Last Updated: 07/27/2016

Thieves Hack Their Way Into Online Accounts

LOS ANGELES -- Bank customers know to shield their ATM passwords from prying eyes. But with the rise of online banking, computer users may not realize electronic snoops might be peeking over their shoulder every time they type.

In a twist on online fraud, hackers and identity thieves are infecting computers with increasingly sophisticated programs that record bank passwords and other key financial data and send them to crooks over the Internet.

That's what happened to Tim Brown, who had account information swiped out of his PC. "It's scary they could see my keystrokes," said Brown.

"This even staggered us," said Alex Eckelberry, president of Sunbelt Software, which found that the so-called keylogger program installed itself in a way most anti-virus software could not block. Such security breaches are on the rise, even as other sorts of Internet scams decline.

Many users, for instance, know not to reply to unsolicited "phishing" e-mails requesting financial information, even if the requests appear to have been sent by a bank.

But the number of programs aimed at stealing passwords more than doubled in the same period.

The keylogging programs can install themselves after computer users open faked e-mails, instant messages or even advertisements on web sites. Then they record everything typed on a computer -- or just what's typed during user visits to specified financial sites. Such information is sometimes sent to the hackers in neat bundles, with a column for the relevant financial web site followed by columns for the user's login name and password.

So far, such purloined information has been used to access accounts one by one, by impersonators who withdraw or transfer cash.

But recently, thieves have been working to automate more of the process, potentially enabling attacks on thousands of accounts simultaneously.

Automated Attacks

One financial institution has already seen attempted withdrawals that occurred in alphabetical order by the names of customers, said Amir Orad, executive vice president at Cyota, which provides anti-theft services to banks. He declined to identify the business.

At Corillian, one of the largest developers of online banking programs, chief security executive Jim Maloney said he had detected one criminal testing the validity of "10 or 20 accounts" within a minute from a single computer, strongly suggesting an automated verification system. Those tests, he speculated, were a prelude to choosing which accounts to target or to sell information on.
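The two signals described above, rapid validity checks of many different accounts from one machine and withdrawal attempts arriving in alphabetical order by customer name, are both things a bank's fraud team can look for in its own logs. The following Python is an added illustration of that kind of check; it is not code from Cyota, Corillian or the article. The log records are constructed for the example (the IP addresses are from the RFC 5737 documentation ranges), and the thresholds (ten distinct accounts in a 60-second window, a run of six names in sorted order) are assumptions chosen to match the numbers in the text, not tuned values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample authentication records (not real data):
# (ISO timestamp, source IP, account name, login outcome).
SAMPLE_AUTH_LOG: List[Tuple[str, str, str, str]] = [
    ("2005-08-14T10:00:01", "203.0.113.7", "adams", "fail"),
    ("2005-08-14T10:00:05", "203.0.113.7", "baker", "ok"),
    ("2005-08-14T10:00:09", "203.0.113.7", "chen", "ok"),
    ("2005-08-14T10:00:12", "203.0.113.7", "diaz", "fail"),
    ("2005-08-14T10:00:15", "203.0.113.7", "evans", "ok"),
    ("2005-08-14T10:00:20", "203.0.113.7", "fischer", "ok"),
    ("2005-08-14T10:00:24", "203.0.113.7", "garcia", "ok"),
    ("2005-08-14T10:00:30", "203.0.113.7", "hughes", "fail"),
    ("2005-08-14T10:00:33", "203.0.113.7", "ito", "ok"),
    ("2005-08-14T10:00:41", "203.0.113.7", "jones", "ok"),
    # An ordinary customer mistyping once and retrying from home.
    ("2005-08-14T10:01:00", "198.51.100.20", "smith", "fail"),
    ("2005-08-14T10:01:30", "198.51.100.20", "smith", "ok"),
    ("2005-08-14T10:05:00", "198.51.100.20", "smith", "ok"),
]

# Constructed sample of withdrawal attempts: (ISO timestamp, customer surname).
SAMPLE_WITHDRAWALS: List[Tuple[str, str]] = [
    ("2005-08-14T11:00:00", "abbott"),
    ("2005-08-14T11:00:07", "bauer"),
    ("2005-08-14T11:00:13", "carter"),
    ("2005-08-14T11:00:21", "dunn"),
    ("2005-08-14T11:00:28", "edwards"),
    ("2005-08-14T11:00:35", "flores"),
    ("2005-08-14T11:02:10", "brown"),
    ("2005-08-14T11:02:55", "lee"),
]


def distinct_accounts_per_source(records, window_seconds: int = 60) -> Dict[str, int]:
    """For each source IP, the largest number of *distinct* account names tried
    within any sliding window of window_seconds. Retries of one account do not
    count extra, so a legitimate user fixing a typo stays at 1."""
    per_source = defaultdict(list)
    for ts, ip, user, _outcome in records:
        per_source[ip].append((datetime.fromisoformat(ts), user))
    result: Dict[str, int] = {}
    for ip, events in per_source.items():
        events.sort()
        window = deque()
        in_window = defaultdict(int)   # account name -> occurrences inside the window
        best = 0
        for t, user in events:
            window.append((t, user))
            in_window[user] += 1
            # Drop events that fell out of the window before counting.
            while t - window[0][0] > timedelta(seconds=window_seconds):
                _old_t, old_user = window.popleft()
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
            best = max(best, len(in_window))
        result[ip] = best
    return result


def flag_probing_sources(records, threshold: int = 10, window_seconds: int = 60) -> List[str]:
    """Source IPs that tested at least `threshold` different accounts inside one window."""
    counts = distinct_accounts_per_source(records, window_seconds)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def longest_alphabetical_run(events) -> int:
    """Length of the longest run of consecutive withdrawal attempts whose customer
    names are in strictly increasing alphabetical order (case-insensitive)."""
    best = run = 0
    prev = None
    for _ts, name in events:
        key = name.lower()
        run = run + 1 if prev is not None and key > prev else 1
        best = max(best, run)
        prev = key
    return best


def alphabetical_batch_suspected(events, min_run: int = 6) -> bool:
    """Under any random ordering of names the chance that k consecutive attempts
    are sorted is 1/k!, so even a modest min_run is a strong signal."""
    return longest_alphabetical_run(events) >= min_run


if __name__ == "__main__":
    print("probing sources:", flag_probing_sources(SAMPLE_AUTH_LOG))
    print("longest sorted run:", longest_alphabetical_run(SAMPLE_WITHDRAWALS))
```

Both checks deliberately key on behaviour that a human customer almost never produces, rather than on login failures alone: the automated tester in Maloney's account was checking *validity*, so many of its attempts succeed and a failed-login counter would miss it.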

In one especially alarming case, security experts last fall found a program planted on personal computers to intervene whenever the user logged on to an electronic payment site called E-Gold, based on the Caribbean island of Nevis.

Instead of just recording the password and other data for some future attempt at fraud, the software -- dubbed Grams -- immediately "cleans out an account and transfers it," said Jason Milletary, an analyst with the CERT Coordination Center, the chief U.S. team responding to computer security breaches.

E-Gold chairman Douglas Jackson said he did not know the exact number of compromised accounts, putting it between "dozens" and "the low hundreds." He said that company policy was not to reimburse the victims. "Somebody could rip themselves off and try to get the money back," Jackson said. "It's very hard to tell if there's truly been a third party."

Variants of the Grams software have targeted other financial institutions as well, said Nathan Johns, chief of information technology at the U.S. government's Federal Deposit Insurance Corp., which guarantees bank deposits in case of insolvency. He declined to give details.

In July, the FDIC strongly encouraged U.S. banks to evaluate the risks from computer fraud, educate their consumers and consider adding new measures, such as devices that generate new numeric passwords every 60 seconds.

Some banks complained that the inconvenience of such devices would cost them customers, but the FDIC differed: "Although consumers are certainly interested in convenience, they are also very concerned about the security of their accounts."
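The devices the FDIC mentions work by deriving a short numeric code from a shared secret and the current time window, so a code captured by a keylogger is useless once the window has passed. The Python below is an added example of the standard construction (HOTP per RFC 4226, time-based per RFC 6238) with the server-side verification a bank would pair with it; it is not the article's code nor any vendor's implementation. It assumes a 60-second step to match the article (the RFC default is 30 seconds), and uses the RFC 4226 reference seed as a demo secret so the output can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226's own reference seed, used here only so the demo codes are checkable.
# A real token holds a per-customer random secret provisioned at issue time.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP_SECONDS = 60   # assumption: the article's "new password every 60 seconds"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the big-endian
    8-byte counter, then 'dynamic truncation' to a 31-bit value, then mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = TIME_STEP_SECONDS) -> str:
    """Time-based variant (RFC 6238): the counter is the number of whole
    time steps since the Unix epoch, so the code changes every `step` seconds."""
    return hotp(secret, int(unix_time) // step)


class TotpVerifier:
    """Server-side check. Accepts the current step plus/minus `drift_steps` to
    tolerate token clock drift, and refuses to accept any step at or before the
    last accepted one, so a code replayed from a keystroke capture is rejected
    even inside its own window."""

    def __init__(self, secret: bytes, step: int = TIME_STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: float) -> bool:
        now_counter = int(unix_time) // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue  # already consumed, or older than something already consumed
            # Constant-time comparison so response timing leaks nothing about the code.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    print("current demo code:", totp(DEMO_SECRET, time.time()))
```

The replay rule is what makes the scheme hold up against a recorded keystroke: the code Brown typed would have been accepted exactly once, and the copy forwarded to the thief would fail. It does not, however, help against the Grams-style attack described later in the article, where the transfer is made during the victim's own authenticated session.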

Bad Guys Take Lead

So far, according to many experts, the arms race is favoring the bad guys.

Last week, researchers at the University of California, Berkeley, reported that a $10 microphone near a keyboard could, with sophisticated analysis of the sounds made by different keys, reveal most of what was being typed -- enough that the researchers could guess 90 percent of five-character passwords within 20 tries.

And analysts said that con artists had mimicked each bank industry innovation.

As more customers grew too frightened to respond even to legitimate mail, for example, Citibank began including partial account numbers in its communications to prove their legitimacy. Thieves took advantage by using pilfered credit card numbers in messages to each account holder, posing as banks and asking for more data.

British bank Barclays responded to keylogger attacks by presenting a graphic display of letters or numbers and asking users to peck out a password with mouse clicks instead of keystrokes, which can be recorded more easily.

By late July, cyber-cons were delivering more programs that take a picture of what's on a computer screen each time a mouse gets clicked.

Many security experts say that a physical means of authenticating customers, such as a $40 password device issued to each customer, would be a major help in reducing fraud. But schemes like the one used against E-Gold defeat that protection, since the theft occurs while the victim is typing.

Other banks are pursuing more elaborate systems, such as one that requires telephone calls to customers who depart from their banking patterns.

Still unresolved is who bears the financial responsibility when electronically purloined account information is used to steal money. The FDIC says banks are usually on the hook, but some banks disagree. Bank of America is among a minority that offer guarantees to most customers even though they say they do not have to do so.

But Ahlo, a computer and copier supply business in Miami, has sued Bank of America in a closely watched case, saying the bank negligently encouraged Ahlo to do business online and then stood by as fraudsters made off with more than $90,000 through a wire transfer to Latvia.