A Trojan horse may be behind an online banking scam that has cost at least two Winnipeg customers thousands of dollars.
The Winnipeg Police Service last month was investigating two cases where money was transferred unknowingly from bank accounts. One family charges that $2,500 was taken from their account, and a retired teacher in April reported that $2,000 was removed from his account without his knowledge.
The department also has information pertaining to five other individuals who lost money to the same scam.
So far the police investigation is focused on a man who recently emigrated to Canada from an undisclosed locale in Eastern Europe. However, the police would not comment further for fear it would compromise its investigation.
According to computer security experts, such incidents are not isolated. Online banking scams and identity theft are proliferating in this country.
While Canadian e-banking customers have yet to see a surge in identity theft similar to that in the U.S., the banks say the onus is on consumers and enterprises to protect themselves.
An investigator at one of Canada’s largest banks agreed that the two Winnipeg cases are by no means unique. “A lot of the time it is not reported (except to the banks) because the victims are reimbursed,” he said. “As long as they get their money, they don’t care.” When asked for numbers, he said in the last two months there were roughly 100 cases of fraudulent withdrawals from client accounts at Canadian financial institutions. A fraud specialist, who focuses on Internet banking, agreed with the investigator’s assessment. “A hundred is about right.” Several banks were contacted but would not comment. “It is not information that we would share,” one spokesperson said.
Some online fraud attempts are caught before the money is actually transferred, by sophisticated detection systems designed to catch unusual behaviour. An example would be a user suddenly transferring money from a Vancouver IP address, when all previous activity was from a Montreal IP address.
Many of the individual withdrawals were for $1,000 or less — the maximum one-time e-mail transfer allowed at most Canadian banks.
Robert Garigue, chief information security officer with BMO Financial Group, said some online transfers may be held momentarily to give the bank an opportunity to run some “heuristics over them” to ensure the transfer is not fraudulent. He wouldn’t specify the exact nature of the heuristics, citing security concerns.
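The location check described above (a transfer from a Vancouver IP address on an account whose history is all Montreal), combined with holding a suspect transfer for review, can be expressed in code as follows. This is an added example, not any bank's actual heuristics, which the article's sources declined to describe; the log format, the account names and the MIN_HISTORY threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample transfer log: (account, city derived from source IP, amount in CAD).
# The IP-to-city lookup is assumed to have been done upstream.
SAMPLE_LOG = [
    ("acct-1001", "Montreal", 120.00),
    ("acct-1001", "Montreal", 60.00),
    ("acct-1001", "Montreal", 300.00),
    ("acct-2002", "Winnipeg", 45.00),
    ("acct-1001", "Vancouver", 1000.00),  # new location for this account
    ("acct-2002", "Winnipeg", 80.00),
    ("acct-3003", "Toronto", 500.00),     # first-ever activity: no baseline yet
]

MIN_HISTORY = 3  # hypothetical: cleared events needed before a baseline is trusted


def review_transfers(log, min_history=MIN_HISTORY):
    """Split transfers into (released, held); held entries carry a reason."""
    seen = defaultdict(lambda: defaultdict(int))  # account -> city -> cleared count
    released, held = [], []
    for account, city, amount in log:
        history = seen[account]
        total = sum(history.values())
        if total >= min_history and city not in history:
            usual = max(history, key=history.get)
            reason = f"new location {city}; usual is {usual}"
            held.append((account, city, amount, reason))
            # A held event is not added to the baseline, so a repeat attempt
            # from the same unfamiliar location is held again until cleared.
        else:
            released.append((account, city, amount))
            history[city] += 1
    return released, held


if __name__ == "__main__":
    ok, flagged = review_transfers(SAMPLE_LOG)
    for account, city, amount, reason in flagged:
        print(f"HOLD {account} ${amount:.2f}: {reason}")
```

Accounts with too little history are released rather than held, which is the cold-start trade-off any baseline-driven check has to make.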
But even with the relatively few occurrences compared to other fraud attempts, the investigator said it is still a big issue since “it ties up resources.”
Garigue said the bank would likely reimburse fraud victims but he had a word of advice. “If you are going to be doing things that are of value to you like, let’s say, online transactions or holding your Quicken accounts at home…it becomes an integral component to your economic life and…you have to motivate yourself to go and do the basics.”
The fraud specialist said he suspects the majority of online fraud victims did not have up-to-date operating system patches or security software. Educating end-users on security best practices is the key to reducing online bank fraud, he said.
Still, the difference in rates of fraud activity in Canada versus the U.S. is striking. “If you look at identity theft in Canada, there were 13,000 incidents last year, up from 8,000 the year before. In the United States there [were] half a million and that [difference is] because Canadian banks really got it together early on. The cost of fraud is huge so the [banks] want to make sure it’s taken care of. You’ve got five major banks in Canada — there’s over 5,000 in the United States,” said Rosaleen Citron, CEO of security provider WhiteHat Inc. in Toronto.
According to 2002 statistics from NFO CFgroup, approximately 25 per cent of Canadian adults have banked online. For households with Internet access and defined as “regular” users by StatsCan in 2002, just over half banked online. At Scotiabank, about half of its customers use online banking on a “semi-regular” basis, said senior vice-president, Robert Grant.
A 2002 Ipsos-Reid survey found that 61 per cent of Internet users had purchased antivirus software, though it had no statistics on whether the users kept it up-to-date. About 50 per cent of users who access the Symantec Corp. security check Web site to check the status of their antivirus software do not have current signature files, said Michael Murphy, Canadian country manager for Symantec.
Keystroke logging is the most frequently used tactic for crooks targeting banking information, said Tom Slodichak, chief security officer of WhiteHat. Most antivirus software today is designed to block keystroke loggers (as well as many Trojans) but, as with a virus, the software must have a signature for a logger in order to stop it.
“Although a Web session with their financial institution is usually encrypted, the keystroke logger intercepts the keystrokes before any encryption occurs, so they will get all the information — the account numbers, the names, the passwords or PINs or whatever they need to impersonate that [individual],” he said.
Additionally, “phishing” expeditions — where users are directed to a mirror site of their bank, for example, and asked to input personal information — have become more common. Usually the users are lured to the mirror site via e-mail after being sent a phony message telling them to log on to the site because they need to update their information, for example.
The prevailing attitude among the banks surveyed by ComputerWorld Canada — the Royal Bank of Canada (RBC), the BMO Financial Group (BMO), Scotiabank, TD Group Financial Services (TD) and the Canadian Imperial Bank of Commerce (CIBC) — is that the bank’s primary role is to educate customers about Internet security and identity theft.
In fact, only one of the banks — Scotiabank, which would not divulge the results — has done a survey of its online customers to see what percentage use up-to-date antivirus and firewall technologies, although RBC is planning on doing a survey later this month, said Judi Levita, a spokesperson for RBC in Toronto.
“Customer education is far more important than knowing about individual cases. It requires daily vigilance on the part of the bank to educate our customers, and we do that through our safe computing processes, which is prominently accessible on our Web site at all times,” said Sharon Hodder, vice-president of Internet services at Scotiabank in Toronto.
Hodder declined to comment whether any Scotiabank customers have been duped out of money through Internet scams.
The banks have mounted campaigns to teach the public about Internet security. For example, all five major institutions have varying degrees of information on their Web sites ranging from instructing users how to get antivirus and firewall applications to security tips, updates and identity theft information. The security information is generally linked at the bottom of the main Web page and is listed in very small font.
The exception is CIBC, which has no literature on its Web site about antivirus or firewalls. Its security section contains information about updating Web browsers, clearing a cache, cookies and enabling Java. However, that is about to change. CIBC spokesperson Rob McLeod said the bank will be updating its security section on its Web site to include information about firewalls and antivirus plus more safe computing guidelines.
TD recently partnered with Symantec to provide a 90-day free trial of the security vendor’s Norton antivirus and personal firewall. At the end of the trial Symantec offers the products at a discounted price to TD’s online banking subscribers, said TD spokesperson Simon Townsend in Toronto. RBC has previously partnered with Montreal’s Zero-Knowledge Systems Inc. for antivirus, but there is no offer now for subscribers, although it does offer a free one-year subscription for Zero-Knowledge’s Freedom firewall technology.
The next release of Microsoft Corp.’s Windows XP will have its firewall technology turned on by default, and it will be a more robust product, according to the company.
Levita said RBC provides comprehensive information about safe computing practices and how to prevent financial fraud, but some RBC customers have fallen victim to identity theft.
“We have about a quarter of a million clients log in to online banking every week and we have had incidents where clients have engaged in high-risk activities and as a result have had their computers compromised. Anyone who is online needs to be aware that there are less-than-scrupulous people out there and they need to take precautions,” Levita said.
Murphy says Canadian banks have been conservative in their response to user security needs. “They’d sooner go in pairs to the dance. No one wants to arrive early…(but) I think TD is trying to take a leadership position” with its offering, he said.
But even that may have limited success stopping some scams. Back in November 2003, hackers sent out mass e-mails hoping to target legitimate bank customers from Toronto-based BMO and Montreal-based Mouvement des Caisses Desjardins. The phishing e-mails told consumers to click on a link to verify e-mail addresses, customer numbers, passwords and memorable data.
BMO, which learned of the scam from customers, contacted the Internet service provider hosting the spoof site, which immediately shut it down. Mouvement des Caisses Desjardins tracked down an Internet service provider in Pennsylvania and had it close the other spoofed site.
“It’s clear that phishing and the incidences of identity theft is growing and it’s a concern,” said BMO’s Garigue. “We see lots of activities on the Internet of organizations trying to collect people’s identity by spoofing that looks official, whether it’s eBay, a bank or a municipality. They ask people to send in user names and passwords and usually you’re redirected to the official site, but on the way the Trojan collected your name and password, and that is occurring a lot.”
In fact, Garigue said BMO has been asking the antivirus/antispam vendors to add functionality to their software to catch phishing e-mails, which in essence are spam. As it stands now antispam software does not catch phishing e-mails, though it is technically feasible for it to do so, Murphy said.
There’s been an increase in these activities because networks are becoming more secure — there’s a lot more security at the endpoints with firewalls and strong authentication from the service provider, Garigue said. Additionally, Web sites are designed better nowadays and are more impervious to break-ins, so criminals are finding it easier to target the consumer than the bank, he said.
When asked about the prospect of the banks scanning user computers to check for up-to-date antivirus software, both Garigue and Scotiabank’s Hodder said that would be a violation of a user’s privacy. Additionally, CIBC’s McLeod indicated that the bank also does not plan to conduct system checks.
Overall, WhiteHat’s Citron said the banks have done a great job in securing their networks.
“The Canadian banks are probably the best in the world when it comes to security,” she said. “They have taken the big bank vaults from the 1940s and moved it out to the Internet.”