November 04, 2010, 9:26 PM — As guardians of wealth, financial-services firms have always been a high-value target for cybercrime, and with online banking and trading, banks find they have to work harder than ever to safeguard their operations.
Tech-savvy gangs of cybercrooks have been stealing tens of millions over time by breaking into the computers of online banking customers and installing malware like the Zeus banking Trojan to make phony funds transfer requests to a bank, so the need for vigilance is only increasing. At Stillwater National Bank and Trust, the concern about the threat of cybercriminals hijacking customers' PCs is enough to spur the Oklahoma-based bank to extend its security with a verification system that adds automated phone calls to online banking customers to verify that the funds requests they are making online are genuine.
There's a need to validate transfer requests beyond what the customer PC appears to be telling the bank because "with the endpoint PC, I just can't control what they're doing," says Laura Briscoe, vice president of information security at Stillwater National Bank and Trust.
While the bank might not be hit by the Zeus malware directly, this type of malware seems to be "typically targeting the small businesses in general," particularly companies of 1,000 employees or fewer, Briscoe believes.
Customer PCs could be riddled with malware that could allow crooks to take them over to commit banking fraud from anywhere in the world. As one way to minimize risk related to compromise of PCs used to communicate with the bank, Stillwater recommends that its customers use a "separate PC for online banking" not associated with other Internet use. But Briscoe acknowledges there's no way for the bank to really know that's happening.
So, as an added defense, Stillwater has started using a phone-based verification system from PhoneFactor, which allows the bank to initiate an automated phone call to a customer's phone that verifies details about the transaction he's requesting and asks for a personal identification number to authorize it. "It might tell them there are five items totaling $15,000, please enter your PIN," Briscoe says.