News Blog

Read all 'bank' posts in News Blog
July 8, 2008 10:30 PM PDT

Bank of America may finally embrace Firefox

by Steven Musil

The largest bank in the United States has officially ignored the second most popular Web browser--until recently.

A tipster for Networkworld.com pointed out recently that Bank of America's Web site did not list the Mozilla Foundation's Firefox as a "supported browser," even though Firefox now commands almost 20 percent of the browser market. The bank's site lists Microsoft's Internet Explorer, Apple's Safari, and Netscape as acceptable browsers.

Netscape? Even AOL, Netscape's former owner, doesn't support Netscape Navigator anymore.

Of course, Firefox, which was released in 2004 and recently set a Guinness record for downloads in a 24-hour period, still works on the BofA Web site--just not officially. The issue apparently came up when a BofA customer contacted the bank about problems he was having accessing the site using Safari. "Please don't tell me to just use Firefox instead," the Networkworld.com reader told BofA customer support.

Not a problem, according to customer support.

"Please note Bank of America does not support Firefox," was customer service's reply.

When posed with the question of why the No. 1 bank's Web site did not wholeheartedly embrace the No. 2 browser's 180 million users, a spokeswoman told Networkworld.com that "there is a process that we go through to 'officially support' a browser type and version, which includes in-depth functional and regression testing cycles.

"As the usage of Firefox browsers has increased with our customer base, we will be initiating a full support model for Firefox version 2.x in the very near future," spokeswoman Tara Burke told Networkworld.com.

Think "the very near future" will prove to be very soon? Don't bank on it.

June 4, 2008 1:55 PM PDT

Bank of New York Mellon says customer data exposed

by Elinor Mills

The Bank of New York Mellon says sensitive data of more than 4 million people owning shares in public companies was exposed after a box of back-up data storage tapes went missing in February. The data included names, addresses, and Social Security numbers.

In a separate incident in April, a back-up data storage tape containing images of scanned checks and other documents relating to payments made to nearly 50 institutional clients went missing.

In both instances, the tapes were being transported by outside vendors, a company spokesman told CNET News.com on Wednesday.

An unnamed national courier was transporting one back-up storage tape from the Philadelphia office of BNY Mellon Working Capital Solutions to Pittsburgh, Penn. The tape never arrived. BNY Mellon Working Capital Solutions processes payments on behalf of its institutional clients.

In the other incident, an unnamed storage vendor was transporting 10 boxes of back-up data storage tapes with shareholder information from BNY Mellon Shareowner Services' facility in New Jersey to an off-site storage facility when one box was discovered missing. BNY Mellon Shareowner Services is a stock transfer agent and stock plan administrator for public companies.

The bank is cooperating with law enforcement agencies and offering customers two years of free credit monitoring and identity theft insurance up to $25,000. More information and a hotline number are available at a special Web site BNY Mellon created related to the security breach.

Customers have been receiving letters in the mail and contacting the hotline for at least three weeks.

The company also is reviewing its policies and procedures. It is requiring that confidential data be transferred in encrypted form when possible to minimize the need for data storage tapes and requiring that confidential data on tapes or CDs be encrypted or transported with added controls.

"Although there is no indication that the data on these tapes has been misused, we are working with our clients to notify individuals who may be affected" and offering fraud protection, Todd Gibbons, chief risk officer at The Bank of New York Mellon, said in a statement issued late last week.

In contrast to the bank's offer to aid its affected customers, LendingTree, which has been sued over a data breach involving its customers, did not offer to pay for any credit monitoring for its affected customers.

April 1, 2008 3:06 PM PDT

Glitch limits access to Citibank accounts

by Greg Sandoval

Citibank, the country's largest bank, saw intermittent outages to its Web site Tuesday that prevented an unknown number of customers from accessing their accounts.

"Earlier today we experienced an issue that has resulted in intermittent customer access to Citibank.com," the company said in a statement. "As we are addressing this issue, some users are experiencing slow response times. We hope to be operating normally shortly."

A customer service representative of the bank, a division of financial services powerhouse Citigroup, said the issue began this morning and that the glitch has prevented customers from paying bills or performing any banking chores.

A bank spokesman did not disclose what caused the malfunction.

February 27, 2008 8:06 AM PST

Identity theft study reveals HSBC, BofA, Wamu top targets

by Chris Soghoian

Customers of HSBC, Bank of America, and Washington Mutual suffer the highest rates of identity theft in the banking industry, according to an investigative study released Wednesday by a UC Berkeley Law School researcher.

The Federal Trade Commission received over 245,000 reports of identity theft in 2006, but does not typically publish the names of the financial firms and companies listed in the reports. Through an extensive Freedom of Information Act request, Chris Hoofnagle, a staff attorney at UC Berkeley's Boalt School of Law, was able to get detailed records on the individual consumer complaints.

Hoofnagle received detailed information for three randomly chosen months in 2006: January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions identified by victims.

Estimated Annual Incidents Per Billion in Deposits Among Largest US Banks (2006)

(Credit: With permission from Chris Hoofnagle)

Once he crunched the numbers, Hoofnagle discovered that HSBC has the highest rates of reported identity theft in the financial industry during 2006, when adjusted for billions of dollars in deposits. Bank of America and Washington Mutual came in a close second and third. According to Hoofnagle's stats, HSBC had 21 incidents of identity theft per billion dollars in deposits, Bank of America/MBNA had about 17, while Washington Mutual had 16. Online banking leader ING had the lowest rates in the industry, with just a single reported incident.

Technically, American Express and Capital One lead the pack--with 485 and 242 respective incidents per billion dollars in deposits. However, Hoofnagle excluded them from the graph due to the small scale of each company's banking operation (Amex's $7 billion in deposits compared with Bank of America's nearly $760 billion).

Outside of the financial services sector, telecom giants AT&T and Sprint suffered from more than 9,100 and 8,300 estimated reported cases of identity theft. As the firms do not publish the numbers of customers they serve, it was impossible for Hoofnagle to break these numbers down further.

While the FTC incidents that Hoofnagle examined were from 2006, a number of recent reports indicate that HSBC has recently been overwhelmed with "a wave of banking fraud." Real numbers to back up these reports will not be available from the FTC for some time.

The levels of theft described in Hoofnagle's study match up nicely with a 2007 report released by Cambridge University researchers, which revealed that Bank of America and Washington Mutual took the longest time to shut down phishing sites targeting the banks. Sites masquerading as BofA and Wamu typically stayed online for more than 100 hours, compared with less than two days for Chase and PayPal.

Finally, while the FTC publishes an annual identity theft report, it is not required to break down its figures and reveal the names of the most frequently victimized banks. While states like California have been able to pass significant pro-consumer data breach legislation, this is one area where states have little power. Incidents of identity theft are primarily reported to the FTC, and not to state attorneys general. To force the FTC to voluntarily publish such data, federal legislation will be required--something that is unlikely to happen.

Hoofnagle's 16-page study, with detailed numbers and graphs, can be found here.

Originally posted at Surveillance State
February 25, 2008 10:52 AM PST

Electronic Arts hires Morgan Stanley to do its bidding

by Dawn Kawamoto

Morgan Stanley is the banker representing Electronic Arts in its unsolicited buyout bid for rival game publisher Take-Two, the investment bank confirmed Monday.

While that news alone is no big deal, consider this: Morgan Stanley is also representing Microsoft in its unsolicited buyout offer for Yahoo, which was announced a mere 25 days ago.

That's two megabillion-dollar buyout bids the premier investment banking firm has agreed to handle in the past month. And both have the potential to get mean and nasty, should the target companies kick and scream all the way to the altar.

So, this raises the question regarding Morgan Stanley, lofty fees aside:

Is Morgan a glutton for punishment?

October 1, 2007 12:23 PM PDT

Phishing e-mails drive FTC chief 'insane'

by Anne Broache

WASHINGTON--If your in-box is pelted by a seemingly ever-growing supply of inquisitive e-mails purporting to come from the likes of PayPal and Bank of America, the federal agency charged with consumer protection says it feels your pain.

FTC Chairman Deborah Majoras

The deceptive technique--in which crooks dispatch e-mails requesting sensitive personal information, typically by masquerading as financial institutions--"is one practice that absolutely drives me insane," Federal Trade Commission Chairman Deborah Platt Majoras told attendees at the first National Cybersecurity Awareness Summit, which was put on here Monday by a nonprofit partnership of federal government agencies and software vendors.

That's because phishing, more so than some other forms of cyber malice, is a prime example of a tactic that would all but evaporate if more consumers were better informed of what to look out for, she suggested. (After all, it's also an only slightly higher-tech variant of one of the oldest scams in the book--the "ph" comes from the original telephone-based variety of phony information-seeking.)

"I feel like if we could just teach every consumer what this means, never respond to that kind of contact, and train them to hit delete and not reply, we could clear this up," she said.

To that end, the agency is concocting a new video to supply "important information about phishing" and plotting other ways to "revitalize consumer education efforts," Majoras said. Working with the financial sector to spread the word will be critical because the messages so often rely on confusing consumers with the real thing, she added.

Attempting to go after the enterprising e-mailers in court will play some role, too. Majoras said the commission has already targeted phishers with three civil cases and has also worked closely with the Department of Justice to pursue criminal penalties, which the FTC doesn't have authority to levy, as what they hope will supply a further deterrent.

At the moment, the FTC has about two dozen open investigations involving corporate data security practices, she said, adding, "where appropriate, we will again take enforcement actions."

But it's questionable whether such actions will really make a dent. Phishing attempts have by far outnumbered any other sort of malicious activity reported to the U.S. Computer Emergency Readiness Team (US-CERT) since 2003, accounting for nearly 42,000 of some 63,000 total reports, Department of Homeland Security cybersecurity czar Greg Garcia told summit attendees.

Still, there's no reason for panic, said Wayne Abernathy, who represents the American Bankers Association. It's actually quite simple--banks don't do business by asking consumers for basic account information via e-mail, he said. "If customers receive e-mails asking for such information, they should consider them to be fraudulent in nature," he told summit attendees.

September 20, 2007 6:15 AM PDT

False security: Is Bank of America lying to its customers?

by Chris Soghoian

A bank that guarantees its online users safety and security has direct evidence that its Web-based banking system may not be 100 percent bullet-proof.

Should that bank tell its customers? And if it doesn't, is it misleading, or even worse, lying, to them?

Bank's logo

(Credit: BofA)

Bank of America, like many other financial institutions in the U.S., has jumped on the "two-factor" authentication bandwagon. Instead of having its customers log in with just a user name and password, these new schemes require some third bit of information.

Some banks choose to issue their customers a cryptographic hardware token (a keychain with a digital display that spits out a new random number every 60 seconds). Others, especially those banks with less profitable customers, have opted to instead adopt software solutions. The advantage of this, of course, being that they don't have to spend any money to send widgets out to their customers.

BofA's SiteKey two-factor authentication system is essentially a rebadged version of the PassMark system sold by RSA/EMC. Other banks that have licensed the technology include Pentagon Federal Credit Union, Vanguard, and U.K.-based bank Alliance & Leicester. Users of SiteKey and similar systems select a graphical image and phrase, which are then displayed to them every time they log in to the Bank of America Web site from a "trusted" computer (that is, one that BofA has seen before).

According to Bank of America's own numbers (PDF), over 21 million customers use their online banking system. BofA's Web site promises customers that the SiteKey system will keep them safe, stating: "You know it's really us--when you see your SiteKey, you can be certain you're at the valid Online Banking Web site at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected."

How SiteKey Works

(Credit: Bank of America)

The problem is that all of these schemes--every single one of them--are vulnerable to a form of deception known as a man-in-the-middle (MITM) attack. Russian phishers launched a sophisticated MITM attack against the hardware-token-based, two-factor authentication scheme used by Citibank. Another group of hackers was able to rip off customers of the Dutch bank ABN Amro, which also issued hardware tokens.

On multiple occasions in 2005 and 2006, security researchers raised the alarm regarding the false promises of two-factor authentication, and in particular, Bank of America's SiteKey system. Finally in April 2007, Professor Markus Jakobsson and I announced a working demo of a successful man-in-the-middle attack against SiteKey. Based on advice from lawyers, we did not release an easy-to-use version of the system, nor were we able to provide access to the demo to others online. To provide the factual support for our claims and to demonstrate how relatively easy such an attack would be to perform, we released a screen-captured video of the demo, as well as source code that would allow an advanced user to download the SiteKey image from any remote, untrusted machine.

Our demo got quite a bit of press attention, with mentions in The Register, ZDNet and The Washington Post. One of the main points we tried to make when we put our demo online is that Bank of America is promising its customers something impossible. By telling users that the SiteKey image guarantees they are visiting BofA's Web site--and not a phishing page--Bank of America is giving its users a false sense of security. Were BofA to instead acknowledge the risks of phishing and man-in-the-middle attacks, users might be more cautious when logging into suspect Web sites.

Shortly after we released the demo, Louie Gasparini, chief technology officer for RSA's Site to User Authentication group was interviewed by Brian Krebs at The Washington Post. He said that our attack demo "overlooks a number of back-end technologies that financial institutions use to detect fraudulent transactions."

"What they're critiquing is just the most visible piece to this technology," Gasparini added. "There is a whole bunch of risk management and fraud detection that goes on behind the scenes so that even if a user's account does get compromised, the bank can still protect that person."

Gasparini's comments mirror those of Betty Riess, a spokeswoman for Bank of America with whom I chatted on Tuesday. Riess made it a point to mention that SiteKey is just one part of BofA's multipronged approach to security. However, she declined to comment further when specifically asked if the text on the SiteKey page is misleading, or if Bank of America has a responsibility to be honest with its users about the risks of man-in-the-middle attacks.

Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be "certain (they're) at the valid Online Banking Web site" when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?

Watch our video of the man-in-the-middle attack against the SiteKey system, read Bank of America's promises of safety and security on its Web site, and decide for yourself.

June 28, 2007 3:10 AM PDT

Happy 40th, ATM

by Harry Fuller

John Shepherd-Barron, father of the automated teller machine

(Credit: BBC)

Forty years ago this week, life changed. There's been plenty of hoopla over the 40th anniversary of the "Summer of Love" and the Beatles appearing on American TV, but this event even affects life on Antarctica: the birth of the ATM. Yes, there's an ATM for researchers down at McMurdo Sound.

Before the first ATM was installed by Barclays Bank near London in 1967, there was a lot of standing in line and writing of checks, though there were probably a lot fewer $20 bills in the United States back then.

More than $25 billion will be withdrawn from bank accounts around the world today from 1.5 million of the ubiquitous dispensers. In keeping with our status as the most indebted nation in history, we Americans have more than a quarter of the world's ATMs.

Despite some security threats and occasional hacks, there seems little doubt that ATMs will continue to be the teller of choice for most consumers. And for the record, when you're visiting its birthplace, the United Kingdom, don't ask for the nearest ATM. They're called "cash machines."

June 18, 2007 9:42 AM PDT

High court rules against dot-com investors

by Anne Broache

Ten leading investment banks that helped several hundred technology companies make initial public offerings during the dot-com bubble of the late 1990s can't be sued for antitrust violations, the U.S. Supreme Court ruled Monday.

In a 7-1 decision (PDF) authored by Justice Stephen Breyer, the majority dismissed arguments made by 60 investors who filed a pair of class-action antitrust suits against the banks in January 2002.

The investors had claimed that the banks had behaved anticompetitively by imposing special conditions on top of the agreed-upon IPO share prices and commission. According to the high court opinion, those conditions included forcing the investors to agree to purchase additional shares later at higher prices, to pay "unusually high" commissions, or to buy "less-desirable" securities as well.

A federal district court initially dismissed the allegations against the banks, but the Second Circuit Court of Appeals disagreed. The Supreme Court, for its part, reversed the appeals court finding.

Breyer wrote that the Securities and Exchange Commission already actively enforces forbidden conduct and that "to allow an antitrust lawsuit would threaten serious harm to the efficient functioning of the securities markets."

What does all of this mean for Wall Street? Read the full story on CNET News.com.
