Banking's big dilemma: How to stop cyberheists via customer PCs

In online banking and payments, customers' PCs have become the Achilles' heel of the financial industry as cyber-crooks remotely take control of the computers to make unauthorized funds transfers, often to faraway places.

That's what happened to the town of Poughkeepsie in New York earlier this year to the tune of $378,000 carried out in four unauthorized funds transfers from the town's account at TD Bank. First discovered in January, the town was able to finally get the full lost amount restored by March, according to public records, through sometimes tense interaction with the bank.

Proposed U.S. law would single out cybercrime havens

Though the town declines to discuss the matter, this high-dollar cyberheist, along with a slew of other incidents in the past year, has many bank officials worried. They're concerned that the customer desktop, especially in business banking where dollar amounts are high, is increasingly the weak link in the chain of trust.

Other cyberheists that have reached the public eye include Hillary Machinery of Plano, Texas, for $801,495; Patco Construction for $588,000; Unique Industrial for $1.2 million; and Ferma Corp. for $447,000. Schools and churches aren't immune, either. One FBI report from late last year said the agency gets several new victim complaints each week.

And businesses should be even more worried than consumers about whether banks will restore monies stolen by cybercrooks exploiting compromised computers using botnet-controlled malware. According to Gartner analyst Avivah Litan, while consumer accounts receive specific legal protections to restore unauthorized transfers under what's called the "Reg E" federal regulations, businesses do not.

Disputes over hijacked computers and fraudulent transfers are erupting into the public eye as businesses quarrel with their banks over who is at fault when a cyber-gang manages to make off with the money. The restoration of lost funds occurs on a case-by-case basis.

The dilemma for banks boils down to this: How far can they go to help protect customer desktops that function like part of their shared network but aren't owned by the bank?

Banks are faced with the prospect that "customers own PCs that have been in the hands of Russian crime syndicates," says Jeff Theiler, senior vice president at Hancock Bank, which primarily operates along the Gulf Coast region.

Like many other banks, Hancock finds itself getting more involved in helping customers defend their machines. One recent step has Hancock making available for free specialized protective software for use by the bank's 100,000 e-banking customers.

Developed by Trusteer, the software becomes active when the customer's PC is interacting with Hancock Bank's online banking services. Basically a browser plug-in, the security software can detect and block keylogging, stop re-directions of the user, and inform the bank if the PC's infected with malware.

If a problem is detected, "the bank will call them and tell them," says Theiler, adding cybercrooks would rather target high-dollar automated clearinghouse (ACH) transfers and other substantial payment transfers from business customers, but they wouldn't turn down what they might be able to get from consumers doing online e-banking. "No bank is immune from being faced with these ACH issues regarding a computer malware attack," Theiler says.

But it's a tough question on how far the banks can or should go to try and impose security requirements on their customers' desktops. Theiler acknowledges that at this point, the approach for existing online banking customers is mainly to "highly recommend" using the Trusteer-developed software.

The Trusteer software, tailored for each bank, is now offered by almost 40 institutions, including SunTrust, HSBC, Fifth Third Bank, ING Direct USA, and Huntington National Bank. Trusteer, along with Prevx and TrustDefender, are among the few security vendors coming up with defenses of this type for the banking industry, according to Gartner's Litan. She faults larger security software providers, including McAfee, Symantec and Trend Micro, for doing so little.

But this type of help-the-customer banking software is not an approach Litan thinks should necessarily be a high priority for financial institutions.

"My advice to banks is they can't count on it, it's not ubiquitous," she says, adding "They need to make clear it's not total protection."

Once banks get involved in this help-the-customer software approach, a number of potential liability issues may arise if something bad does occur, she says. "The higher priority should be on things they can control, such as fraud detection and out-of-band protections," Litan suggests.

This so-called out-of-band security in e-banking and payments includes automated phone calls that can be initiated when online behavior analysis tools indicate suspicious online behavior, as well as systems that involve a recording of a voice pattern that can be matched against someone speaking their password.

"The threat landscape is changing," says Christopher Beier, senior product manager in the electronic banking services group at Fiserv, an online payment and services technology provider for banks. Fiserv recently began to make the PhoneFactor phone-based out-of-band authentication system available to its customers, which include 24 of the largest banks.

Phone-based authentication "doesn't take you away from the online banking channel," Beier says. "But I know the computer might be compromised. So you take the authentication out of that channel and onto the phone." This method will likely hold the most appeal in high-risk, large-dollar transactions, he notes.

Bank Leumi, as well as some banks in Australia, are known to be leading the charge in this type of out-of-band authentication, Litan says, but overall there are few practical roll-outs.

Another approach involves beefing up back-end fraud detection that's in use today to monitor for credit- and debit-card fraud so that it also includes e-banking and payments.

Dual-authentication, which requires at least two people to approve a transaction, also ups the security ante, Litan points out. Another approach she believes can be effective, called "positive pay," involves setting guidelines in advance on exactly who the bank is authorized to pay and the thresholds. Litan acknowledges that though it sounds simple, "positive pay" can be hard to do because business software may not already be set up for this or businesses need more flexibility than that approach allows.

Brian Krebs, an investigative journalist who has put the spotlight on the cyberheist epidemic in his online column KrebsOnSecurity, comments, "My mantra on this continues to be that any commercial banking technology that does not begin with the premise that the customer's machine may be and probably is already compromised with malicious software doesn't stand a chance of defeating today's cyber crooks."

"The criminals appear to be limited not by law enforcement or bank security, but mainly by the number of money mules they can harness at any one time to help them haul the loot from the accounts they've compromised," Krebs says, adding he's investigating whether one group is actually "contracting that process out to several different mule recruitment and cashout gangs" in order to find enough money mules.

According to an FBI report from last November about cyberheists and the role of the money mule, cybercrooks' fraudulent ACH transfers are often directed to the bank accounts of willing or unwitting individuals within the United States.

These people are often recruited through "work from home" advertisements or contacted by recruiters after placing resumes on popular employment sites. These mules are directed to open personal or business bank accounts to receive the fraudulent money transfer, and within a couple of days, or even hours, the money is deposited and the mule is directed to immediately forward a portion of the money to recipients overseas, typically in Eastern Europe, via wire-service transfers such as Western Union or Moneygram.

Compromised computers used in online banking have gotten the attention of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a group whose mission is to provide a forum where its members, which include Citigroup, Bank of America, Goldman Sachs and Merrill Lynch among others, can discretely share security concerns and keep direct contact with federal officials.

FS-ISAC has gone so far as to send out a notice telling its membership to only interact with business customers via computers without browser and e-mail capability. It was an awkwardly worded recommendation that was later clarified to mean a "PC dedicated to online banking," Litan says. But she regards this as inadequate.

Other recent activity in the federal government sector includes a symposium organized by the Federal Deposit Insurance Corp last month on the threat of hijacked computers and cybercrime to business.

"The user workstation is the weak point," says Joe Stewart, director of malware analysis at SecureWorks, who has done extensive work looking at sophisticated botnet-based Trojans such as ZeuS and Clampi designed to hijack the victim's computer and execute unauthorized financial transactions by stealing online credentials and account information.

The basic architecture of online banking was designed without the idea that the user would encounter this type of malicious Trojan, he notes, adding, "In that sense, this paradigm of banking is broken."

Since the known banking Trojan malware is Windows-based — "there are no Mac banking Trojans yet," Stewart says — he views the situation today as largely one centering on Windows-based machines. "I wouldn't recommend banking online with Windows."

Read more about wide area network in Network World's Wide Area Network section.

This story, "Banking's big dilemma: How to stop cyberheists via customer PCs" was originally published by Network World.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies