Survey: 2 million bank accounts robbed

Shorty Manchester, UK Icrontian
edited November 2010 in Science & Tech
This is good stuff... Info and links at the bottom of this article for contacts if you ever have your account robbed by hackers.

Bob Sullivan
Technology correspondent
MSNBC
Updated: 4:25 a.m. ET June 14, 2004

Criminals taking advantage of online banking, Gartner says
Nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months, according to a soon-to-be released survey by market research group Gartner. Consumers reported an average loss per incident of $1,200, pushing total losses higher than $2 billion for the year.

Gartner researcher Avivah Litan blamed online banking for most of the problem.

"There has been a big increase in the abuse of existing checking accounts," Litan said. "What's really scary about it is right now there are no back-end fraud detection solutions for it."

The survey results, extrapolated from a telephone poll of 5,000 consumers conducted in April, offer a rare glimpse at the state of bank fraud: Financial institutions are tight-lipped about fraud losses. But Litan said the study confirms comments she regularly hears from bank investigators.

"The results are consistent with what banks are telling me. ... When I talk to them, they all nod their heads that this is the area where they are seeing the most fraud escalation," she said.

'Constant siege'
The trend neatly follows a sharp rise in so-called phishing e-mails, which attempt to steal consumers' user names and passwords by imitating e-mail from legitimate financial institutions. A Gartner study released in May showed at least 1.8 million consumers had been tricked into divulging personal information in phishing attacks, most within the past year.

Phishing attempts designed specifically to steal bank information began to skyrocket about 10 months ago, according to Dave Jevans, chair of the Anti-Phishing Working Group. Overall, phishing e-mails have jumped 4,000 percent in the past six months, and just last month, Citibank overtook eBay as the most common target. The company faced an average of 16 attacks per day, and 475 separate phishing attacks during April, an increase of nearly 400 percent from March.

Citibank didn't immediately return requests for comment.

"It's working, there's no doubt about that...There's people who are under constant siege now," Jevans said. "It's like people setting up fake ATMs everywhere."

Some days, banks are targeted dozens of times, which not only leads to identity theft, but also jam-packed customer service telephone lines.

"Clearly the issues are far more significant than anyone expected they would be. Phishing and spoofing (setting up look-alike bank Web sites) are really getting to people," said Larry Ponemon, founder of privacy think tank Ponemon Institute, and a bank consultant. "It is an epidemic. It's a very big problem."

Creative ways to drain accounts
But phish isn't the only way criminals gain access to online bank accounts, according to industry experts. Computer criminals are becoming increasingly proficient at writing Trojan horse programs and keyloggers that steal passwords and account information. Such secret malicious programs, which experts say are more widespread than many realize, could be the cause of up to half the account takeovers, Litan speculated.

Such programs can be installed on home users' computers through virus-laden e-mails. People who do their online banking at public computers, such as at Internet cafes, are also at risk from this kind of password swiping.

The Gartner survey found that more than 4 million consumers reported suffering checking account takeovers at any time during recent years, with half that number saying it had happened in the most recent 12-month span -- indicating a sharp increase in the activity.

While consumers who responded to the survey didn't know how the money was moved out of their checking accounts -- fake ATM cards are another possibility, for example -- Litan said she suspects a sharp rise in hackers taking over online bank accounts is the likely cause.

Criminals are using creative ways to transfer money out of hijacked accounts, she said.

"A couple of banks tell me (the criminals) set up a bill payment account, then pay themselves," she said.

Another method, said U.S. Postal Inspector Barry Mew, takes advantage of the images of canceled checks made available to online bankers. Imposters use them to create authentic-looking counterfeit checks; they have an added air of legitimacy, since the check numbers are appropriately in series.

Enough safeguards?
Online banking, including online bill paying, has spiked in popularity in recent years, particularly as more financial institutions offer the service for free. According to Gartner, 45 percent of the 141 million U.S. adults who use the Internet pay bills online. Consumers like the convenience and banks like the operating savings.

But not everyone is comfortable banking online, and Gartner's study confirms some of that group's worst fears: that accounts can be tapped into by criminals.

"They should be afraid," Litan said. "The banks should be requiring more than just passwords to use online banking. They all know they have to do something, but they are all afraid to take the first step."

Identity theft expert Rob Douglas described the study results as "blockbuster," and said banks may be forced to re-think the way they are giving consumers access to checking accounts online.

"They may say it's because customers are not practicing the appropriate safeguards," he said. "But when it comes to online banking, they are not doing a good enough job of educating customers what to watch out for. Someone is making a lot of money."

Litan said the industry was reeling in part because there is no software designed to detect unusual checking account withdrawal patterns, outside of software that looks for money laundering, which doesn't catch simple unauthorized withdrawals.

Most credit card users are familiar with industry software called Falcon, which alerts issuers when out-of-the-ordinary purchases are attempted. Such software will often cause a card issuer to call a consumer and ask questions like, "Are you really in London buying a diamond necklace right now?"

There's no similar product for online banking, Litan said.

Still, there are simpler solutions banks could implement to protect themselves and consumers. One idea is a "shared secret" -- a picture that consumers would give to a bank, which would then appear each time the consumer visited the bank's site, confirming it was the authentic corporate Web site and not a "spoof" site controlled by a hacker.

"There's a lot at stake here," Litan said. "And there's a lot that banks can do."

Limited window for refunds
In most cases, analysts say, consumers are eventually refunded the money they lose. Federal regulations governing electronic transfers, known as Regulation E, require banks to refund the money as long as consumers notify the institution within 60 days of receiving their bank statement. But outside the 60-day window, banks are under no obligation to issue refunds.

Many banks don't make consumer rights clear enough, said George Tubin, an analyst at Tower Group. He praised Bank of America, Citibank, and Wells Fargo for offering credit-card style "zero liability" policies on their online banking products.

"Until a bank is comfortable enough with their product to say you're covered, how can consumers feel comfortable?" he said.

Betty Reese, a spokeswoman for Bank of America, said her firm simply requires consumers to report any fraud on "a timely basis." She declined to disclose fraud statistics.

Still, getting a refund can be inconvenient, and there are scattered reports of banks not making the process easy. And ultimately, all consumers pay when banks increase fees to recoup their losses.

The new Gartner results "are staggering numbers," said Jim Bruene, editor and founder of the Online Banking Report.

"If that's true, we are really facing a monster problem," he said. "It's something that could have been anticipated by the banks. ... There should be and will be more controls in place."

FACT FILE #1 Your ID's been stolen. Now what?
Step 1: Protect your finances
Contact the fraud departments of each of the three major credit bureaus.
Get a copy of your credit report, which is free to ID theft victims. Ask that your file be flagged with a "fraud alert tag" and a "victim's statement." That will limit the thief’s ability to open new credit accounts, as new creditors will call you before granting credit, generally. Insist, in writing, that the fraud alert remain in place for seven years, the maximum, according to PrivacyRights.org.
Credit bureaus
Equifax: 1-800-525-6285, www.equifax.com
Experian: 1-888-397-3742, www.experian.com
TransUnion: 1-800-680-7289, www.tuc.com

Step 2: File a police report
You will need a police report to dispute unauthorized charges and for any insurance claims. Be persistent; your local police department may suggest that this isn’t necessary, because they don’t want the paperwork hassle. Also, fill out an online ID Theft complaint with the Federal Trade Commission or call 1-877-ID-THEFT.
That enters your case in the FTC’s “Consumer Sentinel” database, a nationwide list of ID theft cases which can be used by law enforcement officers to find patterns and catch criminals.

Step 3: Close all compromised accounts
The list may be wider than you realize. This includes accounts with banks, credit card companies and other lenders, and phone companies, utilities, ISPs, and other service providers. Dispute all unauthorized charges – The FTC offers a sample dispute letter on its Web site. Disputes may require a sworn statement and a police report. The FTC also offers a form affidavit which can be used for the sworn statement at www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf.


More help

More detailed 17-step plan to follow if your ID is stolen
www.privacyrights.org/identity.htm

“When bad things happen to your good name” – FTC document full of sample dispute letters and other recovery procedures.
www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm

U.S. Department of Justice ID Theft kit
www.usdoj.gov/criminal/fraud/idtheft.html

Identity Theft Resource Center
www.idtheftcenter.org

Organizing your ID theft case – good paperwork is key
www.privacyrights.org/fs/fs17b-org.htm

ID theft laws vary by state – here’s a list of state laws
www.consumer.gov/idtheft/federallaws.html#statelaws

Michigan State University School of Criminal Justice ID Theft page
www.cj.msu.edu/~outreach/identity


Fact File #2 Know your rights

Regulation E protects consumers when they are hit by electronic financial fraud


Consumers have well-defined rights with respect to fraudulent electronic transfers, and should generally be able to obtain refunds with little hassle. The rights are spelled out in what's known as "Reg-E," or the Federal Reserve Board's Regulation E. The Fed was authorized to draw up the regulation by the Electronic Funds Transfer Act of 1979. The regulation covers all manner of transfers into and out of bank accounts outside of paper checks, including the use of debit cards. It does not cover credit card transactions.


What's covered
Any transfer initiated through an "electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit an account." These include point-of-sale transfers, automated teller machine transfers, direct deposits or withdrawals of funds, transfers initiated by telephone, and transfers resulting from debit card transactions, whether or not initiated through an electronic terminal.


Consumer liability
When a debit card or other "access device" is lost, such as an online banking password, consumer liability is capped at $50 for those who notify banks within two business days. Consumers who notify the bank within 60 days have their liability capped at $500. After 60 days, if the consumer doesn't inform the bank, any charges which occur become the consumers' responsibility. If no access device is lost, and fraudulent charges mysteriously appear on a consumer's account, the liability clock begins when the bank notifies its customer of the activity, usually through regular monthly statements.


What consumers should do
The quicker the bank is notified, the better. Reg-E says consumers can notify banks in person, by telephone, or in writing -- the notice is considered given, even if bank employees don't acknowledge receipt of it. A certified letter is probably the best bet; that way you have a copy in case the bank challenges you on the issue of timely notification.


What banks are required to do
Banks must investigate disputed charges within 10 days, and report results to the consumer within three days. Errors must be fixed within one day. If the investigation cannot be completed within 10 days, banks must issue a provisional credit to the consumer for the disputed amount, less $50.

Submitted by: gtghm

Source: MSNBC Interactive

Comments

  • Gobbles Ventura California
    edited June 2004
    I knew there were advantages to being broke all the time...

    Gobbles
  • edited November 2010
    Do you have any current statistics on what unauthorized transactions and scams cost banks/financial institutions per year?
  • pragtastic Alexandria, VA Icrontian
    edited November 2010
    Neeeeeecccrrrooooooooooooooooooooooooooooooooooo
  • Tushon I'm scared, Coach Alexandria, VA Icrontian
    edited November 2010
    A preponderance of necro threads recently. I had an awesome necro statement that I can't seem to find. Something about summoning the necro