Back to Newsletters... March 2005 Newsletter

High Tech Theft

The following newsletter is provided to bring awareness about the seriousness of high tech theft and steps to protect oneself against fraud.

Why you should buy a cross cut paper shredder
Here are some simple solutions for solving or eliminating identity theft issues. Foremost among these solutions is to purchase a crosscut paper shredder. Use the crosscut paper shredder on all bank mailings received with those wonderful discount interest rates checks. Those checks in the hands of a thief could wreck your credit rating. A high quality cross cut paper shredder made by HSM, Dahle, Destroyit, Olympia, Intimus, or Kobra or the preferred national brands. Value will be best received when you allocate your budget in the neighborhood of $500.00 plus. Then you will be purchasing a paper shredder that will last for 10-12 years. Note that effective March 1, 2005, the MBM Destroyit paper shredders now come with a 10 year warranty on the cutting cylinders of the Destroyit brand. Intimus, Olympia, and Dahle offer similar high value warranties. This should be the best signal of the quality inherent in these high quality crosscut and stripcut paper shredders. All of these paper shredders are available at discount prices.

Call us at 800.203.0233 to discuss your paper shredder requirements.

Now on to more information on issues of identity theft and the means and procedures to protect yourself and your family.

First came word that an estimated 2 million people had had their checking accounts raided in the past year, with strong indications that online thieves were responsible for the majority of incursions. The research firm that conducted the study, Gartner, said checking-account theft was the fastest-growing financial fraud affecting consumers and is now second only to credit card theft (which affected nearly 6 million people in the last 12 months).

Then US-CERT, the government's computer security team, warned of an insidious new Internet hazard that could launch a stealth attack on your computer, allowing thieves to swipe bank account numbers, passwords and other private financial information.

If you haven't heard about this latest threat, it's chilling. It seems that hackers broke into the Web servers of large, trusted companies around the world -- US-CERT isn't revealing just which ones, but confirms that these were not just small or unknown sites -- and planted malicious code. Consumers visiting these trusted sites were secretly redirected to another Web site, hosted in Russia. That site surreptitiously downloaded software to the victims' computers, which allowed the thieves to copy bank account numbers, passwords and other private financial information.

This means, you don't need to click on an e-mail link, open an attachment or even visit a suspicious Web site to be infected. Before you know it, Boris and Natasha have everything they need to know to steal you blind.

Financial institutions could do more
US-CERT and other security experts believe they detected the scheme in time to prevent a large-scale attack, but there's no guarantee the criminals, or others like them, won't strike again. The thieves exploited security flaws in Internet Explorer and the Microsoft software that runs big Internet servers.

Financial institutions get their share of the blame, as well, for exposing customers to fraud. Banks don't use the same kind of fraud detection software on checking accounts that they use on credit card transactions to spot suspicious purchases, said Avivah Litan, vice president and research director at Gartner.

Banks, online bill payers and other financial sites also could make stolen IDs and passwords all but unusable, Litan said, if they would adopt "shared secret" technology. The customer would register her computer's "machine ID" with the bank so that thieves couldn't use another computer to pretend to be her; she would then choose a picture or question-and-answer set that would appear every time she logged in on the financial institution's site.

This would make online banking and bill paying slightly less convenient, since the customer couldn't use just any old computer to log onto her account. Given the risks of using public or borrowed computers for online financial transactions, though, that's probably not something you should be doing anyway.

Litan's interest in checking account fraud is more than academic, by the way; she's also a victim, and well knows the hassles such theft can cause.

Like most targets, she isn't exactly sure how her account was compromised, but suspects it happened the one time she used a debit card to buy something online. The thief used her account information to set up a PayPal account with himself as the payee.

The thief took a small amount to start -- just to "probe" the account and see if the theft would be noticed. Litan spotted the unauthorized payment almost immediately, but still had a heck of a time trying to convince PayPal to shut down the bogus account. She finally used one of her professional contacts at the company to intervene with its customer service department.

Plenty of open windows for thieves
Indeed, there are plenty of ways for thieves to access your checking account offline. Here are just a few:

  • Thieves can swipe your mail, pull out a check you've written, soak off the ink with nail-polish remover and write themselves a fat payday
  • They can steal your wallet and use your ATM, particularly if you wrote the PIN on your card (a big no-no -- but people still do it)
  • They can set up phony ATM machines, or devices that fit over legitimate ATMs, then record the information from the magnetic stripe along with your PIN

Then there's the possibility of an inside job: a bank employee with access to all your account numbers, user IDs and passwords who simply decides to help himself.

But there's strong circumstantial evidence that thieves are becoming more experienced at raiding accounts online, and that should concern anyone who uses online banking.

Consider that around 45% of adults with Internet access use the Web to bank or pay bills. Among those whose checking accounts had been raided, 70% were online finance users, Gartner said.

When bad guys go 'phishing,' you're on the line
The rise in checking-account hijacks also corresponds with the rise in "phishing" -- e-mails that purport to be from a financial institution but that route the user to a bogus site that collects their account numbers and passwords.

A Gartner study in May found that 92% of the known phishing attacks had occurred in the previous 12 months, with 76% occurring since October 2003. About 5% of the victims Gartner surveyed admitted providing sensitive account information in response to a phishing e-mail, and Gartner believes the percentage of victims fooled by this scam was probably higher.

Which brings us to the final weak link in the security chain: you and me. There's still a lot we need to do to protect ourselves while we wait for better security solutions, such as:

  • Don't expose yourself. Never use a public computer or wireless "hot spot" for financial transactions
  • Beef up your security. If you use Internet Explorer, Microsoft recommends cranking the security setting on your Internet browser up to "high" (you'll find it under the Tools menu; click on Internet Options and look for the security tab, then select Internet Zone). This may keep some Web sites from working properly, but you can make exceptions for trusted sites. Alternatively, use the Mozilla browser
  • Use a credit card for online purchases. Technically, debit cards with the Visa or MasterCard logo offer you the same no-liability coverage for fraud that credit cards give you, but you have to wait a few days for the bank to restore the money to your account. Better to have a middleman like a credit card company between a thief and your checking account
  • Don't click. You probably know by now not to open spam e-mails or download attachments from unknown sources. But e-mail links in instant messages, Web message boards and Internet relay chats (IRC) also can be malicious. If a financial institution sends you an e-mail relating to an "urgent problem" or other matter pertaining to your account, use the phone number printed on your statement to respond
  • Block pop-ups. Besides being incredibly annoying, pop-ups can be used to install hackers' software on your computer. Many Internet service providers now have pop-up software built in. Download the beta version of the Microsoft spyblocker. It is free and can be found at the Microsoft homepage
  • Monitor, monitor, monitor. You need to take a careful look at your bank and bill-pay transactions. Don't assume that odd $40 electronic transfer or check is a payment you just forgot about; it could be a scammer probing to see if the fraud will go unnoticed. With bill payment systems, review your payment history as well as your payee list to make sure there aren't any unauthorized transactions. The sooner you report the theft the better; after 60 days, the bank may be under no legal obligation to provide a refund
  • Stay up to date. Run Windows Update to keep current on the latest security patches. If you use Internet Explorer and have increased your security to "high," you'll need to follow the instructions on this link for the update to work properly
  • Inject some variety. Don't use the same user ID and passwords at different financial institutions. If you're asked to create a security question and answer, don't use one that's relatively easy to discover, such as your mother's maiden name
  • Inoculate yourself. Keep your virus software up-to-date and run frequent scans to check for problems

You could, of course, deal with the problem by simply not banking or paying bills online. But, as I mentioned earlier, that still doesn't eliminate your vulnerability to dishonest insiders or hackers who access bank databases.

Some thieves have even been able to view electronic impressions of victims' paper checks and devise new bogus checks that way.

Offline safety tips You can reduce your offline risk somewhat by:

  • Using gel pens to write checks. These inks can't be easily dissolved.
  • Purchase an industrial grade crosscut paper shredder. At a minimum, buy a MBM Destroyit 2400 crosscut paper shredder or a Dahle 20314 crosscut paper shredder or lastly, an Intimus 302 crosscut paper shredder
  • Think about purchasing a credit card paper shredder. The Intimus Simplex SE 1/8'' inch credit card shredder is very suitable for destroying those expired credit cards
  • Get a locking mailbox. Make theft of your checks more difficult by locking up your mail and delivering any outgoing checks directly to the post office (In other words, don't let them sit in your mailbox)
  • Monitor, monitor, monitor. Check your bank account statements religiously. Be alert for any unauthorized transaction, regardless of the size
  • Don't write down your password. Especially don't scribble the PIN on the ATM or debit card itself, or anywhere else in your wallet
  • Use your credit card for "out of sight" transactions. That waiter who disappears with your debit card could swipe it through a "skimmer," a handheld device that records the information on the magnetic stripe. They can do that with a credit card, too, but again, fixing a fraud problem is easier with a credit card than with a debit card