
Phishing Scam Spooked FBI Director Off E-Banking

In announcing a crackdown on "phishing" e-mail scams that netted one of the FBI's largest cyber crime cases ever, FBI Director Robert Mueller on Wednesday offered a candid revelation: A personal close call with a phishing scam has kept his family away from online banking altogether.


Addressing the Commonwealth Club of California in San Francisco, Mueller spoke at length about the insidiousness of cyber crime, and how cyber criminals had affected him personally.

Not long ago, the head of one of our nation's domestic agencies received an e-mail purporting to be from his bank. It looked perfectly legitimate, and asked him to verify some information. He started to follow the instructions, but then realized this might not be such a good idea.

It turned out that he was just a few clicks away from falling into a classic Internet "phishing" scam--"phishing" with a "P-H." This is someone who spends a good deal of his professional life warning others about the perils of cyber crime. Yet he barely caught himself in time.

He definitely should have known better. I can say this with certainty, because it was me.

After changing all our passwords, I tried to pass the incident off to my wife as a "teachable moment." To which she replied: "It is not my teachable moment. However, it is our money. No more Internet banking for you!"

So with that as a backdrop, today I want to talk about the nature of cyber threats, the FBI's role in combating them, and finally, how we can help each other to keep them at bay.

Mueller's comments are an interesting contrast to the views expressed by the former director of the FBI's cyber division, James Finch, who said he wasn't going to let cyber thugs deprive him of the efficiencies and convenience that online banking has to offer.

The following is an excerpt from an interview I had with Finch last August:

Q: Do you do online banking?

A: Yes, I do.

Q: How long have you been doing that?

A: Maybe 10 years?

Q: And you don't get freaked out by what you see every day? I certainly do.

A: Yeah, so does my wife. I do online banking. I pay my bills online. I file my taxes online. I truly believe in the Internet. Do I believe it's a scary place? Without a doubt. I'm in law enforcement, and I run the cyber division for the FBI. I don't want to say that I'm so intimidated by the bad guys that I am going to allow them to dictate taking full advantage of what I consider to be the benefits of the Internet. Yes, there are people who are targeting online bank accounts on a regular basis, but not to the point where it's going to cause me to stop using it.

As a consumer, having your online banking account credentials stolen -- either via phishing or through password-stealing malicious software -- can be a harrowing experience, but it is usually not a costly one. The federal Electronic Funds Transfer Act ("Regulation E") limits consumer liability for unauthorized transactions to $50, provided notice is given within 10 business days, or to $500 provided notice is given within 60 business days. In any case, retail banks often work to make whole those customers who are victims of cyber fraud.

On the other hand, businesses that bank online enjoy hardly any such protection. The precise obligations of a commercial bank and its business customers are spelled out in the agreement those companies sign, but generally business customers agree to notify their bank of any suspicious or unauthorized transactions on the same day the transaction in question occurs. Even then, there is no guarantee that the bank will be able to block or reverse fraudulent transfers.

Regardless of whether you bank online as a consumer or business customer, here are a few recommendations to help avoid becoming a victim of cyber thieves.

-Do not click on links or attachments in unsolicited e-mail.

-Junk any e-mail communication that claims to come from your bank alerting you that you need to sign in or update your information. Because of threats like phishing e-mails, few banks use this medium any more to communicate with customers. But if you find yourself wondering whether an e-mail you received really was about a problem with your account, pick up the phone and call your bank.

-Keep your computer, Web browser and other software up-to-date with the latest software security updates: Many data-stealing malware threats arrive via hacked Web sites that leverage outdated or insecure browser plug-ins.

-Keep a close eye on your checking and savings account balances. Notify your bank immediately of any suspicious charges.

A copy of Director Mueller's remarks is available here.

By Brian Krebs  |  October 8, 2009; 3:15 PM ET
Categories:  Fraud , From the Bunker , Safety Tips , U.S. Government  | Tags: fbi, online banking, phishing, robert mueller  

Comments

The problem with stopping your own internet banking is that the hackers are going straight to the banks' servers, the credit card companies etc. I responded once to a phishing email and almost immediately realized I had screwed up. Had to change my account, etc. but no real damage. However I did have one of my credit card accounts hijacked. I'm close to returning to checks and cash. Just have not been pushed over the edge yet. Doing business on the internet feels like walking in a bad part of town anymore.

Posted by: tojo45 | October 8, 2009 4:00 PM | Report abuse

My SSN and two of my CCs have been compromised in the past 5 years, and most recently I received notice from my mail order Rx drug company that their records had been hacked into by computer data thieves, so I was warned to check my credit bureau records for any unusual activity. I'm still after the SSA to correct my SS account but I may not live long enough to accomplish it.

I never open an e-mail that I'm not sure about and I never respond to e-mails from banks like B of A or Chase asking to verify my account info. It's a big RED FLAG when I see that kind of request. However, I do almost all my checking, CC, investing and financial transactions on-line and change PWs on a regular basis, e.g., monthly. My advice is be aware, be defensive and don't trust anyone when your back is turned - not even yourself, when it comes to working on the INTERNET.

Posted by: AZBROKER | October 8, 2009 5:53 PM | Report abuse

Of course, it's not just online banking that's the trouble here -- you can have your info stolen from checks, or from swiping a debit card through an unencrypted payment system at a brick and mortar (I was the victim of identity theft this way). But Mueller's candid comments should highlight that even the most savvy of us are at risk in the current environment, which needs more protection (I work for an online security co, VeriSign, so I see and hear this every day).

I'm surprised Mueller didn't check to see that the url bar was green, since most banks use extended validation ssl (I'm assuming he followed a link wherein he was asked to validate information, rather than being asked by the email itself, which is a far less common phishing strategy). And with his clout he should push for a bill to make EV SSL and maybe a few other protection technologies (two factor authentication, etc) mandatory for online financial institutions.

Posted by: josephadeo | October 8, 2009 6:05 PM | Report abuse

After changing all our passwords, I tried to pass the incident off to my wife as a "teachable moment." To which she replied: "It is not my teachable moment. However, it is our money. No more Internet banking for you!"
----------------------------------------
Ever notice how ANY TEACHABLE MOMENT is NEVER a novice computer user's 'teachable moment?' And by NOVICE, I mean anyone who has ZERO interest in computer security, beyond perhaps having installed an anti-virus product.

Ever notice how wives and girlfriends, even if they are avid application users, almost ALWAYS fall into that category?

AND THEN THEY WONDER 'Dear, why haven't you said anything [of substance] to me today?'

Posted by: brucerealtor@gmail.com | October 9, 2009 12:48 AM | Report abuse

I guess after asking Rob P., by way of e-mail, about enough 'questionable situations,' the latest being 'Silicon India,' as distinguished from that lady from India with the silicon, he wisely responded, 'Bruce, if you have to ask me first, DON'T DO It!'

Well, Silicon India appears to be OK at least -- the other one I haven't found yet! LOL

Posted by: brucerealtor@gmail.com | October 9, 2009 12:55 AM | Report abuse

One other observation ---

How many forward obvious scams to

washingtonfield@ic.fbi.gov

If not, why not ???

Posted by: brucerealtor@gmail.com | October 9, 2009 1:15 AM | Report abuse

If it comes back 'rejected,' that MEANS an OVERLOAD, not a rejection -- so send it again a couple of minutes later.

Posted by: brucerealtor@gmail.com | October 9, 2009 1:17 AM | Report abuse

I get those phishing emails all the time. I just ignore them and delete them. Problem solved.

Posted by: brewstercounty | October 9, 2009 5:32 AM | Report abuse


This sort of thing cracks me up, really it does. Why?

Maybe 10 years ago, I started being very cautious indeed when pulling money out of ATMs. Friends and family called me "paranoid". Within the year we got our first reports of "overlay ATMs" where criminals installed false-fronts over real ATMs and used them to capture combinations of card and password, and then made real withdrawals at real ATMs with real passwords and forged cards. That someone would try this eventually was obvious. Yet what is obvious to me is paranoia to most people. However, I did not lose any money, and many other people did. So who's "paranoid" and who's "stupid"? I still have my money.

Comparably with online banking, and even debit-card purchases at stores.

I pay cash even though I don't need to; I don't use credit cards and the debit card is a direct balance device that can't incur credit charges, and it's on an account that is specifically loaded beforehand with little more than I intend to spend. Paranoia? I don't know... but I do know I've had kids -- and African-national adults -- use their cellphones to try to capture my card numbers, taking photos over my shoulder as I stood at the clerk counter to pay for items. Since then, I am cash-only in person and very cautious about my online transactions.

The bizarre thing is this: I've had clerks be more than rude to me because I'm not helping them track my habits and assist their marketing -- and potentially enable stalkers/burglars -- by only ever paying with "plastic". I pay cash. I've even had clerks in bars tell me "since you don't pay with plastic we don't really know who you are, and so of course we're suspicious of you". This sort of mindset is what enables "phishing".

People have acquired the idea that all is well and good in the world of credit-cards and other charge/debit instrumentalities. It's not. Nobody should pay other than with cash or check if that is at all possible; in real-life situations such as bars or restaurants there is no substitute nor excuse to pay with anything other than cash, unless it's someone else's money you are risking, such as a business expense account. If you're shopping online, do it with a dedicated card on a dedicated account, debit-only. Anything else is rank idiocy.

My career is in information technology security and I assure you: the risks are profound and most people have not the least clue.

Posted by: thardman | October 9, 2009 7:14 AM | Report abuse

I still think Microsoft's abandonment of MS Money shows how afraid they are of a malicious Microsoft employee (working for Microsoft in another country [or an H1-B worker], perhaps) embedding some code to allow access to the end user's account information - perhaps at some future date opening an Internet port and transmitting the user access data...

Perhaps it has already been attempted and discovered somehow. It would have been a real wake-up call that would say..."time to get out of the money management business!"

Posted by: Sadler | October 9, 2009 8:49 AM | Report abuse

Surreptitious keystroke loggers are one thing, but impulsively putting one's vital information via an email link is another. E-banking is so much more efficient than paper. I've caught mistakes and even fraud early via online banking. One time I saw a bill for $1800K to hotels.com. The name of the person was middle eastern/Indian. My full money was refunded and my account number was changed. I go through my bank account carefully once a week.

Thieves can steal mail from mailboxes. They can hack these banking sites directly for SSN and DOBs. People just need to be careful. Computer awareness has been beaten down our throats for years however, people are still very careless.

Posted by: jabreal00 | October 9, 2009 9:06 AM | Report abuse

Hmm. The "benefits of the Internet" with respect to on-line banking and bill-paying? This technologically savvy guy has got to learn a little about cost-benefit analysis.
If you pay an average of 12 bills a month via mail, that's about $70 in postage. And what's the benefit of other banking on-line? Saving a few minutes on a trip to the ATM or bank branch when you're already out doing other errands. And if you need cash you still have to go, of course. Are those meager benefits really worth putting all of your cash wealth at risk? I don't see it.

Posted by: nadie1 | October 9, 2009 9:37 AM | Report abuse

I'm having a hard time thinking that the FBI Director almost got caught by the most common phishing scam in the world. Even my 90 year old in-laws know better.

Posted by: redoil | October 9, 2009 9:38 AM | Report abuse

One of the features of Microsoft's Internet browser and also in Outlook Express is the status bar. When this is displayed, any time you put your cursor over a link, the address of that link is displayed in the status bar. You normally know the internet address of any online banking or bill pay sites that you frequently use. When you place your cursor over a phishing scam link you will always see discrepancies in the address links that should clue you in to the fact that something is "Phishy". I always view my status bar before clicking on any link in an email to ensure I am going to the site I should be and not being led astray by some scam. If you are expecting to go to "http://www.bankofamerica.com" but the address link in the status bar says something like "http://20.65.223.41/lllkys/bankofamerica.ca" you can pretty much assume something is wrong. Even when just surfing the web, I always view my status bar when clicking on links. This is probably the easiest way to ensure your security on your own. I've had my own PC business and have purchased thousands and thousands of dollars of equipment over the internet and have done online banking with several banks over the past 18 years, and have only had one incident where someone tried charging $1.00 to my account, whereupon the bank immediately informed me of what was going on. It's a trick that online scammers use. They know if they can get a dollar out of your account, then their information is accurate and they can go back later and get what they want. Hope this helps you with phishing schemes.

Posted by: arthurrussell1 | October 9, 2009 11:01 AM | Report abuse

I bought a half a dozen netbooks. I'm thinking of using one for online banking only, plus personal finance and offline work. I will use a separate machine for e-mail, browsing and downloading files to an external drive.

I keep three accounts at the bank and keep very little in the checking account. Only that account number is "public". I add to the account as I spend or pay bills. I find the advantage of online banking is always knowing how much money is in your account. I visit my account at least 3 times a week.

Posted by: Beacon2 | October 9, 2009 11:07 AM | Report abuse

How surprising, when the FBI is full of computer-savvy people, like the ones who let SAIC run up a bill of more than $170 million for a computer system that was eventually discarded. Head of the FBI at the time? That's right, Robert Mueller. http://www.washingtonpost.com/wp-dyn/content/article/2006/08/17/AR2006081701485.html

Posted by: hairguy01 | October 9, 2009 12:33 PM | Report abuse

BruceRealtor--It isn't always women. All of us need to be alert at all times, online and off. My husband is an overconfident techie. But I'm the one who reads Brian Krebs and warns the husband what we need to implement. And years ago, when online banking scams barely existed, he got an online account with our major bank. I made him close it and replace it with an account at a small but solid bank we otherwise don't use. We put enough money in to pay our bills and if it's compromised, the damage is limited.

Posted by: neversaylie | October 9, 2009 2:25 PM | Report abuse

To Brucerealtor:
When you pick your women by their bust size or their docility, that's what you get. Pick for smart, you get smart. But then, they're with you...

Posted by: cab50151 | October 9, 2009 4:46 PM | Report abuse

For those who don't want to give up on the convenience of e-banking and the like altogether, one very well-advised habit is to always enter URLs into browsers explicitly. If people are educated in this and other easily-explained practices, the incidence of this kind of thing will drop.

One thing that would have to be part of this, though, is watching out for trick URLs that resemble real ones closely but are actually bogus.

In my own case, if I go to my bank's site, for example, I invariably enter the bank's home page URL and navigate from there. If you know your bank is at www.mybank.com and you stick with that, you're on good ground unless you're already infected with something like a keylogger.

Posted by: rhsimard | October 9, 2009 7:24 PM | Report abuse
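The link-inspection habit arthurrussell1 describes (compare the hostname the status bar shows against the bank's real domain) and rhsimard's warning about trick URLs that closely resemble real ones, as an added Python example that is not from the post or its commenters. The expected bank domain and the sample link targets are constructed for illustration; the check looks only at the hostname, so the bank's name in a path, query or look-alike prefix carries no weight.

```python
"""Classify a link target from an e-mail against the bank domain you expect.

Added example, not code from the original post. It automates what the
commenter does by eye: judge the link by its real hostname, not by whether
the bank's name appears somewhere in the URL text.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the one domain you actually use for online banking.
EXPECTED_DOMAIN = "bankofamerica.com"


def host_belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url, expected_domain=EXPECTED_DOMAIN):
    """Return (verdict, reason); verdict is "ok" or "suspicious"."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "suspicious", "link could not be parsed"
    if parts.scheme.lower() not in ("http", "https"):
        return "suspicious", "unexpected scheme %r" % parts.scheme
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no hostname in link"
    # Banks are not addressed by a bare IP (the commenter's 20.65.223.41 case).
    try:
        ipaddress.ip_address(host)
        return "suspicious", "host is a bare IP address"
    except ValueError:
        pass
    # "bank.com@evil.example" puts the bank name in the userinfo, not the host.
    if parts.username is not None:
        return "suspicious", "userinfo before the host"
    # Punycode labels can render as look-alike characters in some clients.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "internationalised (xn--) label in host"
    if host_belongs_to(host, expected_domain):
        return "ok", "host %s matches %s" % (host, expected_domain)
    # Trick URL: the brand appears, but as a prefix, path or query element.
    brand = expected_domain.split(".")[0]
    if brand in url.lower():
        return "suspicious", "bank name appears in URL but host is " + host
    return "suspicious", "host %s is not the expected bank domain" % host


if __name__ == "__main__":
    # Constructed link targets of the kind a status bar would reveal.
    for sample in ("https://www.bankofamerica.com/login",
                   "http://20.65.223.41/lllkys/bankofamerica.ca",
                   "https://bankofamerica.com.account-verify.example/",
                   "http://www.bankofamerica.com@evil.example/"):
        print(classify_link(sample), "<-", sample)
```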

I was tempted to do online banking, but soon realized there is nothing that hackers cannot hack. I have no financial information online. We only use one CC for internet purchases. Sure that number could be hacked, but it's only one number. I pay most bills using automatic EFTs. The cost of a stamp for the rest lets me sleep better at night. I know there are other methods to gain financial info and SSNs, but I will not do things to make the hackers' thefts easier.

Posted by: Mcgruff1 | October 9, 2009 9:24 PM | Report abuse

The bad guys are just getting better. In case you had not yet heard of it, a new Trojan, URLZone, may be the "best" ever.

First, it steals your online banking credentials, enabling the cracker to wire money to his account. But, it also has coding so that when you log into your online bank account, it alters the HTML code sent to your browser so that you don't see the fraudulent transaction.

Be afraid. Be very afraid.

-- Michael Seese, author of "Scrappy Information Security"

Posted by: MichaelSeese | October 10, 2009 12:16 AM | Report abuse

It turns out that checks are significantly less secure than credit cards. The consumer protections in place for checks are much weaker than for credit cards (even closed accounts can be reactivated, you have a limited period of time to contest fraudulent activity, anti-fraud measures are weak, and your money is gone while you're arguing with your bank). Never use anything but credit cards for non-local payments (or maybe cashier's checks, but that's probably non-feasible for most people). For local payments, cash is an option. Checks are good never. Yes, it can be a pain to fight credit card fraud--but you are much better off fighting a charge than fighting to recover lost assets.

Posted by: SecurityLuddite | October 13, 2009 11:07 AM | Report abuse


© 2010 The Washington Post Company