Working Money magazine.  The investors' magazine.
Working-Money.com
INVESTING


Online? On Guard!

05/30/01 02:45:17 PM PST
by Venkatesh Gopalakrishnan

It's easy. It simplifies your lifestyle in so many ways. But is it safe? Here's what you should know about Internet security.

Can we put a price tag on the convenience offered by online banks and brokerages? After all, these services have allowed you to take control of your portfolio by eliminating the middleman. You can now execute trades at any hour of any day, based on any whim or fancy. You can save precious minutes in your busy life by eliminating the need to sign and mail checks. You can even place your market order while you eat lunch at the deli, if you so desire.

In turn, financial institutions that embrace the web can provide more services to more customers more efficiently than ever before. According to the US General Accounting Office (GAO), the number of US households taking advantage of online banking is expected to grow to 32 million by 2003, up from 6.6 million in 1998.

HERE'S THE PROBLEM

On the surface, this seems like a win-win situation, but upon deeper inspection, that might not entirely be the case. The virtual world has its own set of bank robbers and scam artists, more commonly known as hackers and crackers. There's a subtle difference between the terms: a hacker is someone who illegally gains access to a computer system and exposes its vulnerabilities to the owner and the general public, but not necessarily for personal gain, whereas a cracker is someone who engages in a similar activity, but uses the information gained for self-benefit or for the benefit of some criminal or terrorist organization.

The skill sets among hackers vary greatly, although the results are much the same. At one end of the spectrum, novices with little or no experience download hacking tools and programs and run them blindly simply because they can. At the other end, hacking professionals with years of experience spend hours on end figuring out ways to get around the latest defense measures implemented by security experts.

International boundaries have no meaning in the realm of cybercrime. Increasing numbers of hackers and crackers are operating in countries such as Russia and China, where the activity of compromising US corporations and government agencies is seen as an ego-boosting achievement and a favor to nationalist causes. After the episode in April 2001 in which a US Navy EP-3 crew was detained on Hainan Island in China, various US hacker organizations waged a cyberwar, attacking as many Chinese websites as they possibly could. Chinese hacker groups retaliated by targeting US websites.

Interestingly, many of these individuals perpetrate their crimes by using equipment that is antiquated by US standards. Russian hacker Vladimir Levin was the subject of a 1995 case involving the online theft of $3.8 million from Citibank accounts. Apparently, he committed this crime using only a run-of-the-mill personal computer at his workplace with a dial-up connection to the Internet.

Further, online attacks against government agencies and companies worldwide are increasing at an alarming rate. In fact, reports from the Gartner Group, a well-known technology research and advisory firm, indicate that the financial damage caused by cybercrimes could increase by as much as 10,000% in the next four years. Given that the US Department of Defense alone endures more than 250,000 hacking attempts per day, the magnitude of the problem is not difficult to fathom.

Even more troubling is that less than 10% of such intrusions are actually reported. Financial institutions are especially inclined to keep intrusion reports under wraps because of the negative impact it would have on their online service businesses. In the Citibank case, the bank played down the episode as much as it could, issuing a statement that only $400,000 was actually moved and insisting that the security systems it had in place led to the eventual capture and conviction of Levin.

In addition to breaking into computer networks to steal large sums of money electronically, terrorists have also been known to hold their victims for ransom. In 1996, The Times of London reported that a group of Eastern European terrorists amassed more than $500 million from banks, brokerage houses, and investment firms after threatening to destroy their computer systems by hacking into them. However, this incident was strongly denied by the institutions involved.

In order to control the situation to some extent, the US government agency that oversees nationally chartered banks (the Office of the Comptroller of the Currency) sent out a notice in 1999 outlining a set of mandatory security guidelines to be implemented. Among them was a requirement that banks report computer crimes to law-enforcement authorities. The notice included several recommendations, such as the use of firewalls and complex passwords to protect the institutions' networks. But a GAO report later that same year indicated that only 40% of the institutions to which the notice was sent actually implemented the recommendations.

More recently, Senator Robert Bennett, chairman of the US Senate's high-tech taskforce, proposed that the Securities and Exchange Commission (SEC) require financial institutions to disclose their network security readiness in a statement similar to that required in 1999 for Y2K readiness. It remains to be seen if this latest attempt to strengthen security measures will have a positive effect.

The government itself is not immune to the problem. A recent security audit of the computer systems used by the Internal Revenue Service (IRS) indicated that if you used the IRS's new e-file system in 2000, your personal information could easily have been compromised. The report went as far as to say that tax records could also have been modified by a cracker from anywhere on the Internet.

A portion of the responsibility for solving these problems lies with government agencies, which need to set and regularly update adequate criteria for Internet security, especially for nationally critical services such as financial institutions, and to strengthen laws against cybercrimes. Responsibility also lies with law-enforcement agencies to enforce the law to the maximum extent by continuing to pursue and prosecute cybercriminals. Given the global nature of the threat, international cooperation among law-enforcement agencies from different countries is required. The financial institutions and other companies that conduct business online must also take responsibility by continuing to invest heavily in network security. Security experts are hard to find and hire, but given the current threats, this safeguard clearly cannot be skimped on.

Finally, some responsibility also lies with you, as a consumer of online services. You need to educate yourself about the threats posed by the online world and navigate cautiously within the World Wide Web.

HERE'S WHAT YOU CAN DO

You can do a lot to reduce the risks associated with allowing sensitive financial data to float around in the great Internet cloud:

  • Maintain a level of healthy paranoia simply by being aware that unscrupulous parties could intercept any transaction you make on the Net. If you ever feel uncomfortable about some information you are entering into a website, trust your hunches; there's probably a reason for your unease. Keep an eye on your bank, brokerage, and credit card balances and question anything suspicious. Keep paper copies of your statements as backup. You never know when you might need to look back and double-check something.

  • Take a good hard look at your password. One of the oldest methods hackers use to break into systems is to figure out your password. Password-cracking algorithms try common passwords, dictionary words, and all combinations of characters and punctuation marks. It's a good idea to ensure that your passwords are longer than six characters and do not contain any known word in any language. As the number of characters increases, so too does the number of combinations. For example, an eight-character password using Roman letters would have 208 billion possible combinations. To make things even more difficult for a cracker program, use numbers and punctuation marks in your password. And don't write your password down anywhere. Commit it to memory.

  • Always log off when you're done. When you log on to a bank's website, it normally stores a cookie on your computer, which contains a unique key that authenticates every request you make to the website. These credentials allow you to browse away from the site and back again within some predefined time limit (such as 30 minutes). Explicitly logging off from the site and closing your browser will eradicate the cookie and ensure that if anyone manages to hijack your key, he or she won't be able to access your personal finances during that timeout period.

  • Read your financial institution's security statement. (If it doesn't have one, consider changing banks.) Make sure the institution is using Secure Sockets Layer (SSL) to encrypt web transmissions. Browsers will normally give you a visual indication that encryption is being used by displaying a key or padlock icon in the user interface. Find out if your financial institution requires 128-bit encryption for transactions. This will normally necessitate a browser upgrade, but the chances of the transactions between your computer and the financial institutions' servers being intercepted are almost zero when this stronger encryption method is used.

  • Make sure the website you're using is the one you intend to be using. This may sound obvious at first, but website spoofing is becoming a common problem. It's not difficult for a thief to register a domain name that is similar to a well-known financial institution's (www.bankofamerca.com, for example). Suppose you accidentally type this incorrect URL into your browser. You're never going to know the difference, because the criminal would have created a website that looks exactly like the financial institution's real website. You type in your account number, password, and Social Security number, and without your knowledge, somebody else will have all your information!

  • Be careful whom you trust. Overall, the use of good common sense cannot be overstressed. Don't trust just anyone with your financial data (make sure it's a reputable company) and use prudent computing practices. Don't execute attachments sent by e-mail from unknown sources. Don't install pirated software and software from unknown sources. Update your virus detection software regularly and don't allow unauthorized access to your personal computer.

  • Most important, be careful out there. The concepts that most of us employ to ensure that our financial data is kept private in the real world (such as not leaving your brokerage statements in the sauna or dropping your wallet on a subway train) can be applied to the virtual world as well.
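The password guidelines above (longer than six characters, no dictionary word, digits and punctuation mixed in, and a search space that grows with length) as an added example; this is not code from the article or its author. The word list is a constructed stand-in for a real dictionary, and the keyspace figure assumes the cracker knows which character classes the password uses.

```python
import string

# Constructed mini-dictionary; a real checker would load a full word list in several languages.
DICTIONARY = {"password", "bank", "money", "trade", "secret", "summer"}
MIN_LENGTH = 7  # the article's "longer than six characters"


def charset_size(password):
    """Size of the alphabet a cracker must search, given which character classes appear."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation marks
    return size


def keyspace(password):
    """Number of candidates an exhaustive search of this length and alphabet must try."""
    return charset_size(password) ** len(password)


def contains_dictionary_word(password, words=DICTIONARY, min_len=4):
    """True if any listed word of at least min_len letters appears inside the password."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def check_password(password):
    """Return the list of article guidelines the password violates (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than seven characters")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if not any(c in string.digits for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return problems
```

An eight-letter lowercase password gives `keyspace("abcdefgh")` of 208,827,064,576, the article's 208 billion; adding digits and punctuation to the same length raises the alphabet from 26 to 94 symbols.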
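The "always log off" advice rests on how the server treats the session key in that cookie. The following added example (not the article's or any bank's code) models a server-side session table with the article's 30-minute sliding idle limit, and shows that a copied key stops working the moment the owner logs off; the clock is injectable so the timeout can be simulated.

```python
import secrets
import time

SESSION_TIMEOUT = 30 * 60  # the article's example idle limit, in seconds


class SessionStore:
    """Server-side table of session keys, each handed to one browser in a cookie (constructed example)."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock          # injectable so tests can move time forward
        self._sessions = {}         # key -> (user, last_seen)

    def login(self, user):
        key = secrets.token_urlsafe(32)   # unpredictable key, so it cannot be guessed
        self._sessions[key] = (user, self.clock())
        return key

    def lookup(self, key):
        """Return the user for a presented key, or None if it is unknown or has been idle too long."""
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, last_seen = entry
        if self.clock() - last_seen > self.timeout:
            del self._sessions[key]       # expired: remove it so it can never be replayed
            return None
        self._sessions[key] = (user, self.clock())   # sliding window, as the article describes
        return user

    def logout(self, key):
        """Explicit logoff discards the key immediately, regardless of the timeout."""
        self._sessions.pop(key, None)


def demo():
    """Someone who copied the key gets nothing once the real user has logged off."""
    now = [1000.0]
    store = SessionStore(clock=lambda: now[0])
    key = store.login("alice")
    assert store.lookup(key) == "alice"
    store.logout(key)
    return store.lookup(key)   # None: the copied key is dead
```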
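The lookalike-domain problem described above can be caught mechanically by comparing the domain you land on with the ones you actually bank with. This added example (not from the article) keeps a constructed allow-list and flags any domain within a small edit distance of a trusted one; it reduces hostnames to their last two labels, which is adequate for .com but not for suffixes like .co.uk, where a real tool would consult the public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the domains this user actually does business with.
TRUSTED_DOMAINS = {"bankofamerica.com", "schwab.com"}


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution (free if equal)
        prev = cur
    return prev[-1]


def registrable_domain(url):
    """Reduce a URL to its last two host labels, so www.bank.com and bank.com compare equal."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for the domain in url."""
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted"
    closest = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, closest) <= max_distance:
        return "lookalike of " + closest
    return "unknown"
```

Note that a trusted name used as a subdomain of someone else's domain (bankofamerica.com.evil.net) is classified by its real registrable domain, not by the familiar prefix.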

HERE'S THE SUMMARY

Experts agree that 100% security on the Internet is just not possible. But with law enforcement working harder to prosecute cybercriminals, banks and corporations spending more money than ever on network security, and a little common sense among web surfers, the number of criminal incidents will diminish. In fact, in the grand scheme of things, cybercrimes that adversely affect consumers directly are almost nonexistent when compared with the number of incidents of credit card theft, calling card fraud, bank holdups, and purse snatchings. The jury is still out on whether the virtual world is safer than the real world, but when it comes to managing finances, it's safe to say that the risks are at least comparable.

Venkatesh Gopalakrishnan is a software engineer for a major software company.

RELATED READING

Penn, David [2001]. "Onward, Online Banking," Working Money, Volume 2: July/August.
http://www.gartner.com

Copyright © 2001 Technical Analysis, Inc. All rights reserved.