Expert Slams Online Bank On ID Fraud
from the yes,-but... dept
Earlier this week we mentioned the case of a South African bank where several accounts were wiped out after a scammer sent spam with keylogger software attached. A few people unknowingly installed the software and had their account details captured by the scammer. Now a “security expert” is criticizing the bank for this. The fact that there really was nothing the bank could do doesn’t seem to enter into the picture. The bank wasn’t hacked; the compromise happened on each individual’s computer. And the bank has responded by restoring the money to the accounts. Blaming the bank doesn’t seem fair. The one point that does make sense is that it would have been better if the bank had a more stringent security policy that required a smartcard or some biometric reader. Unfortunately, almost no one has a smartcard reader or biometric reader at home – so no bank will require such a thing, since it pretty much guarantees that no one will use its online banking service (and that they’ll go to another bank that makes it easier). Yes, security should be better, but it’s hard to see how the bank was at fault in this case.
Comments on “Expert Slams Online Bank On ID Fraud”
Social Hack...
Mike, while I agree the bank couldn’t have been responsible, and really didn’t have anything to do with the social hack, there is something you mentioned before that I think needs to be addressed here.
How did the social engineer target the individuals of the bank? If it was purely fishing, then customers of other banks would have received similar emails and trojans, but it appears (at least from reading the articles) that the social engineer targeted specific customers of the bank in question, through emails nonetheless.
My bank knows my email address, partly because I gave it to them as part of the effort of obtaining an account with them, but also because I occasionally send emails to them about problems I have while banking with them. They keep some sort of record of customers’ email addresses, because occasionally I get “unsolicited” email from them as well.
However, until I just announced it on a public website, nobody other than my bank or I knew that they had my email address. And even though I have given this information out, most people probably still don’t know which bank I have my account at.
So what I am saying is that somehow this engineer has already hacked far enough into the bank to obtain a listing of customers’ email addresses. And that is the bank’s problem. They have somehow, through negligence or otherwise, allowed someone to use their records to send directed emails to their customers.