Saturday, August 29, 2009

FDIC: Online Banking Flawed

Online crime is increasingly hitting small and mid-size companies in the U.S., draining those entities' bank accounts through fraudulent transfers. The problem has gotten so bad that a financial services group recently sent out a warning about the trend, and the Federal Deposit Insurance Corporation (FDIC) issued an alert today.

"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.

The FS-ISAC notice -- and subsequent media attention -- in turn prompted the FDIC alert to warn banking institutions about this kind of fraud.

The Threat

The FDIC traces the fraud to compromised login credentials on online banking websites. Over the past year, the FDIC says, it has detected an increase in the number of reports and the amount of losses resulting from unauthorized electronic fund transfers (EFTs), such as automated clearing house (ACH) and wire transfers.

Continue Reading at Bank Info Security

Special Alert from the FDIC:  (who I think needs to learn more about our 2FA 3DES DUKPT E2EE PCI 2.x HomeATM)

Special Alerts

August 26, 2009

SUBJECT: Fraudulent Electronic Funds Transfers (EFTs)

The Federal Deposit Insurance Corporation is aware of an increased number of fraudulent EFT transactions resulting from compromised login

The Federal Deposit Insurance Corporation (FDIC) is alerting financial institutions that provide Web-based payment origination services for business customers to increased reports of fraudulent EFT transactions resulting from compromised login credentials. Over the past year, the FDIC has detected an increase in the number of reports and the amount of losses resulting from unauthorized EFTs, such as automated clearing house (ACH) and wire transfers. In most of these cases, the fraudulent transfers were made from business customers whose online business banking software credentials were compromised.

Web-based commercial EFT origination applications are being targeted by malicious software, including Trojan horse programs, key loggers and other spoofing techniques, designed to circumvent online authentication methods. Illicitly obtained credentials can be used to initiate fraudulent ACH transactions and wire transfers, and take over commercial accounts. These types of malicious code, or "crimeware," can infect business customers' computers when the customer is visiting a Web site or opening an e-mail attachment.

Some types of crimeware are difficult to detect because of how they are installed and because they can lie dormant until the targeted online banking session login is initiated. These attacks could result in monetary losses to financial institutions and their business customers if not detected quickly.
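The FS-ISAC bulletin tells member banks to apply the monitoring they already use for consumer fraud to commercial EFT origination. The following is an added example of what that screening can look like in practice; it is not FDIC, FS-ISAC or HomeATM code. The audit records, field names and thresholds are all constructed for the illustration. The idea is that a trojan that has stolen valid credentials still produces a recognisable pattern on the bank side: a login from an address the customer has never used, followed within minutes by transfers to payees the customer has never paid, sometimes for amounts well outside the customer's history.

```python
"""Rule-based screening of commercial ACH/wire originations for signs of
credential takeover.  Added illustration, not FDIC or FS-ISAC code; the
record layout, thresholds and customer data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail for one business customer: two normal days, then
# a takeover-style session (unseen IP, burst of transfers to unseen payees).
EVENTS = [
    {"ts": "2009-08-20T09:02:00", "customer": "acme", "type": "login", "ip": "203.0.113.10"},
    {"ts": "2009-08-20T09:40:00", "customer": "acme", "type": "ach", "payee": "payroll-vendor",
     "amount": 12500.00, "ip": "203.0.113.10"},
    {"ts": "2009-08-21T09:05:00", "customer": "acme", "type": "login", "ip": "203.0.113.10"},
    {"ts": "2009-08-21T09:45:00", "customer": "acme", "type": "ach", "payee": "payroll-vendor",
     "amount": 12800.00, "ip": "203.0.113.10"},
    {"ts": "2009-08-22T02:11:00", "customer": "acme", "type": "login", "ip": "198.51.100.77"},
    {"ts": "2009-08-22T02:13:00", "customer": "acme", "type": "ach", "payee": "mule-a",
     "amount": 9400.00, "ip": "198.51.100.77"},
    {"ts": "2009-08-22T02:14:00", "customer": "acme", "type": "ach", "payee": "mule-b",
     "amount": 9300.00, "ip": "198.51.100.77"},
    {"ts": "2009-08-22T02:16:00", "customer": "acme", "type": "wire", "payee": "mule-c",
     "amount": 48000.00, "ip": "198.51.100.77"},
]

MIN_HISTORY = 1                            # assumed: prior transfers needed before "new payee" counts
AMOUNT_FACTOR = 3.0                        # assumed: flag amounts above 3x the customer's prior maximum
FAST_AFTER_LOGIN = timedelta(minutes=10)   # assumed: transfer this soon after login is unusual


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _new_profile():
    return {"known_ips": set(), "known_payees": set(), "max_amount": 0.0,
            "transfers": 0, "last_login": None, "session_ip_new": False}


def score_event(profile, ev):
    """Return the risk flags one event raises against the customer's profile.
    Pure function: the profile is not modified here."""
    flags = []
    if ev["type"] == "login":
        if profile["known_ips"] and ev["ip"] not in profile["known_ips"]:
            flags.append("unfamiliar_ip")
        return flags
    # ACH or wire origination
    if profile["transfers"] >= MIN_HISTORY and ev["payee"] not in profile["known_payees"]:
        flags.append("new_payee")
    if profile["max_amount"] and ev["amount"] > AMOUNT_FACTOR * profile["max_amount"]:
        flags.append("amount_spike")
    if profile["last_login"] and _ts(ev["ts"]) - profile["last_login"] < FAST_AFTER_LOGIN:
        flags.append("soon_after_login")
    if profile["session_ip_new"]:
        flags.append("unfamiliar_ip")
    return flags


def update_profile(profile, ev, flags):
    """Fold an accepted event into the baseline."""
    if ev["type"] == "login":
        profile["session_ip_new"] = "unfamiliar_ip" in flags
        profile["last_login"] = _ts(ev["ts"])
        profile["known_ips"].add(ev["ip"])
        return
    profile["known_payees"].add(ev["payee"])
    profile["max_amount"] = max(profile["max_amount"], ev["amount"])
    profile["transfers"] += 1


def screen(events, alert_threshold=2):
    """Replay events in order; return the ones that trip at least
    alert_threshold flags (threshold is an assumption)."""
    profiles = defaultdict(_new_profile)
    alerts = []
    for i, ev in enumerate(events):
        prof = profiles[ev["customer"]]
        flags = score_event(prof, ev)
        if len(flags) >= alert_threshold:
            alerts.append({"index": i, "type": ev["type"], "payee": ev.get("payee"), "flags": flags})
            continue  # a suspected takeover must not teach the baseline
        update_profile(prof, ev, flags)
    return alerts


if __name__ == "__main__":
    for a in screen(EVENTS):
        print(a)
```

The two normal days produce no alerts; each of the three transfers in the 02:11 session trips three or four flags, and the 48,000 wire also trips the amount rule because it is more than three times anything the customer has sent before. Note the design choice in `screen`: an alerted event is not folded into the profile, so a fraudster who gets a first transfer through does not thereby make the mule payee "known" for the next one.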

Financial institutions and technology service providers can refer to the following guidance for additional information on authentication and information security for high-risk transactions:

FFIEC Guidance Authentication in an Internet Banking Environment

Authentication in an Internet Banking Environment Frequently Asked Questions

FFIEC Information Security Examination Handbook - PDF 866k

FFIEC Retail Payment Systems Examination Handbook


FDIC Guidance on Mitigating Risks from Spyware

Consumers who want to learn more about computer security and online scams can find additional information at and

Businesses and local government agencies can find cyber security resources at

Information about cyber-fraud incidents and other fraudulent activity may be forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550 17th Street, N.W., Room F-4004, Washington, D.C. 20429, or transmitted electronically to

Questions related to federal deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed at

For your reference, FDIC Special Alerts may be accessed from the FDIC's website at To learn how to automatically receive FDIC Special Alerts through e-mail, please visit

Online Banking Insecure...Only 1 Bank Rated Excellent

Online Banking's Innate Security Flaws

Consumer rights organization Which? has criticized the online banking systems of some of Britain's biggest lenders, labelling them insecure in a new report released today.

Abbey and Halifax were singled out as particularly poor. Halifax has one of the least secure log-in procedures of the ten online banks we looked at. It asks for three pieces of information to confirm a customer's identity.

"As each entry is typed in full, this makes the information vulnerable" to a simple keylogger, a virus that sits on a computer and tracks every keystroke with the aim of collecting

The same two banks, along with HSBC and First Direct, were also found to have no visible security controls for money transfers. Which? Computing also found significant differences in how well money transfers appear to be protected. Abbey, First Direct, Halifax and HSBC have no visible security controls for money transfers, so if a banking session is hijacked, a criminal can enter the amount they want to.

Which? also found that users of Abbey, Alliance & Leicester, HSBC and Halifax are not immediately logged out after a session, leaving them vulnerable if they use online banking on a shared computer.  Alliance & Leicester and HSBC were rated as 'average', while First Direct, Lloyds TSB, Nationwide, NatWest and RBS were given a 'good' rating.

Barclays was the only one of the 10 banks surveyed to get a rating of 'excellent'. The company requires all its online customers to use a "two-factor authentication" (2FA) system involving a PINsentry device which generates a one-time password for each session.

Tony Dyhouse, director of the government-backed Cyber Security Knowledge Transfer Network, said that banks face a difficult challenge in trying to balance security with convenience.

Editor's Note:  PINsentry is a great device for 2FA log-in, but keep in mind its ONLY function is as an authenticator.  By contrast, HomeATM utilizes 2FA for log-in, but it also enables consumers to conduct financial transactions (including money transfers) in real-time with 100% 2FA 3DES DUKPT End-to-End (Zone 1-5) Encryption.

Which? would you rather have at your bank?

41% of Americans Say No to Online Banking Citing Security Fears (15 Jun 2009, by John B. Frank)

"Compared with younger consumers, preboomers, who are 63 or older, are more explicit in their reasons for not using online banking - they are comfortable with other channels, such as the branch, and they are worried about the security ...