Aussie bank account passwords stolen and sold for $900

A bundle package that includes personal information and personal bank details from Commonwealth Bank, ANZ, Suncorp and Bank West account holders is going for €550, according to McAfee Avert Labs’ research.

Prices depend on what’s on offer such as available balance, bank organisation and country. And as in the legitimate world, quality costs more.

“My investigations led me to visit a site proposing top-quality data for a higher price than usual,” wrote researcher Francois Paget, in the
Avert Labs blog.

“Additional information such as PIN and Transfer Pass-phrases are also given when necessary,” Paget said.

A bundle package from multiple US banks is on offer for €450, while stolen data from Spanish banks is the most expensive at €575.

To give an idea of the scope of the activity the research reveals that data from over 900 banks in North America and European countries exist in the trade.

The seller even offers some guarantees, promising to replace the data if the purchaser is unable - within 24 hours - to log into the account with details provided, wrote Paget.

SC notified the Commonwealth Bank upon accessing the research and the bank promptly referred the case to authorities.

According to the Commonwealth Bank’s spokesperson Michael Gleeson, the bank works closely with the Australian High Tech Crime Centre and the country's state police services.

“The security of our customers' details is of the utmost importance to the Commonwealth Bank. We are not sure if the site in question is genuine or a hoax but we are taking it very seriously,” Gleeson said.

ANZ Bank did not respond to calls for comment.

Despite the Commonwealth Bank's prompt measures, experts agree that end-users are, and if not more, at fault than the banks storing the data because of lax security practices.

According to Dave Marcus, security research and communications manager at McAfee’s Avert Labs, the end-user is ultimately the person whose machine was infected with malware in the first place.

“It is usually through password stealing Trojans that are downloaded onto the victims' machines. Other times it’s through a good phishing site or through targeted spear phishing site,” Marcus said.

He said most people still don’t actually get that it is the end-user who is the real victim and the end-user who is the ultimate target.

“The bank is [simply] used as the lure because they’re high profile,” he said.

Marcus praised the role of banks in fighting cyber theft and fraud, acknowledging that in this day and age banks do a very good job of raising awareness and invest in a lot of authentication.

“It [identity theft] happens more often than you would probably be comfortable knowing. These types of sites and then the selling of this type of information is very common in the underground,” Marcus said.

Paget's research did not specify the names of those affected.

Copyright © SC Magazine, Australia