
August 23, 2010

The Looming Catastrophe in Network Security: Corporate Bank Account Takeovers

By TMCnet Special Guest
Dave Tripier, Chief Marketing Officer at IronKey

As Cybercriminals Continue to Steal Corporate Funds, Pressure Builds on the Global Banking System

The global banking system has experienced some of its biggest network security challenges over the last year and a half. While struggling to emerge from a recession, financial institutions and businesses alike are now facing a new threat that steals clients’ funds and damages corporate reputations. This article offers advice to help banks and businesses deal with this evolving threat and explains how organized cyber crime rings are focusing on corporate bank accounts.

Using techniques such as large scale phishing attacks, global cyber crime organizations have a history of funneling millions of dollars away from consumers. Unlike attacks on corporate accounts, this approach usually involves many small transactions to accumulate large amounts of money. To streamline this process, high tech criminal gangs are now targeting the corporate bank accounts of public and private sector organizations, in crimes that many estimate could tally over $1 billion this year.

The recent Ponemon Institute 2010 Business Banking Trust Survey found that 80 percent of banks had not caught fraud before funds were transferred out of their institution. Even more distressing, 57 percent of the businesses that experienced a fraud attack were not fully reimbursed by their banks. Too often it is reported that small to medium size businesses have lost $100,000, $200,000, and up to a record high of $3 million in an instant through commercial bank account takeovers.

Now more than ever, banking clients need protection for their online accounts to stem the tide of losses, for both clients and banks. Gartner cautions that the growing number of attacks on online banking transactions is far from over; the banking industry faces a threat that could undermine confidence in the corporate online banking system.

The Changing Threat

Recognizing that it is far more advantageous to perpetrate a few large transfers from a handful of corporate bank accounts than to attempt thousands of consumer fraud attacks, global cyber crime rings have changed their tack.

To achieve these goals, criminals are using commercial online banking malware. Using customizable Trojan frameworks such as Zeus, criminals can easily attack the computers of unsuspecting finance directors and controllers. With a targeted malware attack, criminals can plant malware that goes undetected and can even defeat the new multi-factor authentication systems now in place as required by FFIEC rules. Such malware can not only steal banking authentication credentials but also automatically perform fraudulent transactions from the victim’s own computer. Bill Nelson, Executive Director of the FS-ISAC, says that 90 percent of his audience claimed to have experienced incidents of corporate account takeover.

The Ties Between a Bank’s Reputation and Malware

The Ponemon Institute study revealed that 40 percent of businesses move their banking activities elsewhere after a fraud incident, showing that the threat of criminal activity can shake clients’ trust in their institutions. The study also revealed that 11 percent of firms that experienced fraud ended their banking relationship abruptly, immediately following the attacks. An additional 29 percent said they did not fully terminate the relationship but moved their primary cash management services to other institutions.

There is a limit to how much bad news an institution can withstand before its clients’ confidence and trust suffer irreparable damage. Banks are increasingly facing lawsuits from clients: if funds are not recovered or an institution fails to cover the losses, clients sue banks for not providing sufficient security. While the Electronic Funds Act (EFT) of 1978, also known as Regulation E, covers losses for retail banking, there are no such protections for commercial banking.

NACHA and FBI Guidelines: The Move to Safe Banking

To help deal with this increasing threat, NACHA and the FBI have developed guidelines to protect banking clients from financial malware. At the core of these recommendations are ways of reducing the opportunity for financial malware to infect client computers. The NACHA and FBI recommendations can be summarized in five guidelines:

*Use a dedicated computer

*Keep the computer up to date with the latest software updates

*Protect the computer with anti-malware software

*Only perform banking transactions – do not use email, office applications or visit non-banking websites

*Use strong, two-factor authentication for gaining access to banking according to FFIEC rules

Almost all known corporate bank account takeovers caused by financial malware could have been avoided with this approach. These guidelines are a vital step toward a safer online banking environment.

Making Use of the NACHA and FBI Guidelines

At first glance, the NACHA and FBI guidelines for safe and secure banking may seem impractical. Bank clients naturally expect the convenience of online banking without having to purchase and use a separate dedicated computer. To address this, banks can use new technologies to create an environment for safe banking while still following the guidelines put forward by NACHA and the FBI.

Technologies that will help institutions protect their clients include:

*A secure web browser that isolates banking sessions from the rest of the computer to prevent malware from taking control

*Automatic updates to keep systems updated with the latest threat protection

*Anti-malware to scan the user’s computer before launching the secure environment, eliminating as many threats as possible

*Two-factor authentication to increase the assurance that the user is authorized to access online commercial banking

*A secure environment that’s tamper-proof, portable, and easy to use for all types of commercial banking clients

*Analytics to provide updates on client usage and the threats observed to drive anti-fraud and risk management decisions

Striking Back

The next step for institutions is to take advantage of the guidelines already established by NACHA and the FBI. Criminals will only continue their efforts to steal from commercial banks and their clients, leveraging social media and adopting new social engineering tactics in the future.

Technology solutions that combine virtualization, portable security devices, and analytics are on the market today to help banks protect their clients and business relationships. Banks that adopt these measures will be ready to safeguard their clients’ businesses and sidestep the financial pain of this growing threat.


Edited by Erin Monda
