Tuesday, 18 November 2008

How your bank account gets hacked

Banking has never been easier. Type in one simple Web address and you have access to your bank for almost anything, from viewing the latest balance to transferring money to your friend to paying for that online purchase.

However, this convenience has its set of risks too. The stepping of financial institutions into the virtual realm has lead to a new breed of financial criminals. Criminals, who largely thrive on the innocuousness of netizens and technology loopholes.

Here's how cyber crooks operate and make merry with your bank accounts online.

Starts with a spam
You receive an email from an unknown address with an enticing subject line, like 'Pakistan missiles attack India' with an attachment that supposedly includes a news story. You open the file. Instead of a news story, a piece of malicious software gets secretly installed itself on your computer.

Another category of mails can be those that may tell you that your account is about to get closed, or ironically warn you that someone appears to have stolen your identity, or even say that someone has opened a fraudulent account using your name.

And to get immediate redressal, you are supposed to click on the link attached/pasted in the mail and provide some basic account information to verify your identity and then give further details to get everything cleared up.

And remember, these messages can follow any route: email, instant messaging, SMS or social networking sites (the latest platform). The emails may actually look like a genuine message from your bank, financial institution or a popular online portal.

Passwords get logged
The software absorbs the PC into a botnet, a network of infected computers doing the bidding of a cyber criminal, begins sending spam; you don't notice, other than thinking that PC is slowing. But that is only the smallest part of the game.

The software also logs your keystrokes without your knowledge. This means they save your passwords and other personal information.

Swoops on your bank
So, next time when you visit your bank's website and type your username and password, the software sends them to cyber criminals. The criminal uses this stolen account, username and password to log into your online banking account and makes merry.

Also, always check the URL of your bank's website. Fraudsters can lure you to enter your user ID and password at a fake website that resembles your bank. If you see anything other than the bank's genuine URL, it has to be fake. Remember genuine websites use encryption technologies. Any website using encryption will have https instead of http.

So, never select the option on browser that stores or retains username and password. As it can easily be cracked by cyber criminals. Also, never paste your password, always type it in. This little amount of `finger exercise' will go a long way in safety.

How money is transferred
Money is transferred from your account to the account of 'assistants' who work for companies that could be fronts from the criminals. The assistant, a so called money mule, gets an email saying the money has been credited in his or her bank account.

The mule withdraws the cash and wires the money and takes out his commission. After this money is sent back to the 'employer'. The criminal, often on the other side of the globe, picks up the cash.

Evil kits
A small number of malicious "toolkits" -- bundles of exploits allow criminals to customise their own scams and attacks. Crooks use phishing messages to try and steal personal and financial information by tricking people into entering private information into bogus websites that look like the sites of legitimate brands such as banks or popular retailers. Such toolkits cost between $300 to $800.

A widely available toolkit in 2007 -- called MPack -- sold online for $1,000 and allowed users to launch attacks in Web browsers against people who surf on malicious or compromised sites.