Cyber crooks break into online accounts with ease
By Byron Acohido and Jon Swartz,
Thu Nov 3, 9:29 AM ET
When he logged on to his Ameritrade account earlier this year, George Rodriguez caught a cybercrook in the act of cleaning out his retirement nest egg.
He watched, horrified, as the intruder in quick succession dumped $60,000 worth of shares in Disney, American Express, Starbucks and 11 other blue-chip stocks, then directed a deposit into the online account of a stranger in Austin.
"My entire portfolio was being sold out right before my eyes," recalls Rodriguez, 41, a commercial real estate broker who alerted Ameritrade in time to stop the trades.
Rodriguez had just experienced a tech-savvy consumer's worst nightmare. But it's the reality of the digital world we live in: Everyone is now at risk of becoming the victim of an Internet-based crime - even folks who stay offline. And, once victimized, you can face more trouble than you might imagine.
Many consumers and small-business owners naively believe online transactions are safe if they use a firewall, keep anti-virus software updated and follow security tips posted on banking websites.
Not so, Internet security experts and federal regulators say. "What banks don't tell you is how easy it is to bypass those protections, and how prolific the threat is, because then you wouldn't do online banking," says Peter Vogt, a board member of Information Systems Security Association, an international group of tech security professionals.
Over the past two years, banks, credit card companies and credit agencies have made everything from changing a billing address to extending credit and transferring large sums easy to do online.
That has created fresh opportunities for swindlers and hackers, say dozens of banking and Internet-security executives, analysts, consultants, researchers and regulators interviewed by USA TODAY over the past four months.
Federal regulators are cognizant of the biggest blind spot: To gain access to most online bank accounts, you need nothing more than a user name and a password.
Bank of America told USA TODAY that it plans to require extra log-on steps for all Internet customers by early next year. It will become the first major U.S. bank to add another level of authentication, as banking and tech-security experts debate how to best balance convenience and security.
The Federal Financial Institutions Examinations Council last month called on all banks to toughen log-on procedures by the end of 2006. But the council, a consortium of five federal banking agencies, stopped short of specifying how to do that.
"No one knows what the right answer is yet," says Unisys banking security consultant John Pironti.
'They said it was safe'
The case of small-businessman Joe Lopez, closely watched in banking and legal circles, has emerged as a microcosm of e-commerce at a crossroads.
The bootstrap founder of Ahlo, a thriving Miami-based ink and toner cartridge wholesale business, Lopez says he opened a Bank of America online business account in October 2003 after being cajoled by bank representatives on more than 20 different visits to his local branch. "They said it was safe," Lopez, 42, recalls from his office in a gritty industrial neighborhood.
In April 2004, moments after logging on to his online account at work, Lopez spotted an entry revealing that someone had executed an electronic transfer of $90,348.65 to Parex Bank in Riga, Latvia. Lopez knew no one in Latvia. "I thought I was going to ," he recalls.
The next day, according to bank records, a mysterious figure named Yanson Arnold withdrew $20,000 in cash from Parex Bank, leaving $70,348.65 behind. Arnold has not been heard from since.
Secret Service investigators later discovered someone had slipped a Trojan - a small bit of malicious code - past the firewall and anti-virus software Lopez assumed kept his computer protected. The Trojan, called Coreflood, had captured and transmitted Lopez's user name and password to a data thief, who probably sold it to Arnold or his associates.
Bank of America disavowed responsibility, prompting Lopez to sue the bank in federal court in Miami to get his money back. "We fully investigated his claims and determined that all of our internal protocols and security measures were in place," says Shirley Norton, a Bank of America spokeswoman.
In its defense, the bank has invoked an obscure section of the Uniform Commercial Code, state laws governing commercial contracts, which banks helped draft. It limits liability in delivering online services to businesses if certain safeguards are in place.
Norton says the bank considers Lopez a business customer doing commercial transactions, not a consumer doing household banking. Consumers are protected by federal laws that limit their fraud losses in most cases to $50. They must report discrepancies promptly and generally be able to show wrongdoing.
"It's a bank's way of saying, 'It's the customers' fault,' " says Gail Hillebrand, a senior attorney at Consumers Union.
Legal experts say BofA's stance makes sense. It is refusing to expose itself to liability arising from the countless malicious programs that infest PCs used by small companies, over which the bank has no control. Such exposure could force financial institutions to curtail online services being pitched to small firms, a promising growth area.
No trial date has been set for the case. If BofA prevails, it will reinforce the Uniform Commercial Code as a legal rampart financial institutions can use to fend off similar lawsuits. "Making Lopez whole could open BofA to settling lots of other breaches, and that adds up to a lot of money," says Mark Budnitz, a law professor at Georgia State.
Meanwhile, Lopez, now a First Bank of Miami customer, faxes wire-transfer requests to the bank using a form letter. He follows up with a phone call. "No more online transactions for me, man," he says.
While financial industry executives acknowledge the Internet's security pitfalls, they say they have been mindful of minimizing risks to consumers and small businesses. Of the $1.3 trillion in transactions done with Visa credit cards in 2004, only 0.05% were fraudulent, the same level as 2003, and down from 0.07% in 2002. Visa does not break out online transactions.
"Online banking is safe and getting safer," says Doug Johnson, senior policy analyst at the American Bankers Association.
Indeed, consumer financial fraud has been around as long as checking accounts and credit cards, and banks already do plenty to stop fraud. But e-commerce has opened virgin criminal frontiers. "In the past, everything was much more traceable," says Gartner banking analyst Avivah Litan. "Now you can open 10,000 (bogus) accounts in the time it used to take to open one, all in a faceless Internet."
Stopping mailbox thieves and check kiters in the physical world is one thing. But modeling the threat posed by crime groups using the Internet to commit fraud electronically, on a global scale, has proved to be much more complex.
For one thing, electronic thievery is difficult to measure. When crooks get away with an online scam, banks often misclassify the pilfered funds as uncollectible debt. That masks the level of online fraud, says Litan, while "making it easier for the criminals to escape the law."
What's more, there is little urgency for banks to measure cybercrime precisely. Online banking services are still in a nascent phase, representing less than $200 billion of the trillions of dollars of transactions banks handle each year.
Coreflood could have gotten on Lopez's PC several different ways. It is one of many tried-and-true tools ID thieves use to harvest user names, passwords, Social Security numbers, account numbers and other personal data.
Anti-virus, anti-spyware and firewall defenses offer limited protection, primarily blocking the known malicious programs relentlessly blasting across the Internet, seeking unprotected PCs.
But elite identity data thieves have shifted to smaller-scale, more stealthy exploits, often aimed at compromising 1,000 or so PCs a day, says Joe Hartmann, director of anti-virus research at Trend Micro. Over time they can infect millions of machines but go completely undetected.
Some specialist hackers focus on finding new ways to attach Trojans to free, downloadable music, pornography and gambling files found across the Internet. Others hide Trojans on popular websites or in e-mail attachments. Downloading a tainted file, visiting a contagious Web page or opening a viral attachment can load a Trojan.
Meanwhile, phishing scammers seem to have endless creativity when it comes to crafting e-mail to trick even computer-savvy individuals into divulging sensitive account information at counterfeit websites. The best and brightest coders can make good money deploying "SQL Injection" attacks. These are aimed at tricking a Web page linked to a company database into giving up sensitive employee and customer data.
Low-tech heists work, too. Larcenous company insiders can get paid top dollar to assist in pilfering directly from company databases. For his new book, The Insider, A True Story: Sometimes Security is About Keeping An Eye On Those We Trust Most, Dan Verton examined network traffic at 50 large companies and government agencies.
In two days spent at each organization, he found 6,000 instances of names, Social Security numbers, credit card numbers, tax ID numbers, private health care information, payroll data and bank account information being transmitted, without authorization, to unknown locations on the Internet or to private e-mail accounts.
Verton says his findings suggest similar breaches may be taking place at an epidemic level across e-commerce, with insiders diverting vast amounts of valuable data to criminal circles.
In short, if your personal information resides in any database anywhere, it can become a target, even if you prefer to write checks and patronize bricks-and-mortar banks and stores.
'This stuff happens'
Apart from data thieves, another kind of crook specializes in converting the stolen ID data into goods and cash, using the Internet as a communications and distribution network.
"The market is becoming more sophisticated," says Jim Melnick, former analyst for the Defense Intelligence Agency, now director of threat intelligence at security firm iDefense. "There's more differentiating of roles and services to streamline and accelerate cybercriminal activity."
The most widely cited measure of cybercrime activity comes from a 2-year-old Federal Trade Commission consumer survey, the first of its kind, which placed the number of Americans victimized by identity thieves at 10 million in 2003, with consumers losing $5 billion and businesses $48 billion.
The FTC plans to redo its identity theft survey early next year, and the results are expected to reinforce anecdotal evidence that cybercrime has intensified.
George Rodriguez, the North Carolina commercial real estate broker, doesn't need a government study to tell him the threat is increasing. When Rodriguez spotted a cybercrook attempting to transfer proceeds from his Ameritrade portfolio to a consumer account at Bank of America, he quickly called authorities to cut short the stock trades before they were settled.
But the experience left him wondering what might have happened if he had been on vacation or simply not using his computer that day.
A local detective identified the BofA account owner as Kevin Maguire, a 53-year-old corporate travel manager from Austin.
Contacted by USA TODAY, Maguire said he "has no idea" what happened to his bank account. He says BofA informed him of the incident, but said little else. "They just told me this stuff happens," Maguire says.
Investigators say cyberthieves probably intended to use Maguire's compromised account to launder Rodriguez's cash. To misdirect authorities, thieves typically transfer funds a number of times culminating in a cash withdrawal.
Dealing with the fallout of a cybercrime can be frustrating. Most banks espouse policies of making restitution to consumers who fall prey to online fraud, if the crime is reported within 60 days.
But that is not uniform. Ameritrade, which declined comment to USA TODAY, told Rodriguez in a short letter that it would unravel the bogus stock trades "as a one-time courtesy to you. ... Going forward, you are responsible for any transactions placed in your account."
"They treated me as if I screwed up," Rodriguez says, looking at the letter, shaking his head.
Copyright © 2005 USA TODAY, a division of Gannett Co. Inc.