
Privacy and Security

McAfee Labs, a company that deals with internet security from malware and hackers, has announced that a ring of criminals intends to steal money from customers with accounts at major American banks. The operation even has a codename, “Project Blitzkrieg,” and is rumored to go into effect this coming spring. The fact that this plan is now out in the open makes it more likely that the cyber attack won’t occur as predicted, but it still engenders public fear and concern that our money is vulnerable when deposited into the bank.

According to CNN Money, the following banks are being targeted: Chase, Fidelity, E*Trade, Charles Schwab, PayPal, Citibank, Wachovia, Wells Fargo, Capital One, Navy Federal Credit Union, and more. There may be many reasons to dissuade a potential customer from doing business with large financial institutions, but the threat of a cyber attack shouldn’t be one. Customers who see the potential for this kind of a crime as a reason for not doing their financial business over the internet are over-reacting, but that’s little comfort in the face of fear.


The banks are liable for any stolen funds as a result of cyber crime. Customers will not lose money. If this particular attack is carried out, despite the public awareness in advance, it would work by using customers’ own computers to access their own accounts to transfer small amounts of money. With millions of zombie computers operating, this adds up to a lot of stolen cash, but any one customer would, in theory, see only a small transaction. It’s riskier for the banks than for any one customer.

Banks are hit by cyber attacks every day, and are becoming more adept at preventing breaches of security. Only the big attacks hit the news. Banks are bombarded by security threats every day, and their systems are improving exponentially for detecting and dealing with these problems.

It’s fairly simple to ensure your account is not vulnerable to this particular attack. When logging into your bank account online, most banks allow you to “remember your computer.” You can then bypass a few security questions when the bank recognizes your computer’s IPv4 address, a unique identifier for each internet connection. Hackers can spoof your IPv4 address or even use malware to hijack your computer so you don’t even know it’s accessing your bank account. It’s best to disable the “remember your computer” feature. It’s a little bit of a pain, but it’s much more secure.

Be aware of social engineering. Email programs have become very adept at filtering out spam most of the time. You may still see emails that look very much like they are official, coming from your bank, asking you to visit the bank’s website and confirm some piece of information. In reality, the bank’s website is actually a hacker’s website, designed to look identical to the official site. Never enter your password or any other identifying information on a website that you’re accessing over an insecure connection.

Internet browsers now even identify the security certificate, so when you’re visiting a secure website that’s supposed to be operated by Chase, you can verify you’re safe. Click the security icon in your browser’s address bar for more information.

You can make your passwords as long and as random as you like, but the complexity of a password is irrelevant if you hand it to a criminal willfully.

Stashing your money under your mattress is much less safe. When you don’t like dealing with banks because you already believe that these corporations are evil, stories like those that create fear are particularly resonant. News of major security threats seems to confirm the skeptic’s opinion that money is only safe when it’s cold, hard cash, not bits in a bank’s computer. The threat of your house being robbed and criminals being able to find your hidden bills or walk away with your safe is much more likely than losing money due to cyber crime.

Many people seem to be taking this particular threat lightly, and that’s a good thing. “Let them come take my $1.50.” Perhaps a sign of the economic times, bank customers reacting to the news seem hopeful the criminals will forget their true intent or press the wrong button and deposit cash into these bank accounts.

If attacks like these ever get to the point of being engaged, the banks will know before you do. They could already solve the problem before the media confirms the plan for the attack has been executed. There is no way customers have their money at risk. Federal law requires that banks are liable in the event of a security breach, and there is no bank that wants to be liable for a potentially large amount, so the companies have a very strong incentive to be very proactive and protect their customers.

I may criticize banks often, but security is one area where the needs of the customers, shareholders, employees, and executives are completely aligned.

Does news of this planned cyber attack, Project Blitzkrieg, change the way you feel about banking online?

Photo: Flickr


Now that Facebook is a public company, it’s under pressure by its shareholders and investors to show that it has a plan to generate revenue. The company’s latest plan is to expand its system for virtual payments — the use of credits to buy add-ons to games — to include direct, real payments.

Facebook seems to be as much a part of a young person’s life as email had become for the slightly older generation. Since the company is so ubiquitous without any legitimate competing social networking website with an audience of customers as wide as its own, it’s hard to see how this plan will fail. The company’s executives are betting on the willingness for the site’s users to provide credit card information in order to seamlessly pay for who-knows-what online in their own currencies, with Facebook taking a nice cut from every transaction. (After all, there’s no competition in this space, and probably no regulation applies, so Facebook could take as big of a percentage of each transaction as they want.)

With 900 million users worldwide, Facebook only needs a small percentage of users accepting this new technology in order to build a significant revenue source. In fact, if this catches on well enough, there’s no reason Facebook couldn’t become one of the most profitable businesses in the world. I wonder how history will look back on those of us who said Facebook’s IPO at $35 or so a share was wildly overpriced. It’s true that most of the 900 million users globally do not have access to credit cards, but this is probably only a temporary barrier. Access to credit will eventually grow in developing nations, but even if it doesn’t grow quickly, Facebook can surely find a way to serve users who want to spend their cash.

There is a general feeling in the media that people over-share on social media websites like Facebook, and a very vocal minority wonders why people are willing to share the most intimate details in their lives with a computer database that churns the information and presents it to marketers as a goldmine of data enabling companies to better sell their products. People wonder why someone would take things they create, like photographs, music, and essays, and provide the right for Facebook to keep this information and redistribute it in any form the company determines might increase profits for its shareholders.

If you use Facebook in this way and don’t see any sign of it dissipating, it makes sense to own some shares. That way, the company might be profiting on the details of your life, but you will, too.

Back to the issue of credit cards, up until this point, users have shared quite a bit of personal information with Facebook despite the company’s many gaffes related to privacy. The sharing of credit card numbers, however, needs to be held up to a higher scrutiny. A database of the world’s credit cards could wreak havoc in the wrong hands. And like companies that offer barely-visible subscriptions, such as those that perpetrate the trial offer scam, Facebook could easily take advantage of the less financially-savvy selection of users who might not notice their Facebook credit card charges or who might notice the charges but not consider how the expenses add up over time.

If you’ve purchased anything online in the past, Facebook will find a way to offer exclusive products that are of interest to you, and linking your credit card to Facebook may be the only way to acquire whatever it is you desire. Facebook could easily emulate iTunes, Amazon, Spotify, and other revenue-generating sites. They could emulate Target and Wal-Mart, companies that offer unique products only available in their respective stores. The more I think about it, the more inevitable I think Facebook’s success will be with this plan. There just aren’t enough users willing to protest Facebook’s grab for credit card numbers for dissent to make a difference.

Will you provide your credit card number to Facebook to make it simple to buy products online? It’s hard to answer this question until Facebook shows what they have to offer, but it’s inevitable that a company as large as Facebook will be able to determine exactly what their users want and offer it to those users in a way they can’t acquire it elsewhere.


After a few years of testing this new security feature, Vanguard has begun rolling out voice pattern recognition technology for security. According to the representative I spoke to today, this feature will be available for Flagship customers first, and all customers will eventually follow. Voice recognition adds another layer of security to your financial accounts, and I’m impressed with it so far.

When you call a Vanguard representative to discuss your account, they ask a security question to verify your identity. They may ask your pet’s name, your high school mascot, or some other piece of information a stranger might not know. This isn’t very secure; a friend or family member could easily know the answers to many of the questions typically used for security verification. It is much more difficult to fool voice pattern recognition. Even a digital recording of your voice will not have the same acoustic properties that can be detected over the phone.

The biggest benefit of this level of security is that it eliminates the need for Medallion signature guarantees for most financial transactions for which they were previously required. Signature guarantees can be a hassle; for a financial institution that conducts its business mostly online and over the phone, you might need to visit a local bank or credit union with identification in order to secure a signature guarantee, and then it will take some time to send the signature guarantee to Vanguard.

To enable voice recognition today, call a Vanguard representative. You’ll be asked to repeat a passphrase several times: “At Vanguard, my voice is my password.” The security system will analyze your voice, which will act as a secure key. After confirming that you’re ready to begin using voice recognition as a security check, the new technology will be activated for you with your next call to Vanguard.

After entering your Social Security number via your phone’s keypad as usual, you will be prompted to speak the passphrase. It sounds like this technology could be easily fooled through recording, or be ineffective depending on the quality of your phone line, but it’s much more secure and accurate than the existing system.

If your security check through voice recognition fails when you call, you will be asked to answer a security question. This fallback can solve any issues if you’re in a noisy room, for example, but that reduces the level of security.

Would you use voice pattern recognition to verify your identity for financial transactions?

Photo: altemark


The fourth largest bank in the United States by assets, Wells Fargo, admitted last week that many of its customers received statements with other customers’ banking information included. In this security breach, those affected might have received a statement with a stranger’s account number, transaction detail, and in some cases, Social Security number. Other affected customers might have had their information compromised, with their details included on other customers’ statements, without their knowledge.

Wells Fargo through its spokesman Josh Dunn blamed the error on a “malfunctioning printer.”

The biggest threat is that with an account name and number, and a bank’s routing number which is public information, anyone can easily print a check. When presented, if the signature isn’t checked, the check could result in a withdrawal from the compromised customer’s account. For those whose Social Security numbers have been shared, the potential fraud could be worse.

My first reaction is to encourage customers to turn off paper statements opting instead for online statements only, but that won’t prevent every potential bank error. Online statements are much more secure than mailed statements.

If you’ve been affected, I would suggest changing your account number at Wells Fargo. This may be a significant process, particularly if you have direct deposit enabled or automated debits scheduled with outside vendors. It will be worth the effort, however, to ensure the compromised account number is no longer linked to you. If your Social Security number has been shared with a stranger, you should contact one of the credit reporting bureaus to freeze your credit. Your Social Security number can be used to open accounts in your name, using your credit history, so by working with the credit agencies you can opt to be notified if anyone tries to open a new line of credit.

Considering Wells Fargo’s error, the bank should offer to pay for credit monitoring services for affected customers.

Is this extra motivation for moving your money out of a big bank? There are many reasons to switch to a credit union, but this may not be a reason on its own. Mistakes like this one can happen at any institution, regardless of the company’s size.

I’ve used Wells Fargo for my primary banking services, ever since Wells Fargo acquired Wachovia, since Wachovia acquired First Union, since First Union acquired CoreStates, since Philadelphia National Bank merged with New Jersey National Bank forming CoreStates Financial Corporation.

If you’re a Wells Fargo customer, do you plan to close your account after this incident?

Photo: MoneyBlogNewz
BusinessWeek (AP)


Updated: Hackers Steal Credit Card Numbers From 360,000 Citi Customers

by Luke Landes

The latest big business security breach affected Citigroup and about 1 percent of the company’s credit card customers. Hackers were able to access the customer database, finding customers’ names, credit card numbers, and email addresses free for the taking. The hackers were not able to gain access to other personal information, like Social Security numbers, card […]


Lie to Yourself for Better Security

by Smithee

This week, TechCrunch made a big to-do by publishing internal Twitter business documents that they apparently received from an enterprising hacker. The access to multiple networks apparently began when the hacker accessed the GMail account of the wife of a co-founder. If you, like Twitter employees, store any sensitive information in your Google Docs, or […]


Livin’ it Up: Young Philly Couple Charged With Identity Theft

by Luke Landes

Jocelyn Kirsch and Edward K. Anderton live in Philadelphia but they’ve been spending their time in Paris, London, Hawaii, and Seattle thanks to their neighbors. The neighbors aren’t quite as happy, however. The two were using their expensive apartment to assist in stealing the identities of the other people living in their building as well […]
