, a false PIN overlay and even fake machines; while increasingly Bluetooth wireless technology is used to transmit card and PIN details to a nearby laptop computer,” states ENISA.

“ATM crime is likely to become even more attractive as the latest generation of ATMs is designed to dispense other services and products such as phone top ups and stamps,” he said.

Organised criminal gangs have also extracted money by trapping and then retrieving users’ cards, stopping withdrawals in the middle of a transaction and completing them later or even trapping cash in the machine.

PIN and account information has been obtained by sophisticated phishing techniques and hacking into bank computer systems and web sites, states ENISA.

“Most ATM crime is focused on exploiting the human element and card holders must be more aware of the risks they are exposed to and how to prevent fraud occurring,” said Pirotti. “Information security has, for too long, been focusing on technical solutions to maximise protection.”

“The first line of defence against ATM crime is increasing awareness of the risks” so that users can take simple precautions such as shielding their PIN when entering it and keeping alert to any signs of tampering or suspicious activity at an ATM.

ENISA suggests a few Golden Rules that offer maximum protection with minimum effort.

ENISA Golden Rules

Choosing an ATM Machine

  • Don’t use ATMs with extra signage or warnings
  • Try to use ATMs inside banks
  • Don’t use freestanding ATMs

Physical surroundings

  • Use an ATM which is in clear view and well lit
  • Be cautious of strangers and check they are at a reasonable distance away

Making Operations

  • Pay careful attention to the front of the machine for tampering
  • Pay attention to the card reader for signs of additional devices
  • Look carefully for differences or unusual characteristics of the ATM’s PIN pad
  • Look out for extra cameras
  • Protect your PIN by standing close to the ATM and shielding the key pad
  • Report confiscated cards immediately
  • Beware of ATMs that don’t dispense cash and non-bank ATMs that don’t charge fees

Statement Reviews

  • Frequently review your account statements
  • Report any suspicious activity immediately

(‘ATM Crime: Overview of the European situation and golden rules on how to avoid it’.)

Cybercrime Hits Smaller Business

Heartland Payment Systems, Radisson Hotels and Network Solutions have made news because of data breaches. In 2008, 285 million records were compromised, according to the 2009 Data Breach Investigations Report by the Verizon Business Investigative Response Team.

However, the Federal Deposit Insurance Corporation (FDIC) reports that online criminals are attacking small and medium-sized businesses and fraudulently draining funds from their bank accounts.

In a recent podcast, Doug Johnson, Senior Policy Analyst for the American Bankers Association, noted that although it is hard to “get a fix on the exact number”, “law enforcement and institutions have really seen the exploit migrate from large businesses to small businesses”.

Smaller businesses may not be aware of this type of fraud or know how to protect themselves.

Johnson recommends authentication at the business customer level and educating customers about how to protect themselves.

“It starts very cagily by the fraudsters, mostly from Eastern Europe, doing some social intelligence associated with the business,” said Johnson, “so they might know who the CFO is, or they might know who someone in HR is or what have you, or in IT.”

“Then they will send an email, which might be a Microsoft update for instance, or some other thing, which that particular individual would be aware of. The CFO might get something that purportedly is coming from the Better Business Bureau, for instance, things of that nature.”

In other words, an email that looks legitimate or expected may be bait.

Recently, the Ripoff Report pointed out that two-thirds used the sender’s name to gauge whether a mail was spam, 45% looked at the subject line and 22% used “visual indicators.” About 3% relied on the time a message was sent to judge if it was legitimate.

As technology improves, judging an email on visual clues can be problematic. Businesses obviously need to avoid clicking links in these emails.

“I think that it is not unusual for business customers to in their busy day not even think about the emails that they are clicking on,” he said.

Chris Novak, managing principal at Verizon Business Investigative Response Team, describes online security as a “kind of cat and mouse game” requiring vigilance over a continually evolving threat.

Mr Novak has investigated criminal and civil data breaches for over a decade.

“I think the biggest thing is the evolution of malware. We are seeing that the malware is getting more advanced, and the hackers – particularly the organized crime groups – they actually have development teams,” he said.

“Some of the malware is purposely built just for one specific victim environment, and the hackers have the capability to do that.”

Novak expresses concern that people think there are just a few types of malware that anti-virus protection can handle.

“Malware is evolving rapidly with added capabilities that may frighten some people,” he said.

“The key piece is really making sure that you stay up on the latest and greatest threat information to know what you need to do to protect yourself.”

Fortunately, the recent big-name security breaches demonstrated that event monitoring and log analysis revealed what was happening in 82% of cases. To be effective, this requires a combination of people, processes and technology.

Novak expressed concern that people have developed an over-reliance on technology.

“The problem with a lot of that is, like most technology, it is pre-configured to understand certain things and detect certain threats, but for the most part it is based on what’s been programmed into it and how it has been configured.”

“In a lot of cases, you need a backup to technology of those appliances with people resources that can look at it and kind of do a sanity check on it and say ‘You know what, this doesn’t look right. Someone logged into their bank account 7000 times today, and that is probably a problem.’ Sometimes the technology picks up things like that, and sometimes it doesn’t.”

Data can be moved in and out of an environment very quickly, which is why monitoring is so important.

“The biggest breaches that we’ve ever investigated took place in 24-to-48 hours. That’s all the hacker needed, depending on how organized they were.”
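
The sanity check Novak describes (one account logging in thousands of times in a day) can be run directly over authentication logs. The following is an added example, not part of the original article; the log format, account names, IP addresses and thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

def build_sample_log():
    """Constructed sample: '<ISO timestamp> LOGIN <account> <source IP> <result>'."""
    lines = []
    for acct, n in (("acct-1001", 3), ("acct-1002", 5), ("acct-1003", 2), ("acct-1004", 4)):
        for i in range(n):  # ordinary customers: a handful of logins a day
            lines.append(f"2009-10-02T09:{i:02d}:00 LOGIN {acct} 192.0.2.10 OK")
    for i in range(7000):  # one account driven by automation
        ts = f"2009-10-02T{10 + i // 3600:02d}:{(i // 60) % 60:02d}:{i % 60:02d}"
        lines.append(f"{ts} LOGIN acct-2001 198.51.100.7 OK")
    lines.append("truncated line from a rotated log")  # must not crash the parser
    return lines

def parse(line):
    """Return (date, account, result), or None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "LOGIN":
        return None
    try:
        day = datetime.fromisoformat(parts[0]).date()
    except ValueError:
        return None
    return day, parts[2], parts[4]

def flag_accounts(lines, k=10.0, floor=50):
    """Flag (account, day, count) where successful logins far exceed the daily norm."""
    counts, skipped = Counter(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1  # report unparsed lines instead of silently dropping them
            continue
        day, acct, result = rec
        if result == "OK":
            counts[(day, acct)] += 1
    if not counts:
        return [], skipped
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1  # avoid a zero-width band
    limit = max(floor, med + k * mad)  # k and floor are assumed values to tune
    flagged = sorted((acct, str(day), n) for (day, acct), n in counts.items() if n > limit)
    return flagged, skipped

if __name__ == "__main__":
    print(flag_accounts(build_sample_log()))
```

The median-based limit keeps a single extreme account from inflating its own baseline, and the count of skipped lines gives the human reviewer a signal when the log format itself has changed.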

The Bank Fee Ripoff

Consumers are watching their spending more closely and increasingly trying to avoid bank fees.

More individuals are paying bills at bank or credit union web sites than at individual biller web sites, according to a Javelin Strategy & Research report, and consumers sensitive to fees are prone to switching banks.

Eight out of 10 online households now conduct online banking, according to Javelin, fueling a desire for efficient but integrated online banking, bill pay, personal finance management tools and expedited payments.

For the first time, more consumers paid bills via bank sites than biller-direct sites, stated James Van Dyke, President and Founder of Javelin Strategy & Research.

“But many banks and credit unions have been slow to upgrade, which has created a wide gap in online capabilities and usage when comparing the nation’s biggest banks to smaller banks.”

The 2009 Online Banking and Bill Payment Forecast revealed:

  • Six in ten online households bank online weekly, a 12% increase from 2008.
  • Seven in ten online households pay bills online monthly, up from 64% in 2008.
  • 83 million households will bank online by 2014.
  • Smaller banks are struggling to keep up with bigger banks online.
  • Bank fees are the main reason people switch financial providers.
  • Consumer demand is building for online personal finance management tools that consolidate money-monitoring capabilities offered by free web sites with those offered by banks and credit unions.

In the USA, “The playing field is dominated by Bank of America, Citi, JPMorgan Chase and Wells Fargo, which have set the bar high for what consumers can expect from a full-service online-banking operation,” Mark Schwanhausser, Research Analyst at Javelin said.

“Nearly six out of 10 customers paid a bill online through these titans,” stated Mr. Schwanhausser of the USA market, “which is significantly higher than the number of consumers that paid bills online at regional banks, community banks, and credit unions.”

Bank Fees have increasingly driven bank profits

A Moebs $ervices statistical survey of 2,014 banks, savings institutions and credit unions in the United States, designed by Professor George Easton of Emory University, revealed how bankers have used fees to exploit those hit by the recession in the USA:

  • 44.5% of all banks and credit unions have overdraft income greater than net income.
  • The national median for overdraft fees increased from $25.00 in 2008 to $26.00 in 2009.
  • This is the first time overdraft fees have increased in a recession.
  • Higher overdraft fees were led by Wall Street Banks, with assets greater than $50B, charging $35.00 per overdraft.
  • Some national retail merchants charge more than $35 for a bad check, exceeding even the Wall Street Banks.
  • Wall Street Banks overdraft fees are 78.5% of what a Pay Day Lender would charge.
  • 85.9% of all depositories offering overdrafts allow the consumer to opt out at any time.
  • Fewer than 1 out of 5 depositories pay large items first when processing checks nightly.

However, the FDIC Study of Bank Overdraft Programs revealed that less than 14% of all bank customers pay over 93% of the overdraft fees. This suggests financial management can prevent most charges. However, those who are financially disadvantaged, or who have difficulty understanding financial jargon, have fewer options.

However, most banks (75.1 percent) automatically enrolled customers in automated overdraft programs but usually permitted them to affirmatively opt out of the program, stated the FDIC.

The pursuit of low-fee banking has been felt internationally.

“Although banks have always charged fees for overdrawing your account, they have been struggling with the negative publicity ever since the Reserve Bank revealed the banks reaped $1.2bn through penalty fees last year,” Canstar Cannex financial analyst Peter Arnold said. Australia’s national population is only 22 million.

The National Australia Bank decided to axe its overdrawn fee as part of its efforts to improve its relationships with customers. Other banks followed.

“Many credit unions and building societies give you a period of grace – say 5 days – to rectify the error and they seem to charge a fee only as a last resort,” Arnold said of the Australian market.

In addition, credit unions ($15.49) and building societies ($19.57) charge on average much lower fees than the four major banks ($33.33) and the other banks ($26.90).

However, James Middleweek, managing director of consumer compensation law firm Financial Redress, told Brokernews the UK was “light years ahead of Australia” when it comes to consumer protection and activism.

“Penalty charges are on the point of being outlawed in general in the UK,” he said.

How Can You Avoid Bank Fees?

Open an account with a reasonable balance. Some banks charge fewer fees on accounts over a minimum balance.

When opening an account, make certain that the bank details are thoroughly explained to you. Are there monthly fees or ATM charges? Obtain written documentation of the account fees.

Go over the details of your account when it is opened. Talk to the person who opens your account. Do ATM fees apply? Do monthly charges apply below a certain balance? Document the conversation in case you have to deal with the branch later.

Monitor your account. Perhaps online access is the best way to do this. Or is a monthly statement mailed to you more suitable? Make certain there are no mistakes on your account. Are there any fees you did not expect? Check them out.

Ensure you keep the minimum balance in your account. It is good financial discipline to keep a buffer of a few hundred dollars in your account.

A zero balance or an ATM purchase rejected for insufficient funds can result in an overdraft fee (at least in the USA).

If your account goes below an agreed minimum you will instantly be charged a fee.