Bank customers know to shield their ATM passwords from prying eyes. But with the rise of online banking, computer users may not realize electronic snoops might be peeking over their shoulder every time they type.
In a twist on online fraud, hackers and identity thieves are infecting computers with increasingly sophisticated programs that record bank passwords and other key financial data and send them to crooks over the Internet.
That's what happened to Tim Brown, who had account information swiped out of the PC at his Simi Valley store.
"It's scary they could see my keystrokes," said Brown, owner of Kingdom Sewing & Vacuum. "It freaks me out."
Brown learned of the scam only after security researchers stumbled onto a computer harvesting information from hundreds of PCs and felt compelled to alert some of the people who had the most data exposed. Realizing he was lucky to get the call last month, Brown changed his passwords and is hoping for the best.
"This even staggered us," said Alex Eckelberry, president of Sunbelt Software Inc., which found that the so-called keylogger program installed itself in a way most antivirus software could not block. "Online institutions now have to assume that the account holder may have been compromised."
Such security breaches are on the rise, even as other sorts of Internet scams decline.
Security experts attribute the new approach to rising savvy among both computer users and crooks.
Many users, for instance, know not to reply to unsolicited "phishing" e-mails requesting financial information, even if the requests appear to have been sent by a bank. The number of reported phishing attacks fell in July from June, according to the Anti-Phishing Working Group, which is backed by most of the biggest U.S. banks and Internet service providers.
But the number of programs aimed at stealing passwords more than doubled in the same period.
"We're seeing explosive growth in 'crimeware,' " said Peter Cassidy, the working group's secretary general. "It's really galloping."
Consumers are increasingly jittery: 42% say security concerns have caused them to change their electronic shopping habits, according to research firm Gartner Inc.
Banks and other institutions, though, encourage online transactions because they are cheaper than branch visits or calls to a customer service center.
The keylogging programs can install themselves after computer users open faked e-mails, instant messages or even advertisements on mainstream websites. Then they record everything typed on a computer -- or just what's typed during user visits to specified financial sites. Such information is sometimes sent to the hackers in neat bundles, with a column for the relevant financial website followed by columns for the user's log-in name and password.
So far, such purloined information has been used to access accounts one by one, by impersonators who withdraw or transfer cash. In Brazil, authorities have arrested scores of people they accuse of using the password-stealing program Bancos, which mimics online bank interfaces, to loot more than $30 million from banks.
But recently thieves have been working to automate more of the process, potentially enabling attacks on thousands of accounts simultaneously.
One financial institution has already seen attempted withdrawals that occurred in alphabetical order by the names of customers, said Amir Orad, executive vice president at Cyota, which provides antitheft services to many of the biggest banks. He declined to identify the business.
Bank industry officials said they wouldn't discuss any such attacks.
At Corillian Corp., one of the largest developers of online banking programs, Chief Security Executive Jim Maloney said he had detected one criminal testing the validity of "10 or 20 accounts" within a minute from a single computer, strongly suggesting an automated verification system. Those tests, he speculated, were a prelude to choosing which accounts to target or to sell information on.
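The two automation tells described above, many distinct accounts probed from one computer within a minute and attempts that march through customer names in alphabetical order, are the kind of thing a bank's fraud team can check for in its own login logs. The following is an added illustration, not code from the article or from any company it names; the log format and the sample lines are constructed for the example.

```python
# Added example: flag automated credential testing in bank login logs.
# Two signals from the article: >= 10 distinct accounts from one source
# inside a 60-second window, and accounts tried in alphabetical order.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <account> <result>".
SAMPLE_LOG = """\
2005-09-01T10:00:01 203.0.113.7 aaron.b LOGIN_FAIL
2005-09-01T10:00:03 203.0.113.7 abbott.c LOGIN_OK
2005-09-01T10:00:04 203.0.113.7 adams.k LOGIN_FAIL
2005-09-01T10:00:06 203.0.113.7 allen.p LOGIN_OK
2005-09-01T10:00:09 203.0.113.7 baker.t LOGIN_FAIL
2005-09-01T10:00:12 203.0.113.7 bell.m LOGIN_OK
2005-09-01T10:00:15 203.0.113.7 brown.t LOGIN_OK
2005-09-01T10:00:18 203.0.113.7 carter.j LOGIN_FAIL
2005-09-01T10:00:21 203.0.113.7 chen.l LOGIN_OK
2005-09-01T10:00:24 203.0.113.7 davis.r LOGIN_FAIL
2005-09-01T10:05:00 198.51.100.9 brown.t LOGIN_FAIL
2005-09-01T10:05:20 198.51.100.9 brown.t LOGIN_OK
"""

def parse(log_text):
    """Parse log lines into (timestamp, ip, account, result), oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return sorted(events)

def find_credential_testers(events, window=timedelta(seconds=60), threshold=10):
    """Return {ip: distinct_accounts} for sources that touch at least
    `threshold` distinct accounts inside any sliding `window`."""
    by_ip = defaultdict(list)
    for ts, ip, account, _ in events:
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            distinct = {acct for _, acct in attempts[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

def accounts_in_alphabetical_run(events, ip):
    """True when one source tried three or more accounts in strict A-to-Z order."""
    accounts = [acct for _, src, acct, _ in events if src == ip]
    return len(accounts) >= 3 and accounts == sorted(accounts)

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, n in find_credential_testers(evs).items():
        print(ip, n, "accounts/60s, alphabetical:", accounts_in_alphabetical_run(evs, ip))
```

Thresholds are assumptions for the example; a real deployment would tune them against the institution's normal per-source login rates.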
In one especially alarming case, security experts last fall found a program planted on personal computers to intervene whenever the user logged on to an electronic payment site called E-Gold, based on the Caribbean island of Nevis.
Instead of just recording the password and other data for some future attempt at fraud, the software -- dubbed Grams -- immediately "cleans out an account and transfers it," said Jason Milletary, an analyst with the CERT Coordination Center, the chief U.S. team responding to computer security breaches.
E-Gold Chairman Douglas Jackson said he didn't know the exact number of compromised accounts, putting it at "dozens" to "the low hundreds." He said company policy was not to reimburse the victims. "Somebody could rip themselves off and try to get the money back," Jackson said. "It's very hard to tell if there's truly been a third party."