McAfee Labs, a company that works on internet security against malware and hackers, has announced that a ring of criminals intends to steal money from customers with accounts at major American banks. The operation even has a codename, “Project Blitzkrieg,” and is rumored to go into effect this coming spring. The fact that this plan is now out in the open makes it more likely that the cyber attack won’t occur as predicted, but it still engenders public fear and concern that our money is vulnerable when deposited into the bank.
According to CNN Money, the following banks are being targeted: Chase, Fidelity, E*Trade, Charles Schwab, PayPal, Citibank, Wachovia, Wells Fargo, Capital One, Navy Federal Credit Union, and more. There may be many reasons to dissuade a potential customer from doing business with large financial institutions, but the threat of a cyber attack shouldn’t be one. Customers who see the potential for this kind of crime as a reason for not doing their financial business over the internet are overreacting, but that’s little comfort in the face of fear.
The banks are liable for any stolen funds as a result of cyber crime. Customers will not lose money. If this particular attack is carried out, despite the public awareness in advance, it would work by using customers’ own computers to access their own accounts to transfer small amounts of money. With millions of zombie computers operating, this adds up to a lot of stolen cash, but any one customer would, in theory, see only a small transaction. It’s riskier for the banks than for any one customer.
Banks are hit by cyber attacks every day, and are becoming more adept at preventing breaches of security. Only the big attacks hit the news. Banks are bombarded by security threats every day, and their systems are improving exponentially for detecting and dealing with these problems.
It’s fairly simple to ensure your account is not vulnerable to this particular attack. When logging into your bank account online, most banks allow you to “remember your computer.” You can then bypass a few security questions when the bank recognizes your computer’s IPv4 address, a unique identifier for each internet connection. Hackers can spoof your IPv4 address or even use malware to hijack your computer so you don’t even know it’s accessing your bank account. It’s best to disable the “remember your computer” feature. It’s a little bit of a pain, but it’s much more secure.
Be aware of social engineering. Email programs have become very adept at filtering out spam most of the time. You may still see emails that look very much like they are official, coming from your bank, asking you to visit the bank’s website and confirm some piece of information. In reality, the bank’s website is actually a hacker’s website, designed to look identical to the official site. Never enter your password or any other identifying information on a website that you’re accessing over an insecure connection.
Internet browsers now even identify the security certificate, so when you’re visiting a secure website that’s supposed to be operated by Chase, you can verify you’re safe. Click the security icon in your browser’s address bar for more information. Here is a screenshot of what that looks like with Chrome.
You can make your passwords as long and as random as you like, but the complexity of a password is irrelevant if you willingly hand it to a criminal.
Stashing your money under your mattress is much less safe. When you don’t like dealing with banks because you already believe that these corporations are evil, stories that create fear are particularly resonant. News of major security threats seems to confirm the skeptic’s opinion that money is only safe when it’s cold, hard cash, not bits in a bank’s computer. Having your house robbed, with criminals finding your hidden bills or walking away with your safe, is much more likely than losing money due to cyber crime.
Many people seem to be taking this particular threat lightly, and that’s a good thing. “Let them come take my $1.50.” Perhaps a sign of the economic times, bank customers reacting to the news seem hopeful the criminals will forget their true intent or press the wrong button and deposit cash into these bank accounts.
If attacks like these ever get to the point of being engaged, the banks will know before you do. They could already solve the problem before the media confirms the plan for the attack has been executed. Customers’ money is not at risk. Federal law requires that banks be liable in the event of a security breach, and there is no bank that wants to be liable for a potentially large amount, so the companies have a very strong incentive to be very proactive and protect their customers.
I may criticize banks often, but security is one area where the needs of the customers, shareholders, employees, and executives are completely aligned.
Does news of this planned cyber attack, Project Blitzkrieg, change the way you feel about banking online?