Banks: Losses From Computer Intrusions Up in 2007
U.S. financial institutions reported a sizable increase last year in the number of computer intrusions that led to online bank account takeovers and stolen funds, according to data obtained by Security Fix. The data also suggest such incidents are becoming far more costly for banks, businesses and consumers alike.
The unusually detailed information comes from a non-public report assembled by the Federal Deposit Insurance Corporation, the federal entity that oversees and insures more than 9,000 U.S. financial institutions. The statistics were gathered as part of a routine quarterly survey called the Technology Incident Report, which examines so-called suspicious activity reports (SARs), in this case SARs filed in the second quarter of 2007. SARs are federally mandated write-ups that banks are required to file whenever they spot a suspicious or fraudulent transaction that amounts to $5,000 or more.
A copy of the report was provided by a trusted source who asked to remain anonymous. An FDIC spokesperson could not be immediately reached for comment.
While the number of reported computer intrusion-related SARs (536) paled in comparison to the leading SAR categories, mortgage loan fraud (12,554) and check fraud (17,558), the FDIC said financial crime aided by computer intrusions is growing at a rapid pace. Further, it noted that the mean (average) loss per SAR from computer intrusions was roughly $29,630, almost triple the estimated loss per SAR during the same period in 2006 ($10,536).
According to George Manning, the author of the book "Financial Investigation and Forensics," federal banking statutes define computer intrusion for the purposes of SAR reporting as one or more of the following activities:
1) Gaining access to a computer system of a financial institution to steal, procure, or otherwise affect funds of the institution or the institution's customers;
2) Attempting to remove, steal, procure or otherwise affect critical information of the institution including customer account information;
3) Activities that damage, disable or otherwise affect critical systems of the institution.
Manning notes in his book that for the purposes of this reporting requirement, computer intrusion does not mean attempted intrusions of Web sites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information.
Anyway, back to the interesting bits: the report indicates that in most cases, banks are at a loss to say exactly how cyber crooks are stealing the funds. Eighty percent of the computer intrusions were classified as "unknown unauthorized access - online banking," and the report states that "unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year."
Still, the FDIC indicates that a large share of the unknown losses most likely resulted from malicious data-stealing programs surreptitiously installed on customer PCs by cyber crooks. The FDIC wrote that "in several significant cases where the source of the computer intrusions was identified suggest that Trojan horses and key logging software infecting the customers' computers might also be responsible for a large portion of the unknown unauthorized access to online bank accounts."
Indeed, one of many confidential case studies in the report told the plight of a U.S. business that lost $188,000 in July 2007 after an employee infected a company computer with a password-stealing Trojan horse program. The malicious program arrived as an attachment to an e-mail purporting to have been sent by the Better Business Bureau. In this "spear phishing" campaign, the company and the recipient were both named in the body of the e-mail, and the recipient was urged to open the attachment to view a complaint lodged against the company.
Security Fix has written about this series of attacks spoofing the BBB, as well as a similarly successful spear phishing malware attack that spoofed the Federal Trade Commission.
Of those computer intrusion-related SARs that were identified, online bill payment applications were most frequently targeted by cyber thieves, the FDIC found. However, unauthorized access to wire transfers and automated clearinghouse (ACH) payments caused the most losses to financial institutions in the computer intrusion category, mainly because ACH and wire transfers give the banks less time to detect and recover from unauthorized access.
Another case study cites an unnamed financial institution that had 14 customer account takeovers as a result of spyware infestations that recorded keystrokes on customer PCs, stealing the credentials that allowed the crooks to initiate a series of fraudulent ACH transfers out of the victims' corporate accounts into accounts set up and controlled by the attackers. All told, in the six months between October 2006 and April 2007, the attackers managed to steal $289,000 from the 14 victims.
Avivah Litan, a financial fraud analyst with Gartner Inc., said unauthorized wire transfers disproportionately impact small to medium sized businesses that may be using online banking but do not have the stringent financial controls that are in place at many larger corporations.
"It's interesting to hear them at least privately admitting that the ACH and wire transfer system is really broken, and that there are a lot of new Trojans targeting the banks now," Litan said. "That's very much in line with everything I'm seeing." (Security Fix has covered ACH fraud in previous posts. See this piece from last May for more perspective on Litan's quote here).
Litan said small to mid-sized businesses that bank online typically are allowed to transfer relatively large amounts with ease, though they have far fewer protections than consumer accounts when fraudulent transactions are at stake. In fact, most companies have just two business days to report fraudulent or unauthorized transfers in order to have a decent chance at getting the charges reversed. In contrast, consumers generally are allowed up to 60 days to report such activity, Litan said.
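The takeover pattern in the case studies above, a series of ACH transfers out of a compromised business account into accounts the attackers set up, is something a bank can screen for before the funds leave, which is what keeps the two-business-day recovery window from closing. The Go program below is an added example written for this page, not code from the FDIC, any bank or Security Fix; its record layout, account names and thresholds are all constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Transfer is one outbound ACH or wire instruction (constructed layout, not any bank's).
type Transfer struct {
	Account, Beneficiary string  // originating customer account, destination account
	Amount               float64 // USD
	At                   time.Time
}

// Alert is a transfer held for out-of-band confirmation, with the reasons why.
type Alert struct {
	Transfer Transfer
	Reasons  []string
}

// Screen walks incoming (already in time order) against the beneficiaries each account
// has paid before (taken from history). It holds a transfer to a never-seen account, and
// any transfer that pushes the account's outbound total inside window above maxTotal:
// the shape of the report's takeover cases. Screened transfers do not extend the
// baseline; a payee becomes known only after the customer confirms it. Thresholds are assumed.
func Screen(history, incoming []Transfer, window time.Duration, maxTotal float64) []Alert {
	known := map[string]bool{} // key is account + "|" + beneficiary
	for _, h := range history {
		known[h.Account+"|"+h.Beneficiary] = true
	}
	recent := map[string][]Transfer{} // per-account transfers still inside window
	var alerts []Alert
	for _, t := range incoming {
		var reasons []string
		if !known[t.Account+"|"+t.Beneficiary] {
			reasons = append(reasons, "first-seen beneficiary "+t.Beneficiary)
		}
		// In-place filter of the account's recent transfers, summing what stays plus t.
		win, total := recent[t.Account][:0], t.Amount
		for _, r := range recent[t.Account] {
			if t.At.Sub(r.At) <= window {
				win, total = append(win, r), total+r.Amount
			}
		}
		recent[t.Account] = append(win, t)
		if total > maxTotal {
			reasons = append(reasons, fmt.Sprintf("outbound %.2f within window exceeds %.2f", total, maxTotal))
		}
		if len(reasons) > 0 {
			alerts = append(alerts, Alert{t, reasons})
		}
	}
	return alerts
}

// SampleAlerts runs Screen over constructed data: an account that has only ever paid
// its payroll processor, followed by a same-day burst of transfers to new accounts.
func SampleAlerts() []Alert {
	at := func(d, h int) time.Time { return time.Date(2007, 3, d, h, 0, 0, 0, time.UTC) }
	history := []Transfer{{"ACME-OPS", "PAYROLL-1", 12000, at(2, 9)}, {"ACME-OPS", "PAYROLL-1", 12000, at(9, 9)}}
	incoming := []Transfer{
		{"ACME-OPS", "PAYROLL-1", 12000, at(16, 9)}, // routine payroll run: passes
		{"ACME-OPS", "NEW-ACCT-7", 9800, at(16, 11)},
		{"ACME-OPS", "NEW-ACCT-8", 9800, at(16, 12)},
		{"ACME-OPS", "NEW-ACCT-9", 9700, at(16, 13)},
	}
	return Screen(history, incoming, 24*time.Hour, 30000)
}

func main() {
	for _, a := range SampleAlerts() {
		fmt.Printf("HOLD %s -> %s %.2f: %v\n", a.Transfer.Account, a.Transfer.Beneficiary, a.Transfer.Amount, a.Reasons)
	}
}
```

The routine payroll run passes untouched; each of the three transfers to new accounts is held, and from the second one on the window total also trips, so the customer is called before anything settles.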
Another aspect of this report should be closely noted: if the number of SARs related to computer intrusions seems low, remember that banks are required to file SARs only when the amount exceeds $5,000. As such, most of the data included in this FDIC report probably comes as a result of fraud perpetrated against businesses, not consumers.
According to a Gartner study of 4,500 adult consumers for the year ending August 2007, the average loss to consumers from online fraud was around $1,500 per victim, well below the SAR reporting threshold. To better round out the consumer side of things, consider that Gartner's study found that 2.2 percent, or an estimated 3.85 million adults, said they were a victim of "abuse of an existing checking or savings account, where a thief transferred money out of your account." Of this population, about 1.1 million had the fraud occur within the 12 months prior to August 2007.
I've chosen not to post a copy of the FDIC report here because it includes some general but potentially sensitive information related to ongoing law enforcement investigations into several recent and costly cyber fraud incidents. However, I'd argue that absent the case study data, there is absolutely no reason this aggregate data should not be made public on a regular basis. But of course any regular reader of this blog is already familiar with my views on this subject.
Some other data points from the report: Regarding data breaches by businesses, governments and other organizations in general, the FDIC writes:
- The number of consumer records breached doubled compared to prior quarters, which will impact ID theft, account takeovers, and account application fraud in the future. Fewer retailer payment card data breaches during the quarter caused lower losses to financial institutions. Retailers are resisting payment card industry (PCI) data security standards, which could lead to lower compliance, additional breaches, and more counterfeit card losses absorbed by card-issuing institutions.
- The level of identity theft reports by financial institutions was high, but the growth rate has slowed. This trend may change in the future because of a large spike in the number of consumer records compromised and reported in the media during the quarter.
With respect to credit and debit card fraud, as well as ID theft cases, the report notes:
- Credit card fraud and counterfeit card reports increased slightly. Losses from counterfeit cards, which were extremely high during the 1st quarter, subsided during the current quarter.
By Brian Krebs | February 20, 2008; 10:40 AM ET
Fraud, Misc., U.S. Government
Posted by: Peter Roach | February 21, 2008 11:45 AM
We've made this too easy for the bad guys on so many levels. There is plenty of blame to go around, from the financial institutions themselves, to government, law enforcement on down to individual consumers.
I'm at a loss to try to explain why, other than to chock it up to plain old ignorance and/or laziness in taking security seriously. There seems to be a pass the buck mentality happening here instead of each entity truly doing their share to control and reduce the weaknesses in the system.
As consumers, we need to take proactive steps in securing our computers, using caution in every financial transaction and carefully monitoring all financial accounts for fraudulent activity. An ounce of prevention is worth a pound of cure!
Posted by: TJ | February 21, 2008 12:01 PM
Last year an FFIEC guidance for strong authentication on online bank accounts went into effect. Effectively, all banks are supposed to have two-factor authentication for online banking customers. If appropriately implemented, this should have a dramatic effect on the ability of criminals to commit this kind of fraud.
Personally, I've seen only sporadic adoption of this guidance, and many that have seem to be trying to "get around the rules" and comply with a narrow reading of the guidance rather than the spirit of it which is to curtail the impact of online banking attacks on individual user accounts.
I would be interested in knowing whether this guidance is being enforced, especially regarding those banks where incidents occur - whether reported by customers or as required by the banks themselves. Similarly, it would be interesting to see if there is a difference in the fraud at banks who do comply compared to those who do not.
It seems regulations are in place to deal with at least part of this issue, but either the system takes too long to "catch up" with violators, the rules are simply being violated, or perhaps the guidance needs to be strengthened.
Posted by: JB | February 21, 2008 12:28 PM
There is not a sufficient amount of information available to users of Internet protection programs on how to effectively configure a firewall as well as other means of protection. The inability of users to adequately configure their protective programs is due to ignorance of the intricacies of internet communications. This type of information should be readily available on the websites of the protection providers and should not be written in technical gobbledygook.
Posted by: John H Whiting | February 21, 2008 12:54 PM
I received a bogus email which appeared to be from my bank. It was written in such a way that it almost fooled me into giving my bank access information. The bank logo and links looked exactly as if it were from my bank. Since these emails and web sites can be traced, we should have stiff penalties for these crimes, even if they originate outside the country. I do not think enough is being done to stop it.
Posted by: Aran | February 21, 2008 2:05 PM
Regarding the gentleman's comment:
"Since these emails and web sites can be traced, we should have stiff penalties for these crimes, even if they originate outside the country."
This assumes that the owner of the web site is the perpetrator of the crime. More often than not the bad guys use other people's computers as their proxy; rarely are these people silly enough to use their own. As such, prosecuting the "web site" owner would do nothing to discourage the bad guys.
And of course the same goes for email.
Posted by: Robert | February 21, 2008 6:57 PM
Excellent work. Finally there is "publicly available" data from another country than the UK. (UK APACS has been publishing this data for years.)
One question: when looking at the first figure (the bar chart), I really wondered what the story is for 2004? If you are claiming a rapid rise of this type of incident, how are we to understand this when comparing 2007 (536 incidents) to 2004 (503 incidents)?
It reminds me of all the claims about rapidly rising costs of security breaches, while the CSI survey has been showing the exact opposite trend: steadily declining reported losses. Only last year was there a break in this trend, as respondents reported an increase in damages. Still, last year's reported losses still pale in comparison to those reported in 2001.
But because this doesn't fit with the currently dominant narrative of rapidly rising online crime, people try to explain away these figures. Mind you, the narrative might be correct, but I think these anomalies require a better explanation than they are currently getting.
So to sum up: what is the deal with 2004?
Posted by: Michel v E | February 22, 2008 4:49 AM
Is there anything the average consumer can do about this? How and to whom should we express our concern?
I have a hard-to-guess email address for commerce that I don't post anywhere (so I get spam about four times a year). Our computer uses a firewall, and we're smart about not visiting suspect websites. Our banking website uses one of those "identify your picture and password phrase" security features, and we don't save financial information on the desktop. Am I missing anything?
Posted by: Heron | February 22, 2008 12:26 PM
Excellent articles!
I use a Windows computer for online banking at my bank, BB&T. I am rather knowledgeable about computer security and take steps to protect my computer against infection, including the usual combination of a firewall and an anti-virus (updated daily). Also, I use a LUA [1].
My bank has a rather complicated policy about something it calls "wire transfer fraud." Suppose my computer became infected, and a hacker stole my money. Question: Would the bank pick up the tab, or would I have to absorb the loss?
[1] A so-called "Limited User Account" offers considerable hardening against infection, especially "drive-by downloads." Please see
http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html
Thomas L. Jones, PhD, Computer Science
Silver Spring
Posted by: Thomas L. Jones, PhD | February 23, 2008 7:01 PM
A detail left out is that payment card industry (PCI) data security standards are written to place all the burden on the merchant while the banks do nothing meaningful to upgrade the 1960's technology.
Technology exists today where every time you would use your card at a data connected store - your use number would change. The number would be visible on a super thin LCD or E-paper display on the card.
Thus every time you use your card, except on phone or web purchases, the number changes. If one chose to, one could also add biometric info to the card.
The silly system in place today makes simply copying the numbers off a card all that is needed to commit fraud.
Posted by: Karl Schmidt | February 24, 2008 3:53 PM
Brian:
Thanks for this information, and for addressing the question of why you chose not to make the report available. I would have preferred that you had made it available, but at least we understand your reasoning.
SARs are one of the very few good sources of fraud data, and the closed-mouth policy of the regulators is frustrating for those looking to make risk management decisions based on something other than the say-so of Gartner press releases, in-house data, and facts gleaned from off-the-record conversations with colleagues.
Posted by: E | February 24, 2008 4:16 PM
I can tell you that this issue is directly related to user education and training. People want their computers to be as easy to operate as their television, and it isn't. Computers should be looked at like automobiles in today's data-centric environment. If you aren't careful, you can hurt yourself and others.
I have seen bank customers targeted by trojans, whose users were compromised. True two factor authentication with something you have and something you know, like a token, is good but only if your computer or other endpoint is trusted. Even if you have a token, a thief could wait until you enter your "secure" two factor credentials, and THEN steal your money.
There needs to be accountability on the part of the finance industry and software manufacturers. Demand action, because nothing will improve unless consumers demand better protection.
In the absence of trusted networks to conduct transactions, maybe finance companies should distribute "secure" virtual environments on a USB drive. Of course my management told me "no one" would bother with that!
Posted by: Bank Insider | February 24, 2008 8:01 PM
Modern Trojans are detected only by a fraction of the anti-virus programs on the market, and even then, the AV often needs an update before it can detect the threat of the day. By that time, the Trojan is installed and includes a rootkit which makes it impossible to remove, except by a complete reformat.
The bottom line is that you shouldn't use Windows to do online banking. Use Linux, even if you have to dual boot. Linux is immune to the password-grabbing malware that infects Windows.
Posted by: Fred Mora | February 24, 2008 8:48 PM
Wisdom follows, pay attention!
The defence is easy: no online transfers to anywhere in the former Soviet Union (the so-called CIS states). No transfers to companies or persons that have Slavic-sounding names. The vast majority of hackers and virus writers are Russians, that is an undeniable fact. No transfers to Brazil, because most banking data stealing trojans are authored in São Paulo.
If a customer wants to deal with an ex-Soviet or Brazilian partner, kindly inform him/her to turn up in person at the counter to do the transaction and submit an attorney counter-signed waiver that he/she is aware of the risks and takes full responsibility for any losses.
Any pending transfer request to people or a firm with a Hispanic-sounding name should be routed to client support, and the alleged sender should be called and asked to verify if he/she really wanted to do that. If you have the manpower, do the same with communist China-bound transactions, because a lot of trojans are made in the PRC.
This protects the most basic right to have private property, and to be free of theft. Therefore racial discrimination is allowed, because having private property is a more basic right embedded in the Constitution, while racial issues were legislated only between the 1860s and 1960s.
Let's face it, the Russian hackers are as fierce in their war against the USA as the red commies of Stalin and Khrushchev were. They want to ruin you. There is ample proof that Russian hackers are controlled by Putin's Kremlin; US DoD contractor Secure Computing Inc. testified to that in a court of law.
Ideally, the former Soviet Union should be purged and cut off from the net. Online crime would drop by two-thirds that very minute, according to all statistics.
Posted by: Thomas Feher | February 25, 2008 5:27 AM
How can you use a computer for financial or other business purpose when you do not know what programming you are running or what that programming does?
The days of the Cowboy Programmer Rodeo need to come to an end. Computers should not be updated on the fly as they are now.
All programming updates should be sent to the customers packaged (such as with "zip") so that they can be deliberately installed using Setup.exe.
Setup.exe should be the ONLY program allowed to be used to update the programming on a computer.
All received packages of software updates should include digital signatures such as produced by PGP, and these signatures should be verified automatically by setup.exe before any updating can begin.
Customers need to learn to PARTICIPATE in security. This means physically visiting an agent for a Certificate Authority to present credentials and receive keys for Certificate Authorities, which need to be required for setup.exe.
perhaps setup.exe should only run with the computer system offline ( network disconnected or local log on )
But the Cowboy Programming Rodeo needs to come to an abrupt end
Posted by: Mike Acker | February 25, 2008 9:22 AM
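As an added illustration of the signed-update gate Mike Acker proposes (example code written for this page, not his or any vendor's), the Go program below uses Ed25519 from Go's standard library in place of the PGP signatures he mentions: the installer refuses to apply a package unless the detached signature verifies under the pinned vendor key, so a package altered in transit, or signed with any key other than the pinned one, never reaches the apply step. The archive bytes and key handling are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is what the installer receives: the packaged archive and a detached
// signature over it. The layout is constructed for this example, not any vendor's.
type UpdatePackage struct {
	Archive   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify under the pinned vendor key")

// SignUpdate is the vendor-side step: sign the archive with the vendor's private key,
// which in practice never leaves an offline signing machine. Ed25519 hashes the
// message internally, so the whole archive is signed, not a separately computed digest.
func SignUpdate(priv ed25519.PrivateKey, archive []byte) UpdatePackage {
	return UpdatePackage{Archive: archive, Signature: ed25519.Sign(priv, archive)}
}

// InstallGate is the setup-side step: nothing is applied unless the detached signature
// verifies under the pinned public key. Verification runs over the bytes actually
// received, so an archive altered in transit fails even though it still carries a
// genuine signature for the original archive.
func InstallGate(pinned ed25519.PublicKey, pkg UpdatePackage, apply func([]byte) error) error {
	if !ed25519.Verify(pinned, pkg.Archive, pkg.Signature) {
		return ErrBadSignature
	}
	return apply(pkg.Archive)
}

// Demo generates a vendor key pair, signs a constructed archive, and runs the gate on the
// genuine package, a tampered copy, and the genuine package checked against a key that is
// not the pinned one. It reports whether each case was handled as intended.
func Demo() (genuineAccepted, tamperedRejected, wrongKeyRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	archive := []byte("PK\x03\x04 constructed stand-in for update-1.2.zip")
	pkg := SignUpdate(priv, archive)

	applied := false // records whether apply ran, i.e. whether the gate let the package through
	apply := func(b []byte) error { applied = bytes.Equal(b, archive); return nil }
	genuineAccepted = InstallGate(pub, pkg, apply) == nil && applied

	tampered := pkg // same signature, one byte of the archive flipped
	tampered.Archive = append([]byte{}, pkg.Archive...)
	tampered.Archive[0] ^= 0xff
	applied = false
	tamperedRejected = errors.Is(InstallGate(pub, tampered, apply), ErrBadSignature) && !applied

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // not the pinned vendor key
	applied = false
	wrongKeyRejected = errors.Is(InstallGate(otherPub, pkg, apply), ErrBadSignature) && !applied
	return
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, wrong key rejected: %v\n", g, t, w)
}
```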
The report does not seem to square with what I consistently hear from banking industry insiders at security conferences. The number of incidents seems to be way too low.
This leads me to draw one of three conclusions:
a) Most of the online attacks are for less than $5,000.
b) There is under reporting occurring.
c) The fraud type classification misrepresents the actual fraud source (e.g., keystroke logger used to steal credit card info and that is reported as credit card fraud instead of computer fraud.)
Someone from a major bank want to anonymously clear this up? PLEASE!
Posted by: JK | February 26, 2008 10:36 AM
@JK- Obviously, I don't know for sure, but I'd say it's likely that all three of your explanations could be true, not just one.
Posted by: Bk | February 26, 2008 12:06 PM
When the financial industry starts to focus on user security and not user authentication, solutions will begin to emerge, and they will probably not involve browser technology as we know it. It's clear that browsers were never designed for secure online banking and all the 2-factor authentication in the world won't change that.
Here's a very simple analogy that demonstrates how authentication is not security. Our country's physical borders have legal points of entry that require authentication. If you have the right credentials, they let you in. However, if you want to enter illegally, all you need to do is go down the road about 50 miles and walk across an un-secured point. Now, would anyone argue that improving the security of border crossing points in Texas would stop people from illegally entering the country elsewhere in that state? Surely not. Web browsers are similar to the southern border of the US in that they can support authentication but do not provide border security. The criminals understand this concept and leverage the openness of browser design in their well-crafted malware (that by the latest numbers posted by federal scientists, evades more than 60% of AV software).
Today's malware writers have pushed our weak model to its limits and we should thank them for showing us the blunder we all made in assuming we had a free ride with the browser. Banks should look for a better model and leave browsers to serving us up news and entertainment. They're great for that because nobody gets hurt!
Posted by: DB | February 26, 2008 12:14 PM
While the efforts are new and not yet fully integrated, suppliers are beginning to address the issue of protecting the customer from himself. An example of this is this type of offer from Panda Security: "Panda Security for Internet Transactions - http://www.pandasecurity.com/usa/about/corporate-news/new-42.htm". These systems must get better and integrate more tightly into the back-end systems for credential deactivation, but it is a start.
For example, this particular solution does not do anything notable for phishing or man-in-the-middle scenarios.
Posted by: GS | February 26, 2008 2:38 PM
This is an EXTREMELY important report for accountants and auditors. I have always advocated DAILY bank reconcilations of online accounts