Friday, October 23, 2009

Online Banking's Ticking Time Bomb...



A story published today by FierceFinanceIT looks at the fact that the bad guys are focusing their efforts on online banking.  Here's the article, along with my comments on why it's happening and how it can be prevented.



Bottom line: as long as online banking customers are instructed to "key in" (type) their online banking credentials, the online banking industry is sitting on a ticking time bomb.



The only explosive growth the online banking community will see (unless it provides a genuinely secure authentication procedure) is that of the online banking Trojans, which are designed to completely drain accounts and completely destroy any trust associated with online banking.




October 23, 2009 — 8:53am ET | By Jim Kim







Cyber thieves have been targeting banks in more and more creative ways, usually involving retail customers, but the really big thefts are victimizing small government accounts. A customer of M&T Bank, a small bank with 650 branches in the mid-Atlantic region, was victimized recently to the tune of $479,000. The Cumberland County Redevelopment Authority Staff alerted the bank last month that it couldn't access its online banking site.



Apparently, the issue was a virus that allows for keystroke capture.



Let's "key" in on that for a moment, shall we?  The key word here being "keystroke capture."  Let me oversimplify this.  What procedure does online banking mandate for customers to log in to their account?  Is it by "keying" (typing) in their username and password?  It is, isn't it?



Consumers type their username and their password (and more often now, in a lame attempt to add an additional layer of security, some banks require their customers to "key" in other information, such as a mother's maiden name, the make of their first car, etc.).



But the fact remains: if the online banking customer has a virus that allows for keystroke capture, then it doesn't matter whether the bank requires its customers to "key in" (type) the answers to 100 questions, does it?  It will ALL BE CAPTURED.  Makes sense, doesn't it?



Back to the story...







"At the time of the incident, the customer was using a bank-issued ACH house token, which was designed to protect against unauthorized access, specifically from keystroke logging fraud attacks. Obviously, it didn't."


Which is why we created our SLIM device.  It eliminates typing, and with it keystroke logging (and phishing), by letting online banking customers swipe their bank-issued card and enter their bank-issued PIN to authenticate themselves.  We use "existing bank rails" to authenticate the user.  (If that process sounds familiar, it's because it's the same process used to withdraw cash from an ATM.)  A 100% seamless transition.



The story continues...



The stolen funds were transferred to accounts set up by the hacker, using names of LLCs and individuals, at 11 domestic financial institutions. So far, more than $100,000 has been recovered.  





Editor's Note:  Guess what.  The SLIM would also prevent any stolen funds from being transferred anywhere until the online banking consumer demonstrated intent to authorize the transfer by swiping their card and entering their PIN a second time!  Talk about doubly protecting the consumer.

 






To review: if somehow (for instance, through a pre-existing infection by the Zeus, Clampi or URLZone banking Trojans) the bad guys were able to get into an online banking customer's account, they WOULD NOT (let me state that again) WOULD NOT be able to transfer funds ANYWHERE (let me state that again) ANYWHERE, unless the bad guys also had the consumer's bank-issued card and their bank-issued PIN.
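To make the "second swipe" idea concrete, here is an added example (written for this page, not HomeATM's or SLIM's own code, whose protocol the post does not describe). It models a bank that will only execute a transfer when it receives a cryptogram computed by a card reader from the card's magstripe data and the PIN entered on the reader's own keypad, over a fresh server nonce and the transfer details. The card number, track data, PIN, key derivation and message layout are all constructed assumptions for illustration.

```python
"""Hypothetical model of card-swipe + PIN authorization of an online transfer.

Assumptions (not from the original post): the issuer and the reader share a
per-card key derived from magstripe track data plus PIN; the bank issues a
random nonce per transfer; the cryptogram is an HMAC over nonce, PAN,
destination and amount. Real issuers keep PIN secrets in HSMs, not raw PINs.
"""
import hashlib
import hmac
import secrets


def derive_card_key(track2: str, pin: str) -> bytes:
    # Issuer/reader shared key: needs both the card data and the PIN, so a
    # keylogger-captured browser session (which has neither) cannot rebuild it.
    return hashlib.sha256(f"{track2}|{pin}".encode()).digest()


class Bank:
    def __init__(self):
        self.cards = {}       # pan -> issuer copy of the card key
        self.balances = {}    # pan -> balance
        self.nonces = {}      # pan -> outstanding challenge nonces
        self.used = set()     # consumed nonces, so a captured cryptogram cannot be replayed

    def issue_card(self, pan, track2, pin, balance):
        self.cards[pan] = derive_card_key(track2, pin)
        self.balances[pan] = balance

    def challenge(self, pan) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces.setdefault(pan, set()).add(nonce)
        return nonce

    @staticmethod
    def transfer_message(nonce, pan, dest, amount) -> bytes:
        # Binding the cryptogram to dest and amount is what turns "the card was
        # swiped" into "the card was swiped for THIS transfer".
        return b"|".join([nonce, pan.encode(), dest.encode(), str(amount).encode()])

    def transfer(self, pan, dest, amount, nonce, cryptogram) -> bool:
        if pan not in self.cards or nonce not in self.nonces.get(pan, ()):
            return False
        if nonce in self.used:
            return False
        expected = hmac.new(self.cards[pan],
                            self.transfer_message(nonce, pan, dest, amount),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.nonces[pan].discard(nonce)
        self.used.add(nonce)
        self.balances[pan] -= amount
        return True


class SwipeDevice:
    """Card reader plus PIN pad. The PIN is entered on the device, never typed
    into the browser, so malware on the PC has nothing to log."""

    def authorize(self, track2, pin, nonce, pan, dest, amount) -> bytes:
        key = derive_card_key(track2, pin)
        return hmac.new(key, Bank.transfer_message(nonce, pan, dest, amount),
                        hashlib.sha256).digest()


def scenario() -> dict:
    """Runs four transfer attempts against a constructed account and reports which succeed."""
    bank = Bank()
    pan, track2, pin = "4111111111111111", "4111111111111111=1012101", "7391"  # constructed test data
    bank.issue_card(pan, track2, pin, 479_000)
    device = SwipeDevice()
    results = {}

    # 1. Legitimate transfer: customer sees destination and amount, swipes, enters PIN.
    n1 = bank.challenge(pan)
    c1 = device.authorize(track2, pin, n1, pan, "ACCT-PAYROLL", 12_000)
    results["legit"] = bank.transfer(pan, "ACCT-PAYROLL", 12_000, n1, c1)

    # 2. Trojan holding a hijacked session (typed credentials were keylogged) but no card/PIN.
    n2 = bank.challenge(pan)
    results["no_card"] = bank.transfer(pan, "MULE-LLC-1", 50_000, n2, b"\x00" * 32)

    # 3. Trojan replays the cryptogram it sniffed from transfer 1: nonce already consumed.
    results["replay"] = bank.transfer(pan, "ACCT-PAYROLL", 12_000, n1, c1)

    # 4. Man-in-the-browser swaps the destination after the customer authorized a vendor payment.
    n3 = bank.challenge(pan)
    c3 = device.authorize(track2, pin, n3, pan, "ACCT-VENDOR", 5_000)   # what the customer approved
    results["swapped_dest"] = bank.transfer(pan, "MULE-LLC-2", 5_000, n3, c3)

    results["balance"] = bank.balances[pan]
    return results


if __name__ == "__main__":
    print(scenario())
```

The design point worth noting is case 4: a second swipe only proves intent for a specific transfer if the cryptogram covers the destination and amount the customer actually saw. Without that binding, a banking Trojan that already controls the browser could let the customer authorize one payment and submit another, so the check on the server side must verify the transfer details, not merely that a card and PIN were presented.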





Therefore, we eliminate keystroke logging, we eliminate phishing, and we eliminate the threat of unauthorized money transfers to money mules.  Sounds elegant, and sounds like a great online banking promotion.  Get a free SLIM.  We'll even put your bank's logo on it.  Where can your bank get them?  Email me: jfrank@homeatm.net


The story continues:





In addition, the Washington Post reports that Bullitt County, Kentucky lost $415,000 to criminals using malicious code on the county treasurer's computer. The program diverted the funds via transfer to more than two dozen so-called "money mules."

Editor's Note:  Did I mention that our log-in procedure is "Bullitt proof"?  (It is safer than ATM access, because there is no threat of skimmers, hidden cameras or card trapping.)



Read more: http://www.fiercefinanceit.com/story/more-bank-fraud-targets-government-accounts/2009-10-23#ixzz0UmFN8bVx




