In the past year, several federal agencies and industry associations representing banks and electronic payments firms have issued warnings and held seminars about the growing threat of corporate account takeovers, but state and federal agencies are so overburdened that they have to triage cases, focusing only on cyber attacks that involve huge losses, are linked to organized crime, or are national security threats.
Experts say skilled cyber criminals have been using a powerful combination of social engineering techniques and computer malware to break into accounts of small to midsized American religious organizations, charities, municipalities and school districts nationwide.
The victims tend to lack the sophisticated security systems found in large corporations and financial firms.
No one knows how much the thieves are taking, because the crimes frequently go unreported by businesses for fear of harming their reputations, incurring law-enforcement investigations against themselves, and inviting media exposure.
The Federal Deposit Insurance Corp. (FDIC) used to issue reports on the problem, but that task has been turned over to the FBI.
Consumers are generally indemnified against unauthorized charges on their bank-issued credit cards, for which banks are bonded against identity-theft pilfering (typically called "stealing" according to the Ten Commandments, and termed "thievery" elsewhere throughout Holy Scripture), and they have 60 days to notify banks of improper withdrawals from their bank accounts. Businesses, however, generally have only two workdays to reverse an unauthorized withdrawal. A number of lawsuits have been filed over who's at fault when accounts are hacked; most settle with undisclosed terms.
One company discovered that robbers had infiltrated its payments database and used customized software to drain an employee's account. That company had no choice but to shut down its online payments and won't restore the system until an outside company with security expertise can be hired to run it. The cost hasn't been determined yet.
One police investigator assigned to that case said that overseas hackers made about $14,000 in purchases from about 50 accounts before they could be closed. He said the goods were sent all over the country, as well as overseas. Typically, "money mules" would buy gift cards to launder the cash. Any merchandise purchased could be returned for refunds or sold. The cash would then be wired overseas, with the mules keeping a cut of 8 to 10 percent.
Cyber criminals often rely on automated programs to find unprotected computers and plant harmful software, which can turn infected computers into networks of drones called "botnets." To get around defenses like anti-virus software and firewalls, hackers will send out "phishing" e-mails to entice the recipients to visit infected websites, open infected files or view photos that plant harmful code, including keyloggers, on their computers.
In one case, hackers broke into digital warehouses that store images of executed checks and printed off an estimated $9 million in counterfeits. Like other scams, it also relied on a network of money mules.
Hackers also alter legitimate websites by planting phony log-in buttons that users click to enter their credentials, then capture passwords, account numbers and answers to security questions. The information is used to deplete accounts, sometimes even while the account holder is still online.
Attacks on business accounts often involve "spear phishing," a technique similar to phishing that targets individuals who might have a company's computer credentials. Hackers often extract information about their targets from social networking sites, then implant malware on a computer which "can see everything," including nearly any security measures a business relies on to authenticate its accounts, even after upgrading to comply with what are known as Payment Card Industry (PCI) data security standards.
Crooks also sometimes plant infected USB drives around a target's office, or send targeted executives "thank you gifts," such as an iPhone, that will get the hackers directly inside a company's network.
Once inside, the thieves can send money by wire or the Automated Clearing House (ACH) system. The ACH system is the nation's primary electronic funds transfer network. It relies on credits and debits to move money electronically, and provides the two-day buffer to reverse erroneous or fraudulent transfers. Direct wires have no such buffer, and they are used for much larger transactions.
The FBI, working in cooperation with law enforcement in Britain, the Netherlands and the Ukraine, announced on October 1st that they had broken up a ring that allegedly hacked into the computers of 390 U.S. companies and tried to steal $220 million; $70 million of that was lost over the past four years. The investigation, dubbed Operation Trident ReACH, found that the thieves had set up a network of some 3,500 money mules who received transfers from the hacked accounts, then wired money to overseas drop sites. According to one monitoring source following that case, the United States charged 92 suspects; British authorities arrested 19; and Ukrainian authorities arrested five.
At another company, the cyberthieves ran up charges on its customers' accounts, buying merchandise and gift cards at Walgreens, Target, Wal-Mart and other retailers. The hackers covered their tracks through a network of proxy servers.
Often, when help is sought from federal agencies, they are reluctant to expend their resources on something that they strongly feel would lead them overseas.
In one case, Visa fined the company $5,000 for the breach, and MasterCard fined it $2,500. All told, the manager said he had spent $20,000 as a result of the hack.
Third-party interceptor anti-porn filters used by libraries and other Wi-Fi providers not only slow down what would otherwise be full, unrestricted internet access, but are also possible parties that can acquire and disseminate personal information, as do many embedded anti-virus programs, which bog down a computer's performance. Need warnings be given about certain Carbonite- or GoToMeeting-type companies, which obviously save or transfer sensitive data of others sent over the web?
Firewall software is helpful on a coffee-shop or restaurant Wi-Fi network. It prevents snooping users on the same network from discovering who else is present on it and from getting into one's hard drive to copy information, alter data, or even catastrophically format everything into oblivion.
A free software program called Cleanup! is available to download and run often during one's Wi-Fi web surfing to get rid of forced-popup and other cookies consisting of spyware, malware trojans, worms, denial-of-access, keystroke-monitoring, phishing, and other virus files, especially on simpler yet still viable earlier Wi-Fi-capable Windows operating systems such as 98SE and ME, and even XP (to some extent).
Some browsers, like Mozilla's Firefox version 1.5 and Netscape version 9, which are compatible with Windows 98SE and Windows ME, have a "Clear Personal Information" utility in a dropdown menu on the browser's top toolbar, which clears potential-malware cookies and should be used frequently when browsing the internet.
A well-chosen BIOS passcode, rather than a bypassable Windows passcode, is always useful for enhancing dedicated user security on Windows 98SE, Windows ME, etc.
And, of course, keep in mind that many more tiny digital surveillance cameras are now here and there, as are dishonest people on the prowl who look over one's shoulder or linger in close proximity.