Bank on it: Attacks on financial institutions
Doug Johnson, American Bankers Association
Risk is with us, whether physical or online, says Doug Johnson, American Bankers Association. James Hale reports.
From Bill Doolin's Wild Bunch of the 1890s through Depression-era gangsters Alvin “Creepy” Karpis and the Barker Gang, up to David Scott Ghantt, who made off with $17.3 million from Loomis Fargo in 1997, banks have been tempting targets for those desiring fast cash. Today, banks still beckon, but the crooks have traded dynamite, the Tommy gun and insider know-how for digital weapons.
Today, banks still beckon, but the crooks have traded dynamite, the Tommy gun and insider know-how for digital weapons.
“Threats to our industry are not going away,” says Doug Johnson, vice president, risk management policy with the Washington, D.C.-based American Bankers Association (ABA). “Risk is always with us, but the focus has expanded from physical security to cyber security.”
The type and sophistication of cyber attacks on the financial services sector are shifting, too, say those who observe it closely, and so are the people launching the attacks.
“It started out with individuals infecting bank computer networks with viruses, but then we saw the criminal element get involved,” says Bill Nelson, president and CEO of Financial Services-Information Sharing and Analysis Center (FS-ISAC), which was created by the financial services industry in 1999. In 2011, he says, there was an increase in denial-of-service attacks by hacktivists, like Anonymous, and, more recently, foreign-based cyber criminals have targeted automated clearing house (ACH) transfers and used diversionary denial-of-service (DoS) to attempt account takeovers.
“Over the past five years, we have witnessed some big changes,” says Matt Riley, group president of ProfitStars, a division of Jack Henry & Associates, an information processing company headquartered in Monett, Mo. “Today's cyber criminal is much more robust and opportunistic. If you have enough money you can get into it.”
There are websites where you can buy the tools you need, says Nelson. In fact, users can purchase 100,000 fraudulent bank cards that are guaranteed to work. “There's a real marketplace out there.”
He adds that the targets are not limited to the United States, noting that online fraud attempts have jumped significantly in Europe and Asia as well.
Just as banks continue to be targets for criminals looking for big scores, the crooks are not deterred when some tighten their defenses. They just move on to other banks. And just as bank robbers of the past were reticent to give up techniques that worked, today's thieves are reluctant to develop new tools.
“The Zeus family of malware is still the gold standard,” says Dennis Schwarz (left), research analyst for Arbor Networks, a network security company based in Burlington, Mass., referring to the trojan horse botnet that came to light in 2007.
A related strain of malware that Schwarz has studied – Citadel – is the latest to use the so-called man-in-the-browser to attack the financial sector. It attracted attention in 2012 when it was used extensively in Spain and parts of central Europe to steal transaction authentication credentials, and Schwarz believes it still has the potential to wreak havoc in North America.
Also on some analysts' radar are DoS attacks that are combined with swarms of fake telephone calls that tie up voice servers and unauthorized wire transfers – the vehicle that actually removes funds from the bank.
Sean Martin, operations center manager for CSI – a Paducah, Ky.-based company that offers ACH, mobile banking technology solutions and other services – also points to the growth of watering-hole attacks that target bank employees and consumers.
“We are seeing a proliferation of this use of compromised or fake servers, and it has largely replaced the use of spear phishing to get individuals to divulge confidential data.”
As well, cyber criminals are recognizing that customers are easier targets than the banks themselves, says Johnson, who adds that the ease of online banking has lulled some consumers into a false sense of security.
“When you can shuffle over to your computer in your bunny slippers and move large sums of money around, there is a tendency to let your guard down.”
But, people are still the weakest link in any defense against bank fraud, says Riley, who adds that that has not changed in the 15 years that he has been in the security industry.