Threat Management, Malware, Network Security, Vulnerability Management

Zeus vs. online authentication, Part 2: Five hard questions

Businesses, nonprofits, governments and schools simply don't have the same banking protection as consumers, and when banking trojans succeed, it often costs the business money it can ill afford.

After the recent analysis on EMI vs. Comerica, discussed in part 1, several resources came to light. A new study performed by Guardian and the Ponemon Institute surveyed 500-plus executives and business owners in small- to medium-sized businesses in its 2010 Business Banking Trust Study about the impact of fraud on businesses' relationships with their banks. The highlights:

  1. 55 percent of businesses surveyed reported experiencing fraud in the last 12 months, with 58 percent of fraud enabled by online banking activities.
  2. 80 percent of banks failed to catch fraud before funds were transferred out of their institution.
  3. In 87 percent of fraud attacks, the bank was unable to fully recover assets.

Our top five questions were answered by cybersecurity researcher Marsh Ray of PhoneFactor and Laura Mather, founder and VP of product marketing at Silver Tail Systems.

1. When can criminals capture the password but not the timing of the keystrokes?

Laura: Criminals can capture password but not timing info if they are getting the password through a phishing site or the malware has a keystroke logger but does not actually look at the browser.

Marsh: A phishing site or keylogger could capture timing info, it is simply a matter of a little programming.

2. What size bank account fraudulent transfer should justify special protective measures?

Laura: Unfortunately, there isn't a "small enough" size. I can tell you from experience that if the criminals can make $.50 10,000 times, they would be happy to do so. The lower you make the limits, the more accounts they have to steal to make the same amount of money, but it won't stop the cybercriminals.

It works like this: The question most banks ask themselves is "what level of false positive rate am I willing to accept?" This will depend on the potential loss. So, for example, if there is the possibility that the criminal is stealing $.50, the bank might be willing to miss 20 of those per day.

But, if the criminal is stealing $5,000, the bank might not be willing to miss any of those and would be willing to review 100 cases for every one that is fraud to keep that money from being stolen.

3. Who forces someone to write the solutions check?

Laura: It's a tough question. My response: "The banks should do it out of integrity for their customers, but they can't until they have a business case for it." The worst part of this is that the only way to get a business case is:

  1. to have enough money stolen that you have to put in countermeasures, or
  2. to have enough customers leave for your competition that you are losing more money than putting something like this in place would cost.

Marsh: Or maybe the playing field is already too level? Banks are in the habit of simply writing off losses due to fraud as an ongoing cost of doing business. Certainly the banks bear large costs, but much of the true cost is borne by merchants and customers too.

Virtually any level of fraud is considered unacceptable in other businesses (except perhaps insurance). Perhaps the playing field should actually be allowed to naturally tilt more in favor of those banks that elect to emphasize security.

Laura: It is bad that the customer is going to have to experience fraud, and more before the banks can justify this. Supposedly, that is where the government steps in – to require it of all banks and even the playing field.

Marsh: Perhaps banks should be required to purchase third-party insurance for these risks. Let them convince outside actuaries that their online security earns them a good rate.

4. Should it be the government who mandates this?

Laura: I'm torn. I hate seeing consumers/businesses penalized because it doesn't make business sense for the bank to deploy countermeasures, but I don't think the banks should be required either. But I don't have another answer.

Marsh: I just don't think we even have a good enough definition of security, authentication, multifactor, etc., to know what to mandate. For example, would keystroke timing count as a second factor under some proposed regulation? If not, why not?

If so, Zeus would probably chuckle for a second and hardly be slowed.

5. Do these vulnerabilities diminish trust in banking?

Laura: Charles, I disagree with the statement that this type of vulnerability could diminish the trust in the banking system as a whole.

I don't think we're even close to people distrusting the internet, but I do think that if enough "bad events" happen and people start using the internet less (for banking, for commerce, for looking up information...) that will hurt our society and our ecosystem substantially.

Marsh: I know I sure don't trust the internet. With malware in the picture, it is the endpoint PC that can't be trusted either.

It is like going out to dinner downtown. We don't want to discourage people from going downtown and spending money, but people do need to know that they have to be significantly more alert for scams and attacks there, which they don't worry about so much in their bank branch in suburbia.

Laura: Again, we aren't there yet, but I think it is important to watch for that erosion of trust, because one bad experience online will have impact across many online verticals.

Final thoughts

One recent quote sums it up:

"Banks have a new troubled asset – their customers," said Terry Austin, CEO, Guardian Analytics. "The survey data proves that financial institutions are failing to protect the small and medium businesses that are at the heart of our economic recovery. SMBs are fed up with the banks that are leaving them vulnerable to fraud and not reimbursing them when they are attacked. Banks that do not improve their fraud prevention practices will lose customers and hurt their own recovery."

Three things businesses can do today

Here are three steps any small or large business can take to protect its bank accounts:

  1. Update your endpoint malware protection and ensure you have an anti-spam solution that will block the phishing attacks which use spam tactics to reach their victims.  
  2. Plan to audit business bank accounts DAILY from a secure computer. Don't rely too heavily on email alerts – the latest malware disables them. Finding the problem as quickly as possible greatly increases the chance of recovering assets before they're cashed out.
  3. One final step would be to sit down and have a formal review with your bank of the responsibilities involved with an account hijacking and quite frankly, if you don't like what you hear, vote with your feet and either consider changing your approach to online banking or changing your bank.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.