Wade, Will, Wolfe, Daniel, American Banker
Byline: Will Wade and Daniel Wolfe
Social networking Web sites could provide more than enough clues to help criminals gain access to online banking accounts through the "Forgot your password?" feature, according to Bob Sullivan's "Red Tape Chronicles" column on MSNBC.com.
Many banking sites have a page for people who cannot remember their password, but with enough personal information, a criminal could use these pages to reset a password, Mr. Sullivan wrote last week.
Many people provide exactly this kind of personal information on their personal Web pages, he wrote. "With the help of social networking sites like Facebook and MySpace, personal trivia is getting less obscure all the time. You'd be surprised how easily someone can uncover Fido's name or your alma mater with a little creative searching."
As an experiment, Herbert Thompson, the chief security strategist at the New York consulting company People Security, tried to break into some friends' accounts using details he collected online. In one case, starting with only a friend's name and employer led him to the friend's blog and resume, where he collected such details as the names of her pets, her hometown, and her grandparents.
When Mr. Thompson visited the friend's banking site, he found her user name was simply her first initial and last name. When he asked the site to reset the password, it automatically sent a confirmation message to the friend's e-mail account; he reset the password at that account, and the bank sent a message to an old college e-mail account, which Mr. Thompson was able to access by providing her address, ZIP code, and birth date.
From there, he was able to get into the friend's current e-mail account using her birthplace and father's middle name, and then got into the banking site by providing her pet's name.
"This is a serious problem. It kind of blew me away," Mr. Thompson said.
Though Mr. Sullivan wrote that there "are no known cases in which hackers have widely exploited forgot-your-password" pages, researchers say criminals are becoming more aware of the technique.
Markus Jakobsson, the principal scientist at Palo Alto Research Center, said personal details that can be used to answer online security questions are widely available on the black market for about $15 a set.
A wealthy hedge fund investor says he fell victim to common automated clearing house fraud because he did not check his private bank statement.
Guy Wyser-Pratte, who runs a $500 million hedge fund, filed a complaint with the New York Police Department after realizing in May that nearly $300,000 had been drained from his personal bank account over the previous 15 months, The New York Times reported Saturday.
He said the dozens of transactions were used to pay for computers from Dell Inc., though police officials say they have been able to track only a single shipment, valued at about $1,600, to a nonexistent Brooklyn company.
JPMorgan Chase & Co., Mr. Wyser-Pratte's private bank, has said it would cover only $50,000 of the loss, because he did not report most of the purchases in time; federal regulations give consumers 60 days after a statement is issued to challenge an unauthorized transaction. …