The Expert's View with Marco Morana

Banking Malware Poses New Threats

Early Detection Is Critical for Fraud Prevention

Banking malware threats are escalating in sophistication, and financial institutions and bank customers are at increased risk of personal data loss and wire transfer fraud.

According to a survey on data breaches conducted by Verizon in 2014, Citadel is the preferred banking malware among criminals for personal data theft, while Zeus continues to be the favorite banking malware for stealing money from bank accounts.

Early detection of banking malware compromises is critical for preventing online fraud.

Compliance Requirements

When banking customers' personal data is breached, banks that fail to promptly notify the customers affected might incur penalties that fall under state data breach notification laws in the U.S., as well as the European Union's General Data Protection Regulation.

Early detection of possible data compromise for bank customers affected by banking malware helps banks comply with data breach notification laws. Bank-owned online banking applications also must adopt strong customer authentication and transaction monitoring and implement multiple layers of defense, as required by the Federal Financial Institutions Examination Council and the European Central Bank.

But being compliant with regulations is often not enough to effectively detect and protect your institution and its customers from emerging banking malware threats and online fraud.

Today, it is safe to assume that standard multifactor authentication and transaction monitoring can be compromised or bypassed by banking malware.

Effective risk management should ensure that additional layers of detection and prevention controls are in place to reduce the impact of a personal data compromise and/or an account takeover incident.

Assuming the fraudster is able to modify the money movement transaction with an account takeover, he still might not be able to steal money if the money transfer requires approval from a different user. Generally, risk-prevention measures, such as out-of-band transaction verification and authentication, work best when used in conjunction with Web-fraud detection measures.

Real-time Monitoring

Knowing which banking customers are infected by banking malware is the first step toward assessing the likelihood of banking malware risks - and for taking action.

Giorgio Fedon, technical director of Minded Security, a software security company whose products include malware detection, says that on any given day at a major European bank, at least 5 percent of bank customers' devices will be infected by some kind of malware. He points out that 3 percent will be infected by unwanted adware, 1.5 percent will be infected by spyware, and 0.5 percent will be infected by banking-related malware.

Detecting which browsers are compromised by banking malware helps banks prevent fraud through account takeover.

This detection of browser compromise, which includes the details of the origin of fraud, can be fed into the Web fraud system and be analyzed for anomalies and behavior to calculate the level of risk at the transactional level. From there, flagged transactions can be monitored or put on hold until additional verifications take place.
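A minimal sketch of the flow described above, added as an illustration and not taken from any bank's or vendor's fraud system: a browser-compromise signal is combined with transaction anomalies into a risk value that drives an allow, monitor or hold decision. The function names, weights, thresholds and sample data are assumptions chosen for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed weights per malware category reported by the browser-compromise detector.
CATEGORY_WEIGHT = {"banking": 0.6, "spyware": 0.3, "adware": 0.1}
HOLD, MONITOR = 0.7, 0.4   # assumed risk thresholds

@dataclass
class Transfer:
    amount: float
    payee: str

def amount_anomaly(amount, history):
    """Score 0..1 for how far the amount exceeds the customer's usual transfers."""
    if len(history) < 2:
        return 0.5                      # too little history: neutral score
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 1.0 if amount > mu else 0.0
    return max(0.0, min(1.0, (amount - mu) / sigma / 4))

def risk_score(malware_category, transfer, history, known_payees):
    """Combine the browser signal with transaction anomalies into one risk value."""
    risk = CATEGORY_WEIGHT.get(malware_category, 0.0)
    risk += 0.25 * amount_anomaly(transfer.amount, history)
    if transfer.payee not in known_payees:
        risk += 0.25                    # first transfer to this payee
    return min(1.0, risk)

def decide(risk, verified_out_of_band=False):
    """Hold high-risk transfers until an out-of-band verification succeeds."""
    if risk >= HOLD:
        return "allow" if verified_out_of_band else "hold"
    return "monitor" if risk >= MONITOR else "allow"

# Constructed sample data for one customer.
HISTORY = [120.0, 80.0, 100.0, 95.0, 105.0]
KNOWN_PAYEES = {"landlord", "utility"}

if __name__ == "__main__":
    cases = [(None, Transfer(110.0, "landlord")),
             (None, Transfer(5000.0, "new-payee")),
             ("banking", Transfer(5000.0, "new-payee"))]
    for category, transfer in cases:
        r = risk_score(category, transfer, HISTORY, KNOWN_PAYEES)
        print(category, transfer, round(r, 2), decide(r))
```

In production the weights and thresholds would be tuned against labelled fraud cases rather than fixed by hand.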

Multilayered Defenses

From a compliance, risk and fraud management perspective, a good choice is to adopt multilayered detection and risk-prevention controls. For account takeover fraud detection, it is important to cover multiple layers of detection, including the client browser, the online banking application, and the data and transactions that are at high risk of compromise by banking malware.

The different layers of Web fraud detection can also be used for evaluating the capabilities of vendors to beat malware, which has been documented by financial consultancy Gartner.

Additionally, Web fraud detection needs to be transparent to the bank user and not impact the customer experience.

Finally, the Web fraud detection should be scalable for a large number of online users and not impact performance. It also should require minimal overhead for maintenance.

Morana is senior vice president for a global bank based in London, where he is responsible for initiatives to reduce the risk of emerging threats, including malware.



About the Author

Marco Morana

SVP, UK Financial Institution, Citi, Minded Security

In his current professional role, Morana works as SVP at a large financial institution in London, where he's responsible for the architecture risk analysis program. He was previously VP and technology information security officer with the same FI in North America. In his distinguished 15+ year career in application security, Morana held roles in different companies as security consultant, application security architect, professional trainer and program manager. As cybersecurity technologist, Morana's most important contribution to cybersecurity is the invention of the first secure email plug-in using the S/MIME protocol that was patented for NASA in 1996.



