As both a bank lawyer and a bank customer, I'm interested in the progress of banks in complying with the year-end deadline set by FFIEC guidance concerning dual authentication for online banking. I'm sure many readers who do their banking online have received communications from their financial institutions that address "new and improved security procedures" or "additional security protection" for your online banking safety. Banks are using the required implementation of additional security procedures as an opportunity to sell themselves to customers. There's nothing wrong with that, of course.
Unfortunately, it turns out that crooks are also using the new authentication requirements to reach out and touch the same customer base.
In a recent issue of The American Banker (unable to locate article online), it was revealed that cybercrooks have been exploiting the fact that some banks require customers to enroll online before they can use the enhanced security procedures, using it as an opportunity to trick consumers into revealing their online passwords. SecureWorks Inc. of Atlanta revealed "that it has blocked several phishing Web sites that asked bank customers to enter personal data to enroll in security systems."
"We thought this latest phishing scam was extremely clever and quite ironic, considering the phishers used the dual authentication guidance, which was developed to protect online banking from fraud, to try and scam their victims," Erik Petersen, SecureWorks' vice president of professional services, said in a press release.
"Extremely clever and ironic" is something that Saturday Night Live could use a lot more of. In the realm of online fraud, it tends to be a lot less amusing.
Also recently comes word (again via The American Banker) from an Israeli security firm about a "fundamental weakness in the system that banks use to keep debit card PIN codes secret while they are transported across bank networks – a flaw that they say could undermine the entire debit card system."
According to one of the authors of the Israeli firm's report, Odelia Moshe Ostrovsky:
her company shared the research with the Visa credit card association’s risk management team and other U.S. financial industry security experts six months ago, and recommended systemwide ATM network changes. But U.S. banks weren’t reacting fast enough to the risk, she said, so ARX decided to go public with its information and two weeks ago published a paper titled "The Unbearable Lightness of PIN cracking," which is now available on the Internet (in Adobe Acrobat format).
Kim Bruce, a spokeswoman for the Secret Service, confirmed that the agency had been in contact with ARX to discuss the paper’s findings, but declined to provide additional detail.
Industry sources quoted in the linked article play down the threat. Visa's spokesperson claimed that the flaw has been known for some time and that the threat posed is "minimal." Spokespersons for the American Bankers Association and BITS also dismissed the threat. Independent experts, however, agreed with the report's authors that the threat is worrisome. Nevertheless, all experts seem to agree that "organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic."
As I've observed previously, no matter how fast law enforcement and bank security administrators think that they're running, the criminals always seem to be running stride for stride with them and, occasionally, one step ahead.