Back in October, Robert S. Mueller III, the director of the Federal Bureau of Investigation, disclosed that he was almost taken in by an online banking scam. He received a phishing e-mail, which appeared to come from his bank, asking him to verify his account. It was a well-crafted scam, and he came very close to falling for it. This, from someone who should be up on this sort of thing.
The obvious conclusion from the story is that online banking can be very dangerous. Mr. Mueller, for example, no longer does it; his wife won't let him. Yet, a recent article in the New York Times came to the exact opposite conclusion.
On November 28th, Randall Stross described Mr. Mueller's story, then wrote "I'm not convinced, however, that online banking carries the high risk that Mr. Mueller implies. I know that as ordinary computer users, we are offered unlimited bait from phishers. But I'm not particularly worried: I'm not on the hook for losses from fraud; my bank is."
The techie side of phishing
Phishing starts with an e-mail message, so I'll start there, too.
A point that can't be repeated too often is that you can't trust the displayed From address in an e-mail message. Forging the From address is trivially easy. Many times I've read advice to treat e-mails one way if you know who it's from and another way if you don't. The fact is, you never really know who it's from. Techies can read the internal e-mail headers and get a good idea of where it came from, but there's no playbook for this.
To get your userid/password, a phishing e-mail message takes you to a Website run by bad guys. How do you know if the Website is legit? Techies might notice, but many non-techies wouldn't. For one thing, you can't tell by looking. It's a simple thing to replicate the look and feel of any Website, so the counterfeit one can easily look exactly like the real one.
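To show what "reading the internal e-mail headers" means in practice, here is an added example (not code from the column) that compares the domain in the displayed From header with the host named in the earliest Received header. Both messages and every domain and address in them are constructed placeholders.

```python
"""Compare an e-mail's displayed From domain with the host recorded in its earliest
Received header. Added example, not code from the column; both messages below are
constructed and every domain in them is a placeholder."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing-style message: the From header claims bank24.example,
# but the earliest Received header shows it entered the mail system from a
# bulk-mail relay that has nothing to do with that domain.
PHISH = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by mail.example.org with ESMTP id A1; Mon, 30 Nov 2009 10:00:00 -0500
Received: from relay.bulkmail.example (relay.bulkmail.example [203.0.113.7])
 by mx.example.net with ESMTP id B2; Mon, 30 Nov 2009 09:59:58 -0500
From: "Bank24 Security" <alerts@bank24.example>
To: customer@example.org
Subject: Please verify your account

Your account needs verification.
"""

# Constructed legitimate-looking message: the earliest hop is a host under the
# same domain as the From address.
LEGIT = """\
Received: from smtp.bank24.example (smtp.bank24.example [198.51.100.5])
 by mail.example.org with ESMTP id C3; Mon, 30 Nov 2009 10:05:00 -0500
From: "Bank24 Statements" <statements@bank24.example>
To: customer@example.org
Subject: Your statement is ready

Your statement is available.
"""

# Matches the "from <host>" clause that begins a Received header.
RECEIVED_FROM = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def from_domain(raw):
    """Domain part of the address in the From header (the part anyone can forge)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def received_hosts(raw):
    """Hosts named in the Received headers, earliest hop first. Received headers
    are stacked newest-on-top, so the list is reversed. Only the hops added by
    your own mail provider are trustworthy; earlier ones can be forged as well."""
    msg = message_from_string(raw)
    hosts = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.match(hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def origin_matches_from(raw):
    """True when the earliest recorded hop is the From domain or a host under it."""
    domain = from_domain(raw)
    hosts = received_hosts(raw)
    if not domain or not hosts:
        return False  # nothing to compare, so do not vouch for the message
    return hosts[0] == domain or hosts[0].endswith("." + domain)


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, from_domain(raw), received_hosts(raw), origin_matches_from(raw))
```

A mismatch is a reason to look closer, not proof of fraud: many organizations send legitimate mail through third-party providers, and the Received lines below the ones your own provider added can be forged just like the From address.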
The scam Website will have a different domain name, but again, non-techies probably won't notice because they don't know the rules for domain names.
One of many domain-related tricks is to include the legit domain name in a longer version of itself. For example, assume you bank with an organization called "bank24" and were on the receiving end of a phishing e-mail that linked to www.onlinebankingbank24.com or www.bank24online.com or accountverify-bank24.com. Many, if not most, computer users (yes, that means Mac users too) would trust that these Websites were associated with bank24. No rule says they are.
Another way bad guys can trick people is to use a different suffix. For example, wsj.com is the Wall Street Journal. But, what about wsj.biz? Looks legit, but it has nothing to do with the newspaper at all. For more on this, see my 2008 blog posting Can you trust the Wall Street Journal's domains?
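The rule non-techies don't know is that only the registrable domain (the label just left of the public suffix, plus the suffix) identifies the owner; everything to the left of it, and any different suffix, is a different site. The added example below (not code from the column) reduces each link to its registrable domain and compares it with the bank's. The public-suffix table is a deliberately tiny stand-in for the real Public Suffix List, and bank24.com is assumed to be the bank's real domain.

```python
"""Reduce a link to its registrable domain and compare it with the expected one.
Added example, not from the column; PUBLIC_SUFFIXES is a tiny stand-in for the
real Public Suffix List, and bank24.com is an assumed 'real' bank domain."""
from urllib.parse import urlsplit

# Stand-in suffix table (assumption). Real checks must use the full Public
# Suffix List, because some suffixes, such as co.uk, have more than one label.
PUBLIC_SUFFIXES = {"com", "net", "org", "biz", "info", "co.uk", "com.au"}


def registrable_domain(host):
    """Return '<owner label>.<public suffix>' for a host name.

    Tries the two-label suffix before the one-label suffix so that
    'accounts.bank24.co.uk' yields 'bank24.co.uk' rather than 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)  # unknown suffix: treat the whole host as the domain


def link_belongs_to(url, expected_domain):
    """True only when the link's registrable domain equals the expected one.
    The URL must carry a scheme (http:// or https://) for the host to be parsed."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return registrable_domain(host) == registrable_domain(expected_domain)


# Constructed test links: the three look-alikes from the column, the real
# domain and a sub-host of it, and the different-suffix trick.
SAMPLE_LINKS = [
    ("http://www.onlinebankingbank24.com/login", "bank24.com"),
    ("http://www.bank24online.com/", "bank24.com"),
    ("http://accountverify-bank24.com/verify", "bank24.com"),
    ("https://www.bank24.com/login", "bank24.com"),
    ("https://secure.bank24.com/", "bank24.com"),
    ("http://wsj.biz/", "wsj.com"),
]


def check_links(pairs=SAMPLE_LINKS):
    """Map each URL to whether it really belongs to the expected domain."""
    return {url: link_belongs_to(url, expected) for url, expected in pairs}


if __name__ == "__main__":
    for url, ok in check_links().items():
        print("OK  " if ok else "NOT " + "the bank's domain:", url)
```

The point the function makes visible is that "contains the bank's name" and "is the bank's domain" are unrelated tests: only the label immediately left of the suffix counts, and the suffix itself has to match too.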
There are many approaches to being forewarned that you are on a bad Website. None are perfect. That said, my favorite is Web of Trust. The company tries to rate all Websites, an obviously unattainable goal. Still, they come close enough to make installing their Web browser plug-in worthwhile. There is one version of the software for Internet Explorer and another version for Firefox users. The Firefox extension works on all versions of Windows, Mac OS X, and Linux.
WOT ratings are visible in two ways. The software adds a button to your Web browser that turns green on good Websites, red on bad ones, and an indeterminate gray on sites they don't yet have a rating for. Unfortunately the color change affects only a very small part of the button and is hard to see.
You are more likely to run into the WOT ratings next to the links in search engine results. It puts a green circle next to links to Websites with a safe rating, red circles next to bad Websites, and a hard-to-see gray circle with a question mark next to sites it's unsure about. Far better to be warned before heading off to a malicious Web site. WOT's circles can also be found in popular Webmail systems.
Not worried yet? Are you too savvy to be tricked by a generic phishing e-mail? Perhaps. But all phishing e-mails aren't generic and some don't include obvious giveaways, such as poor grammar and misspellings. High-class phishing messages are referred to as spear phishing. The FBI describes it thusly:
"Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common: they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same Website, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive."
And there is an even higher form of spear phishing. Bad guys have been known to customize a message to a specific high-value individual. That is, not only will it appear to come from a known person, the body of the message will discuss very specific work-related issues. While normal phishing scams are designed to trick anyone, if you are important enough, you may be the target of phish specifically designed to trick you, and only you.
Perhaps the most egregious aspect of the New York Times article is the focus on phishing, as if it was the only online threat. Far from it. Even someone who is not scammed can have their bank account drained by malicious software (malware) running on their computer.
Over the last few months, the Security Fix column at washingtonpost.com has had a series of articles about businesses that suffered serious losses due to online banking. Any business conducting online banking would be well advised to read these articles. Highly recommended.
Unlike phishing, malware is a Windows-only thing. What to do about it? How can you defend yourself, your computer, and your accounts? Opinions vary, but more than a few techies suggest not doing any online banking from a Windows computer.
I first argued this in August (Consider Linux for Secure Online Banking) and then again in October (Windows and Online Banking: A Dangerous Mix). Brian Krebs (author of the Security Fix articles) came to the same conclusion in October:
"An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud. The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online."
This may seem extreme, but the bad guys are very sophisticated and the losses can be substantial. Other techies who suggest avoiding Windows for online banking are ZDNet blogger Adrian Kingsley-Hughes and Michael Kassner at TechRepublic.com.
Mr. Stross, the author of the article in question, is a business professor. I mention this as background to the issue of "two-factor authentication," a security measure discussed in the article. It sounds great on paper, and he makes it seem like a great thing in the article. Simply put, it refers to security schemes that require the end user (you) to provide both something they know and something they have.
What's not mentioned in the article is that this no longer offers protection on Windows computers. New strains of malware wait quietly in the background for the end user to log on to a financial Website legitimately. No need to steal passwords. After logging on, the Web browser is hijacked to do the bidding of the bad guys and money gets transferred. Not even biometric scans can fend off this type of attack, since the problem is with the computer, not with the end user.
The financial side
Another huge mistake (in my opinion) with the Times' article is the failure to make a distinction between consumers and businesses. Each operates under a very different set of online banking rules.
Stross has consumers in mind when he writes "I could not find any online financial service (and I checked brokerage firms as well as banks) that stops short of promising to make a victimized customer whole."
But, as Brian Krebs recently wrote:
" ... there are important differences in the bank-to-bank transfers as they relate to consumers vs. ACH transfers between businesses. The primary difference is that consumers generally aren't liable for fraud that occurs with their online banking credentials. Businesses, however, assume basically all of the risk from banking online. There are some simple and free security precautions that businesses can take to insulate themselves from this type of fraud, but they have to know to take them."
On top of this, the consumer protections have their own fine print.
Chase customers who read the Online Banking Guarantee will see that they are protected if they inform Chase within two days of discovering fraudulent transactions. Two days. What if you get a bank statement in the mail on Monday, open it on Friday and call Chase on Friday? Is that the same day you discovered it, or does the clock start ticking on Monday?
Chase, like other banks, also imposes requirements on the customer. How many Chase customers realize that the bank will not cover losses resulting from "Failing to completely exit the service when you're done with your session or away from your computer" or if you are "negligent [in the] handling of your User ID and Password"? Who proves this? And how?
The Online Banking Security Guarantee for the Bank of America ends with a "Your responsibilities" section that says the guarantee applies "when you notify the bank within 60 days of the transaction first appearing on your statement." Great.
It also says, "You should always guard your Online ID and Passcode from unauthorized use. If you share this information with someone, all transactions they initiate with the information are considered as authorized by you..." This raises the question of exactly what counts as "guarded."
What if someone watches over your shoulder as you enter a password? Or, if someone simply guesses your password? Is using an obvious password, such as your kid's name, considered not guarding it sufficiently? It's not hard to imagine a lawyer arguing that by choosing "password" as their password a customer did not, in fact, guard it from guessing attacks.
Have you ever walked away from a computer, perhaps for a bathroom break, while it was logged on to an online banking site? If you do, don't expect the bank to cover any losses. Much like Chase, Bank of America spells out your responsibility:
"Not leaving your computer unattended during an Online Banking session. It's easy to protect your information by signing off from Online Banking when you are finished with each session. To ensure cached copies of your Online Banking Web pages are cleared, always close your browser after signing off."
The bank's position is understandable, but note what it makes the customer responsible for: not only logging off, but also closing the Web browser afterwards. And if you don't?
And, where do phishing scams fit into this? Not to mention DNS poisoning attacks. In both cases, victims enter their userid/password at a scam Website. The banks say that if you give someone your password, you're liable for the money they transfer out. Is this considered giving someone your password?
Citibank's protection is called SafeWeb. Their customers may want to review what SafeWeb does not cover in the second footnote at the bottom. It's a long list.
Some online banking defensive tactics
One thing that becomes obvious after reading the Security Fix articles is that there is a big difference between banks. One case of theft involved multiple outbound transfers, all just under $10,000, all in the space of a minute or two and all to payees that had never been used before. Lots of red flags, yet the bank saw nothing wrong.
Obviously, anyone doing online banking needs to take some defensive steps.
One possibility is whitelisting. If your bank allows for this, configure things so that payments can only be made to payees that have been pre-authorized. This should stop both online and offline fraud.
Passive alerts don't prevent the fraud, but can prevent the loss of money. Any bank offering online banking should be able to send you an e-mail message and/or a text message when certain activities occur in your account. Perhaps you'd like to be notified of every debit. Or, if that's too much, see if you can be notified of every debit over a certain dollar amount. Another approach is to be notified any time your account balance falls below a threshold you set.
One thing to look out for, however, is modification of the alerts themselves. If malware can be smart enough to make transfers on its own, it can't be long until it's also smart enough to disable your alerts. Hopefully, your bank alerts you to any change in the configuration of the alerts themselves.
And, there is nothing like the human touch. Anyone with considerable money in an online bank account should probably check the balance frequently. I don't know that there is one right answer to how frequently, but once a month is surely not often enough.
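To make the defensive tactics concrete, here is an added example (not code from the column or from any bank) that runs the rules just described over a constructed transaction log: payee whitelisting, a per-debit dollar threshold, a low-balance threshold, an alert on changes to the alert configuration, and, as a bonus drawn from the Security Fix case above, a flag for several transfers just under $10,000 within a couple of minutes. All thresholds, payees and amounts are made up.

```python
"""Whitelist and passive-alert rules of the kind the column describes, run over a
constructed transaction log. Added example, not from the column or any bank; the
thresholds, payees, timestamps and amounts are all made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    when: datetime
    kind: str          # "debit", "credit" or "alert_config"
    amount: float = 0.0
    payee: str = ""


# Rule parameters (assumed values, not taken from any bank's terms).
DEBIT_ALERT_OVER = 2_500.00         # notify on any single debit above this
BALANCE_FLOOR = 5_000.00            # notify when the balance drops below this
NEAR_LIMIT = (9_000.00, 9_999.99)   # the "just under $10,000" band
BURST_WINDOW = timedelta(minutes=2)
BURST_COUNT = 3                     # this many near-limit debits in the window


def run_rules(events, opening_balance, whitelist=None):
    """Return (alerts, final_balance).

    whitelist=None means the bank offers no whitelisting, so every debit goes
    through and only passive alerts fire. With a whitelist, debits to any other
    payee are refused and do not change the balance."""
    alerts = []
    balance = opening_balance
    recent_near_limit = []  # timestamps of near-limit debits inside the window
    for ev in sorted(events, key=lambda e: e.when):
        stamp = f"{ev.when:%H:%M:%S}"
        if ev.kind == "alert_config":
            alerts.append(f"{stamp} alert settings changed")
            continue
        if ev.kind == "credit":
            balance += ev.amount
            continue
        # Everything from here on is a debit.
        if whitelist is not None and ev.payee not in whitelist:
            alerts.append(f"{stamp} blocked: payee '{ev.payee}' not whitelisted")
            continue
        balance -= ev.amount
        if ev.amount > DEBIT_ALERT_OVER:
            alerts.append(f"{stamp} debit of {ev.amount:,.2f} to {ev.payee}")
        if balance < BALANCE_FLOOR:
            alerts.append(f"{stamp} balance {balance:,.2f} below floor")
        if NEAR_LIMIT[0] <= ev.amount <= NEAR_LIMIT[1]:
            recent_near_limit = [t for t in recent_near_limit
                                 if ev.when - t <= BURST_WINDOW]
            recent_near_limit.append(ev.when)
            if len(recent_near_limit) >= BURST_COUNT:
                alerts.append(f"{stamp} {len(recent_near_limit)} near-limit "
                              f"debits within {BURST_WINDOW.seconds}s")
    return alerts, balance


# Constructed log: one routine bill, then three transfers just under $10,000
# to never-used payees inside two minutes, then the alert settings get changed.
D = datetime(2009, 11, 30)
SAMPLE_EVENTS = [
    Event(D.replace(hour=9, minute=15), "debit", 120.00, "Utility Co"),
    Event(D.replace(hour=10, minute=2, second=0), "debit", 9_850.00, "NewPayee A"),
    Event(D.replace(hour=10, minute=2, second=30), "debit", 9_900.00, "NewPayee B"),
    Event(D.replace(hour=10, minute=3, second=10), "debit", 9_975.00, "NewPayee C"),
    Event(D.replace(hour=10, minute=3, second=40), "alert_config"),
]

if __name__ == "__main__":
    for label, wl in (("no whitelist", None), ("whitelist", {"Utility Co"})):
        alerts, balance = run_rules(SAMPLE_EVENTS, 30_000.00, wl)
        print(f"--- {label}: final balance {balance:,.2f}")
        print("\n".join(alerts))
```

Run without a whitelist, the alerts arrive only after the money has moved, which is the column's point about passive alerts; with the whitelist, the three transfers never leave the account. The final alert, on the configuration change, is the one that would survive even if malware had turned the other notifications off.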
Finally, consider not putting all your eggs in one basket by having more than one bank account. If possible, have an offline account and an online one, keeping as little money as possible in the online account.
It's a shame this is necessary, but anyone who has read enough horror stories of companies that lost money online will gladly trade some convenience for the added safety.
Michael Horowitz is a regular columnist for eSecurityPlanet.com. Read more of his columns here.