Saturday, May 2, 2009

BofA Targeted by Malicious Code Phishing Attack


I have been blogging, and will continue to blog, about the enormous risk involved with "typing" vs. "swiping."  Here's yet another recent example (the phishing story below) of why I do what I do.   It shows how obsolete "Username: Password:" authentication is.  It simply "amazes" me that financial institutions in the USA continue to use it for logging on to their websites.  

Again...here's a common-sense approach to protecting both the bank and bank customers from phishing attacks, DNS hijacking, cloned websites, and more.  The best part is it's as easy as one-two-three, and two of the three are already in place!

1. The "bank" issues a "bankcard"; the customer "possesses" the bankcard.

2. The "bank" issues a "PIN"; the customer "possesses" the PIN.

There's only ONE step missing:

3. The "bank" issues a SwipePIN device and the customer "possesses" it. 

Thus, in order to provide a "secure" 2FA (two-factor authentication) encrypted log-in environment, all they need is one more piece of the puzzle: a PCI 2.0 Certified Magstripe Reader with PIN Entry Device.  So send them one, along with a note that says: 

"In a move designed to protect the financial information of our valued customers, we have vastly upgraded the security of our online banking website.  Enclosed you will find a PCI 2.0 Certified Magnetic Card Reader with a Built-In PIN Pad.  It simply plugs into your USB port and is immediately ready for use.  No software or drivers are needed.

Beginning June 1st, online banking customers will be required to log in by swiping their bank-issued ATM/Debit card and entering their PIN.  This device provides our customers with 100% end-to-end encryption of your cardholder data.  In addition to logging on to our site, this device will also enable you to securely transfer money from your account to any other account (see money transfer instructions, included) and to purchase items online by simply swiping your card and entering your PIN, just as you do in a retail environment."

That's it.  Simple as one-two-three. The missing piece of the puzzle.

Think about it.  Why do banks issue a card and a PIN?  So you can swipe it and enter the PIN.  So what's with the Username Password stuff?  It needs to change.

Until then, you'll continue to read posts like the one below.  Oh, and did I mention that the average phishing attack comes at a cost of $350.00 and our device costs $12? (See below at the end of the article, or the post entitled: Something Phishy About Banks Not Using 2FA from HomeATM.)

One thing is for sure (see graphic below right): malicious code isn't going away...

Banking / Finance Alerts
Scam / Fraud / Hoax Alerts
Source: TrendMicro

Complete item: http://blog.trendmicro.com/invoice-spam-finds-new-target-worldpay/

Description: After spam runs related to UPS, FedEx, and Western Union, another form of invoice spam strikes again!


We caught a new invoice spam that is purportedly from WorldPay, a division of the Royal Bank of Scotland that specializes in handling secure online payments from all over the world.

The spammed email message informs users that their transaction with Amazon Inc. has been successfully processed by WorldPay.   The email contains a .ZIP file, which holds a malicious file named WorldPay_NR9712.exe. This file is detected by Trend Micro as TSPY_ZBOT.BEO through the Smart Protection Network. TSPY_ZBOT.BEO downloads a configuration file from a remote site. This file contains a list of bank-related Web sites, which the spyware monitors for in the Internet browser's address bar.

The URLs listed in the downloaded configuration file may change at any time. As of this writing, the file contains links to the legitimate sites of Bank of America.

When a user accesses any of the listed bank site URLs, the spyware logs keystrokes to capture data entered in login boxes, including sensitive banking information such as user names and passwords.

The gathered information is saved in a file, which is then sent to a remote site through an HTTP POST.
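The behaviour described above (a keylogger that wakes up on visits to a listed bank site and then ships the capture to a remote drop site by HTTP POST) leaves a network footprint a defender can look for. The following is an added detection sketch, not Trend Micro's or the blog's code; it runs over constructed proxy-log lines (timestamp, client, method, URL, bytes) and flags two signals: a POST to a non-bank host shortly after the same client visited a bank login host, and hosts that only ever receive POSTs. The bank host list, the 60-second window and the sample addresses are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic): "<iso-time> <client> <method> <url> <bytes>"
SAMPLE_LOG = """\
2009-05-01T10:00:01 10.0.0.5 GET http://www.bankofamerica.com/login 2048
2009-05-01T10:00:09 10.0.0.5 POST https://www.bankofamerica.com/auth 512
2009-05-01T10:00:15 10.0.0.5 POST http://198.51.100.23/gate.php 1460
2009-05-01T10:05:00 10.0.0.7 GET http://www.example.com/ 1024
2009-05-01T10:05:30 10.0.0.7 POST http://198.51.100.23/gate.php 300
2009-05-01T11:00:00 10.0.0.5 GET http://www.bankofamerica.com/login 2048
2009-05-01T11:00:05 10.0.0.5 GET http://cdn.example.net/logo.png 800
"""

# Assumed list of the bank hosts whose logins we care about (the page names Bank of America)
BANK_HOSTS = {"www.bankofamerica.com"}
WINDOW = timedelta(seconds=60)  # assumed: how soon after a bank visit a POST looks suspicious


def parse(line):
    """Split one constructed log line into (timestamp, client, method, host, bytes)."""
    ts, client, method, url, size = line.split()
    return datetime.fromisoformat(ts), client, method, urlsplit(url).hostname, int(size)


def find_suspect_posts(log_text):
    """POSTs to a non-bank host within WINDOW after the same client touched a bank host."""
    last_bank_visit = {}  # client -> timestamp of its most recent bank-host request
    hits = []
    for line in log_text.splitlines():
        ts, client, method, host, _ = parse(line)
        if host in BANK_HOSTS:
            last_bank_visit[client] = ts
            continue
        seen = last_bank_visit.get(client)
        if method == "POST" and seen is not None and ts - seen <= WINDOW:
            hits.append((client, host, ts.isoformat()))
    return hits


def post_only_hosts(log_text):
    """Hosts that receive POSTs but are never fetched with GET: typical of a drop site."""
    methods = defaultdict(set)
    for line in log_text.splitlines():
        _, _, method, host, _ = parse(line)
        methods[host].add(method)
    return sorted(h for h, m in methods.items() if m == {"POST"})


if __name__ == "__main__":
    print(find_suspect_posts(SAMPLE_LOG))
    print(post_only_hosts(SAMPLE_LOG))
```

Both signals on their own produce false positives (analytics beacons are POST-only too), so they are triage inputs, not verdicts.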

Editor's Note:  One more thing.  Our device would cost banks $12.00 and save them hundreds of dollars "per" phishing attack.

This from Gartner Research:


According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks.  (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before, to five million.) 

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved.  (That's $196 to the banks and $154 to the consumers.)  "The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner.  (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based.)

Guess what?  The HomeATM "SafeTPIN" device would not only eliminate "phishing attacks" but would also eliminate the threat of "cloned cards" and "cloned bank sites," AND provide "True 2FA" for online banking customers. 

Additional benefits include empowering online banking customers with the ability to perform:

  • Person to Person Money Transfers,
  • Bill Payment Online (with "True PIN" vs. PINless Debit),
  • Secure online transactions with online retailers.

As I said, I don't mean to oversimplify WHY the banks should investigate our solution further, but sometimes the simplest things in life are the best...aren't they?  Where am I wrong here?


E-Secure-IT
https://www.e-secure-it.com

 Related articles by the PIN Payments News Blog

Fraudsters Go Postal! USPS Probes Breach


USPS Probes Security Breach - CBS News


Data Companies Issue New Warnings About Breach That Could Lead To Potential Compromise Of Credit Cards

(CBS) CBS News has learned of another data breach potentially compromising the personal information of thousands of people. Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 people whose “sensitive and personally identifiable” information may have been viewed by individuals who should not have had access.

The United States Postal Inspection Service is investigating a data breach at both companies that resulted in sensitive information being used in a crime. Those individuals have been notified.

Sources tell CBS News that the data breach is linked to a Nigerian Scam artist who used the information to incur fraudulent charges on victims’ credit cards.

Peter Rendina, a spokesman for the Postal Inspection Service, said that of the 40,000 individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards.

Continue Reading at CBS
