December 23, 2009 11:23 PM

Hackers Target Financial Institutions

By Bob Orr

(CBS) When Robert Blanchard tried to access his Citibank account this past July, he was blocked. Even though he alerted Citibank right away, within 24 hours Blanchard was missing $1 million.

"If you had a robbery taking place in your facility you could call 911," Blanchard said. "Here there is no 911 for any cyber crime."

CBS News justice correspondent Bob Orr reports that investigators later found his computer had been hacked by an organized crime gang in Russia. Monitoring Blanchard's keystrokes, internet thieves were able to access and empty his bank account.

"It's the business of hacking where organized criminal elements have very well structured organizations to specifically target financial institutions," said CBS News terrorism analyst Paul Kurtz. "Specifically target their customers and to extract as much wealth and value as they can without getting caught."

Blanchard is just one victim in a largely unacknowledged cyber crime wave. No one knows exactly how much is being stolen. But law enforcement sources say foreign-based hackers are continuously targeting customer accounts of every major financial firm.

While the cyber thieves have been very successful, banks and financial firms refuse to publicly concede any losses.

"No one wants to admit they've been hit," Kurtz said. "No one wants to come out and say I have a problem and I need help."

Banks, fearing a drop in customer confidence, are working to bolster their cyber security. But, individuals like Robert Blanchard who use home computers to do their banking are still highly vulnerable.

"I have stopped transferring money," Blanchard said. "I'd rather take the walk down to the bank."

Investigators helped Blanchard recover about $810,000, and Citibank covered the balance of his missing million. But, his case stands as fair warning: online banking customers are prime targets of criminals armed with computers.

Copyright 2009 CBS. All rights reserved.
by Beej27 December 29, 2009 11:45 AM EST
With respect to Terry Oliver's comments, if you authorize the download of software on an Apple computer, what is your assurance the download doesn't contain "undetectable" malware containing keyloggers? Most of the keyloggers in daily distribution are undetectable and polymorphic and there is little chance of detection. With this being said, no one is safe from attack.

As for financial institutions, my firm has only had ONE credit union in the country who has shown ANY concern over malware residing on their customers' computers by offering new technology to their members. My firm has been told over and over again by FIs they are not responsible for what's on customers' computers even though this is where a lot of the theft is occurring. In other words, they don't want their lack of security cover blown by admitting keyloggers steal the information before it even reaches their website SSL protection.

Yes, there is a solution, but the FIs are reluctant to discuss it because they would have to be honest to their customers about the lack of security or that the customers have little protection even when the best anti-virus solutions are installed.

By providing true security education, it is obvious customers will realize the FIs really cannot protect their accounts if a computer has undetectable keylogging malware on it... and this opens up a can of worms for FIs who have long avoided the issue of providing solutions. Some try to offer their customers free sandbox browsers as a solution but again, keyloggers are stealing the info before it reaches browser security.

To me, FIs are complicit in the theft of customer information because they have been told by my firm and industry experts who report on the cyber threat landscape of inherent keylogging risks both on internal computers and those of their customers.

Seems easier for them to avoid the issue of security risks by not being honest with their customers for fear of losing them or having to invest money so customers have real protection, or even giving them the opportunity to purchase low cost anti-keylogging technology.

Worse, most FIs give a lot of lip service about how customer security is important to them but when you approach them and show how easy it is to use a keylogger to steal usernames and obfuscated passwords, they get quiet. Why? Again, fear of losing online banking customers... fear of having to invest time and resources in addressing the problem. Guess it's easier to keep a low profile and eat the financial losses.
by ToolMangler1 December 25, 2009 12:41 PM EST
Hackers are doing the work of the Jihadists for them. If they keep it up, they will win the war for the Jihadist and lose it for mankind. Well, I guess it would serve them right since they don't care about anybody but themselves. I just hate what it will do to us...
by Terry_Oliver December 24, 2009 1:55 PM EST
The story is entirely believable. But the presence of an iMac computer seems odd. To have a keylogger installed on his iMac (or any Apple computer), he would have had to intentionally authorize the software installation; intentionally in that he would have had to use his administrator password and would have known that software was being installed. He might not have known that the software included a keylogger. But the only places to be exposed to such malware for Apple computers are illegitimate web sites such as warez sites or porn sites which ask you to install "viewers". There are no worms or viruses in the wild that impact Apple computers, only trojans you have to go out of your way to find and install (albeit through ignorance of the risk). No Apple computer allows automatic installation of malware like this.
by dsteinbo December 24, 2009 12:19 PM EST
It would be most interesting to know what security software, if any, Mr. Blanchard is running on his iMac and whether that software is up to date.
by wdh3007 December 23, 2009 7:38 PM EST
This Bank accepted bailout money & shares of Citigroup fell 5 cents to $3.29 Wednesday now that they claim to have repaid 20 billion in TARP money to the Government.