Tuesday 25 March 2008

Hoax Emails - Internet Banking Fraud

In my time of collecting and monitoring SPAM I have noticed that I have not received many Internet Banking Fraud / Hoax emails. It might just be me but it seems a bit odd that the only one that I have received are for Internet Banking sites which I use. So, for example, I use ANZ Internet Banking and just today received my 3rd Internet Banking Hoax Email, this one was for ANZ.

So how do the fraudsters (server registered in Chile (.cl) ) know that I bank ANZ, and why don;t I get NAB, St George or Bank Brunei Email Hoaxes ? The answer is that they KNOW I bank ANZ.

What would be some ways they obtain this list ? I can certainly think of some. And I will add also, ways for the Banks to prevent it, and also for us to be mindful (as users).

Buying the list
At first you would hope it doesn't occur, but when you think about it, it is quite plausible. A high enough price put up entices someone with access to "sell" the list.

Imagine that of 100,000 emails sent out, only 100 people (.001%) provide their details. And if from this, the fraudsters were able to transfer an average of $500, that's a quick easy $50,000.

Of course, some accounts have $50,000 in them to start with, so the bounty is much more of course.

So let's go with $50,000. We can pay $5,000 to the list provider, all they have to provide is Email Addresses of valid customers, nothing more.

$5k is not a lot, but if it were sold for $5k to 3 "fraud" groups, then the insider pockets $15k.

A security breach is 90% of the time an insider job and is the one thing that banks must watch out for.

So who could be an insider ? Well simply put anyone with access to the email list.

This could be:
  • Anyone in IT with sufficient privileges (to the test, development, or production database).
  • Anyone in Marketing who can extract / export a list of email addresses for bulk email
  • Anyone in Customer Servicing with this type of access
  • The Vendor of the Banking System who is given the Database in original form for issue resolution (and of course then, any of the vendors employees)
So the insider is an issue. We know it, but it really is as scarey as that. So many IT systems are left open or "available" for reading but all users. I have certainly worked with my fair share that do.

Moving On, so, if it's not an insider job, how else could it be done ?

The ISP Proxy Server
All requests that I make from my ISP (ie: at home) are logged, not only my ISP at home, but at work also.

Might seem odd, but this data is worth money.

At the ISP, they just have to marry my email address and a list of known "banking" logon sites that I access, then they have a decent list. Of course it is not ALL users, but a big ISP (Telstra Bigpond in Australia) would be a nice size and, sadly, the bigger the ISP, the more un-suspecting the user will be and more likely to click on that link.

At a stretch
Virus / URL Logger / Spy
So this one is kind of logical, but probably not done. If there is software on my PC which is "logging" my surfing, they could use that. But if it's on my PC, then well, might as well log the logon to the internet banking site also.

So How do We Prevent it ?
I'll talk about us and the Bank.
For us

(a) Change banks to one which provides
(i) SMS Bank Pay Anyone Verification (With the CommonWealth Bank - not ANZ) for any new Pay Anyone Account not in my list, I need to verify it with an SMS code which is sent to my Mobile phone. That way, I must have my phone with my to pay anyone.

(ii) Secure ID Number Generators for login
HSBC in Australia and HSBC Commercial in the UK use these. A new number is generated every 60 seconds, and I need to supply my ID, password and this number to login.

Fraudsters won't target banks which use either of these (a,i or a,ii) , they either can't get in, or can't do anything once they are in.

(b) NEVER, EVER click on a link in an email for Internet Bank, for changing password, or for reactivating an account, or any activity. Go through your banks website directly, or ring them.

(c)
Change banks to someone that DOES provide good access.

For the banks

Where do you start ?

First - Secure internal Access

Perform a full audit of all access methods to the "customer data" at length. This will show holes on how data can come and go, and don't think that just stopping USB access will prevent a user from getting large lists of data out. Where there is a will, there is a way. a quick UUENCODE and a Cut'n'Paste to a pastebin.ca will dump data out in next to no time. If that doesn't seem plausible, what about some steganography ?

Second - Audit Access

Goes without saying, but you would be suprised. Audit all access to the data, so that if data does get out, you know when and by whom (hopefully).

Third - Provide Decent Security Features

It is almost ignorant for banks to NOT have a decent security feature such as SMS verification of Number Generator Fobs for use. They can tell us all they like what NOT to do, but really there are technologies out there which now prevent this type of attack from working, so just get to it an implement it.


There is MUCH more to be said on this topic, but that will get you thinking for now.

Current 5 booksmarks @ del.icio.us/pefdus