FDIC Warns of Online Fraud Against Banks, Small BusinessesAlert Cites Increase in ACH, Wire Transfer Fraud
"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center, (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.
The FS-ISAC notice -- and subsequent media attention -- in turn prompted the FDIC alert to warn banking institutions about this kind of fraud.
The FDIC traces the fraud to compromised login credentials on online banking websites. Over the past year, the FDIC says, it has detected an increase in the number of reports and the amount of losses resulting from unauthorized electronic fund transfers (EFTs), such as automated clearing house (ACH) and wire transfers.
In most of the cases, the fraudulent fund transfers were made from business customers that had their online business banking software credentials stolen or compromised.
"Web-based commercial EFT origination applications are being targeted by malicious software, including Trojan horse programs, key loggers and other spoofing techniques," says the FDIC's alert. These malware are designed to circumvent online authentication methods. Illicitly-obtained credentials can be used to initiate fraudulent ACH transactions and wire transfers, as well as take over commercial accounts. These types of malicious code, or "crimeware," can infect business customers' computers when the customer is visiting a Web site or opening an e-mail attachment.
Some types of crimeware are difficult to detect because of how they are installed and because they can lie dormant until the targeted online banking session login is initiated. These attacks could result in monetary losses to financial institutions and their business customers if not detected quickly.
The FDIC recommends that institutions and technology service providers use regulatory guidance on authentication and information security for high-risk transactions.
Security experts familiar with online attacks have long warned of these dangers to institutions and their customers. While the institutions and business customers are not necessarily large or high-profile, the money that is being drained by the criminals can add up to significant amounts. One recent example: Dwelling House Savings and Loan Association, Pittsburgh, PA. The tiny institution failed after an ACH fraud event siphoned off a whopping $3 million.
This fraud trend bears some of the same trademarks of larger breaches, namely the collaboration among overseas hackers and people within the U.S. Paul Kocher, chief research scientist at Cryptography Research Inc., says it's interesting that Albert Gonzales, the hacker indicted in the Heartland Payment Systems breach, was allegedly cooperating with Russian counterparts. "International cooperation within fraud rings has been a growing trend for a long time," says Kocher. "What I always find frustrating is that perpetrators of fraud are much better than victims or law enforcement at forging international working relationships."