CID Warns 'Keylogging' Can Steal Thrift Savings Plan Funds
March 13, 2007
FORT BELVOIR, Va. (Army News Service, March 13, 2007) - Soldiers, family members and Army civilians using their home computers to access Thrift Savings Plan accounts online can be vulnerable to having personal information stolen, according to a recent alert posted on TSP's Web site.
According to the alert, TSP officials have identified customers who are victims of a computer crime known as "keylogging" or "keystroke logging." Keylogging is a diagnostic tool used in software development that captures a user's keystrokes, but in the wrong hands, it enables criminals to record all the typing on a keyboard without the user's knowledge. The technique can capture a computer user's TSP personal identification number or other personal account information such as a Social Security number.
The Director of the U.S. Army Criminal Investigation Command's Computer Crime Investigative Unit, Michael Milner, said personal information is increasingly available on 'keylogger' lists for sale through criminal networks and so far, all of the TSP cases involve the transfer of electronic funds, since criminals normally prefer the 'paperless' way to steal money.
"Computer users should protect themselves from keyloggers and other malicious software and should promptly close the Web browser after they have checked their TSP account information," Milner explained. "Users must remember logging off a Web site does not clear a browser's memory, and subsequent users might be able to access the TSP account information."
Milner said he is unaware of any Army victims at this point, but strongly recommends computer users review their home system's security effectiveness to reduce exposure to these types of attacks. He added the best advice for computer users is to follow general computer security principles at home and to download antivirus software.
According to the TSP notice, external penetration testing determined the TSP record keeping system was not breached, but concluded personal information was compromised when keyloggers monitored each individual keystroke of some victims when they used home computers to enter their TSP PIN and Social Security numbers. TSP was also able to identify participants who had relatively small amounts withdrawn from their accounts. As an added security measure, TSP has discontinued making electronic payments for on-line transactions, according to TSP officials.
CID will continually release notices such as the TSP alert through their CID Cyber Lookout program, an initiative aimed at helping Soldiers protect themselves and their families from becoming victims of cyber crime.