Hackers plunder bank accounts at unsuspecting small businesses and school districts

(08/10/2009)

By law, one single password is not enough protection for online banking. To guard against hacker incursions, banks are required to demand more ID when communicating securely with customers online. The Federal Financial Institutions Examination Council (FFIEC) requires that banks and credit unions only allow customers to access their accounts if they use at least one other identification factor in addition to the passwords.

Requiring that the customer enter a password is a layer of protection called "authentication"- ensuring that the customer is authentic. In addition, the financial institution must authenticate again by asking for at least one other piece of information. The information can be something the customer "is" such as a fingerprint, or something the customer "has" such as a physical key.

Malicious software now replaces old-fashioned confidence games, enabling hackers to empty bank accounts with ease. In the old days, con artists devised elaborate scams involving dropping envelopes full of money in front of the unwary, or promoting undeveloped swampland in Florida. The labor-intensive one-victim-at-a-time approach is outdated. Today, con artists infect hundreds or thousands of personal computers with key logging software, recording every key each Internet user taps. This way they collect information about bank account numbers and passwords.

Armed with confidential information, thieves plunder bank accounts at will, and rapidly, as unsuspecting small businesses and school districts around the United States are learning to their dismay.

"The cyber criminals have spotted a very high value yet very soft target" said Melih Abdulhayoglu, CEO of Comodo. "They inject…malicious executables into school districts' systems, and they take over their bank details and they siphon off money. It's a sad, sad, sad day," said Abdulhayoglu, when money from innocent organizations goes "straight into cyber criminals' pockets. We don't have to suffer at the hands of cyber criminals, all we need is prevention as the first line of defense."

Such prevention is available both for banking institutions and for their online depositors. Online depositors should protect their personal computers from malicious executable files, otherwise known as malware, by using top-quality firewall and antivirus software. Such software should prevent software such as keyloggers from installing itself in a computer.

When hackers stole $588,000 from Patco Construction Co. in Maine in May 2009, Patco's attorneys advised it to sue its bank for not requiring adequate authentication.

"The case is ongoing," said Abdulhayoglu. "Whoever wins, the lawsuit will still be expensive and time-consuming, and both sides will wish they could have prevented it. Unfortunately, it's difficult to stop a determined thief. But prevention-based software can often mitigate risk, making the Internet safer for us all."

Related topics:  Authentication and identity management   Hacking and intrusion prevention   Internet and Web security   Virus, Worm, Email security, spyware and malware 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources