Doug Johnson, senior policy adviser at the American Bankers Association, called the arrests a big step forward. "Just to have an international mule network such as this taken down is a real victory," he said.
Such takedowns make it harder for crooks to siphon off stolen money, he said. "This is something that law enforcement and [the financial industry] have been working very aggressively to achieve."
Now, the goal is to keep the pressure on, he said.
"The FS-ISAC Account Takeover Task Force has become a very vibrant collaborative effort with financial institution, trade association, bank regulatory agency and law enforcement participation," Johnson said. Three working groups are now focused on finding ways to prevent, detect and respond to account takeovers.
The groups are developing a set of recommended business practices in areas such as account opening processes, evaluation and use of fraud prevention, checklists for responding to compromises and training for staff and clients.
According to Simmons, a growing number of banks have introduced stronger authentication measures to prevent account takeovers. For instance, several now require phone and fax-based verification of online money transfer and ACH requests. Others have rolled out new fraud detection tools designed to flag and stop suspicious or out-of-character money transfer requests from an account.
Banks in general have been taking the problem seriously, said Avivah Litan, an analyst with Gartner Inc. "They are definitely putting in measures that were not there a year ago," she said.
Zeus itself continues to be as potent as ever, and last week's arrests will do little to change that, she said. In addition, new man-in-the-middle attacks such as those that redirect user traffic through fraudsters' proxy servers, pose fresh challenges for banks.
For banks, the emphasis needs to be on protecting the user desktop session as possible by making more effective anti-malware software available to clients, and combining that with better user authentication and transaction verification, she said.
For some, like Mark Patterson, the arrests are long overdue. Patterson is the co-owner of Patco Construction, a Sanford, Maine company that lost nearly $600,000 via ACH fraud. The company has sued its bank for failing to prevent what it claims was patently obvious fraud going on with its accounts.
Patco has since moved to a new bank that offers "true dual authentication and out-of-band authentication, which I think is best," he said. "Speaking with a person you know, to confirm [a transaction] is very secure. Having said that, we have not gone back online with ACH transfers for payroll.