Cybercrime fact or fiction, Part 1: Banking trojans and FinCEN reporting
Let's be blunt: most statistics on cybercrime range from under $300 million lost per year to over $48 billion lost per year – a pretty big range to quantify damage from a threat that isn't physically sticking a gun in anyoneís face.
Further, two plus two is not equaling four. Banking industry stipulates that unauthorized debit transactions are constantly decreasing while researchers in the security industry report that losses from malware triggered wire transfer fraud are increasing?
Could they both be right? I'll show that they can and also reveal startling information about how the bleeding of American business to offshore criminal enterprises can be measured in the billions without the banking industry being held accountable.
ABA / NACHA: Unauthorized debits declining?
IT experts have rightfully been skeptical of malware / antivirus industry claims that malware driven thefts are on the massive increase. After all the banks are telling us that it is safe and getting safer and I've recently posted about the ABA's viewpoint shifting from 2005 to 2010.
According to NACHA reporting, ACH transfers – the payroll and commerce backbone of the nation – in 2000 numbered around six billion per year. In 2005, this amount had increased to 14 billion, and in 2009 it has nearly tripled in volume from 2000 to 18.76 billion.
As the volume has risen, NACHA consistently reports that unauthorized debits have been on the decline:
While ACH volume continues to increase, unauthorized debits have been on a multi-year downward trajectory. The number of ACH debits returned as unauthorized in 2009 declined 9.6 percent over 2008. These transactions constitute 0.02 percent of total Network volume.
The preliminary conclusions I've reached, however, are startling and in drastic conflict with the NACHA's statement. In fact, today you'll read along the lines of some FBI agents' viewpoints: We're losing the war and need to gain back some ground.
FBI, FDIC, Gartner say ACH losses from malware and phishing are increasing
One explanation could be that while the amount of fraudulent transactions has decreased, cybercriminals, like most white collar organizations, have refined their approach to maximize their profitability of each separate malware driven attack. I began to build a hypothesis that this refinement comes from process automation found within malware.
First order of business: prove that both the NACHA and the industry experts and FBI were correct. This hypothesis would explain massive growth in the volume of malware samples seen by anti-virus vendors (such as my employer ESET), as well as the higher dollar amount taken per crime as documented by researchers Brian Krebs, Dr. Laura Mather and Avivah Litan justified the fraudulent transfer rate going down.
In short, volume of attacks are down, dollars per attack are up.
What I wasn't expecting to find was that not only is the threat real, preliminary research shows that the true volume of attacks may also have been misreported for years by the banking industry, clouding the measurement of exactly how much money has been lost.
First, let's examine malware trends.
Malware's stark realities: Business banking
For the past two years, the heavy-hitting banking trojan cybercrime crews have passed consumer banking up in favor of the crown jewels of American business – the small business bank accounts. Dollars per attack are up.
Back in 2004, the FDIC issued a report warning about 'Account Hijacking,' which seemed to be focused on consumer accounts – after all, the FDIC insures the broader banking base of consumer accounts and our tax dollars may be available for stabilizing banks which suffered significant consumer account theft. Since then the scary part of this matter has risen.
Fact: Business banking accounts hijacked are not going to be reimbursed by the banks. That money – payroll, investment seed money, the lifeblood of any business – is gone, gone, gone not just from victims, but permanently out of United States circulation and out of our effective GDP since offshore cybercriminals spend it where they live.
Next, let's look at how the bank reporting works – and how easy it can be to skew the entire nation's results with a little handy check box action.
Preliminary analysis suggests that banks may have found a convenient loophole.
Two + two is not equaling four
If the amount of damage isn't quantifiable, what about the decreasing rate of attacks mentioned by the NACHA? I dived into the heart of the financial crimes reporting – the Treasury Department's Financial Crimes unit known as FinCEN – in order to quantify the frequency of these attacks.
A search for definitive data behind the threat led me to FinCEN's Suspicious Activity Reporting, or SAR, of Depository Institutions. My skepticism found traction within the accuracy of FinCEN reporting. Compliance procedures dictate that banks just have to FILE the SAR report within 60 days of an incident. By completing the SAR, the bank then has what is known as 'Safe Harbor' from criminal and civil liability. In short, the bank can't be sued or arrested for mistakes on the SAR. Ever.
Further, the Bank Secrecy Act stipulates that effectively this is a gag order and mandates that the bank may not ever speak to their client about the SAR.
If the bank marks 'Other,' then the Suspicious Activity Report becomes stacked into a different category than 'Computer Intrusion,' 'Wire Transfer Fraud' or 'Identity Theft' – all three categories which would point toward a trend in cybercrime on the rise, and point toward flaws in the ACH methodology.
Marking 'Other' to notate a crime consisting of a phish resulting in a malware-driven identity theft (also technically a computer intrusion) resulting in an ACH payroll compromise through wire transfer fraud could be marked as 'Other' and nobody would be held responsible. Ever.
Effectively, malware account theft could fit into all four categories of each SAR report as this diagram shows:
To be clear: Filing the report within 60 days, no matter how incorrect, is a get-out-of-jail-free card.
How big of a change could a simple category make? Compare the five-fold difference between a tiny state like Delaware and New York or Virginia. Compare the California, Arizona and Texas differences.
'Other': What's in a name?
The massive growth of the 'Other' SAR reporting category in business-centric states, such as California and Delaware, is way outside of the national norm. If banks began changing their habit of reporting suspicious activity in just a few states, the entire national 'big picture' changes radically.
The spike in California seemed to disappear within a year or two. Simultaneously, the category of 'Other' rapidly increased. A few other states showed similar trends, but none with a decrease in computer intrusion and wire fraud like California.
Motive? Operating costs of online banking
Consumer confidence (business consumer confidence) should definitely be considered a motivating factor for changing statistical reporting.
- After mass migration toward online banking, profitability would be severely impacted by any sizeable trend back to 'over the counter' banking.
- It should also be mentioned that a separate FinCEN study reported that on closer examination of the SARs, nationally eight percent of all 'Other' SARs were found to be directly attributable to identity theft.
- 'Other' seemed harmless enough, yet the timing of the volume change in California coincided with a rapid deflation of computer intrusion and wire transfer fraud numbers.
- The SAR report may offer safe harbor, but if there was an internal effort among individual banks to standardize cloudy reporting one theory is that Sherman Antitrust violations may be applicable. Get 'em.
Bottom line: Is malware bleeding our nation?
If business banking trojan threats have been this scalable, it demonstrates a significant threat to business banking. The ease of theft is created through sophisticated efforts made effortless with the use of malware.
Whatever is causing the 'Other' SAR category to spike in one way or another will likely be automated through software.
- My personal opinion is that software will continue to be at the root of any automated and scalable fraud in the 21st Century. This software will likely consist of malware and phishing via spam engines, targeted by criminal organizations such as the JabberZeus crew.
- My second opinion is that we all should be recognizing this threat business banking through malware for what it is – not a HILF, but a game-changing show-stopper, which needs protection along the line of putting cash into a safe.
- Third, this migration of cash equivalents offshore via cybercrime is a clear threat to national security. Host governments provide safe havens outside of jurisdiction to create the perfect breeding ground. These form a symbiotic relationship with the cybercriminals who bring in billions of dollars directly to any host country while those host governments look the other way.
- Fourth, I feel this data provides enough to warrant a deeper dive by a third party, perhaps the Government Accountability Office (GAO), which could internally audit and itemize the 'Other' data category and prove or disprove the existence of any new financial threat other than malware.
- Finally, FinCEN could really help us all by creating a 23rd category of malware/phishing within their SAR form. Bank examiners would then be responsible for due diligence in bank SAR reporting the proper category.
In the 20th Century, a steep growth of white collar crime within one state or banking institution would depict refinement of operations, i.e., organized crime. It would flag the interest of those agents dedicated to busting organized crime. In the old days, this would mean RICO and Feds would start cracking skulls by putting the pieces together via the mandatory reporting. Malware is different mainly because right now it is not able to be fully quantified. We can change that, and we should.
FinCEN staff could not be reached for comment at the time of this article. NACHA has not been contacted for comment.
Raw Data / Open Source
Thanks to the efforts of all banks as well as the transparency of FinCEN, anyone can download the FinCEN Suspicious Activity Reports in Excel format here: http://www.fincen.gov/news_room/rp/sar_by_number.html (within the PDF click and download the .xls links)
under $300,000,000 via IC3.gov in 2008 vs $48,000,000,000 via FDIC in 2004