The security of online banking is being tested like it’s never been tested before. A number of recent incidents have made the news in which mostly small businesses have lost tens of thousands of dollars to overseas cybercrooks.
Hats off to The Washington Post‘s Brian Krebs for breaking most of these stories and getting the victims on the phone to discuss exactly what happened.
As Krebs describes, many of the scenarios are being played out in a similar fashion. A targeted, socially-engineered email arrives at a business or other organization, such as a school district. A gullible employee opens it and installs a pernicious, difficult-to-detect trojan, such as Zeus or Clampi, which sits quietly on the infected desktop until that employee visits the company’s online bank site. At this point, the malware lifts username and password, sends it back to the attacker, who quickly wires money out of the victim’s account to a “money mule” — and the rest is pretty much history.
What makes these attacks interesting is that apparently such technologies as tokens are not helping much. The attackers have created a slick scheme so that when the user visits the bank site, he or she is greeted with a fake login screen. Not sensing the page is a fake, the victim will give up his or her username and password (and one-time token or other second-factor, if applicable). The crooks will capture these details in real time and enter them into the real bank page, allowing them to transfer cash before the victim can even bat an eyelid.
It sounds as if it is time for end-users and banks to shift some their existing habits.
They may want to consider out-of-band authentication — meaning get that second factor off the computer that the hijacker already has compromised. Technologies such as those offered by Phone Factor, which offers a phone-based tokenless authentication system, may answer the call for additional security, no pun intended.
Banks, meanwhile, should look into additional fraud detection capabilities. I recently got briefed by ArcSight, which has launched a new security information and event management solution specifically for financial institutions.
And, it might be wise to revisit such ideas as single-site browsers, in which the user can only login to his or her bank through a web browser that sits as an application on the desktop. You can navigate all you want to one particular site — say Bank of America — but you won’t be able to get anywhere else.
Clearly, better front- and back-end controls are needed.
But as Krebs writes, perhaps banks don’t need to care.
Businesses and consumers do not enjoy the same legal protections when banking online as consumers. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges.
In contrast, companies that bank online are regulated under the Universal Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.
Banks may just assume the risk that the consumer is not going to immediately spot the fraudulent transaction, thus buying them time and saving them the cost of recouping losses.
Of course, it all goes back to end-user awareness. Trojans don’t magically appear on victim machines. Organizations need to do a better job of patching for client-side vulnerabilities — they’re nowhere close, right now — and in training employees to not open (or act on) emails that look suspicious.
More to come, surely, with this story.