Tuesday, March 20, 2007

ABC news story on vulnerability of hotel systems for financial information access


Len Tapper and Asa Eslocker have a report on the March 20, 2007 ABC “Good Morning America” segment “Russian Criminals Targeting U.S. 401Ks and Online Traders”. The report claims that some computers in some hotel “business centers” are rigged with spyware to steal user IDs and passwords to brokerage and bank accounts. The story is here.

Particularly risky, the report claims, is online brokerage trading on hotel computers. The report urges users to consider installing programs on their accounts that automatically change passwords constantly, although I’m not sure how the user then would know the password (unless carrying a coordinated smartcard device, or going to a special site, and these facilities are being developed).

It would seem safer to carry one’s own laptop and always use that, but laptop travel may become more difficult as there is a controversy about laptop batteries igniting, and TSA rules may become stricter.

Many hotel chains have business areas or even have public computers in lounge areas with AOL and other major ISP access. I have sometimes used these and found them unreliable, often not working or prone to crash or lock up, or very slow. I have been reluctant to log on to AOL on these on the theory that a password could be stolen and illegal content could be sent by a hacker, although this has never happened. Libraries and Kinko’s also have public computers, and these computers always warn users not to conduct sensitive business on public computers.

Road access to personal accounts is important to many people. Many jobs require a lot of travel, and employers are often puzzled that employees need to use work computers for personal purposes, in violation of policy, but work-related travel can be one reason.

Travelers should consider developing other strategies for checking financial information on the road. Generally, banks and brokerages have 800 numbers and scripts that enable a customer to check balances by cell phone without logging on to a hotel computer. Some people, however, may need to trade online while on the road, as this may be part of their strategy, and safer business practices for this need to be developed.

Of course, the other major vulnerability is phishing scams, and spyware on home computers. In 2004, the media reported about the owner of a printing business in Florida who had a $90,000 line of credit drawn against his Bank of America account without his knowledge. So this sort of problem has been around for some years. Bank websites always advise home users to log off formally and close browser sessions after logging off, apparently as some additional defense against buffer overflow.

Banks and brokerages are not legally liable to refund money lost to hackers because of events that occur outside of the systems belonging to the financial institutions. Government retirement plan administrators have recently warned federal employees of this fact.

One protective security strategy, however, would be for banks or brokerages not to allow significant money (as a percentage of account value) to be removed from a user’s account without a physical event (like a fax and signature) from the outside world. This practice is often followed.
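As an added illustration of the control suggested above (not code from any bank or from the original post), the following hypothetical policy blocks any withdrawal that would push the amount taken out within a rolling window past a percentage of the account value unless an out-of-band confirmation reference, such as a logged signed fax, is on file. The threshold, window and confirmation-reference scheme are assumptions for the example; the sample account is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy parameters: withdrawals above 10% of account value within a
# 7-day rolling window need an out-of-band confirmation before they clear.
THRESHOLD_PCT = 0.10
WINDOW = timedelta(days=7)
T0 = datetime(2007, 3, 20, 9, 0)  # constructed reference time for the demo


@dataclass
class Account:
    balance: float
    confirmed_refs: set = field(default_factory=set)  # one-time confirmation ids
    history: list = field(default_factory=list)       # (time, amount) of past withdrawals


def recent_withdrawals(acct, now):
    """Total withdrawn inside the window, so that a stolen password cannot
    evade the limit by splitting one large transfer into many small ones."""
    return sum(a for t, a in acct.history if now - t <= WINDOW)


def authorize(acct, amount, now, ref=None):
    """Return (allowed, reason) without changing the account."""
    if amount <= 0 or amount > acct.balance:
        return False, "invalid amount"
    recent = recent_withdrawals(acct, now)
    # Base the limit on the value at the start of the window, not on the
    # already-reduced balance, so the cap does not shrink as money leaves.
    limit = THRESHOLD_PCT * (acct.balance + recent)
    if recent + amount <= limit:
        return True, "below threshold"
    if ref is not None and ref in acct.confirmed_refs:
        return True, "out-of-band confirmation on file"
    return False, "requires out-of-band confirmation"


def withdraw(acct, amount, now, ref=None):
    """Apply the policy; on success debit the account and, if a confirmation
    was relied on, consume it so the same reference cannot be replayed."""
    allowed, reason = authorize(acct, amount, now, ref)
    if allowed:
        acct.balance -= amount
        acct.history.append((now, amount))
        if reason == "out-of-band confirmation on file":
            acct.confirmed_refs.discard(ref)
    return allowed, reason


if __name__ == "__main__":
    acct = Account(balance=100000.0, confirmed_refs={"FAX-0001"})
    print(withdraw(acct, 5000, T0))                  # (True, 'below threshold')
    print(withdraw(acct, 6000, T0))                  # (False, 'requires out-of-band confirmation')
    print(withdraw(acct, 6000, T0, ref="FAX-0001"))  # (True, 'out-of-band confirmation on file')
```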

Again, as postings on this blog have suggested before, the development of a definitive preferred address and contact system, built from the USPS NCOA database, and its maintenance on a facility not reachable from the public Internet (preferably with traditional IBM-like mainframe technology, which I still believe is easier to secure, at least in my own experience), could be part of a strategy for preventing this kind of crime.
