FRAMINGHAM (07/27/2000) - A cracker doesn't have to break into a bank's computer to steal account numbers and access codes. It may be enough to set up a spoof Web site that closely mimics a real bank's site, according to a warning issued two weeks ago by the federal U.S. Office of the Comptroller of the Currency (OCC).
Some customers have provided financial information to sites that they thought were legitimate Web sites, according to OCC spokesman Dean DeBuck. The fake sites were close - but not exact - copies of the real bank sites, he said.
So far, the only losses that the OCC is aware of involve private information such as addresses, said Clifford Wilke, the agency's director of bank technology. No thefts have been reported yet of personal account information or access codes.
To keep an eye out for fraud, banks should make sure that there aren't any Web sites with similar names that are luring consumers, instead of waiting for customers - who may not realize they've been duped - to complain, said DeBuck.
Companies can take legal action against Web site spoofers, DeBuck said. For example, wwwbankofamerica.com - the same as the real site's address, but without the dot after the "www" - was taken down after a few unsuspecting consumers were taken in, he said.
But banks aren't the only targets. X.com Corp.'s PayPal Web site was spoofed recently with PayPai.com, said Chris Musto, an analyst at Gomez Advisors Inc. in Lincoln, Mass.
According to Vince Sollitto, a spokesman for Palo Alto, Calif.-based X.com, the phony site was shut down "within hours" of going public, and no customers lost money.
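The proactive check DeBuck recommends can be automated. The sketch below is an added example, not part of the original article or any OCC guidance: it compares observed domain names against a list of protected ones and flags the two imitation patterns the article mentions (the missing dot after "www" and a look-alike character swap), plus general one-character typos. The confusable-character pairs, the function names, and the `examplebank.test` entries are assumptions made for illustration.

```python
# Added example: flag observed domain names that imitate a protected one.
# Simplification (assumption): the name of interest is the label just left of a one-label TLD.
CONFUSABLE = {frozenset(p) for p in [("l", "i"), ("l", "1"), ("i", "1"), ("o", "0")]}

def registrable_label(domain):
    """Lowercase the name, drop a leading 'www' host label, return the label before the TLD."""
    parts = domain.lower().rstrip(".").split(".")
    if parts[0] == "www" and len(parts) > 2:
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, protected):
    """Return a reason string if candidate imitates protected, else None."""
    c, p = registrable_label(candidate), registrable_label(protected)
    if c == p:
        return None                      # the genuine name itself
    if c == "www" + p:
        return "missing-dot-after-www"   # wwwbankofamerica.com pattern
    if len(c) == len(p):
        diffs = [(x, y) for x, y in zip(c, p) if x != y]
        if len(diffs) == 1 and frozenset(diffs[0]) in CONFUSABLE:
            return "lookalike-character" # PayPai.com pattern
    if edit_distance(c, p) == 1:
        return "one-character-typo"
    return None

def scan(observed, protected_domains):
    """Check every observed name against every protected name."""
    return [(name, prot, reason)
            for name in observed for prot in protected_domains
            if (reason := classify(name, prot))]

# Constructed watch list: the two names quoted in the article plus made-up entries.
OBSERVED = ["wwwbankofamerica.com", "PayPai.com", "www.paypal.com",
            "examplebnk.test", "example.org"]
PROTECTED = ["bankofamerica.com", "paypal.com", "examplebank.test"]

if __name__ == "__main__":
    for hit in scan(OBSERVED, PROTECTED):
        print(hit)
```

In practice the observed list would come from a source such as newly registered domain feeds or referrer logs, and each hit still needs human review before any takedown request.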