September 25, 2013
Vodafone Germany suffered a huge data breach earlier this month, as customer details for over two million accounts were stolen from their databases in what the company thinks was an inside job.
Alongside the usual information nabbed by hackers – customer names, genders, birthdays and addresses – the leak also contained bank sort codes and account numbers: the holy grail for data thieves.
What can criminals do with this information?
When bank details are compromised, there are two avenues of attack for cyber criminals – direct access and “phishing”.
Direct access is a simple concept – the criminals want to use your data to access your bank account, steal your money and leave. While a sort code and account number aren’t typically enough to allow someone to access your bank account, there are a multitude of ways criminals can use this information to take your money.
If a bank has poor security measures for its online banking, the criminals could combine the account number with answers to some secret questions to reset a password and gain access.
For example, if someone’s secret question was “what is my home town?” – and the criminals have the victim’s address – it’s obvious that they would be able to answer it for anyone that had never moved away. That would probably be a large proportion of people who live in small towns around the country.
Sort code and account information can also be used to sign people up to direct debit services, where money is regularly taken out of your account without you knowing. Typically, all these need is a name and home address to confirm their set-up – which the criminals now have.
Of course, you would be able to see money coming out of your bank account each month, but with two million people’s details, the criminals need only ask for €10/month and they would make €20 million in just one month. Wow.
The other issue is phishing. This is when criminals get in contact with you (usually by email) and try to trick you into giving up more of your details. In this case, someone might set up a fake email address pretending to be your bank. Then they might ask you to log in to your bank’s website to confirm some security feature (or some other piece of made-up rubbish).
However, the link they send you would actually lead to a fake website they have made, which looks just like your bank’s real website but transmits all of the information you enter to the criminals’ computers. Because of the hack, the criminals could also include your bank details in the phishing email itself, which would go a long way to help convince you it was a legitimate message from your bank.
What to do if you’re a victim?
If a big company loses your bank information, it’s up to you to be vigilant about the rest of your life – especially your bank. Expect fake phone calls and phishing emails, and regularly check your bank account for strange transfers that you didn’t make.
It might not be your fault that your data has been stolen, but it’s up to you to make sure that the rest of your security is watertight.
Norman Safeground Blogs Archive