FRAMINGHAM (07/24/2000) - A hacker doesn't have to break into a bank's computer to steal account numbers and access codes. It may be enough to set up a "spoof" Web site that closely mimics a real bank's, according to a warning issued last week by the Office of the Comptroller of the Currency (OCC).
Some customers have provided financial information to sites that they thought were legitimate Web sites, according to OCC spokesman Dean DeBuck.
The fake sites weren't exact copies of the real bank sites, DeBuck said, though some did look somewhat like the originals.
Companies can take legal action against Web site spoofers, said DeBuck. For example, wwwbankofamerica.com -- just like the real site's address, but without the dot after the "www" -- has already been taken down, but not until after a few unsuspecting consumers were taken in, DeBuck said.
So far, the only losses that the OCC is aware of are of private information such as addresses, said Clifford Wilke, the agency's director of bank technology, with no thefts yet reported of personal account information or access codes.
That doesn't mean it can't happen.
"I'm telling banks to be careful and be aware that other people are out there registering similar names," Wilke said.
To keep an eye out for fraud, some banks regularly check to make sure that there aren't Web sites with similar names luring consumers.
"We are on the lookout," said Scott Scredon, a spokesman for Charlotte, N.C.-based Bank of America Corp.
Waiting for customers to come and complain may not be enough. Some may never know they were duped.
According to Richard Bell, an analyst at Needham, Mass.-based TowerGroup, a Web site spoofer may put up a front end identical to the real bank's, then send the customer back to the real Web site once the personal information is collected.
"The most secure way for consumers to protect themselves is to deal with an institution with a strong commitment to security and one that uses some sort of certificate system that the user participates in," he said.
Not only banks are targets. X.com Corp., owner of the PayPal Web site, was spoofed recently with PayPai.com, said analyst Chris Musto at Lincoln, Mass.-based Gomez Advisors Inc. Users were diverted to the fake site with a link that spelled PayPai with a capital "i" at the end, making it look identical to PayPal on many computer screens.
Musto suggested that companies can take a two-part approach to security -- educate consumers to make sure that they're doing business at the correct Web site, and buy up possible alternative domain names.