BreachExchange mailing list archives

Cyber threats to bank accounts on the rise: Report


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Dec 2013 20:18:02 -0700

http://www.cnbc.com/id/101290351

On the same day that news broke that 40 million customer account records
were stolen from retail giant Target, the regulator of the nation's largest
financial institutions warned that customers' financial information is
increasingly under assault in their banks as well.

On Thursday, the Office of the Comptroller of the Currency, in
its Semiannual Risk Perspective, warned that "Cyber-threats continue to
increase in sophistication and frequency." The agency noted, "Known impacts
include … identity theft, fraud, and theft of intellectual property."

The report found that one new tactic employed by hackers is to target a
bank's home page with a so-called "denial of service" attack, in which
thousands of hacked computers try to log on to the website simultaneously,
thereby disabling it for regular customers' use.

While security experts are distracted by the DOS attack, the report found,
the hackers go after their real target by, for instance, draining customer
accounts through fraudulent wire transfers.

"It's an increasing problem," agreed Richard F. Cross, a former vice
president and director of bank security at Bank of New York, now a private
consultant. "You have to assume that the crooks are always one step ahead
of what the financial community is doing to protect itself."

The OCC cautioned that small banks appear to be more frequent targets of
hackers, because criminals perceive them as being less likely to have
strong security measures in place.

Cross said that in his experience, that tends to be true. "The problem
usually is with small community banks," he said. "I hate to say it, but
sometimes they don't want to spend the money."

Protection doesn't come cheap, the OCC found. While the tools necessary to
reduce the risk of a cyber attack are "readily available," according to the
report, "the costs and resources needed to manage the risks continue to
increase."

Banks that are at increased risk, the agency said, are early adopters of
new technologies, and banks that hire third parties to provide certain
information technology-related services, both of which create additional
risks that are difficult to measure and to manage.

The good news for consumers is that they can do a lot to protect
themselves. Most cases of identity theft and bank fraud begin with the
customer making the mistake of providing personal information, willingly or
unwillingly, to crooks—although they often won't know it until later.

One of the most common methods is through "phishing"—a technique in which
an official-looking email is sent to a bank customer either directly
soliciting account information or carrying a hidden computer virus that
will give hackers access to the customer's computer.

Cross cautioned that consumers can't rely solely on banks to protect
them—and have to be aware of everything they do while online.

"If an email comes in and it looks even a wee bit suspicious, you have to
ignore it," he said. "But people are busy. They see an email and they click
on it, then it's too late."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/