Lloyds TSB warning may panic some customers
Technorati Tag: Security Breach
Date Reported:
1/4/08
Organization:
Lloyds TSB
Contractor/Consultant/Branch:
None
Victims:
Bank customers
Number Affected:
Unknown
Types of Data:
”personal information including credit card and your internet login details"
Breach Description:
Lloyds TSB's Fraud Response Team, acting on a tip from APACS and intelligence from law enforcement, sent letters to an unknown number of bank customers warning them that their computers may have been infected with a virus that is specifically meant to steal personal information, credit card data, and authentication information.
Reference URL:
ComputerWeekly.com Story
BobsGuideStory
Report Credit:
Karl Flinders, ComputerWeekly.com
Response:
From the online sources cited above:
The bank's Fraud Response Team sent letters to some customers in December after it received a tip-off from payments association APACs, acting on intelligence from a law enforcement agency.
"Lloyds TSB has been recently advised that your computer may have been infected with a virus. This virus is specifically designed to steal personal information including credit card and your internet login details," warned the letter.
"This virus can be difficult to detect and you may have downloaded this unknowingly. It can compromise your use of the internet banking service on your PC including your Lloyds TSB passwords and memorable information."
Lloyds said a small number of customers received the letter but would not give details of the exact number, the type of Trojan or how it discovered the information.
[Evan] Lloyds TSB sends the letter, then won't provide any useful information. If Lloyds TSB had evidence about some "difficult to detect" virus on my computer that was stealing my information, I would certainly like to know what it was!
Lloyds TSB said, "We received intelligence from a law enforcement agency via Apacs that a very small number of UK consumers might have been exposed to a Trojan horse programme and that some of these were Lloyds TSB customers."
"We always monitor customer accounts to guard against any potentially fraudulent transactions and in this case have also advised customers who did not have an anti-virus software package on their machine to consider purchasing one to ensure maximum protection for their PC in the future."
Victim Response:
The letter left one IT director, who banks with Lloyds TSB, angry. He contacted the anti-fraud team but did not receive answers to his questions. He was told that his personal details had been available on a website, which the bank had now closed down, and was offered a security service but was not given details of the Trojan on his PC.
"You cannot go to a customer and spread panic. You go to them with consolidated information and do not just throw unqualified data at them," he said. "They said my details have been published on the internet. I asked what details and where and they could not answer."
[Evan] I can empathize with this person's concern and agree with his point. I am glad to see someone (a customer) step up and demand answers. We all should.
"I have asked to be informed about what this personal information was, and so far Lloyds TSB has been far from helpful and have never responded to my calls,"
Commentary:
This reminds me of some tips I learned from seasoned information security professionals years ago. One tip was not to raise a "red flag" unless you had something substantial to back it up. Other tips were to educate users with facts and earn trust. I am sure that Lloyds TSB's intentions are noble, but the follow-up is questionable at best. People have a tendency to panic about these things unless they are given facts and assured of an outcome.
This also reminds me of my days working for a major U.S. bank years ago. I worked on the Threat & Vulnerability team, which I would assume isn't too much different from Lloyds TSB's Fraud Response Team. We detected and responded to thousands of suspicious activity reports, intrusion detection alerts, phishing reports, etc. We never reached out to a customer without facts and we were always prepared to answer questions with facts. Initiating "takedowns" on malicious web sites (primarily phishing) was a daily occurrence.
I sincerely hope that Lloyds TSB will provide their customers with additional details and handle future incident responses with more thought. To give Lloyds TSB the benefit of doubt, maybe they are unable to disclose additional details because of law enforcement action. Still, customers are frustrated and some are scared.
Past Breaches:
Unknown
Date Reported:1/4/08
Organization:
Lloyds TSB
Contractor/Consultant/Branch:
None
Victims:
Bank customers
Number Affected:
Unknown
Types of Data:
”personal information including credit card and your internet login details"
Breach Description:
Lloyds TSB's Fraud Response Team, acting on a tip from APACS and intelligence from law enforcement, sent letters to an unknown number of bank customers warning them that their computers may have been infected with a virus that is specifically meant to steal personal information, credit card data, and authentication information.
Reference URL:
ComputerWeekly.com Story
BobsGuideStory
Report Credit:
Karl Flinders, ComputerWeekly.com
Response:
From the online sources cited above:
The bank's Fraud Response Team sent letters to some customers in December after it received a tip-off from payments association APACs, acting on intelligence from a law enforcement agency.
"Lloyds TSB has been recently advised that your computer may have been infected with a virus. This virus is specifically designed to steal personal information including credit card and your internet login details," warned the letter.
"This virus can be difficult to detect and you may have downloaded this unknowingly. It can compromise your use of the internet banking service on your PC including your Lloyds TSB passwords and memorable information."
Lloyds said a small number of customers received the letter but would not give details of the exact number, the type of Trojan or how it discovered the information.
[Evan] Lloyds TSB sends the letter, then won't provide any useful information. If Lloyds TSB had evidence about some "difficult to detect" virus on my computer that was stealing my information, I would certainly like to know what it was!
Lloyds TSB said, "We received intelligence from a law enforcement agency via Apacs that a very small number of UK consumers might have been exposed to a Trojan horse programme and that some of these were Lloyds TSB customers."
"We always monitor customer accounts to guard against any potentially fraudulent transactions and in this case have also advised customers who did not have an anti-virus software package on their machine to consider purchasing one to ensure maximum protection for their PC in the future."
Victim Response:
The letter left one IT director, who banks with Lloyds TSB, angry. He contacted the anti-fraud team but did not receive answers to his questions. He was told that his personal details had been available on a website, which the bank had now closed down, and was offered a security service but was not given details of the Trojan on his PC.
"You cannot go to a customer and spread panic. You go to them with consolidated information and do not just throw unqualified data at them," he said. "They said my details have been published on the internet. I asked what details and where and they could not answer."
[Evan] I can empathize with this person's concern and agree with his point. I am glad to see someone (a customer) step up and demand answers. We all should.
"I have asked to be informed about what this personal information was, and so far Lloyds TSB has been far from helpful and have never responded to my calls,"
Commentary:
This reminds me of some tips I learned from seasoned information security professionals years ago. One tip was not to raise a "red flag" unless you had something substantial to back it up. Other tips were to educate users with facts and earn trust. I am sure that Lloyds TSB's intentions are noble, but the follow-up is questionable at best. People have a tendency to panic about these things unless they are given facts and assured of an outcome.
This also reminds me of my days working for a major U.S. bank years ago. I worked on the Threat & Vulnerability team, which I would assume isn't too much different from Lloyds TSB's Fraud Response Team. We detected and responded to thousands of suspicious activity reports, intrusion detection alerts, phishing reports, etc. We never reached out to a customer without facts and we were always prepared to answer questions with facts. Initiating "takedowns" on malicious web sites (primarily phishing) was a daily occurrence.
I sincerely hope that Lloyds TSB will provide their customers with additional details and handle future incident responses with more thought. To give Lloyds TSB the benefit of doubt, maybe they are unable to disclose additional details because of law enforcement action. Still, customers are frustrated and some are scared.
Past Breaches:
Unknown
Posts Atom 1.0
Comments