Internet Cafe

[rishi]

See my post #5 where I explain that.

It's absolutely foolproof.

The problem is that many countries (read: Banks) still use old fashioned internet-banking systems.

LaoPo

It's really not so much a question of banks being technologically "oldfashioned" in their choice of security systems.

Yes, for someone using a internet cafe in Thailand one-time passwords and physical devices creating these are definetely more secure. But for the vast majority of people, who log on to their Internet Banking system from their home or work PC, a personal password and a private/public key set-up is safe enough and much more convenient to use. And believe me, the customers do not want anything too complicated.

My own bank gives me an option of either set-up.

Sophon

Hi there,

I totally agree that those hand held devices that generate a ONE TIME USE password are incredibly secure! But most people don't have them.

I do not understand what you mean by

personal password and a private/public key set-up is safe

Could you please spell out exactly what you mean by that?

Thanks!

I know what the guy is talking about ... But frankly, wouldn't it be quite stupid to post details on various security measures on a public forum?

[RAZZELL]

Wouldn't it just be easier to buy a laptop???

[rishi]

Wouldn't it just be easier to buy a laptop???

Be sure not to have anything confident sitting in/on shared drives/folders.

[jimjom]

Thank's guy's for all your answer's.

After what i've heard i've decided i won't be using an internet cafe for my banking.

But that bring's up another question, should i buy a computer in LOS or buy a laptop in the UK?

Anyway thank's again,

Jimjom.

PS this website has been an excellent source of info for my upcoming adventure, long may it last.

[Rice_King]

Wouldn't it just be easier to buy a laptop???

Even if a person were to use their own laptop at an internet cafe, it is still possible they could be a victim of a packet sniffing application like THIS one running on the cafe's network.

The utility, Torpark that I mentioned earlier, should at a minimum, provide the user a secure web browser. For other internet applications, the user's data would pretty much be wide open.

--RK

[monochaser]

I knew a guy who was using a net cafe for his net banking. One day he checked his bank profile info and he found his home address was changed to an address in england. I told him about the keylogger thing and that likely it was a customer of the net cafe rather than the owner. He was oblivious to the whole keylogger thing

[francois]

hi'

all so called security solution for password safe etc ... are not as secure as you may say!

most of them have a turn around already, cracked or copied ...

just follow my advice, don't do private in non private!

ask a friend, you may use your laptop for this

and be sure that his home network is safe!

francois

[ROFL]

As everyone has said, just say NO to banking at an internet cafe.

That being said one feature my bank offers is that any time there is activity on my online account an email is sent to me. That goes for transactions and logins.

You can access this with your email, in fact you can set it up so that you get an sms from your email accont....sure that can get pretty crazy if you get lots of emails but Ive set up an email account just for my banking so I dont get spam or messages from anyone but the bank. That prevents me from getting an message every time someone sends me the latest whacky video to watch message.

One other good feature my bank has is that if I were to use a different computer I have to answer question about myself and then either acknowledge the computer as one I will use for online banking or if its just a one shot deal.

Nothings 100% full-proof, but using an unsecure computer or network is asking for trouble.

[LaoPo]

As everyone has said, just say NO to banking at an internet cafe.

You obviously didn't read my posts

LaoPo

[xyz]

As everyone has said, just say NO to banking at an internet cafe.

Shame! Not everyone said that.

[xyz]

If a keylogger gets your password for online banking, what harm exactly can they do?

The only way a keylogger can withdraw money from my account is to provide a valid name, an US phone number, and an US address to which a check would be mailed. I have 14 days after the check is mailed to orally stop payment, so there will be enough time to (1) detect this change in my account, (2) stop payment on the check, and (3) report this crime to the proper authorities. So, keyloggers can only harm themselves by this.

[Thaiquila]

If a keylogger gets your password for online banking, what harm exactly can they do?

The only way a keylogger can withdraw money from my account is to provide a valid name, an US phone number, and an US address to which a check would be mailed. I have 14 days after the check is mailed to orally stop payment, so there will be enough time to (1) detect this change in my account, (2) stop payment on the check, and (3) report this crime to the proper authorities. So, keyloggers can only harm themselves by this.

Yes, I brought up this detail before. I was wondering exactly what harm a keylogger could do if he took over an online banking account IF he was unable to set up a transfer to an outside account. Anyone who knows what they could do, please let us know. I have a feeling there are sophisticated identity theft methods where they could do harm. Of course, a keylogger could steal your info from a credit card transaction and spend like a madman before you found out, and in most cases you could get your money back, but not without a good bit of hassle and clearing up of identity theft types of issues. All in all, you really want to keep that info private.

[PMK]

Great tip on the Torpark program.

Thanks,

Peter

I have been in your situation JimJom. As a minimum, I carry a USB thumb drive that I have installed two utilities on. One is Torpark and the other is Password Safe . Both of these utilities are FREE.

From the Torpark FAQ:

Torpark can be used to circumvent censorship firewalls, like at work or in China. It can also be used to substitute a current proxy configuration, such as if a DNS server refuses to allow resolution of some domains. And best of all, if there are no key loggers secretly installed on the machine, nobody is going to know where you went, what you saw, who you spoke to, or what you said. It is all encrypted in a tunnel between your computer, and at least three others somewhere in the world. Only after your data has passed through the encrypted and constantly changing tunnel (a tor circuit) will it reach the internet as unencrypted. The data from surfing the internet goes through the same tunnel as well, passing back to you encrypted, where your computer uses Tor to decrypt it to the Torpark browser. When you need a secret and secure tunnel to surf the internet, Torpark is your mobile solution.

--RK

[Prasert]

I do it all the time....can't get wrong! Absolutely foolproof!

WHY?

My bank (Europe) has a so called e.dentifier given out to every single client.

Let me guess..........ABN Amro?

The idea behind this form of security is one-time passwords.

For each action (logging in or confirming transfers) you are sent a challenge code, you type it in on your token (in this example the e.dentifier) and the password (response code) appears on your token - and you type it in on the webpage.

Each response code (=password) can only be used one time only. After usage, these codes are completely useless to any keylogger.

If your bank uses this method, it's probably safe to do online banking on a public computer. Rebooting the computer before you do your banking is not a bad idea.

If your bank does not use one-time-passwords, do not do online banking on a public computer. It's worth buying a laptop and do it on your own equipment.

[Maestro]

I've seen (but not used) some internet banking systems where you need both a password and an access code that is generated by a small piece of hardware you carry around. The access code changes with time, and is only useful to login with for a couple of minutes.

A good point. The original poster does not tell us what login procedure his bank uses.

I am familiar with the system to which you refer and as far as I can see it would indeed thwart any attempts of a key logger to get access to my account.

With the limited information provided by the original poster, the only advice I can give him is to avoid Internet cafés for online banking.

---------------

Maestro

[LaoPo]

I do it all the time....can't get wrong! Absolutely foolproof!

WHY?

My bank (Europe) has a so called e.dentifier given out to every single client.

Let me guess..........ABN Amro?

The idea behind this form of security is one-time passwords.

For each action (logging in or confirming transfers) you are sent a challenge code, you type it in on your token (in this example the e.dentifier) and the password (response code) appears on your token - and you type it in on the webpage.

Each response code (=password) can only be used one time only. After usage, these codes are completely useless to any keylogger.

If your bank uses this method, it's probably safe to do online banking on a public computer. Rebooting the computer before you do your banking is not a bad idea.

If your bank does not use one-time-passwords, do not do online banking on a public computer. It's worth buying a laptop and do it on your own equipment.

Correct. I use the system on all my travels in the Far East, even from public internet cafes for payments. The system is NOT hackable with the one time only password-number-codes, wich you have to reconfirm with different (non-re-usable) pass-codes all the time, before the payment is actually transferred.

I repeat an earlier message:

Even in the case they would steal the e.dentifier AND my bankpass they would have to overcome a lot of hurdles:

1. get access to my bank-website -in my local language ( ) with my password AND accesscode...(complicated)

2. they would have to know my bankaccount-number

3. have to know (see 1) the language and the system HOW to transfer money; even for a hacker an extremely difficult operation.

If they make 1 or more mistakes, the bankcomputer will cut the 'operation'.

LaoPo

[nikster]

As everyone has said, just say NO to banking at an internet cafe.

You obviously didn't read my posts

LaoPo

But everybody _should_ say that.

I am a fulltime software engineer and I would never, ever use an internet cafe's computer to do my banking. The cafe's computer is basically compromised and untrustworthy. It can do _anything_. Not because the cafe's owner wants to steal from you but because he caught one of the zillions of viruses that manipulate the computer in any way they can. To give you an idea what's possible and what's already implemented in the latest most sophisticated viruses:

- Disable any and all anti-virus software. AV software is useless except for those people who really can't stop themselves from clicking on attachments in emails. Ok, also for those people who don't know how to disable the multitude of open ports that windows is listening on - there are programs which do that for you though so it's not that hard (Secure-IT for example).

- Display fake web pages. I agree that the devices that have one-time and time-dependent passcodes are the safest. HSBC has those. The process in detail:

-- You enter the internet address of your bank back home (wherever)

-- The virus detects that and redirects you to a fake website which looks exactly the same. The browser's address bar still displays the original site.

-- You enter your 5 super secure one time passcodes, the page displays an error

-- At this point, the virus could contact its home server which could transfer money out of your account within minutes. There are no known viruses out there that do that as of now, but its only a matter of time. The best they can do right now is capture the info and enter it manually which means passcodes that are good only for a few minutes will still be safe. It's not going to take long though, there is no technical reason they should not be able to automate these things.

PS: Bringing your own web browser certainly improves security but its still unsafe. For example if the virus installed a hidden proxy, bringing your browser won't help you at all. The virus is installed at a much deeper level where your computer decides which IP addresses to map a domain to.

To sum it up, the situation you are in is as follows: Imagine you have a friend, Joe, and all your communications to and from your bank must go through Joe. Joe is the machine you use for internet banking. Joe better be very trustworthy or you are screwed.

As for "security because it's a different language": Laughable, the hackers that installed the virus probably _are_ from your home country, or more likely, will sell the information to people who do speak your language. This is a global business.

Here's how to do it securely:

1 - Buy a Mac

2 - Connect the mac to the ethernet cable in the internet shop or WiFi.

It's 100% secure. There is not a single known virus for macs out there, and there won't be one any time soon. It's a bit harder to hack macs but the main reason it won't happen is that hackers will go for the low hanging fruit first and that will be windows with 98% market share.

Is $1300 you pay for a MacBook worth the security? Depends on your bank account, but for me, definitely.

If you must use a PC and don't know anything about computers, you can connect that to the internet in internet cafes too, but you have to install the firewall and keep it updated at all times and have an AV program that you keep updated at all times. In the end, it's probably safe but still more risky.

Edited June 7, 2006 by nikster

[peterjackson]

Hey

Just a little correction to the above post.....

It's 100% secure. There is not a single known virus for macs out there, and there won't be one any time soon. It's a bit harder to hack macs but the main reason it won't happen is that hackers will go for the low hanging fruit first and that will be windows with 98% market share.

Apparently the future is here now...... Mac Viruses and also the new threat for Macs as Windows gets more secure.....More Mac Attacks To Come

Regards

Peter

[nikster]

I do it all the time....can't get wrong! Absolutely foolproof!

WHY?

My bank (Europe) has a so called e.dentifier given out to every single client.

Let me guess..........ABN Amro?

The idea behind this form of security is one-time passwords.

For each action (logging in or confirming transfers) you are sent a challenge code, you type it in on your token (in this example the e.dentifier) and the password (response code) appears on your token - and you type it in on the webpage.

Each response code (=password) can only be used one time only. After usage, these codes are completely useless to any keylogger.

If your bank uses this method, it's probably safe to do online banking on a public computer. Rebooting the computer before you do your banking is not a bad idea.

If your bank does not use one-time-passwords, do not do online banking on a public computer. It's worth buying a laptop and do it on your own equipment.

Correct. I use the system on all my travels in the Far East, even from public internet cafes for payments. The system is NOT hackable with the one time only password-number-codes, wich you have to reconfirm with different (non-re-usable) pass-codes all the time, before the payment is actually transferred.

I repeat an earlier message:

Even in the case they would steal the e.dentifier AND my bankpass they would have to overcome a lot of hurdles:

1. get access to my bank-website -in my local language ( ) with my password AND accesscode...(complicated)

2. they would have to know my bankaccount-number

3. have to know (see 1) the language and the system HOW to transfer money; even for a hacker an extremely difficult operation.

If they make 1 or more mistakes, the bankcomputer will cut the 'operation'.

LaoPo

This system is indeed safe from currently available viruses / current hacks out there.

I would not be afraid that the e.identifier is stolen - that's really unlikely and can't be done at a large scale. Dangerous are only attacks that scale easily and that can be done over the internet, like a virus that grabs TAN codes and so on. There, it makes sense to expend time and effort for hackers. Large scale theft of e.identifers is not going to happen.

While the NSA could probably crack your e.identifier, the effort required isn't worth the gains.

One question: How long are the codes that you enter in the e.identifier, how many characters? Do you know anything about the encryption built in? I am guessing it's serious but I would like to know.

OK, I did come up with a plan to hack your super secure system. Imagine I wrote a virus that controls the computer in the internet cafe and you are using it. I am also familiar with ABN AMRO's system, easy enough.

Now, you go through all your steps with the challenge response system. You are correct that I can't change or hack these challenge response code, but how long are these codes? In order to be safe the challenge response code would have to encrypt the amount and destination of a money transfer, say.

If not - and I * BET * they don't do that - then I, as man in the middle, could just change the amount transferred and the destination account. So you transfer EUR 5000 to your Thai bank account, but I make it EUR 12000 (or whatever your single transaction limit is) to a russian account. You will never know because I control the display of your computer - I will display what you want to see. To the bank, I give other information, like the russian account # and 12000 or whatever your max. transfer amount is.

BTW - as software engineer, I can tell you that it would maybe take me a week or two to write a program that can do that, and incorporate it into one of the readily available and very sophisticated virus creation kits. I don't have to write the virus, I can just assemble it from existing pieces.

How likely is it that this will happen? Well - we don't know but it's pretty certian it will happen someday. Until then, you are perfectly safe.

My previous recommendation stands: Buy a Mac laptop and use that. It doesn't get more secure than that.

Edited June 7, 2006 by nikster

[silvero]

I agree, a AV and a firewall is an absolute must, whatever you are doing on the internet with a PC, a spyware program which monitors program installs and file changes e.g hosts file is also useful. You can get this software for free too so everyone should be using it.

The thing that scares me most about internet cafes in Thailand, is that the OS is usually completely open with no control on what users can and can't do.

That means you not only have to worry about tech-savvy net cafe operators being criminals (who knows but I'd tend to think that it was relatively rare), the previous user unwittingly installing virus/trojan/keylogger/[insert malware] (probably very common), but you also have to worry whether the shifty-looking guy sitting next to you is installing some uber-banking-theft program!

That's too much risk for me. Anyone with a mobile phone and a PC/notebook/PDA or even using some handsets alone can use GPRS to access the internet using a private connection for their financial stuff, it doesn't cost much to get set up and you can do it from anywhere. Anyone who doesn't know how and wants to just PM me and I'll point you in the right direction.

[nikster]

Hey

Just a little correction to the above post.....

It's 100% secure. There is not a single known virus for macs out there, and there won't be one any time soon. It's a bit harder to hack macs but the main reason it won't happen is that hackers will go for the low hanging fruit first and that will be windows with 98% market share.

Apparently the future is here now...... Mac Viruses and also the new threat for Macs as Windows gets more secure.....More Mac Attacks To Come

Yeah... that's FUD. Proof of concepts. "Potential" security weaknesses. There is not a single Virus for the Mac out in the wild as of this time. Read these articles again, and closely, and see what they say.

This information is dispersed frequently by Anti Virus Software companies. I believe they even sell AV software for macs. And I always wonder: Given that there is not a single known Virus for Mac out in the wild, what on earth are they selling this software for and who's buying it and why? Well, people who don't know and think "better safe than sorry", for example.

I repeat: As of this time, there are no known Viruses for Macs in the wild. There are numerous scare-mongering reports of how you could potentially write one. But if you wanted to do it for profit, for example to target online bankers, it would be a lot easier to take any known and well-working windows virus and modify it to your needs. It's questionable if a mac virus would spread properly. No one has done it. Until the time where there is an actual information-stealing mac virus out there, the fact remains: There is NO known Mac virus out in the wild.

As much as Symantec, Sophos, and MacAfee hate that.

On Mac, you have a potential and very small and completely unproven chance that someday there may be a virus. On Windows, you have literllly millions of viruses available *right now* with more being produced every day.

I am going to remain smug until someone can point me to a single mac virus. Please - give me the URL

[peterjackson]

Hey

I don't want to get into semantics are be pedantic here, but the report says .....''Therefore, it is correct to call OSX/Leap-A a virus ...''

If you can't concede that this is a fact, never mind. It is what it is. Regardless of your view or interpretation.

Regards

Peter

PS: I can't give you the URL for the NSA Staff handbook in pdf format for Menwith Hill, but it doesn't mean that is doesn't exist. You'll just have to believe me, that it does.

Edited June 7, 2006 by peterjackson

[nikster]

Hey

I don't want to get into semantics are be pedantic here, but the report says .....''Therefore, it is correct to call OSX/Leap-A a virus ...''

I want to point out that I said there is no known Mac virus out in the wild. Leap-A certainly doesn't propagate

Like I said, security companies have a vested interest to stir up fear in computer users.

Be assured that I will change my opinion as soon as there is the first serious attack on Macs. Until then, I will advice newbies that Macs are safe because the security issue which is very real and threatening on Windows is non-existent on Mac.

Anyway, not sure what the point is... the fact remains that when you have a Mac, you won't have a virus. I know loads of mac users and none of them run any kind of AV software. The problem doesn't exist on Mac. I don't say it's impossible. It just doesn't exist.

[Crushdepth]

- Display fake web pages. I agree that the devices that have one-time and time-dependent passcodes are the safest. HSBC has those. The process in detail:

-- You enter the internet address of your bank back home (wherever)

-- The virus detects that and redirects you to a fake website which looks exactly the same. The browser's address bar still displays the original site.

-- You enter your 5 super secure one time passcodes, the page displays an error

-- At this point, the virus could contact its home server which could transfer money out of your account within minutes. There are no known viruses out there that do that as of now, but its only a matter of time. The best they can do right now is capture the info and enter it manually which means passcodes that are good only for a few minutes will still be safe. It's not going to take long though, there is no technical reason they should not be able to automate these things.

Using a Mac may give good protection against viruses but it doesn't protect you against other kinds of attack. The redirect/phishing scenario above could easily be carried out by the cafe admin (or a hijacker) directly, no virus required. I have never met anyone that checks the certificates of 'secure' websites to see *who* they are actually securely connected to before entering their details, so they would almost certainly get away with it.

Now, you go through all your steps with the challenge response system. You are correct that I can't change or hack these challenge response code, but how long are these codes? In order to be safe the challenge response code would have to encrypt the amount and destination of a money transfer, say.

If not - and I * BET * they don't do that - then I, as man in the middle, could just change the amount transferred and the destination account. So you transfer EUR 5000 to your Thai bank account, but I make it EUR 12000 (or whatever your single transaction limit is) to a russian account. You will never know because I control the display of your computer - I will display what you want to see. To the bank, I give other information, like the russian account # and 12000 or whatever your max. transfer amount is.

Every online banking system I have seen is based on strong encryption so unless they bugger up implementation some how the odds of you being able to do this are extremely low. If they weren't the banks would be out of business in a few days.

Anyway, nothing is 100% safe.

[Maestro]

Every online banking system I have seen is based on strong encryption so unless they bugger up implementation some how the odds of you being able to do this are extremely low. If they weren't the banks would be out of business in a few days.

Too many banks still require only a username and password to log on and order transfers. Apparently, this information can easily be stolen with a key logger.

Crushdepth, what login procedure does your bank use?

--------------

Maestro

[LaoPo]

One question: How long are the codes that you enter in the e.identifier, how many characters? .

Steps:

1. put card in e.dentifier

2. log-in your personal code # 4 numbers which is encrypted

3. log-in to bank website with your membername (9 letters) + codenumbers (8 letters+2 numbers)

4. log-in with your bankaccountnumber (9 numbers)

5. log-in passcard number (3 numbers)

6. than put in code you receive from website into e.dentifier (1 time only) 8 numbers

7. than you get a respond code from e.dentifier and fill in on website

8. You are IN

9. make payments will a number of steps with 1-time steps with codes (numbers) and repeat that 2 or 3 times AND the website will ask for confirmations and re-confirmations all the time, with different codes.

(If a hacker would come that far, he would have to know HOW the banksystem for payments works (in a language he would not understand) and a foreign transfer (from my local country-bank to another foreign (-Thai-) bank is NOT carried out immediately but is checked by a separate 'desk' at the bank-headquarters;

i.e. money-transfers out-of-country are checked (government policy) , and, if any suspicious transfer, the client will be contacted first, before transmitting the amount.)

10 Log-out.

NOTE: a poster said that you could be transferred to a identical FAKE-website and ask for another code; this is very suspicious and NOBODY (clever) would follow that because it is not common policy of the bank.

IF the website is OUT of the air so to speak there is a notification on the mainpage that the website is out and you're asked to try at a later stage.

But, hey, why don't you ask or tell the bank their system is not fool-proof; they might give you a well-paid job!

LaoPo

[Crushdepth]

Too many banks still require only a username and password to log on and order transfers. Apparently, this information can easily be stolen with a key logger.

Crushdepth, what login procedure does your bank use?

Just a username and password over an 3DES-encrypted SSL connection It's enough for me as I don't do my banking in internet cafes, and I usually check the certificates when using someone else's network.

But if you need to use public internet facilities then I agree that a stronger system would be better.

[Prasert]

In addition to LaoPo's comments:

This system is indeed safe from currently available viruses / current hacks out there.

I would not be afraid that the e.identifier is stolen - that's really unlikely and can't be done at a large scale.

Would be useless too. Each and every e.dentifier is exactly the same!

The token calculates the response code with the information stored in the chip on the bankcard. This combination makes the e.dentifier more secure: the token is useless without the bankcard and can be exchanged with another e.dentifier in case it doesn't function anymore.

Redirecting traffic to the bank, displaying a bogus website and thus playing the man-in-the-middle: I've never seen it. Might be possible....... maybe if you're using a public computer in Nigeria

[Taggart]

I decided to put this here, since there are already some good posts related to security on this old thread. No, it didn't happen in an internet cafe, but the theft of a brokerage account happened while the guy was on a business trip to China from the U.S.

-----------------------------------------------------

MSNBC

Posted: Friday, January 5 at 04:00 am CT by Bob Sullivan

One moment Dave DeSmidt had $179,000 in his 401(k) retirement account, the next he had nothing. In an instant, 25 years of savings had disappeared.

With a few clicks, someone raided DeSmidt’s retirement account with J.P. Morgan & Co and ordered a full disbursement to a private checking account.

Then came the really bad news. While credit card and online banking accounts are legally protected in the event of fraud, DeSmidt’s brokerage account came with no such insurance. Two months after the theft, his balance still read $0.

With hacking of brokerage accounts increasing, the legal gap facing DeSmidt and other victims has regulators and critics debating the need for new consumer protections.

‘I don’t have a clue’

The theft was the shock of a lifetime for DeSmidt, who plans to retire in a few years with his wife in their Mukwonango, Wis., home.

"That was a pretty good chunk of what we were going to retire on," DeSmidt said. "I don't have a clue how it happened."

The theft occurred on Oct. 23, while DeSmidt was on assignment for his company in China, near Shanghai. Just before lunch, someone else logged onto J.P. Morgan's Web site from a computer connected to the Internet through Comcast Cable Communications in Cherry Hill, N.J., and entered DeSmidt's user ID and personal access code.

While DeSmidt slept on the other side of the world, his imposter found that he had a balance of $179,000.43 in his account. A few more clicks, and the DeSmidts’ linked checking account was changed to a Bank of America account and an electronic transfer of all available funds was requested.

A report by J.P. Morgan suggests the criminal was a bit anxious, perhaps disbelieving the good fortune of hacking such a valuable account. The imposter logged in again from the same computer 41 minutes later, at 1:06 p.m., and again at 11:30 p.m. to review the pending transaction.

The next day, the money was sent to Bank of America. The name on the checking account didn't match the name on the 401(k) account, but that discrepancy didn’t raise a red flag high enough to halt the transfer.

DeSmidt didn't know it yet, but a quarter century worth of savings and investment gains had just disappeared.

The theft wasn’t tax-efficient. Since DeSmidt isn't yet of retirement age -- he’s 57 -- there were severe penalties for the early 401(k) withdrawal, and J.P. Morgan held back about $35,800.09 to pay these taxes. Still, it was a good day's work for the hacker. The company sent the remaining balance -- $143,200.34 -- to an account under his or her control.

SEC: Brokerage attacks ‘on the rise’

Computer criminals have made the logical progression from credit card fraud to online bank attacks and now to big-ticket brokerage accounts, analysts say.

Hacker attacks on brokerage accounts make sense from a criminal’s point of view. Brokerage accounts tend to have higher balances, making them worthwhile targets. And while a six-figure transfer out of a checking account would surely trigger fraud pattern detection software, large transfers from brokerage accounts are fairly standard.

John Reed Stark, chief of the Securities and Exchange Commission’s Office of Internet Enforcement, acknowledged that online brokerage hacking is “on the rise” and warned of possible consequences for consumers.

With simple credit card fraud, customers need only call their bank and refuse to pay for an item, he said, but brokerage account hacking is much more dramatic.

“People need to understand this kind of fraud,” Stark said. “This is very serious stuff. … People wake up in the morning, look in their account, and their money is all gone.”

Stark said any consumers who have encountered brokerage account fraud should contact his office for assistance at [email protected].

Covering tracks

Criminals who target brokerage accounts clearly know their craft. A day after successfully transferring DeSmidt’s money out of the 401(k) account, the hacker started trying to cover his or her tracks.

On Oct. 25, logging in through an SBC Internet Services connection in San Francisco, the criminal deleted the Bank of America account information from DeSmidt's account. Four hours later, using a Cox Communications connection out of Atlanta, the hacker re-entered DeSmidt's original checking account information. Other than the zero balance, there were no obvious signs remaining of the hacker’s visits.

A few days later, DeSmidt checked his retirement balance online, as he does regularly, and spotted the theft. Then the paperwork nightmare began.

"This has been very stressful,” he said. “My wife is going crazy."

A flurry of e-mail, faxes and registered letters followed. JP Morgan ordered an investigation, and sent the results to DeSmidt on Dec. 1.

"J.P. Morgan concludes there was no external or internal breach of controls with the J.P. Morgan environment," the report said. "Access and authentication controls established within J.P. Morgan worked appropriately."

The report dismissed the possibility that the crime was an inside job, as the request came from outside computers and the criminal knew DeSmidt's user name and password.

The report's conclusion: "Investigation Status: Closed."

It wasn't clear to DeSmidt what that meant; the firm never said it wouldn't issue a refund. But he was stuck in limbo, awaiting further instructions.

Promised a refund

Two more weeks passed, and DeSmidt started to fear his retirement money was indeed gone for good. By the time he contacted MSNBC.com, he said he had written to every government agency he could think of to no avail and hadn’t been able to find a lawyer willing to take his case.

"I can find lots of attorneys that will defend me if I am the one accused of the crime," he wrote.

DeSmidt's story, however, had a happy ending.

When MSNBC.com contacted J.P. Morgan, the firm said its continuing investigation had borne fruit. Spokeswoman Mary Sedara said the stolen funds had been recovered and would be refunded in time for Christmas. The firm would even make good on any market gains DeSmidt missed out on while the money was missing, she said.

The story didn't have to end this way, though.

Few consumers appreciate the fact that, unlike credit card and checking account transactions, there are no federal consumer regulations specifically protecting consumers in the event of brokerage account hacking, said Gartner fraud analyst Avivah Litan. And with hackers targeting investment accounts more frequently, the legal loophole could leave investors with some ugly surprises.

'They need to protect the assets'

"This should be a call to action for the regulators," she said. "They are never going to protect against all the (criminal) methods. They need to protect the assets."

Both credit card transactions and electronic account transfers, such as online banking payments, are governed by Federal Reserve regulations that strictly limit consumers’ losses from theft. Consumers who report credit card fraud are only liable for $50; liability for fraudulent checking account transfers is capped at $500 if the consumer reports the theft within 60 days. Refunds for checking account thefts must generally be issued within 10 days.

The regulations are designed to boost confidence in the systems. But the Federal Reserve doesn't regulate investment firms, and the Securities and Exchange Commission doesn't mandate any similar protections for brokerage accounts.

And Desmidt's tale is hardly an anomaly. Last year, several trading firms revealed they were hit by hackers. E-trade, for example, reported in October that it had lost $18 million to crime rings based in Eastern Europe and Thailand.

Despite the lack of legal compulsion, some investment firms have taken to offering broad consumer protections anyway. Both e-trade and Charles Schwab offer credit-card style guarantees. Money stolen from Charles Schwab's Web site will be returned to consumers as long as the theft is reported in a timely way, said Schwab's Greg Gable.

'We want people to feel secure'

"There is a fundamental business need to do it," Gable said. "We don't want clients concerned about the safety of their assets. … We want people to feel secure."

Gable wouldn't say how many Schwab customers had asked for theft refunds, saying only such cases were "very rare."

Stark said that in every recent case of brokerage hacking he’s familiar with, consumers who complained have received full refunds. But the largesse is voluntary – unless the brokerage makes a clear promise like Schwab or e-Trade -- and it may not last forever.

“Firms are reimbursing everyone (who) has that kind of loss,” he said. “But they didn’t always do that (and) I don’t know how long they can continue doing it.”

Brokerage account hijacking has the attention of regulators, but at the same time criminals are getting cleverer. In late December, the SEC moved to stop a pump-and-dump scheme involving an Estonian firm.

The SEC said the firm's Russian owner earned $350,000 by purchasing penny stocks, then hacking into other investors' accounts and purchasing large blocks of the stock before selling his own shares at inflated prices.

Web-based investing scams have DeSmidt's attention, too. He is grateful JP Morgan promised to return his funds, but he's not about to let lightning strike twice. He told the company to shut down Web access to his accounts.

"I prefer to keep the account access only over the telephone for now," he said.

[Hmmm]

Option 1:

TorPark

Non-keyboard encrypted password storage and entry ...

http://www.roboform.com/pass2go.html

Option 2:

Software keylogger detectors, eg ...

http://dewasoft.com/privacy/kldetector.htm

http://www.spydex.com/advanced-anti-keylogger.html

http://www.snapfiles.com/get/kldetector.html

Also, look out for hardware key loggers ...

http://www.keyghost.com/sx/advantages.htm

Option 3:

Stay home