China Wire Fraud: Warning to BanksStronger Authentication Can't Wait for New Guidance
The growing number of fraud incidents also underscores the need for new online authentication guidance from the Federal Financial Institutions Examination Council. A December 2010 draft of the FFIEC's supplemental guidance does address new protective measures related to account takeover. But the final guidance has yet to be issued. [See FFIEC: Where is Authentication Guidance?]
In the absence of formal guidance, industry experts say banks need to make new investments to mitigate online risks associated with commercial accounts. And they need to act now.
"You can be sure the attacks won't abate until banks fight back," says Avivah Litan, distinguished analyst at Gartner Research.
Malware is the EnemyIn February, a Gartner survey of 76 U.S. banks found that a majority of institutions perceive malware to be their biggest threat. But banks, overall, are not making investments and commitments to constantly improve layered security approaches.
By comparison, when surveyed by Gartner in 2008, only 34 percent of these banks said they deemed malware on a bank customer's PC to be a top security threat. In 2010, that response jumped to 79 percent, more than doubling.
In the China-based scheme launched against U.S. commercial customers, the FBI says Zeus, Backdoor.bot and SpyEye were used. One business hit by the malicious software reported its computer's hard drive was infected and erased remotely before the IT department could investigate. Facts about the most common malware:
- Zeus is capable of stealing multifactor authentication tokens, allowing cyberthieves to log in to bank accounts with user names, passwords and token IDs.
- Backdoor.bot has worm, downloader, keylogger and spy ability. It allows fraudsters to remotely access an infected computer, deepening the infection by downloading additional malware from a remote server.
- And SpyEye, a backdoor Trojan, runs as a service process in the background, allowing unauthorized remote access to the compromised computer.
Tom Wills, a fraud analyst with Javelin Strategy & Research, says the latest incidents show that online fraud is evolving, and improving. "Fraudsters have perfected the technique, first described to the industry by Uri Rivner at RSA over two years ago, of a multipronged attack technique involving acquisition of Zeus or a similar Trojan via phishing or drive-by downloads, man-in-the-browser interception of the victim's online banking credentials, subsequent unauthorized access to the victim's account, and use of money mules to move the funds back to the fraudsters' home country," he says. "They really have it down to a science now."
Protecting Small BusinessesFor Wills, the recent wave of China-based attacks is not surprising. "The low-hanging fruit for these overseas criminal syndicates is clearly small and medium-sized businesses, which, because of inadequate and antiquated security controls at 99 percent of U.S. banks, combined with the larger bank balances that businesses typically hold, represent much better financial yields to the fraudsters than when consumers are targeted," he says. "Financial institutions of all sizes in the U.S. need to focus their risk management efforts on the small-business segment with some urgency," Wills says. "With a few notable exceptions, I haven't seen this happening yet, and the bleeding will continue until it does."
Ben Knieff, who oversees fraud prevention strategy for NICE Actimize, says most small businesses don't understand online fraud risks. "In the community bank or credit union space, many outsource to third parties. Those institutions should leverage their relationships to get more sophisticated technology," he says.
Service providers should make recommendations and provide consultative background for their smaller bank clients, Knieff says. "What this breach highlights is that the mode of authentication has to change," he says. "I hope we can come up with some new and innovative ways to handle authentication."