Key Loggers, Phishers Sock Consumers For $2.4 Billion

And the scams designed to purloin funds are increasingly coming from online channels such as spyware and phishing attacks, the research firm said.

Using data from an April, 2004, survey of 5,000 U.S. adults who use the Internet and e-mail, Gartner estimated that nearly 2 million Americans fell victim to checking account fraud in the last 12 months. The cost to banks and consumers: a staggering $2.4 billion in direct losses, or an average of $1,200 per victim.

"In most cases that are not inside jobs, thieves likely stole account numbers and passwords to get into accounts online or through telephone banking services," said Avivah Litan, a vice president and research director at Gartner.

Such techniques, which don't require face to face transactions, are booming. And banks are behind the curve. "In contrast to the credit card industry's fraud detection systems, methods for detecting fraudulent checking account access seem years behind," said Litan.

Unauthorized access to checking accounts, in which someone transfers money out of a customer's account illegally, grew the fastest in the past year, said Litan, with almost half (44 percent) of all reported incidents taking place in the last 12 months. Fraudulent credit card purchases, however, still account for the largest number of victims.

The top two methods scammers are using to lift bank account numbers are key loggers planted by spyware -- software typically loaded onto a computer without the consumer's knowledge -- and phishing attacks, e-mail messages that try to trick users into divulging financial information.

"What we're hearing from out clients is that key loggers are now just as prevalent as phishing attacks," said Litan.

Both spyware and phishing attacks are on a dramatic upswing. According to the Anti-Phishing Working Group, phishing attacks jumped 200 percent during April alone. Spyware is just as prevalent; anti-spyware vendor Webroot previously detected an average of 28 pieces of the software on each PC, and recently noted that one in three of the 1.5 million PCs it surveyed contained some sort of key logger.

Key loggers are tools designed to trap all keystrokes, including passwords, user names, and account numbers that consumers type in, then transmit the data to hacker servers.

"The problem with key loggers is that they're invisible," said Litan. "Phishing attacks are getting a lot of attention, but that's because the CEO probably got a phishing e-mail. But the CEO has no clue he may have a key logger on his machine. As soon as he or she figures that out, they'll start looking at spyware."

Although Latin estimates that spyware-related key loggers are "as big, if not a bigger, problem than phishing," banks and other financial organizations are doing little at the moment to combat the fraud.

"They're not doing a thing," she said. "But in all fairness, they don't own the desktop, so they're not the most logical distribution point for anti-key logger, anti-phishing defenses.

"I think it's more a Microsoft issue than anything," she added. "Who owns the desktop? Microsoft."

Litan called on banks to bolster their defenses against checking account fraud, and online fraud specifically.

"It will take time for financial services to develop sophisticated tools, but banks must implement stronger access controls to online and telephone banking systems," she said. Among the short-term solutions, she cited something called "shared-secret authentication," a tactic that acts as an additional level of security beyond the typical online username and password, both of which can be hijacked by key loggers or easily divulged by users fooled by phishing e-mails.

Shared-secret authentication can range from the simple -- the bank asking a rotating set of questions, such as "What's your pet's name?" and the customer responding -- to the more complex, such as USB-based tokens that must be plugged into the PC. Another technique is for the consumer to choose a photograph or upload one of his own; the image is stored in the bank's database as part of the customer profile, and during the log-on process, displayed. It must be verified by the user before access to the account is given. PassMark's system, said Litan, is a great example of such a shared-secret.

"A phishing attack can't trap these shared-secret authentications if they're done right, nor can key loggers," Litan said.

Long-term, more robust strategies must be implemented by banks and other financial service companies, including trusted third-party authentication and Caller ID-style e-mail authentication, such as the schemes in development at Microsoft and Yahoo.

"A challenge-response system [such as shared-secret] is a much better defense than passwords alone, and a good short-term solution," said Litan. "But in the longer term, banks need effective back-end tools to detect and stop checkingaccounts being hijacked."

For more on phishing, see CRN.

Copyright © 2004 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.