Internet-Based Scammers Take $2.4B Toll On Consumers

Research firm Gartner says a growing number of the scams are coming from online channels such as key loggers and phishing attacks.

Internet-based scammers illegally accessing checking accounts ripped off consumers to the tune of $2.4 billion in the last 12 months, research firm Gartner said on Tuesday.

And the scams designed to purloin funds are increasingly coming from online channels such as spyware and phishing attacks, the research firm said.

Using data from an April 2004 survey of 5,000 U.S. adults who use the Internet and E-mail, Gartner estimated that nearly 2 million Americans fell victim to checking-account fraud in the last 12 months. The cost to banks and consumers: $2.4 billion in direct losses, an average of $1,200 per victim.

"In most cases that are not inside jobs, thieves likely stole account numbers and passwords to get into accounts online or through telephone-banking services," said Avivah Litan, a VP and research director at Gartner.

Such techniques, which don't require face-to-face transactions, are booming. And banks are behind the curve. "In contrast to the credit-card industry's fraud-detection systems, methods for detecting fraudulent checking account access seem years behind," Litan said.

Unauthorized access to checking accounts, in which someone transfers money out of a customer's account illegally, grew the fastest in the past year, Litan said, with 44% of all reported incidents taking place in the last 12 months. However, fraudulent credit-card purchases still account for the largest number of victims.

The two most-common methods scammers use to lift bank-account numbers are key loggers planted by spyware--software typically loaded onto a computer without the consumer's knowledge--and phishing attacks, E-mail messages that try to trick users into divulging financial information.

"What we're hearing from our clients is that key loggers are now just as prevalent as phishing attacks," Litan said.

Both spyware and phishing attacks are on a dramatic upswing. According to the Anti-Phishing Working Group, phishing attacks jumped 200% during April alone. Spyware is just as prevalent; anti-spyware vendor Webroot Software Inc. previously detected an average of 28 pieces of the software on each PC, and recently noted that one in three of the 1.5 million PCs it surveyed contained some sort of key logger.

Key loggers are tools designed to trap all keystrokes, including passwords, user names, and account numbers that consumers type in, then transmit the data to hacker servers.

"The problem with key loggers is that they're invisible," Litan said. "Phishing attacks are getting a lot of attention, but that's because the CEO probably got a phishing E-mail. But the CEO has no clue he may have a key logger on his machine. As soon as he or she figures that out, they'll start looking at spyware."

Although Litan estimates that spyware-related key loggers are "as big, if not a bigger, problem than phishing," banks and other financial organizations are doing little at the moment to combat the fraud.

"They're not doing a thing," she said. "But in all fairness, they don't own the desktop, so they're not the most logical distribution point for anti-key logger, anti-phishing defenses.

"I think it's more a Microsoft issue than anything," she added. "Who owns the desktop? Microsoft."

Litan called on banks to bolster their defenses against checking-account fraud, and online fraud specifically.

"It will take time for financial services to develop sophisticated tools, but banks must implement stronger access controls to online- and telephone-banking systems," she said. Among the short-term solutions, she cited something called "shared-secret authentication," a tactic that acts as an additional level of security beyond the typical online user name and password, both of which can be hijacked by key loggers or easily divulged by users fooled by phishing E-mails.

Shared-secret authentication can range from the simple--the bank asking a rotating set of questions, such as "What's your pet's name?" and the customer responding--to the more complex, such as USB-based tokens that must be plugged into the PC. Another technique is for the consumer to choose a photograph or upload one of his own; the image is stored in the bank's database as part of the customer profile and displayed during the log-on process, and the user must verify it before access to the account is given. PassMark Security LLC's system of identifying images, Litan said, is a great example of such a shared-secret program.

"A phishing attack can't trap these shared-secret authentications if they're done right, nor can key loggers," Litan said.
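To make concrete what "done right" means for the log-on flow described above, the following is an added example, not code from the article, Gartner, PassMark or any bank. It models the two shared secrets as a small server-side flow: the customer-chosen site image is shown after the user name alone is entered, so a look-alike page that has no access to the profile cannot reproduce it, and the challenge question is chosen by the server, rotated between log-ons and bound to a single-use challenge, so keystrokes captured in one session do not answer the next one. All names (`Bank`, `LookAlikeSite`, the user `alice`, the image file names and the questions) are hypothetical.

```python
import hashlib
import hmac
import os
import secrets

# Toy model of the shared-secret log-on flow. All names are hypothetical;
# this is an added illustration, not PassMark's or any bank's code.

PBKDF2_ROUNDS = 100_000


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored secrets are not directly usable if the table leaks."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalize(answer: str) -> str:
    """Make answers to questions like 'What's your pet's name?' tolerant of case and spacing."""
    return " ".join(answer.strip().lower().split())


class Bank:
    """Server side: holds the customer profile, including both shared secrets."""

    def __init__(self):
        self._users = {}
        self._pending = {}  # challenge id -> (username, question issued for it)

    def enroll(self, username, password, site_image, answers):
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "password": _digest(password, salt),
            "site_image": site_image,  # customer-chosen image, stored in the profile
            "answers": {q: _digest(_normalize(a), salt) for q, a in answers.items()},
            "last_question": None,
        }

    def begin_login(self, username):
        """Step 1: only the user name has been typed. Return the customer's site
        image (evidence the user is talking to the real bank) plus one challenge
        question, rotated so it differs from the one asked at the previous log-on."""
        user = self._users[username]
        candidates = [q for q in user["answers"] if q != user["last_question"]]
        question = secrets.choice(candidates)
        user["last_question"] = question
        challenge_id = secrets.token_hex(16)
        self._pending[challenge_id] = (username, question)
        return {"challenge_id": challenge_id, "site_image": user["site_image"], "question": question}

    def finish_login(self, challenge_id, password, answer):
        """Step 2: password plus the answer to the question the *server* issued.
        The challenge is single-use, so a captured answer cannot simply be replayed."""
        pending = self._pending.pop(challenge_id, None)
        if pending is None:
            return False
        username, question = pending
        user = self._users[username]
        salt = user["salt"]
        pw_ok = hmac.compare_digest(_digest(password, salt), user["password"])
        ans_ok = hmac.compare_digest(_digest(_normalize(answer), salt), user["answers"][question])
        return pw_ok and ans_ok


class LookAlikeSite:
    """A page that imitates the bank has no access to the profile, so the best it
    can do is show a generic picture; the customer's check below then fails."""

    def begin_login(self, username):
        return {"challenge_id": None, "site_image": "generic-bank-logo.png", "question": "Password?"}


def user_accepts_site_image(shown, chosen):
    """The customer's verification step: continue only if the displayed image
    is the one chosen at enrollment."""
    return shown == chosen


if __name__ == "__main__":
    bank = Bank()
    bank.enroll("alice", "correct horse", "alice-sailboat.jpg",
                {"What's your pet's name?": "Rex", "What street did you grow up on?": "Elm"})
    step1 = bank.begin_login("alice")
    print("real bank shows the right image:",
          user_accepts_site_image(step1["site_image"], "alice-sailboat.jpg"))
    print("look-alike shows the right image:",
          user_accepts_site_image(LookAlikeSite().begin_login("alice")["site_image"], "alice-sailboat.jpg"))
    print("server asks:", step1["question"])
```

The site image protects the user before any secret is typed, which is why it is shown after the user name alone; the rotating, server-chosen question limits what a single captured session reveals; and the single-use challenge id stops a straight replay. Rotation only helps while the question pool is larger than what an attacker has already captured, so in practice the pool should be several questions deep and answers should be rate-limited like passwords.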

Long-term, more robust strategies must be implemented by banks and other financial-service companies, including trusted third-party authentication and Caller ID-style E-mail authentication, such as the schemes in development at Microsoft and Yahoo.

"A challenge-response system [such as shared-secret] is a much better defense than passwords alone, and a good short-term solution," Litan said. "But in the longer term, banks need effective back-end tools to detect and stop checking accounts being hijacked."
