Murky FinCEN SAR reporting: Is malware responsible?

Share this article:
Is there finally a "smoking gun" for business banking trojans? Consider 10 years of the growth of malware compared to 10 years of the growth of FinCEN SAR category reporting in Delaware:

In a direct 10-year comparison, Delaware's FinCEN Suspicious Activity Reporting (SAR) Category of "Other" reported previously here mirrors the growth pattern of global malware year after year. Is this due to malware-driven cybercrime targeting business banking?

Delaware is a tiny state ranking 45th in size with under 800,000 people. By way of comparison, California is the largest state by population (281 million) in the U.S., yet Delaware has more businesses than population. From the official Delaware Division of Corporations comes this statistic:

More than 850,000 business entities have their legal home in Delaware including more than 50 percent of all U.S. publicly-traded companies and 63 percent of the Fortune 500.

Additionally, several other facts are relevant. According to the same source, in 2009 more than 73 percent of all new U.S. IPOs were domiciled in Delaware, and in 2007 more than 90 percent of all U.S.-based public offerings were incorporated in Delaware.

The conclusion is that Delaware traditionally has a lot to do with business. What is not so clear is why the bank reporting trend has mirrored malware's growth.

Clarity: Malware and business banking

Back in 2004, the FDIC issued a report warning about 'Account Hijacking,' which seemed to be focused on consumer accounts. By 2006 the anti-virus industry and experts in online security had noticed a measurable shift in the amount of resources cybercriminals were devoting toward research and development of new attacks – malware, zero-day exploits were growing exponentially.

The malware data shown to the left is from AV-Test.org, an independent malware research company and depicts the growth of their malware sample collection, provided by various means. AV-Test uses these samples to provide third-party testing and verification of anti-virus software solutions and other data security solutions found on the market today, performing over 2500 annual security product tests.

What we do know is that "Other" category and the malware growth from 2006 seems to climb at the same rate. While the AV-Test.org collection of malware samples is not entirely definitive, any anti-virus company would be hard pressed to say the growth in the past four years has been nothing short of exponential.

The question is why, with 22 categories, banks seem to be incapable of describing exactly what sudden deluge of unidentified suspicious activity is occurring.

Resolving ambiguity: Why overusing "Other" Is Important

Banks are protected by the FinCEN SAR's Safe Harbor clause for simply filing the report regardless of which categories may be most appropriate. One portion of the SAR is found here and lists 22 categories of a suspicious act.

FinCEN SAR Part III: 22 categories to describe suspicious activity in banking.

In previous Cybercrime Corner articles, preliminary research revealed this July that bank reporting of account hijacking may have been able to legally comply with Federal Depository Institution mandates while essentially obscuring the actual financial impact by malware. The irony for banks is that the category's overuse measures very close to malware industry statistics.

One theory: by liberally using the FinCEN Suspicious Activity Reporting (SAR) Category of "Other," like children use sugar on cereal, actual metrics of phishing/malware triggered account hijacking have been obscured. By inadvertent omission or intentional act, failure to list multiple categories resulted in a "Fog of war" over the methods used by cybercriminals.

The account hijacking elements matched to FinCEN SAR categories bear explanation. By not listing Computer Intrusion for the malware's presence, not listing identity theft for the illicit bank account credential usage and not listing wire transfer fraud for the actual dump of the account funds, the automation of account hijacking through the ACH payment process have become obscured. These potentially are all now listed into one category: Other.

What we do know as fact is that in several states the use of the SAR category Other for the past six years has skyrocketed. In this comparison between multiple states, the tiny state of Delaware even overshadows California.

Click for Flash Graphic on FinCEN Ten Year history state by state for Depository Institutions.

Is Delaware where the money is?

Keep in mind that Delaware is a tiny state ranking 45th in size with under 800,000 people. California is the largest state by population (281 million) in the U.S.

Again, from the official Delaware Division of Corporations comes this statistic:

More than 850,000 business entities have their legal home in Delaware including more than 50 percent of all U.S. publicly-traded companies and 63 percent of the Fortune 500.

Both states have larger corporate presences than others, and both states have larger banking presences than others, yet Delaware corporations consistently provide upwards of 3/4 of all annual initial public stock offerings, or IPOs.

Still, I'm not completely convinced all of the "Other" category is due to malware directly pulling money out of accounts. Initial discussion with law enforcement resources indicate that other cybercrimes, such as credit card skimming combined with bust-out schemes, may be partially responsible.

Ambiguity here could be resolved with one simple change.

Recommendation: Change FinCEN SAR reporting

S. 3898 and similar measures intended to aid business victims of cybercrime would do well to include one specific change to the Department of Treasury's FinCEN reporting: Add a new category of Phishing/Malware into the SAR reporting to aid the quantification of this type of financial attack.

Improper SAR category labeling by banks of three defined elements of account hijacking cybercrimes isn't helping law enforcement. It isn't helping business owners. It isn't helping regulatory agencies and it isn't helping policy makers. It isn't helping the reputation of Delaware and California banks either – my personal opinion is still rooted in community banking/credit unions or other states holding the best use key.

As the statistics for Delaware bear out, there simply appears to be no incentive to measure what appears to be an automated method of theft aimed at business banking.

If banks are mandated by law to pay out the funds stolen from business bank accounts, then by listing the new Phishing/Malware category, the impact of business banking cybercrime will finally begin to speak for itself.

Share this article:
close

Next Article in test - eset