A Trojan horse may be responsible for an online banking scam that has cost at least two Winnipeg customers thousands of dollars.
The Winnipeg Police Service this week is investigating two cases where money was transferred unknowingly from bank accounts. One family charges that $2,500 has been taken from their account and a retired teacher in April reported $2,000 removed from his account without his knowledge. The department also has information pertaining to five other individuals who lost money with the same scam.
So far the police investigation is focused around a man who recently emigrated to Canada from an unidentified locale in Eastern Europe. However the police would not comment further for fear it would compromise their investigation.
According to computer security experts, online banking scams and identity theft are proliferating in this country. While Canadian e-banking customers have yet to see a surge in identity theft similar to the U.S., the banks say the onus is on consumers and enterprises to protect themselves.
“If you look at identity theft in Canada, there were 13,000 incidents last year up from 8,000 the year before. In the United States there was half a million and that [difference is] because Canadian banks really got it together early on. The cost of fraud is huge so the [banks] want to make sure it’s taken care of. You’ve got five major banks in Canada — there’s over 5,000 in the United States,” said Rosaleen Citron, CEO of WhiteHat Inc. in Toronto. “[The U.S. banks] don’t have the co-ordination and the governing rules and regulations the Canadian banks have put on themselves.”
Keystroke loggers are the most frequently used tactic for crooks targeting banking information, said Tom Slodichak, chief security officer of WhiteHat Inc. in Toronto.
“Although a Web session with their financial institution is usually encrypted, the keystroke logger intercepts the keystrokes before any encryption occurs, so they will get all the information — the account numbers, the names, the passwords or PINs or whatever they need to impersonate that [individual],” he said.
Additionally, “phishing” expeditions — where users are directed to a mirror site of their bank, for example, and asked to input personal information — have become more common. Usually the users are lured to the mirror site via e-mail — they are sent a phony message telling them to log on to the site because they need to update their information, for example.
Fortunately, these scams are something enterprise users don’t really have to worry about, Slodichak said.
“The enterprise is fairly well-protected. We’ve seen a real resurgence of back-to-basics philosophy on the part of IT departments where they’re now practicing pro-active patch management — as soon as a patch is announced companies are patching systems — and this is in light of damages from virus-related activities in the last year or so,” he said.
The next step is ensuring antivirus applications are updated often, he added.
However, the home user remains largely unprotected and less-inclined to engage in good security practices, Citron said.
“It’s a question of educating the masses because the enterprise’s largest threat comes from unpatched and non-virus-protected computers out in the home,” Slodichak said. Employees working at home with insecure computers may unknowingly pass on malicious code to their companies.
The prevailing attitude among the banks surveyed by IT World Canada — the Royal Bank of Canada (RBC), the BMO Financial Group (BMO), Scotiabank and TD Group Financial Services (TD) and the Canadian Imperial Bank of Commerce (CIBC) — is that the bank’s primary role is to educate customers about Internet security and identity theft.
“Customer education is far more important than knowing about individual cases. It requires daily vigilance on the part of the bank to educate our customers and we do that through our safe computing processes, which is prominently accessible on our Web site at all times,” said Sharon Hodder, vice-president of Internet services at Scotiabank in Toronto.
Citron agrees. “The problem you’re dealing with is not the amount of security the bank is putting up. Remember the bank isn’t the one that is being affected here — it’s the home user and they’re being caught before they even connect to the bank,” she said.
Hodder declined to comment whether any Scotiabank customers have been duped out of money through Internet scams.
The banks have mounted educational campaigns to teach the public about Internet security threats. For example, all five major Canadian banks — RBC, BMO, Scotiabank, CIBC and TD — have varying degrees of information on their Web sites ranging from instructing users how to get antivirus and firewall applications to security tips, updates and identity theft. However, the security information is generally linked at the bottom of the main Web page and is listed in very small font. The exception is CIBC which has no literature on its Web site about antivirus or firewalls. Its security section contains information about updating Web browsers, clearing a cache, cookies and enabling Java. However, that is about to change. CIBC spokesperson Rob McLeod said the bank will be updating its security section on its Web site to include information about firewalls and antivirus plus more safe computing guidelines.
TD has partnered with Symantec Corp. to provide a 90-day free trial of the security vendor’s Norton antivirus and personal firewall. At the end of the trial Symantec offers the products at a discounted price to TD’s online banking subscribers, said TD spokesperson Simon Townsend in Toronto.
RBC has previously partnered with Zero-Knowledge Systems Inc. firms for antivirus but there is no offer now for subscribers.
Judi Levita, a spokesperson for RBC in Toronto said the bank provides comprehensive information about safe computing practices and how to prevent financial fraud but some RBC customers have fallen victim to identity theft.
“We have about a quarter of million clients log in to online banking every week and we have had incidents where clients have engaged in high-risk activities and as a result have had their computers compromised. Anyone who is online needs to be aware that there are less than scrupulous people out there and they need to take precautions,” Levita said.
Back in November 2003 hackers sent out mass e-mails hoping to targeting legitimate bank customers from Toronto-based BMO and Montreal-based Mouvement des Caisse Desjardins. The e-mails told consumers to click on a link to verify e-mail addresses, customer numbers, passwords and memorable data.
BMO, which learned of the scam from customers, contacted the Internet service provider hosting the spoof site, which immediately shut it down. Mouvement des Caisse Desjardins tracked down an Internet Service Provider (ISP) in Pennsylvania and had it close the other spoofed site.
“Its clear that phishing and the incidences of identity theft is growing and its a concern,” said Robert Garigue, CSO at BMO in Toronto. “We see lots of activities on the Internet of organizations trying to collect people’s identity by spoofing that looks official, whether its eBay, a bank or a municipality. They ask people to send it user names and passwords and usually you’re redirected to the official site but on the way the Trojan collected your name and password and that is occurring a lot.”
There’s been an increase in these activities because networks are becoming more secure — there’s a lot more security at the endpoints with firewalls and strong authentication from the service provider, he said. Additionally, Web sites are designed better nowadays and are more impervious to break-ins so criminals are finding it easier to target the consumer than the bank, Garigue said.
When asked about the prospect of the banks scanning user computers to check for up-to-date antivirus software both Garigue and Scotiabank’s Hodder said that would be a violation of a user’s privacy. Additionally, CIBC’s McLeod indicated that the bank also does not plan to execute conduct system checks.
Overall, WhiteHat’s Citron said the banks have done a great job in securing their networks.
“The Canadian banks are probably the best in the world when it comes to security,” she said. “They have taken the big bank vaults from the 1940s and moved it out to the Internet. So they have probably the largest groups of anti-fraud, anti-criminal groups that you can imagine and they meet regularly — these guys have really got it going on.”