Wednesday, May 20, 2009

FBI: U.S. Banks Have Lost "Hundreds of Millions" of Dollars to Cyberthieves

According to Reuters, the FBI is reporting that cyberthieves have stolen hundreds of millions of dollars from U.S. banks.  The bureau says one bank's security system was breached, leading to a loss of $10 million in cash in one day, and another lost $5 million, which was enough to put it out of business.  Wow.  You would think that would be a story that would make the nightly news.
You'd also think banks would be supremely interested in shoring up the holes in their security.  There's one that's easy to fix.  You know, that big gigantic hole called "username"/"password"?  The one which opens the door for phishing, DNS hijacking, cloned web sites, etc.
Those types of attacks are on the rise and I guarantee you that you'll be reading or hearing about a "sophisticated and highly organized scheme" whereby a bank had their website's DNS hijacked and while unsuspecting online banking customers were busy "typing" in their "username" and "passwords" into a brilliantly cloned bank website, the fraudsters were busy going to the real website and taking control over banking accounts resulting in the loss of millions of dollars. 


Mark my words.  It's coming.  It's too easy to do; in fact, it's already been done, just not on a grand scale yet.  When it happens I'll provide a hyperlink back to this post.  But it CAN be EASILY prevented! I'll Keep It Simple...If you "DON'T TYPE" the "Bad Guys" can't swipe.

Here's a scenario: The "Good Guys" do the Swiping.  Swipe your bank issued card, and enter your bank issued PIN into HomeATM's PCI 2.0 Certified PED and you've got yourself some 3DES End-to-End Encrypted, "Protected by DUKPT" 2FA secure log-in.  No phishing allowed!  Cloned websites are useless AND you're enabled to do some secure online shopping, secure money transfers and more.  It's so simple it's stupid simple.

You know what I love?  It's when I hear an objection that goes something like this: "Oh...then we've got to get a device into all our online banking customers' hands!"  Here's my standard response: "Well, you did it with toasters throughout the 50's, 60's and early 70's before you moved on to other stuff, and none of those promotional items did a thing to secure your banking.  Can you imagine back in the early 80's if banks had said, 'Switch to electronic POS devices?  Are you nuts?  Oh...then we'd have to get a device into the hands of every retailer.'"

I just don't get it.  It is what it is and what it is (the web browser space)...is insecure.  Hardware isn't an option...it's a necessity.

HomeATM (on a perfect 1.0 correlation) has replicated a brick and mortar transaction for the internet.  In the brick and mortar world, the retailers have the POS device because that's where consumers go to shop.  But where do consumers shop online?  Right, their computer.  So our PCI 2.0 Certified PIN Entry Device plugs into their laptop/PC and they've got their own personal POS device at home.  Same difference, right?  Card Present, TRUE PIN Debit and Secure Two Factor Authenticated Log-In for online banking.  It doesn't get any simpler and it doesn't get any more secure than that.

Here's the Reuters story:
WASHINGTON, USA: U.S. banks have lost hundreds of millions of dollars to cyberthieves who have electronically broken into ATMs and forged electronic transfers, a top FBI agent said on Tuesday.

"Particularly in the last couple of years, the threats have spiked," said Shawn Henry, the agency's assistant director of its cyber division. "Attacks on our financial sector are significant, to the tune of hundreds of millions of dollars."

The bureau knew of one bank whose security system was breached and which lost $10 million in cash in a day, while another lost $5 million, enough to put it out of business.

"The bank was in business on Friday (and) was out of business on Monday," he said. Henry did not identify either bank.


President Barack Obama's proposed fiscal 2010 budget, announced in late February, included $355 million for the Department of Homeland Security to make private- and public-sector cyber infrastructure more resilient and secure.  The administration also said it would put "substantial" funding for cybersecurity efforts into the national intelligence program, but gave no details.

Obama had asked for a cybersecurity audit that was due in mid-April.

"The intent is to release that report," Henry said. "I think it's imminent, in the next couple of weeks."


When it comes out, the PIN Payments Blog will bring it to you here.  In the meantime, there's a Cyber War going on and the best defense is: Don't Type...Swipe.
