"Now, Every Keystroke Can Betray You" from the Los Angeles Times, Sunday September 18, 2005. ©2005 Los Angeles Times. Reprinted with permission.
Now, Every Keystroke Can Betray You
September 18, 2005
Home Edition, Main News, Page A-1
By Joseph Menn, Times Staff Writer
Bank customers know to shield their ATM passwords from prying eyes. But with the rise of online banking, computer users may not realize electronic snoops might be peeking over their shoulder every time they type.
In a twist on online fraud, hackers and identity thieves are infecting computers with increasingly sophisticated programs that record bank passwords and other key financial data and send them to crooks over the Internet.
That's what happened to Tim Brown, who had account information swiped out of the PC at his Simi Valley store.
"It's scary they could see my keystrokes," said Brown, owner of Kingdom Sewing & Vacuum. "It freaks me out."
Brown learned of the scam only after security researchers stumbled onto a computer harvesting information from hundreds of PCs and felt compelled to alert some of the people who had the most data exposed. Realizing he was lucky to get the call last month, Brown changed his passwords and is hoping for the best.
"This even staggered us," said Alex Eckelberry, president of Sunbelt Software Inc., which found that the so-called keylogger program installed itself in a way most antivirus software could not block. "Online institutions now have to assume that the account holder may have been compromised."
Such security breaches are on the rise, even as other sorts of Internet scams decline.
Security experts attribute the new approach to rising savvy among both computer users and crooks.
Many users, for instance, know not to reply to unsolicited "phishing" e-mails requesting financial information, even if the requests appear to have been sent by a bank. The number of reported phishing attacks fell in July from June, according to the Anti-Phishing Working Group, which is backed by most of the biggest U.S. banks and Internet service providers.
But the number of programs aimed at stealing passwords more than doubled in the same period.
"We're seeing explosive growth in 'crimeware,'" said Peter Cassidy, the working group's secretary general. "It's really galloping."
Consumers are increasingly jittery: 42% say security concerns have caused them to change their electronic shopping habits, according to research firm Gartner Inc.
Banks and other institutions, though, encourage online transactions because they are cheaper than branch visits or calls to a customer service center.
The keylogging programs can install themselves after computer users open faked e-mails, instant messages or even advertisements on mainstream websites. Then they record everything typed on a computer -- or just what's typed during user visits to specified financial sites. Such information is sometimes sent to the hackers in neat bundles, with a column for the relevant financial website followed by columns for the user's log-in name and password.
So far, such purloined information has been used to access accounts one by one, by impersonators who withdraw or transfer cash. In Brazil, authorities have arrested scores of people they accuse of using the password-stealing program Bancos, which mimics online bank interfaces, to loot more than $30 million from banks.
But recently thieves have been working to automate more of the process, potentially enabling attacks on thousands of accounts simultaneously.
One financial institution has already seen attempted withdrawals that occurred in alphabetical order by the names of customers, said Amir Orad, executive vice president at Cyota, which provides antitheft services to many of the biggest banks. He declined to identify the business.
Bank industry officials said they wouldn't discuss any such attacks.
At Corillian Corp., one of the largest developers of online banking programs, Chief Security Executive Jim Maloney said he had detected one criminal testing the validity of "10 or 20 accounts" within a minute from a single computer, strongly suggesting an automated verification system. Those tests, he speculated, were a prelude to choosing which accounts to target or to sell information on.
In one especially alarming case, security experts last fall found a program planted on personal computers to intervene whenever the user logged on to an electronic payment site called E-Gold, based on the Caribbean island of Nevis.
Instead of just recording the password and other data for some future attempt at fraud, the software -- dubbed Grams -- immediately "cleans out an account and transfers it," said Jason Milletary, an analyst with the CERT Coordination Center, the chief U.S. team responding to computer security breaches.
E-Gold Chairman Douglas Jackson said he didn't know the exact number of compromised accounts, putting it at "dozens" to "the low hundreds." He said company policy was not to reimburse the victims. "Somebody could rip themselves off and try to get the money back," Jackson said. "It's very hard to tell if there's truly been a third party."
Variants of the Grams software have targeted U.S. banks and other financial institutions as well, said Nathan Johns, chief of information technology at the Federal Deposit Insurance Corp., which guarantees bank deposits in case of insolvency. He declined to give details.
In July, the FDIC strongly encouraged U.S. banks to evaluate the risks from computer fraud, educate their consumers and consider adding new measures, such as devices that generate new numeric passwords every 60 seconds.
Some banks complained that the inconvenience of such devices would cost them customers, but the FDIC differed.
"Although consumers are certainly interested in convenience, they are also very concerned about the security of their accounts," the agency wrote.
"We're looking at this as a sort of wake-up call for the industry, indicating they've got to act," Johns said.
So far, according to many experts, the arms race is favoring the bad guys.
Last week, UC Berkeley researchers reported that a $10 microphone near a keyboard could, with sophisticated analysis of the sounds made by different keys, reveal most of what was being typed -- enough that the researchers could guess 90% of five-character passwords within 20 tries.
And analysts said con artists had mimicked each bank industry innovation.
As more customers grew too frightened to respond even to legitimate mail, for example, Citibank began including partial account numbers in its communications to prove their legitimacy. Thieves took advantage by using pilfered credit card numbers in messages to each account holder, posing as banks and asking for more data.
The British bank Barclays, among other businesses, responded to keylogger attacks by presenting a graphic display of letters or numbers and asking users to peck out a password with mouse clicks instead of keystrokes, which can be recorded more easily.
By late July, cyber-cons were delivering more programs that take a picture of what's on a computer screen each time a mouse gets clicked.
"The industry has helped the bad guys," Cyota's Orad said.
Many security experts say that a physical means for authenticating customers, such as a $40 password device given to each customer, would be a major help in reducing fraud. But schemes like the one used against E-Gold defeat that protection, since the theft occurs as the victim is typing.
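The 60-second password devices the FDIC mentioned earlier and the limitation just described (a stolen code is still good for the rest of its window) can both be seen in a few lines of code. This is an added example, not code from the article or from any bank or device vendor it names; it assumes the device works like a standard time-based one-time password (the HMAC construction of RFC 4226 / RFC 6238) with a 60-second step, and the shared secret and timestamps are constructed values.

```python
"""Time-based one-time code with a 60-second step (added example, constructed values).

Assumes the token is an RFC 6238-style device: both the token and the bank derive a
six-digit code from a shared secret and the current 60-second time step.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's devices roll over every 60 seconds
DIGITS = 6

# Constructed demo seed; a real token's seed is provisioned by the bank and never typed.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-token"


def totp_code(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Code shown on the device at `unix_time` (RFC 4226 dynamic truncation of HMAC-SHA1)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_code(secret, submitted, unix_time, step=STEP_SECONDS, allowed_drift=1):
    """Bank-side check: accept the code for the current step or one step either side,
    to tolerate clock drift between the token and the server."""
    current = int(unix_time) // step
    for counter in range(current - allowed_drift, current + allowed_drift + 1):
        expected = totp_code(secret, counter * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def replay_outcome(secret, capture_time, delay_seconds):
    """Does a code read off the token at `capture_time` still verify `delay_seconds` later?
    Within the window (the real-time theft in the article) it does; long after, it does not."""
    captured = totp_code(secret, capture_time)
    return verify_code(secret, captured, capture_time + delay_seconds)


if __name__ == "__main__":
    t = 1_126_000_000  # constructed timestamp (early September 2005)
    print("code now:", totp_code(DEMO_SECRET, t))
    print("used 5 s later:", replay_outcome(DEMO_SECRET, t, 5))
    print("used 10 min later:", replay_outcome(DEMO_SECRET, t, 600))
```

The rotating code removes the value of a password harvested for later use, which is the threat most keyloggers pose. It does nothing against malware that forwards the code within the same minute, or that simply lets the victim log in and then issues its own transactions inside the authenticated session, which is the Grams pattern. That is why the later defences in the article (per-transaction confirmation, pattern-based callbacks) attach a check to the transaction rather than only to the login.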
Other banks are pursuing more elaborate systems, such as one that requires telephone calls to customers who depart from their banking patterns.
Still unresolved is who bears the financial responsibility when electronically purloined account information is used to steal money.
The FDIC says banks are usually on the hook, but some banks disagree. Bank of America is among a minority of banks that offer guarantees to most customers even though they say they aren't obliged to.
But a computer and copier supply business in Miami, Ahlo Inc., has sued Bank of America in a closely watched case, saying the bank negligently encouraged Ahlo to do business online and then stood by as fraudsters made off with more than $90,000 through a wire transfer to Latvia.
Bank of America has asked the judge to dismiss the suit, arguing that it isn't responsible for Ahlo's failure to protect its computers from malicious software. Bank spokeswoman Shirley Norton said the guarantee didn't apply because Ahlo was a business customer instead of a consumer.
Some analysts say that financial institutions will be better served by competing on the basis of security. With 80% of adults online worried about identity theft, banks are "losing a battle of confidence," said Forrester Research Inc. analyst Jonathan Penn. "Security needs to come out of the closet."