As a computer security reporter, I’m often asked for advice on how to avoid being hacked. I quickly rattle off three safeguards: 1) Use long phrases and symbols in passwords; 2) set up two Web browsers — or better yet, two computers — to keep sensitive data walled off from everything else; 3) on websites that offer it, sign up to receive text-message alerts if someone tries to break into your account.
I may need to add a fourth.
An exchange I had last week with Tom Kellermann, a cyber security expert who has advised the White House and the World Bank Treasury, sparked a new tip that might upset anyone who has a “think before printing” disclaimer in their e-mail signature: Don’t use paperless billing.
Trend Micro, the Japanese antivirus-software maker and Kellermann’s new employer, published an interesting report earlier this year about “automatic transfer systems,” and how criminals are increasingly using them to siphon money out of people’s bank accounts without them ever knowing it.
They do this by initiating wire-transfer requests the moment a victim logs into an online banking account. And, even spookier, they change the account balance and transaction history you see on your screen to hide the fraud. They use malicious code that kicks in after the user has logged into their bank’s website.
In other words, your account could show a full balance online but actually be empty. The only way you’d find out is if you went over the limit or if you see it on a paper statement that’s mailed to your home.
Kellermann presumes that 2013 will be when this cyber tactic becomes mainstream, due largely to the rise in mobile banking. For now, the attack is more common in the U.K., Germany and Italy, but versions targeting U.S. and other countries’ financial institutions do exist and will likely become more common, according to Trend Micro.
Hackers have transferred as little as 500 Euros ($658) to as much as 13,000 Euros ($17,120) at a time to foreign accounts using this technique, Trend Micro found. The criminals often steal small amounts each time victims log into their accounts, to avoid detection.
So if you do a lot of online banking, consider getting paper statements. It’s not eco-friendly or particularly convenient, but paper isn’t so easily hackable.