Chapter 10
Is That You Making A Withdrawal?

The Bank of America lost at least $10 million to criminals. About 95 members of the loosely affiliated criminal gang behind the alleged fraud, including a bank employee, had stolen names, addresses, social security numbers, phone numbers, bank account numbers, driver’s license numbers, birth dates, email addresses, mother’s maiden names, PINs and account balances. It appears that this information was then used for identity theft. According to one victim, quoted in an LA Times story, the scammers ordered boxes of checks and had them delivered to a UPS outlet where they would then pick them up. They also allegedly contacted the victim’s telephone company and—to prevent Bank of America from warning the victim—re-routed calls to the scammers’ mobile phone.176

Online Banking

Online banking is incredibly easy and convenient. But it does come with certain risks. Just as you hear of people being robbed at ATMs or having their cards cloned, online banking is also vulnerable. Banking websites are likely hit by hacking attacks every single day. While that may be unsettling to hear, if hackers do steal money from your account, you will be protected since banks are liable for any stolen funds. Banks are not liable, however, for the personal information that a hacker might obtain, like your social security number, address, birth date and PIN.

The main issue people have with online banking is that of trust. They wonder if their transaction went through successfully or not. While the collection, storage and sharing of customer information is an important part of delivering banking products and services to consumers, the questions remain: How secure is online banking and the networks they use? How trustworthy are the people who handle the transactions? How easily can thieves hack into their systems? When you opened your online banking account, you received a privacy statement that read something like this one:

We understand that you expect us to maintain proper safeguards to protect confidential information you provide to us. The privacy of your information is protected not only by state and federal laws, but by our commitment to the protection of your financial information. We have established policies and procedures to help prevent misuse of that information. This statement has been prepared to explain to you what types of information we collect, how we use that information, and the circumstances under which we may share all or part of that information. Under no circumstances do we provide deposit or loan account personal information to third parties for the purpose of independent telemarketing or direct mail marketing of any non-financial products or services of those companies. We disclose information permitted or required by a variety of federal and state laws, as required to consummate your transaction, and as directed by you. Our strict policies to protect your information apply equally to current (active) accounts as well as inactive (closed) accounts, both loans and deposits.177

And here is the important part: “For complete details of how we use your information, refer to our bank’s PRIVACY POLICY”. Just like other sites where we do business, how many of us actually take the time to read the documents that tell us who the bank shares information with—and how much they share?

What Data Do Banks Share?

In most aspects of our lives, companies and marketers can freely collect details about us and sell them to whomever they like without restriction. Yet financial institutions, along with medical providers, are subject to U.S. laws limiting how they share our information. The U.S. Congress set limitations on financial institutions in the 1999 Gramm-Leach-Bliley Act.178 A decade later, federal agencies mandated that banks explain how they use a client’s personal data in a standardized privacy policy. Such rules make it easier to compare these practices than in many industries.

Lorrie Faith Cranor at Carnegie Mellon University thought it would be interesting to see if banks actually follow the law and see how they compare with each other. With help from her students, she analyzed 3,422 financial institutions. She found that practices vary widely, with many freely sharing some of our data, and 27 banks appearing to violate regulations on sharing information altogether.

Some banks use your data to market to you directly or through affiliates. Some, including major players such as Bank of America, Citi, Capital One, Chase, Discover Bank and HSBC, allow non-affiliated outside companies to market to you. These banks allow customers to opt out of such marketing—but you have to know it takes place and then go through all the trouble of figuring out how to opt out.179

As financial institutions seek to replace revenue that was cut under the Durbin Amendment180—part of the financial overhaul that limits the fees banks can charge retailers—they are exploring new business avenues including selling your data. New technologies are making these marketing channels increasingly plausible.181

Banks Face Risks Too

Most bank account thefts begin with a single malware developer who sells malicious software on an underground black market to hackers. Criminal hackers can buy tools to steal users’ bank account credentials, services to bring down websites, or viruses to infect computers. Once unsuspecting victims’ credentials or bank account information has been collected, hackers may resell that data to someone who repackages it in a useful way and redistributes it on the black market.182

Banks and financial institutions are facing an increased need to ensure their transactions are secure. Banks are most vulnerable to four common types of attacks that hackers use to steal information from them and other online merchants. These include:

  • Phishing. This involves clicking on a fake Internet link to a page that looks like it was set up by your bank. The fake link could look almost identical to the bank’s real homepage because the scammer has copied files from the real site. When searching for your bank on the Internet, you could get the fake site along with the real site and unknowingly click on the fake site. When you attempt to log in to your account, the site asks for information that the real site never would. It may ask not only for your name but also your account number, password, ATM PIN number or last digits of your debit card. Once you enter any of this sensitive data, the details are sent to the scammers. With your login details in hand—user name, password and personal identification number—they would be able to access your account and steal your money.
  • Identity theft. Even if hackers don’t steal from your account, they can capture your personal information, such as your social security number and other identifying data, and steal your identity. That data could be used to create new accounts in your name or to hack into your other accounts.
  • Keylogging. If you access your online banking site on public networks such as Internet cafes or public Wi-Fi, there is a chance that you could fall prey to keylogging. Hackers load software onto public networks to record your keystrokes and get your account details.
  • Pharming. This might be a little more difficult for hackers to carry out, but it does happen. Pharming occurs when hackers are able to hijack a bank’s URL so that when you try to access your bank’s website, you get redirected to a bogus site that looks like the real thing. Once you access the bogus website, they have free rein to capture your account number, login ID, password and personal information.

A 2012 report revealed that close to 29% of all Internet users worldwide, and 45% of Internet users in North America, have accessed online banking sites. This represents roughly 423.5 million people.

As use of online banking expands, it has become an increasingly attractive target for hackers. In 2011, Citigroup revealed that more than 360,000 accounts were compromised in a hacking attack that left 3,400 accounts suffering losses of up to $2.7 million. Reuters reported that Iranian hackers had been targeting Citigroup, Bank of America and JPMorgan Chase with “denial of service” campaigns, making it difficult for customers to access their accounts.183

Denial-of-service attacks can be very disruptive because if a bank’s website is repeatedly shut down, the attacks can hurt its reputation, affect customer retention and cause revenue losses when customers cannot open accounts or conduct other business.

Barclays PLC and the U.K. banking regulator have launched investigations into allegations that information about thousands of the bank’s customers was stolen and sold to brokers. In the past, the U.K. regulator has fined banks for losing control of customer data. In 2010, a U.K. insurance unit of Zurich Financial Services was fined £2.27 million ($3.7 million) for losing the details of 46,000 customers. HSBC Holdings was fined around £3.2 million over a similar issue in 2009, when staff lost a compact disk containing thousands of customer records.184

Hacker attacks raise concerns about the safety and security of our online banking transactions. It is equally important for bank clients to secure their equipment themselves. Hackers, like all other predators, will attack the weakest link. Should you pay your bills online? Should you check your balance from your bank’s website? Should you transfer funds online? Yes, but use the same caution as you do with any other Internet site. Do not click links on emails or download anything from people you do not know or even from people you do know if the subject line looks dubious.

What Can You Do?

First, confirm your online bank’s legitimacy. The Federal Deposit Insurance Corp. has a tool that lets you search for banks whose deposits it insures. It is very easy to do this: go to the FDIC website, www.fdic.gov185, and look on the home page for an option that says “Bank Find.” Clicking on the link will take you to a page where you can type in your bank’s name and find out if it is FDIC insured. Also available at this site are the bank’s locations and history.

Be alert to the possibility of copycat websites. Be sure you do not fall prey to sites that use a name that is very similar to that of your online bank—for example, BankofAnerica.com or Citigrop.com. Misspellings in emails supposedly from your bank are a dead giveaway that the email isn’t legitimate. When you receive an email purporting to be from your bank, don’t click any links in the email. Instead, type in the URL of your bank in the address field of your browser and then log in when the site comes up. If your bank is really trying to contact you, you’ll likely find a message when you access your account. You can also call the number on the back of your credit card or on your latest bank statement.
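The misspelled names above differ from the real ones by a single character, which is something software can measure. The following is an added example, not from the original chapter: it compares the domain in a link against a short list of domains you actually bank with and flags near-misses. The allowlist, the distance threshold and the "last two labels" shortcut for finding the domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the reader's own allowlist of banking domains they really use.
KNOWN_DOMAINS = ["bankofamerica.com", "citigroup.com"]


def edit_distance(a: str, b: str) -> int:
    """Count single-character inserts, deletes, substitutions and adjacent swaps."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two neighbouring letters typed in the wrong order count as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Return the last two labels of the hostname.

    Simplification: a full check would consult the public suffix list so that
    names under suffixes such as .co.uk are handled correctly.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def classify(url: str, max_distance: int = 2):
    """Return ("genuine" | "lookalike" | "unknown", matched known domain or None)."""
    domain = registrable_domain(url)
    if domain in KNOWN_DOMAINS:
        return ("genuine", domain)
    closest = min(KNOWN_DOMAINS, key=lambda known: edit_distance(domain, known))
    if edit_distance(domain, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links; the two misspellings are the chapter's own examples.
    for link in ["https://www.bankofamerica.com/login", "http://BankofAnerica.com",
                 "Citigrop.com", "https://www.fdic.gov"]:
        print(link, "->", classify(link))
```

A "lookalike" result is the warning sign: the name is close to, but not the same as, a bank you use. An "unknown" result only means the domain is not on your list.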

Learn more about your bank’s security system. You should know how your bank encrypts your private information. When you are accessing the website, you should find a small lock or key icon to tell you that the site and your transactions are secure. You should be required to use PINs and passwords when you access your account online.

Finally, do not send personal information over email. Under no circumstances would your bank ask for personal data via email.

The most important way of protecting your Internet banking transactions is by using a user ID and password that you select. Be sure to keep them a secret. Try to memorize them and, if you need to maintain a written record of the codes, store them away from your computer in a secure place, not in your wallet, purse or smartphone.

If your computer is left unattended and the browser is running with your user ID and password entered, anyone can gain access to your accounts. Lock your computer when you need to leave it. Change your password often; make it difficult to figure out. Do not use simple words or numbers in sequence. It is recommended that you use upper case and lower case letters along with numbers and symbols that are unique to you. Stay away from the obvious words and numbers like a family member’s birthday or name.

Protect your computer. Hacking attacks are not always directed at banks. Because many such attacks are directed at customers, you should have the latest virus and malware scanning software installed on your computer. You should also ensure that all the software you use on your computer has the latest security updates.

You should never get lazy when it comes to online banking. Some banking websites have an option that offers to “remember me on this computer.” Choosing this option would allow you to bypass some security questions if the bank’s system recognizes your IP address. The problem is that hackers can spoof your IP address and make your bank think that the hacker’s computer is really yours. Enabling this feature will save you from answering additional security questions every time you log on, but it is much riskier. Keep your security measures strong so you won’t be the next hacking victim.

Here are some additional tips as provided by Naked Security, an award-winning newsroom with news, opinion, advice and research on computer security issues and the latest Internet threats:186

  1. Choose an account with two-factor authentication, which is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. Try to get a bank account that offers some form of two-factor authentication for online banking. These days many, but not all, banks offer a small device that can be used to generate a unique code each time you log in. This code is only valid for a very short period of time and is required in addition to your login credentials to gain access to your online account.
  2. When setting up online banking, if your bank asks you to provide answers to some standard security questions, remember that the answer you give doesn’t have to be the real one. So you don’t have to answer “Thumper” to the name of your first pet—make it something else, as if it was a password. Use a password manager if you are concerned about how to remember everything!
  3. Secure your computer and keep it up-to-date. Security software is essential these days, regardless of how you use your computer. At a minimum, make sure you have a firewall turned on and are running antivirus software. You’ll also want to keep your operating system and other software up to date to ensure that there are no security holes present.
  4. Be wary of unsolicited phone calls that purport to be from your bank. While your financial institution may require you to answer a security question, they should never ask for passwords or PINs. They may ask for certain letters or numbers from them, but never the whole thing. If in doubt, do not be afraid to hang up and then call your bank back via a telephone number that you have independently confirmed as being valid.
  5. It is always best practice to connect to your bank using computers and networks you know and trust. But if you need to access your bank online from remote locations, you might want to set up a VPN (Virtual Private Network) so that you can establish an encrypted connection to your home or work network and access your bank from there. Look for a small padlock icon somewhere on your browser and check the address bar; the URL of the site you are on should begin with “https.” Both act as confirmation that you are accessing your account over an encrypted connection.
  6. It is also good practice to always log out of your online banking session when you have finished your business. This will lessen the chances of falling prey to session hijacking and cross-site scripting exploits. You may also want to take the extra precaution of setting up private browsing on your computer or smartphone and setting your browser to clear its cache at the end of each session.
  7. Set up account notifications, if available. Some banks offer a facility for customers to set up text or email notifications to alert them to certain activities on their account. For example, if a withdrawal matches or exceeds a specified amount or the account balance dips below a certain point, then a message will be sent. Such alerts could give quick notice of suspicious activity in your account.
  8. Monitor your accounts regularly. It should go without saying that monitoring your bank statement each month is good practice, but why wait a whole month to discover a discrepancy? With online banking, you have access 24/7, so take advantage of that and check your account on a regular basis. Look at every transaction since you last logged in and, if you spot any anomalies, contact your bank immediately.
  9. If you are used to going to your bank via a regular address and the address of the site you land at is not the same name, you can be confident that you are not at the real site. Always double check to make sure that the site address is accurate.

Check Scams

Fake check scams are clever ploys designed to steal your money. You can avoid becoming a victim by recognizing how the scam works and understanding your responsibility for the checks that you deposit in your account.

Beware if someone you don’t know wants to pay you by check but wants you to wire some of the money back. It’s a scam that could cost you thousands of dollars.

There has been an alarming increase in check scams, with new variations cropping up to trick even discerning consumers. It could start with someone offering to buy something you advertised, such as a car, boat or even pedigree dogs. They may offer to pay you to do work at home or negotiate with you on an apartment rental. Or you may have received a check claiming it’s part of lottery money that has been deposited in a bank in your name. The possible scenarios are endless.

The key ingredient is that someone offers to send you a check, cashier’s check or money order that is in excess of the amount you require. There is always an overpayment. Then they ask you to wire transfer some or all of the money out of your account or use a money transfer service such as Western Union®.

Check fraud was the last thing on William Barker’s mind when he reviewed his bank account balance to make sure his monthly retirement check had been deposited. It had arrived safely, but he noticed something else: A check for $4,500 had been cashed. It bore his wife’s signature and a note that read “1984 motor home.” There was just one problem: William and his wife didn’t buy a 1984 motor home. When the doors of his bank opened that morning, Barker was there to dispute the transaction and begin the tedious process of recovering his money. Barker’s bank ultimately restored the funds to his account, but he and his wife are still on guard for suspicious activity on all their accounts.187

What Can You Do?

Here are some things you can do to keep your checks safe from thieves and keep your personal information between you and your bank:

  1. Review your checking accounts regularly for suspicious activity and reconcile your bank statement every month.
  2. Keep your checks in a secure location. Don’t leave them in a car, at work or out in the open at home.
  3. Drop bills paid with checks at the post office instead of in your mailbox.
  4. Avoid having new checks sent by mail; pick them up at the bank.
  5. Do not include personal data on your check. That includes your social security number, driver’s license number, phone number and address.
  6. Do not write your PIN number on your debit or ATM card or anywhere in your wallet or checkbook for a thief to find.
  7. Shred old checks and bank statements before you throw them away.
  8. Do not provide your bank information over the telephone.

If you find a check has been fraudulently written on your account, be sure you do all four of these steps:

  1. File a police report. You may need this for insurance purposes or to prove there was a theft.
  2. Speak to the bank to dispute the check and close your account. You can open a new account and close your original account, which will prevent any additional transactions.
  3. Place a 90-day alert on all three credit agencies, Equifax, TransUnion and Experian.
  4. Go to the consumer assistance website ChexSystems to see if anyone has tried to open a new bank account with your personal information.188

If you have a complaint or problem involving a check written on, or deposited in an account at a national bank, and you cannot resolve the problem with the bank itself, contact the Office of the Comptroller of the Currency’s Customer Assistance Group by calling (800) 613-6743 or by sending an e-mail to: [email protected].

For mail-based scams, contact the U.S. Postal Inspection Service: by telephone at 1-888-877-7644; by mail at U.S. Postal Inspection Service, Office of Inspector General, Operations Support Group, 222 S. Riverside Plaza, Suite 1250, Chicago, IL 60606-6100; or via e-mail at https://postalinspectors.uspis.gov/forms/MailFraudComplaint.aspx.
