The commercial banking industry is under assault from an unprecedented onslaught of malicious software. And the targets are not even the banks’ own systems; they are their clients’ PCs.
In fact, a staggering number of computers – 25 percent, according to the latest reports from the Anti-Phishing Working Group – are infected with banking Trojans, password stealers or downloaders capable of installing programs to take over the PC.
These programs steal banking login credentials, hijack PCs or even take over sessions after they have been authenticated. By targeting client PCs, the weak link in the security chain, cyber thieves basically become the customer, making them virtually impossible for bank security systems to detect. The unfortunate reality for banks is that when clients are the victims of bank fraud, 40 percent of those clients move their business elsewhere, according to Ponemon Institute research.
The trend during the last two years has been to target small to medium-sized businesses, schools and other organizations that have more money in their accounts and can make ACH payments and wire transfers online. With fewer IT resources and demanding schedules, these clients become easy prey for criminals.
Based on published fraud estimates, this could easily add up to millions of dollars in fraud every year stolen from banks and their clients. The large numbers of newspaper reports and lawsuits by clients seeking to recover losses from their banks makes it evident that the problem is not going away. Even if none of your bank’s clients have been a victim, chances are that a client of one of your competitors has.
Fundamentally two things have changed that have created this problem: the ease with which attacks can be mounted; and the ease with which they can defeat traditional client PC security measures like anti-virus software or even two-factor authentication.
The emergence of malware toolkits, notably the ZeuS Trojan and SpyEye, is a major reason why it has become so easy for cyber thieves to launch sophisticated attacks in such great numbers. Purchased through online black markets for as much as $8,000, these kits bundle together all the tools a would-be criminal needs to cause a lot of damage, including creating and commanding botnets that can put out tremendous volumes of attacks. They do everything from creating authentic-looking bank landing pages and disabling anti-virus and other security software to delivering a broad range of sophisticated attacks such as keyboard logging, man-in-the-browser and DNS tampering.
Every day, thousands of cyber criminals are working with these toolkits, now rumored to have merged as SpyZeuS. Some expand them with plug-in apps; others use built-in capabilities to develop new attacks. The result is an explosion in financial malware infection. In one year, more than 70,000 variants of the ZeuS Trojan were observed. Unfortunately, most variants go undetected because each Trojan’s fingerprint or signature is different. This means today’s anti-virus software cannot detect new attacks and prevent account takeovers.
Many online banking security controls are also no longer as effective in preventing attacks. One of these is one-time passwords. With this method, your customers use a device to generate a password that is used along with their user names and passwords to log in to your banking site — good only for that session. Generally, this is known as a secure form of two-factor authentication, as your customer is using something he has (the device that generates the OTP) and something he knows (his user name and password). Unfortunately, malware has been developed that can send the OTP to the criminals in real time, allowing them to hijack the session and your customer’s account.
Another tactic banks have adopted — installing cookies onto customers’ computers to verify that it is truly the customer making transactions — has also been overcome by stealth malware using the ZeuS Backconnect module. After the consumer logs in to his banking site, the malware opens a second, hidden browser session to make financial transactions. Referred to as a man-in-the-browser attack, the fraud is initiated from inside the customer’s own authenticated browsing session.
What about the future? Expect to see even more targeted attacks on commercial accounts and high-profile individuals like CEOs, chief financial officers and celebrities. We will see more advanced persistent threats, where criminals take their time, compiling as much information as they can through emails, social networking activity, chat records and even phone calls, before going after the big payout. Smartphones will also likely become a target, working in conjunction with malware installed on computers. In short, threats will become more sophisticated, more complicated and harder to detect.
Stopping the Threat
Recently, NACHA and the FBI developed new guidelines to help protect banking clients from financial malware. NACHA and FBI recommend these steps:
All of these steps are part of the larger goal — preventing financial malware from infecting client computers. You are probably thinking that expecting consumers to buy a dedicated computer for online banking is unrealistic. It would be even more challenging for banks to ship and manage new computers strictly for online banking to all of their clients. Still, these recommendations are some of the industry’s most effective steps for preventing online account takeovers. Fortunately, there are solutions available that meet these requirements and are still convenient for your customers.
As an example, IronKey has created Trusted Access for Banking, a technology solution that creates virtualized, secure computing environments for clients using portable security devices. The way that it works is that customers insert their security device into a spare USB port, and a protected, virtualized environment is launched automatically. This secure virtual browser works together with a dedicated secure network and management service to make sure the client arrives safely at the bank-defined home page.
Providing a dedicated environment independent of the PC protects online banking customers even if their PCs have been compromised with sophisticated financial malware, including keyboard loggers, man-in-the-browser or backconnect Trojans. This approach achieves the intent of the NACHA and FBI guidelines without the cost and inconvenience of maintaining and isolating an entire PC.
David Jevans is the founder of IronKey, which is located in Sunnyvale, Calif. Contact him at 408-737-4300 or info(at)ironkey.com.
Copyright © June 2011 BankNews Media