Online Theft Snared 401k Account
David Utter Staff Writer
2007-01-05
Although the story of one man's loss of $179,000 from a retirement account appears to be headed for a happy ending, the article leaves out some crucial information.
Down in the comments about Dave DeSmidt's victimization by an unknown criminal, one person commented on a point that writer Bob Sullivan did not address: "It was never explained how the hackers obtained his login and password."
That would have been useful to know, because a lot of people could benefit from learning a lesson that nearly cost DeSmidt his retirement. Based on what has been reported, someone obtained his login credentials, signed on to J.P. Morgan & Co. and emptied the account into a Bank of America checking account owned under a different name from DeSmidt's.
It sounds a lot like a keylogger looking for financial site logins could have been the culprit. It's also possible that DeSmidt had the login details written down and subsequently lost them, but it seems more likely that some spyware was in play.
Criminals have been writing such malware to be more selective in the information that gets captured and sent back to its creators. These programs now commonly look for connections to URLs belonging to banks and other financial institutions.
The thief's digital footprints appear to have run through either a botnet or some type of anonymous proxy service, as Sullivan noted that connections to J.P. Morgan and Bank of America related to this crime came from New Jersey, Atlanta, and San Francisco.
Since the first connections came from the same machine in New Jersey, that could indicate the criminal's location, assuming he or she was careless enough to perpetrate the crime from an easily located machine. But that system could be zombied.
Authentication methods didn't help here. J.P. Morgan's response on that angle said the authentication process worked just fine. Obviously it did, for 179,000 reasons.
The only proposed solution I've heard of so far is one I've covered previously: Virtual ATM, which is being readied for release by Authentium. I asked them for a comment about the DeSmidt incident.
"It is clear that hackers now mostly concentrate on information of commercial value. Stock accounts, 401K plans, banks, etc. are obvious targets as most require limited and simple credentials to log in and to transfer money. Few have any additional security measures to protect the user from identity theft," said Authentium CTO Helmuth Freericks.
"Authentium's VATM has been developed specifically to enhance the security of financial transactions by securing the desktop through checks for key loggers, malware and other potential security threats and then by creating a safe non-spoofable connection to the real financial site. Using VATM would have avoided the loss of money and time both for the user and the financial institution."
I'm anxious to see this product roll out and succeed, because the attack that hauled in DeSmidt's account information would not have worked. A keylogger would have been thwarted early on; a connection from J.P. Morgan back to the attacker's computer would not have been able to authenticate the foreign machine.
Sullivan said DeSmidt got his money back. It never should have had a chance to leave.
---
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.