The spread of financial services offered on the Web has led to an increasing number of hacking incidents, which put customer accounts, data and money at risk.
The latest problem was reported on Nov. 5 when the hacking group Anonymous claimed to have stolen the passwords to 28,000 PayPal accounts. The group said its actions were its way to celebrate Guy Fawkes Day. PayPal denied the incident had occurred. Maybe it didn’t, but companies are often slow to report hacking incidents.
Two weeks before that, the bookseller Barnes & Noble reported that credit card info was stolen from 63 stores around the country. The stolen info was used to make illicit purchases, the company said.
Before the Barnes & Noble attack, there was … oh, never mind, the list goes on and on.
Gary Raphael, senior vice president and national director, Risk Consulting Group for ACE Private Risk Services, says, “Hackers are growing ever more sophisticated in compromising the networks and data files of institutions.”
In general, Raphael says, “When dealing with public and private institutions that ask for sensitive information, always ask if providing such information is necessary, if there is a less sensitive alternative, and how they plan to use and protect the information.”
Raphael says, “Examples of such institutions are medical services providers, schools, and charities. In one recent case, it was found that certain charitable organizations were providing the Social Security numbers of donors in the organizations’ tax filings, which were open to the public.”
This is potentially dangerous he says, because “Criminals could potentially use such information along with other information they may have acquired to gain access to financial accounts of those individuals.”
More of his security recommendations can be found as you read AdvisorOne’s 8 Massive Hack Attacks Aimed at Financial Data slideshow.
1) 1994: Citibank, $10 million
By modern standards, the Russian hackers who gained access to Citibank’s computer system in New York thought on a small scale. They moved $10 million by wiring it to accounts around the world. Alas, the software engineer, Vladimir Levin, who worked from his apartment in St. Petersburg, Russia, and his six accomplices were arrested. All but $400,000 was recovered and Levin was sentenced to three years in U.S. federal prison on charges of conspiracy to commit wire, bank and computer fraud.
Raphael’s advice: “Transact business online only through a secure communication environment. Do not send instructions or sensitive information via regular email to your institution or advisor. Regular email can be hacked relatively easily.
“In addition, fraudsters are growing more adept at gleaning personal information from social media sites and other sources to send fictitious but very believable email messages to financial advisors. The emails could include instructions to transfer funds to fraudulent accounts set up in your name. If you have established a pattern of sending instructions via email, the financial advisor will be more likely to fall for a fraudulent email.”
2) 2005: CardSystems Solutions
This case brought the security of credit card data to the public’s attention as never before. In June 2005, it was reported that data relating to 40 million credit-card accounts had been stolen. CardSystems had processed the data for major credit companies, including Visa, MasterCard and American Express. It turned out the data had been held in an unencrypted form, which violated CardSystems’ contract with the companies.
The fallout was swift. Within days, the company lost its accounts and by October it was sold. The FTC found that millions in fraudulent purchases were made by the thieves. A settlement required Pay By Touch, the company’s new owner, to be audited for 20 years to ensure security standards were met. There is no evidence of any arrests in the case.
Raphael’s advice: “Use different passwords and different challenge questions with different institutions. Most institutions also include challenge questions as part of the login process. The variation will help limit your vulnerability if one of your institutions is successfully hacked.”
3) 2006: Heartland Payment Systems & Others
The CardSystems hack might have been the biggest of its time, but it paled in comparison to the information stolen from about 130 million credit and debit cards by the so-called TJX Hacker.
The hacker was identified as Alberto Gonzalez, a Miami man who was 28 when he was indicted in 2009. Gonzalez and his accomplices stole information from Heartland, TJX Office Systems, 7-Eleven and other businesses. He received 20 years in prison. Despite expressing remorse when he was convicted, he later sought to withdraw his guilty plea claiming that in his role as Secret Service informant the government had directed him to commit the crimes.
4) 2011: Sony PlayStation
Playing videogames at home might seem a fun, and safe, way to pass some time. Seventy million PlayStation owners found out it wasn’t quite as safe as they thought when hackers breached the system and stole personal data, including credit-card data. As if that wasn’t bad enough, Sony discovered that 25 million customers who had played games at Sony Online Entertainment also had their information stolen. Police in Spain arrested three suspects in the case in September 2011.
Raphael’s advice: “Choose strong passwords, such as those with 120+ bit strength, when setting up online account access. These tend to be passwords with 20 characters or more, using upper and lower case letters, numerals and special characters. Avoid using birthdays, family names, or other information easily associated with you. One trick is to think of an easy to remember sentence and then use the first letters of each word, with a few numerals and special characters thrown in.”
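The “120+ bit strength” figure in the advice above can be checked with a character-class entropy estimate. The following is an added example, not part of the original article: it computes the upper-bound entropy of a password from the classes it uses and the minimum length each class mix needs to reach a target; the sample passwords are constructed for illustration.

```python
import math
import string

# Character classes as the quoted advice describes them: upper and lower
# case letters, numerals and special (printable punctuation) characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "special": set(string.punctuation),      # 32
}


def pool_size(password: str) -> int:
    """Size of the character pool implied by the classes actually used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits, assuming every character was drawn
    uniformly at random from the pool of classes present. A password
    derived from a memorable sentence is not uniform, so its real
    strength is below this bound."""
    pool = pool_size(password)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def min_length_for(target_bits: float, pool: int) -> int:
    """Smallest length whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool))


def meets_advice(password: str, target_bits: float = 120.0) -> bool:
    """True if the entropy bound reaches the advice's 120-bit target."""
    return entropy_bits(password) >= target_bits


if __name__ == "__main__":
    # Constructed samples: a 20-character four-class password, and a
    # sentence-acronym password ("My dog Rex ate 3 socks on Tuesday!").
    for pw in ("Tq7!mZ2#vL9$pR4%wX8&", "MdRa3soT!"):
        print(f"{pw!r}: pool={pool_size(pw)} bits={entropy_bits(pw):.1f} "
              f"meets_120={meets_advice(pw)}")
    for name, pool in (("all four classes", 94), ("letters only", 52),
                       ("digits only", 10)):
        print(f"{name}: need {min_length_for(120, pool)} chars for 120 bits")
```

With all four classes, 19 characters already exceed 120 bits, whereas a nine-character sentence acronym stays below 60 bits even though it mixes every class.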
5) 2011: Hong Kong Stock Market
As if investors don’t have enough to worry about, hackers forced the Hong Kong Stock Exchange to suspend trading in seven companies when they hacked the news section of the exchange’s website, which publishes corporate filings. The companies included HSBC, Cathay Pacific Airways and the Hong Kong Exchanges & Clearing, which runs the bourse. Each had just released price-sensitive information earlier in the day. No arrests have been reported.
6) 2011: Nasdaq
Trading might not have been halted, but news that hackers had been finding their way through various parts of the Nasdaq’s computer system was unsettling, to say the least. The Wall Street Journal reported that breaches had occurred repeatedly over a year’s time, although the Nasdaq’s trading platform was unscathed. At first, the exchange said the hackers were apparently just looking around. Then it said malware had been planted in one area that was probably intended to infect visitors’ computers. Later reports that the attack was more wide-ranging led the federal National Security Agency to open an investigation. No results have been reported.
7) 2012: Bank of America, PNC, JPMorgan Chase, Wells Fargo, U.S. Bank
Over several days in September, a massive (the largest ever, according to CNN.com) denial of service attack made online banking virtually impossible for customers of five large financial institutions. The attacks, which don’t involve hacking into secure areas of computer systems, resulted in embarrassment for the banks and inconvenience for customers.
Raphael’s advice: “If a financial institution has been hacked, the institution will likely recommend steps its clients can take to protect themselves. These steps could include changing user names, passwords, and challenge questions–even closing and reopening accounts. If a client has used the same user name, passwords and challenge questions with other institutions, he or she should consider changing them, too. The clients could further protect themselves by more frequently running credit reports, placing a fraud alert on their credit record, closely monitoring fund transfers and account balances, and engaging an identity theft prevention/restoration service, such as ID Resolution LLC.”
8) 2012: Bank of America, JPMorgan Chase and Citigroup
It’s probably not a huge surprise that foreign governments that want to inflict damage on the U.S. might attack federal websites and those of major companies. That’s apparently what happened in October when it was reported that the three big banks had been hacked by Iran, or by hackers working on behalf of the country. Iran denied the allegations and there is no word if any damage was caused or secrets stolen.