Identity theft, phishing, key loggers…

Despite what you hear, major banks have a more serious problem to contend with than on-line fraud – there is a lot more fraud happening inside the banks themselves, i.e. internal fraud. In a recent case, somewhat close to home, the bank in question acted rather naively and demonstrated that they are not geared up to deal with on-line security issues. I can say this because earlier this year I had to verify that my friend’s business PCs were not infected with any viruses or key loggers – they had just witnessed a large sum of money vanish from their business account via a transaction that apparently used their own credentials.

However, instead of the transaction being carried out from a PC located in Scotland, the transaction was carried out using a computer located in Sheffield (insofar as we could tell; the actual machine could easily have been elsewhere in the world – this is the concept of a zombie PC coming to the public eye). The computer in Sheffield appeared to be using a cable modem and Blueyonder as its Internet Service Provider (ISP). Now this, in my opinion, is the first warning sign and one that the bank should have picked up on before committing the transaction and allowing it to complete. The business in question uses a fixed IP address, therefore it is always the same address each and every time they use the bank’s on-line service.

Suddenly, out of the blue, this customer wants to transfer over 95% of their business account to an account that they have never used in the past. Clue number two: what sort of business transfers 95% or more of their account in one go? Clue number three: the destination account is unknown. Clue four: over 95% of all this business’ transactions are conducted via Scottish branches of the destination bank.

Worse than that, a few days later, the same bank and the same software were used to conduct another withdrawal, this time from a ‘deposit’ account that should never have allowed withdrawals of this size anyway. This time the PC was located outside of Scotland and was using AOL as its ISP. At this point, the business in question lost faith in the bank’s ability – the business owners had been accused of performing the initial fraudulent transaction themselves; for it then to happen a second time, on an account that was meant for deposits only, left egg on the bank’s face.
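The warning signs described above, turned into a simple pre-commit check as an added example (not the bank’s or the author’s code): the account profile, the thresholds and the hold-for-review decision are assumptions, the sample data is constructed, and the fourth clue (which branches the business usually deals with) is left out.

```python
"""Transaction risk checks built from the warning signs described in the post.

Added example, not from the original post. The profile fields, thresholds and
the hold-for-review decision are assumptions; all sample data is constructed.
"""
from dataclasses import dataclass


@dataclass
class AccountProfile:
    account_id: str
    balance: float
    known_ips: set        # the customer uses a fixed IP, so normally one address
    known_payees: set     # destination accounts paid in the past
    deposit_only: bool = False


@dataclass
class Transfer:
    account_id: str
    amount: float
    destination: str
    source_ip: str


LARGE_SHARE = 0.95  # assumption: share of the balance that warrants review


def risk_flags(profile: AccountProfile, tx: Transfer) -> list:
    """Return the warning signs raised by a single outbound transfer."""
    flags = []
    # Clue one: the session does not come from the customer's fixed address.
    if tx.source_ip not in profile.known_ips:
        flags.append("unknown_source_ip")
    # Clue two: a business rarely moves almost its whole balance in one go.
    if profile.balance > 0 and tx.amount / profile.balance >= LARGE_SHARE:
        flags.append("large_share_of_balance")
    # Clue three: the destination account has never been paid before.
    if tx.destination not in profile.known_payees:
        flags.append("new_payee")
    # Second incident: a deposit-only account should not allow withdrawals at all.
    if profile.deposit_only:
        flags.append("withdrawal_from_deposit_account")
    return flags


def should_hold(profile: AccountProfile, tx: Transfer, min_flags: int = 2) -> bool:
    """Hold for manual review (e.g. a call-back) when enough signs coincide."""
    return len(risk_flags(profile, tx)) >= min_flags


# Constructed sample: the business's current account, the suspicious transfer
# and a routine payment. IP addresses are documentation-range placeholders.
BUSINESS = AccountProfile("ACC-CURRENT", 100_000.0, {"203.0.113.10"}, {"PAYEE-A", "PAYEE-B"})
SUSPECT = Transfer("ACC-CURRENT", 96_000.0, "PAYEE-UNKNOWN", "198.51.100.77")
ROUTINE = Transfer("ACC-CURRENT", 2_500.0, "PAYEE-A", "203.0.113.10")

if __name__ == "__main__":
    print(risk_flags(BUSINESS, SUSPECT), should_hold(BUSINESS, SUSPECT))
    print(risk_flags(BUSINESS, ROUTINE), should_hold(BUSINESS, ROUTINE))
```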

Luckily, the business in question had all their money returned rather quickly, which provided a clue that the problem was more internal than external. It is not uncommon for disgruntled employees to leave a bank, “walk off” with a handful of user login information, go to ground, then use it a few months after their departure. Indeed, there are a few links at the end of this posting that confirm this happens; they make worrying reading.

Of course, had the bank been using a two-factor authentication mechanism, this kind of fraud would be virtually impossible to commit.

Why am I so hard on the bank in question? Well, in 2004, my bank were wise enough to notice that I had used my credit card in Plymouth, Aberdeen and Edinburgh within a few days of each other – this didn’t worry them too much, as it was reasonable to expect me to have been in those three locations in the space of three days. However, on the fourth day, I happened to use the same card in Tenerife, a fact that, when put in context with the other three days’ travel, caused the bank to give me a call. They did authorise the transaction in Tenerife, and gave me the option for them to call me back. Once they had confirmed that all was well with my credit card, business continued as usual.

I’ve not really touched on phishing in this post, perhaps because I don’t believe that this was a phishing case. All signs are that it was an internal security issue, not the work of a rogue e-mail asking the business owners to log in to the bank via a link in the said e-mail. Of course, if you do receive such an e-mail, remember that the major UK banks will never ask you for your login details to be “repeated” in their entirety, and remember that it’s always best to manually type in your bank’s URL.

Further Reading
PC security is not the first thing on the mind of a home user
Banks introduce transfer delays in drive to stamp out phishing
Victims of internet bank fraud will have to pay up