Sunday Times - Why Friday is the Most Dangerous Day for Fraud
organic_wanabe
Posts: 808 Forumite
Thought I would post this just in case it might be of interest to anyone who doesn't get The Sunday Times:
http://www.thesundaytimes.co.uk/sto/business/money/Consumer/article1527879.ece
I used to have an account with HL (probably still do, with a zero balance). It said that the fraudster had been hacking into the man's email account for a period of two months, but even so I can't work out how he would have got enough info to breach security. Good for H-L refunding the money because 'it was the right thing to do'.
I'm hoping that my anti-virus software is robust!
0
Comments
-
Yes frankly the big online investment companies online should issue RSA tokens. I am not talking about the bad implementation of card readers but rather the far more user friendly SecurID http://uk.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm style.
It would near completely eliminate this worry if done correctly. I have had this security in place for 8 years at some poker sites (big target for hackers/fraudsters). It boggles my mind how far behind the more mainstream financial institutions are in the UK regarding customer security.
Of course it is expensive to implement and not all customers would want it. But I would be willing to foot some of the bill to get proper security on my investment accounts and it could be customer's choice of having it or not. I know Fidelity in the USA offer this facility, apparently UK customers don't get it though.0 -
You can avoid what happened here, by making your Email accounts more secure. I set two factor authentication on my (well known) web email provider and social media.
This sends texts to my mobile phone with a code in it, which has to be entered to approve any change.
H-L could also implement this without any need for token machines. Then withdrawals would need a code from the text. Naturally any change to the mobile number would need to be handled securely as well.0 -
You can avoid what happened here, by making your Email accounts more secure. I set two factor authentication on my (well known) web email provider and social media.
This sends texts to my mobile phone with a code in it, which has to be entered to approve any change.
H-L could also implement this without any need for token machines. Then withdrawals would need a code from the text. Naturally any change to the mobile number would need to be handled securely as well.
Very interesting how someone could gain enough information to pull this off.0 -
Very interesting how someone could gain enough information to pull this off.
It's sadly pretty easy. The last few years have seen a huge amount of online sites targeted by hackers. Places with weak security like forums, blog sites, online casinos, online web wallets etc. Once they have the database from xxx hacked site the info on every individual user like the password to your forum account/email address associated with the account is in their hands pretty painlessly. It's then a simple process for them to try and get into the email account with the password you used for the forum or whatever (or sell the database to someone who will take it further). Not everyone will use identical passwords but some will and I think you would be surprised at what sites have been compromised without publicly admitting it. Once they have access to someone's email account you can see how things start to unravel. Do not be so naïve as to think your password cannot be viewed by a hacker who steals the database from a forum you frequent. It would eliminate this threat if you used a different email address for every single online account you had and a different login and different password for every single account as well. Sounds good but to all intents and purposes not practical or feasible to a lot of people.
This thread inspired me to go and check an old Hotmail account I have had for 12 years. This account I know for 100% was attached to me at sites which were compromised. Hotmail has a facility to view recent attempted logins and I can see 7 in the past 10 days, 3 from China and 4 from Ukraine. I am pretty sure I have it as secure as I can but there you go. It's almost certainly going on for everyone who has been around the internet for a while.0 -
InvestInPoker wrote: »It's sadly pretty easy. <snip>
But I would have thought it would take a bit more than for the fraudster to simply log in and update the details. Banks that operate savings accounts with a linked account often require changes to that nominated account to be verified by the customer providing a cheque or debit card deposit, or the setup of a direct debit, so that the name on the account can be cross-checked. I thought HL did this also, and if they did, it would mean the fraudster would have had to open a current account in the victim's name, which would tend to require a lot more than the information the fraudster is likely to find in the victim's email and social media accounts.
Perhaps HL don't in fact do anything to verify new linked accounts actually belong to their clients.0 -
which would tend to require a lot more than the information the fraudster is likely to find in the victim's email and social media accounts.
Well I know credit check companies (and other financial institutions) require identity documents sometimes to open accounts. These are frequently sent by email and copies are left in sent mail folders etc.0 -
InvestInPoker wrote: »Well I know credit check companies (and other financial institutions) require identity documents sometimes to open accounts. These are frequently sent by email and copies are left in sent mail folders etc.
However, with online statements becoming so common (I receive a few in pdf format by email and if printed in sufficient quality they would look indistinguishable from an original), it wouldn't be beyond the realms of possibility for the fraudster to get access to a bill or account statement and create a forgery from there.0 -
Fair 'do's' for H-L refunding the £50k, but if it was my account and within 2/3 weeks of totally changing my bank details I withdrew a very large amount online, I'd be a little peed off if they didn't at least question the transaction.
I wanted £10k from my H-L portfolio a few years back and they put me through a bit of a wringer, making sure I was aware of the implications! Sounds like they don't do that any more...0 -
Onawingandaprayer wrote: »I wanted £10k from my H-L portfolio a few years back and they put me through a bit of a wringer, making sure I was aware of the implications! Sounds like they don't do that any more...
It probably depends how verified with them you are (not speaking about HL specifically, more a general statement). I know other platforms will proceed on a lot of things without needing much further documentation if your account is linked to a FA who verified you originally. For users who just signed up and deposited themselves via the website, it will be stricter on the first withdrawal.0
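The controls raised in this thread (a texted code for withdrawals, careful handling of a changed mobile number, and questioning a large withdrawal made soon after the bank details change) can be combined into one check. The sketch below is an added example, not part of any post and not Hargreaves Lansdown's actual process; the 21-day window, the £10,000 threshold and all names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy values for illustration; not taken from any real platform.
COOLING_OFF = timedelta(days=21)  # window after a bank-detail or phone change
LARGE_AMOUNT = 10_000             # GBP; at or above this counts as large


@dataclass
class Account:
    bank_details_changed: Optional[datetime]  # last change of nominated bank account
    mobile_changed: Optional[datetime]        # last change of the number that receives codes


def _recent(changed: Optional[datetime], now: datetime) -> bool:
    return changed is not None and timedelta(0) <= now - changed < COOLING_OFF


def assess_withdrawal(acct: Account, amount: int, now: datetime,
                      code_verified: bool) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'hold'."""
    reasons: List[str] = []
    # A texted code proves nothing if the number was swapped just beforehand.
    if _recent(acct.mobile_changed, now):
        reasons.append("mobile number changed recently")
    # Large payout to a newly nominated account: the pattern questioned in the thread.
    if _recent(acct.bank_details_changed, now) and amount >= LARGE_AMOUNT:
        reasons.append("large withdrawal to recently changed bank account")
    if reasons:
        return "hold", reasons  # manual review; contact the customer on the old details
    if not code_verified:
        return "step_up", ["one-time code required"]
    return "allow", []


if __name__ == "__main__":
    # Constructed scenario: bank details changed two weeks before a 50,000 withdrawal.
    now = datetime(2015, 3, 13, 16, 0)
    acct = Account(bank_details_changed=now - timedelta(days=14), mobile_changed=None)
    print(assess_withdrawal(acct, 50_000, now, code_verified=True))
```

A correct one-time code does not lift a hold: when the phone number or the payee account is new, the code only shows that whoever made the change also holds the phone.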