Liz Pulliam Weston

The Basics

Keep thieves out of your bank account

With millions falling victim to high-tech theft, you need all the protection you can get. Here are the biggest vulnerabilities and what you can do about them.

By Liz Pulliam Weston

2004 was not a good year for fans of online banking.

First came word that an estimated 2 million people had had their checking accounts raided in the past year, with strong indications that online thieves were responsible for the majority of incursions. The research firm that conducted the study, Gartner, said checking-account theft was the fastest-growing financial fraud affecting consumers and is now second only to credit card theft (which affected nearly 6 million people in the last 12 months).

Then US-CERT, the government's computer security team, warned of an insidious new Internet hazard that could launch a stealth attack on your computer, allowing thieves to swipe bank account numbers, passwords and other private financial information.

If you haven't heard about this latest threat, it's chilling. It seems that hackers broke into the Web servers of large, trusted companies around the world -- US-CERT isn't revealing just which ones, but confirms that these were not just small or unknown sites -- and planted malicious code. Consumers visiting these trusted sites were secretly redirected to another Web site, hosted in Russia. That site surreptitiously downloaded software to the victims' computers, which allowed the thieves to copy bank account numbers, passwords and other private financial information.

This means you don't need to click on an e-mail link, open an attachment or even visit a suspicious Web site to be infected. Before you know it, Boris and Natasha have everything they need to know to steal you blind.

Financial institutions could do more

US-CERT and other security experts believe they detected the scheme in time to prevent a large-scale attack, but there's no guarantee the criminals, or others like them, won't strike again. The thieves exploited security flaws in Internet Explorer and the Microsoft software that runs big Internet servers. (Microsoft is the publisher of MSN Money.)

Financial institutions get their share of the blame, as well, for exposing customers to fraud. Banks don't use the same kind of fraud detection software on checking accounts that they use on credit card transactions to spot suspicious purchases, said Avivah Litan, vice president and research director at Gartner.

Banks, online bill payers and other financial sites also could make stolen IDs and passwords all but unusable, Litan said, if they would adopt "shared secret" technology. The customer would register her computer's "machine ID" with the bank so that thieves couldn't use another computer to pretend to be her; she would then choose a picture or question-and-answer set that would appear every time she logged in on the financial institution's site.

This would make online banking and bill paying slightly less convenient, since the customer couldn't use just any old computer to log onto her account. Given the risks of using public or borrowed computers for online financial transactions, though, that's probably not something you should be doing anyway.

Litan's interest in checking account fraud is more than academic, by the way; she's also a victim, and well knows the hassles such theft can cause.

Like most targets, she isn't exactly sure how her account was compromised, but suspects it happened the one time she used a debit card to buy something online. The thief used her account information to set up a PayPal account with himself as the payee.

The thief took a small amount to start -- just to "probe" the account and see if the theft would be noticed. Litan spotted the unauthorized payment almost immediately, but still had a heck of a time trying to convince PayPal to shut down the bogus account. She finally used one of her professional contacts at the company to intervene with its customer service department.

Plenty of open windows for thieves

Personally, I love the convenience of conducting my finances online. I know that there are risk/reward tradeoffs to virtually every human endeavor, and that moving my banking offline wouldn't eliminate my vulnerability.

Indeed, there are plenty of ways for thieves to access your checking account offline. Here are just a few:

  • Thieves can swipe your mail, pull out a check you've written, soak off the ink with nail-polish remover and write themselves a fat payday.

  • They can steal your wallet and use your ATM, particularly if you wrote the PIN on your card (a big no-no -- but people still do it).

  • They can set up phony ATM machines, or devices that fit over legitimate ATMs, then record the information from the magnetic stripe along with your PIN.

Then there's the possibility of an inside job: a bank employee with access to all your account numbers, user IDs and passwords who simply decides to help himself.
