Showing posts with label Avivah Litan. Show all posts

Monday, March 15, 2010

Online Consumer Fraud Nets Hackers $120 Million in Three Months



March 14, 2010. By LAS Newswire

San Francisco, CA: According to the US Federal Deposit Insurance Corporation (FDIC), online banking scams and online consumer fraud cost companies and individuals more than $120 million during the third quarter of 2009.



FDIC examiner David Nelson claims that online banking fraud, which typically involves the electronic transfer of funds, has steadily risen since 2007, as the malware continues to grow more common and sophisticated.



Nelson says that even though banks have increased security on their websites, customers may have become complacent with the authentication process.



"Online banking customers are getting too reliant on authentication and on practicing layers of controls," he told BusinessWeek. "Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses."



Nelson says hackers typically target higher-fund accounts and small businesses whose security controls might not be as stringent as those of a major corporation.



Avivah Litan, a financial analyst with Gartner, predicts that the problem will grow worse in the coming years, as password-stealing botnet programs are also on the rise.
Editor's Note: May I suggest eliminating passwords, thus the threat from "password stealing" trojans. Swipe your Card, Enter your PIN the same way you authenticate yourself at an ATM and you're all good. Until then, Avivah Litan is absolutely correct. The problem will grow worse.

Thursday, February 4, 2010

Avivah Litan Talks About the Dangers of Online Banking



Go to playlist and click the video number 2 in order to watch what Gartner Research distinguished analyst Avivah Litan has to say about the dangers of online banking.





Thursday, May 28, 2009

80% of Phishing Attacks Use Hijacked Websites

I've blogged about this subject plenty of times over the last year, and my concern is specifically targeted towards the inherent weaknesses in the username/password systems used with online banking. If a consumer is tricked/phished into providing their username/password, then the phisher is successful.

The average phishing attack results in a loss of $350 to a bank.

According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before to five million.)

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That's $196 to the banks and $154 to the consumers) "The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner. (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)
Guess what? The HomeATM "SafeTPIN" device would not only eliminate "phishing attacks" but it would also eliminate the threat of "cloned cards," "cloned bank sites," AND provide "True 2FA" for online banking customers.

HomeATM provides a very simple cure to this maliciousness. Use a PCI 2.0 certified SwipePIN device and require online banking users to swipe their bank issued card and enter their bank issued PIN. The data is encrypted and is NEVER in the clear. So, in the event a consumer is tricked into swiping and entering their PIN, as opposed to typing in their log-in credentials, the phisher has nothing.

And nothing is something banks should want phishers to have.

More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites - DarkReading

New research from the Anti-Phishing Working Group shows how phishers are better covering their tracks -- and what to do when phishers compromise your Website

May 27, 2009 | 04:23 PM
By Kelly Jackson Higgins
DarkReading

It used to be that researchers could sometimes track a phishing exploit by the notorious cybercrime ring behind it, like the Rock Phish gang, but no more: New research from the Anti-Phishing Working Group (APWG) has found that most phishers are setting up shop on legitimate Websites to be inconspicuous when they steal valuable information from victims.

In the second half of 2008, roughly 57,000 phishing attacks worldwide targeted a specific brand or organization, up from around 47,300 in the first half of 2008, according to a newly released report (PDF) from the APWG. The attacks were waged on 30,454 different domain names, only 5,591 of which were domains the phishers set up themselves. The rest were from legitimate Websites they had hijacked to carry out their exploits.

The average amount of time a phishing site was up: 52 hours, according to the report.


Thursday, February 19, 2009

Wyndham Hotel Hack Followup



Here's a follow-up to the Wyndham Breach

It seems that the criminals not only were able to get guest names, credit card numbers and expiration dates, but they also were able to steal the data from the card's magnetic stripe, Wyndham said. That magnetic stripe information contains Track 1 and Track 2 data including the CVV code, "which is critical if the thieves want to make fake credit cards, according to Avivah Litan, an analyst with Gartner Research."

"That's the hot information," she said. "You can sell that information for much more on the black market." CVV codes were also taken in the high-profile Heartland Payment Systems and The TJX Companies credit card thefts.

When fraud is perpetrated using fake cards that include the CVV codes, the banks are responsible for the charges. When they are able to obtain only the card numbers and expiration dates -- for example, online transactions NOT DONE by HomeATM -- then the retailer is responsible for the charges.

"The banking industry is all up in arms whenever bank stripe data is stolen," Litan said.  

As posted in "DumbPhoneded" the retailers should be up in arms every time a transaction is conducted without the Track 2 data being swiped. Not only are they paying up to 100 basis points more, but in the face of increased fraud, they could lose their product and lose the money they thought they got for it. Call that a double whammy, no cheese.





Wednesday, April 30, 2008

Will PIN Debit Become HomeATM's "Signature" Product?

Here's an interesting excerpt from American Banker in which they talk about PIN Debit vs. Signature Debit. The setting is restaurants, however, the point is still valiantly made why PIN Debit is the better of the two types and has a strong future as an Internet Payment Mechanism.

Mr. Rasori said VeriFone's research indicates that between 50% and 70% of all meals at sit-down restaurants are paid through signature debit transactions, which are significantly more expensive to the merchant than PIN debit payments.


According to Mr. Luria of Wedbush Morgan, the difference in transaction costs, depending on the restaurant's arrangement with its acquirer, can be "an order of magnitude." The typical transaction fee is 2.5% for a signature debit transaction and 1% for a PIN debit transaction. "These transactions are priced differently because of the risk," he said.

"A 'PIN card-present transaction' is the lowest-risk transaction you can do — that is why it is priced at the lowest level. For a signature debit or credit transaction, there is higher risk and higher pricing."


However, Mr. Rhodes' position assumes that the difference in transaction fees is matched by the difference in risk. Some industry analysts doubt that this is really the case.

Avivah Litan, a vice president with Gartner Inc., said that despite consumers' stated preference for PIN transactions, banks have been creating incentives for signature debit ones. "There are two reasons why banks like signature better," she said. "One is that they generate revenue through higher fees. Second, if a signature is forged, they can charge the amount of the transaction back to the merchant, but if a PIN is stolen, the bank is on the hook."

Mr. Bergeron says that in the long run he is not worried about efforts by banks to push signature debit over PIN debit.
"Banks realize that increasing the size of the overall market is more lucrative than trying to squeeze extra fees out of a fixed market that faces increasing numbers of competitors," Mr. Bergeron said.

"One thing you can be sure of: Banks will always find a way to make money from handling transactions. The biggest issue for them is market share, so the more creative they can be in expanding the use of their cards, or the number of transactions they process, the better off they will be."
