- The Washington Times - Sunday, July 4, 2004

Consumers are flocking to Internet banking.

So are thieves.

Illegal access to bank accounts through “phishing” — using spoof e-mails and fake Web sites to fool people into divulging financial and personal data — has become one of the fastest-growing forms of identity theft in the country.

A new scam targeting financial services Web sites emerged two weeks ago. Criminals are trying to steal personal information by secretly downloading software through pop-up ads that will record keystrokes while consumers type. Security specialists warned that people who visit any of 50 financial Web sites targeted by the bug could have keystrokes recorded.

Online attacks threaten to undermine consumer confidence in Internet banking, said Jeff Ready, vice president of e-mail security at Tumbleweed Communications Corp., a Redwood City, Calif., software company that founded the Anti-Phishing Working Group.

“If the banking community doesn’t address this problem, they run the risk that people won’t bank online,” he said.

Phishing emerged last year as a common online attack against banks and electronic-commerce sites and now ranks as one of Internet banking’s chief threats.

Bank of America, Wells Fargo and Citibank are among the nation’s largest banks whose customers repeatedly receive the fake e-mails. EBay also is a common target.

In a phishing attack, Internet thieves send an e-mail to consumers asking them to click on a link that takes them to a Web site that appears to be their bank’s site. The fake site asks the e-mail recipient to update information such as passwords and account numbers.

Bank customers typically can tell they have been duped simply by looking at the Web address of the page to which they are forwarded, and they will realize they are no longer on their bank’s site, Mr. Ready said.

But many consumers fall for the scam.

About 1.9 million people reported their checking accounts were breached in the past year, accounting for $2.4 billion in fraud, Gartner Inc., a technology research firm in Stamford, Conn., found last month. An estimated 57 million people received a phishing e-mail last year.

A separate report confirms attacks are up.

Auditing firm Deloitte & Touche LLP found in May that 83 percent of the nation’s financial institutions acknowledged their computer systems had been attacked in the past year, up from 39 percent a year ago.

“They acknowledged that the threat is up and they need to make investments in security,” said Ted DeZabala, national leader for security services at Deloitte & Touche and an author of the report.

There were 1,197 phishing schemes in May, up from 28 in November, the first month the Anti-Phishing Group tracked the scam. Each scheme can result in up to 10 million e-mail messages being sent.

“The attacks are growing in quantity and severity. We’ve seen several examples that fraudsters are getting smarter,” said Naftali Bennett, chief executive at Cyota Inc., a New York firm that develops security software and tracks down phishers for banks.

One year ago, three-quarters of phishing attacks were domestic. Now, three-quarters are started abroad, Mr. Bennett said, making it more difficult to capture the people trying to steal information.

“Phishing is the perfect crime. It’s easy to launch. The risk of getting caught is very low, and the financial reward is very high,” he said.

It is not the only online attack consumers face. A new threat against online banking customers has emerged. Internet thieves are secretly downloading software through pop-up ads to record keystrokes as people type. The threat targeted users of Microsoft’s Internet Explorer.

A separate bug discovered a week earlier also targeted financial Web sites and allowed Internet thieves to record keystrokes.

The bug was discovered by the Sans Institute,a group of computer security professionals. An expert there wrote in a report released last week that it represents a “huge threat to the online financial industry.”

But Internet threats haven’t deterred consumers eager to embrace online banking for its convenience. ComScore Networks, a Reston company that measures consumer behavior, said last month 22 million users logged into accounts at the top 10 U.S. banks in the first quarter of 2004, up nearly 30 percent from a year earlier.

Banks are responding to the threats through industry groups such as Bits, a nonprofit consortium of financial companies based in the District that helps share information about phishing attacks, and the Financial Services Information Sharing and Analysis Center, a group in Reston gathering information about Internet threats.

More banks also are warning customers about scams like phishing. Bank of America, Citibank and Wells Fargo all have a link on their main Web pages informing people about e-mail fraud. Some banks cover the cost of personal losses caused by e-mail fraud.

“We are constantly looking for attacks in the virtual world. We have to be prepared for them,” said Don Rhodes, policy manager of the electronic strategies division of the American Bankers Association.

Banks get credit for aggressively defending themselves against online attacks and they have better technological defenses than many other industries, Mr. DeZabala said.

“The online threat is manageable, but it shouldn’t be looked at as if it will disappear,” he said.

LOAD COMMENTS ()

 

Click to Read More

Click to Hide