The spread of financial services offered on the Web has led to an increasing number of hacking incidents, which put customer accounts, data and money at risk.
The latest problem was reported on Nov. 5 when the hacking group Anonymous claimed to have stolen the passwords to 28,000 PayPal accounts. The group said its actions were its way to celebrate Guy Fawkes Day. PayPal denied the incident had occurred. Maybe it didn’t, but companies are often slow to report hacking incidents.
Two weeks before that, the bookseller Barnes & Noble reported that credit card info was stolen from 63 stores around the country. The stolen info was used to make illicit purchases, the company said.
Before the Barnes & Noble attack, there was … oh, never mind, the list goes on and on.
Gary Raphael, senior vice president and national director, Risk Consulting Group for ACE Private Risk Services, says, “Hackers are growing ever more sophisticated in compromising the networks and data files of institutions.”
In general, Raphael says, “When dealing with public and private institutions that ask for sensitive information, always ask if providing such information is necessary, if there is a less sensitive alternative, and how they plan to use and protect the information.”
Raphael says, “Examples of such institutions are medical services providers, schools, and charities. In one recent case, it was found that certain charitable organizations were providing the Social Security numbers of donors in the organizations’ tax filings, which were open to the public.”
This is potentially dangerous, he says, because “Criminals could potentially use such information along with other information they may have acquired to gain access to financial accounts of those individuals.”
More of his security recommendations can be found as you read AdvisorOne’s 8 Massive Hack Attacks Aimed at Financial Data slideshow.
(Check out more Risk Management stories at AdvisorOne.)
1) 1994: Citibank, $10 million
By modern standards, the Russian hackers who gained access to Citibank’s computer system in New York thought on a small scale. They moved $10 million by wiring it to accounts around the world. Alas, the software engineer, Vladimir Levin, who worked from his apartment in St. Petersburg, Russia, and his six accomplices were arrested. All but $400,000 was recovered, and Levin was sentenced to three years in U.S. federal prison on charges of conspiracy to commit wire, bank and computer fraud.
Raphael’s advice: “Transact business online only through a secure communication environment. Do not send instructions or sensitive information via regular email to your institution or advisor. Regular email can be hacked relatively easily.
“In addition, fraudsters are growing more adept at gleaning personal information from social media sites and other sources to send fictitious but very believable email messages to financial advisors. The emails could include instructions to transfer funds to fraudulent accounts set up in your name. If you have established a pattern of sending instructions via email, the financial advisor will be more likely to fall for a fraudulent email.”
2) 2005: CardSystems Solutions
This case brought the security of credit card data to the public’s attention as never before. In June 2005, it was reported that data relating to 40 million credit-card accounts had been stolen. CardSystems had processed the data for major credit companies, including Visa, MasterCard and American Express. It turned out the data had been held in an unencrypted form, which violated CardSystems’ contract with the companies.
The fallout was swift. Within days, the company lost its accounts and by October it was sold. The FTC found that millions in fraudulent purchases were made by the thieves. A settlement required Pay By Touch, the company’s new owner, to be audited for 20 years to ensure security standards were met. There is no evidence of any arrests in the case.