This article by Byron Acohido served as the basis for Mark’s Wise As A Serpent column on page 21 of the November 2010 Levitt Letter.
By Byron Acohido, USA TODAY
For generations, U.S. consumers have relied on banks to bear the primary responsibility for keeping their hard-earned cash deposits out of the hands of thieves. Now, banks want consumers to share the load.
About 80% of U.S. households have come to do their banking over the Internet, banking consultancy Novantas says. Many consumers believe online banking is every bit as safe as branch banking. But that’s clearly not the case, banking and tech security specialists say.
Cyber-attacks against individual online accounts have become so sophisticated and pervasive that the American Bankers Association (ABA) is now asking consumers to “partner” with banks to keep cyber-robbers in check.
The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a “continuous, almost daily, basis,” says Doug Johnson, the ABA’s vice president of risk-management policy. That’s because PCs and smartphones have become “the online bank branch for a lot of individuals,” he says. “The customer needs to really recognize that security is most effective when they work in partnership with their financial institution.”
This shifting burden has come about because of developments that the banking industry did not anticipate a decade ago, when it began promoting personal computers as convenient venues for consumer banking. Ambitious online attacks soon followed. Banks have spent heavily to shore up cyber-defenses, and they’ve kept a policy of reimbursing individual online account holders who can verify that they’ve been ripped off, Johnson says.
Even so, cyber-robbery has evolved into a multifaceted, multibillion-dollar global industry that shows little sign of cooling. Last year, the number of malicious software programs designed to pilfer online bank accounts — referred to as banking Trojans — rose to 65,098 in December, up from 4,295 at the start of 2009, according to Panda Security, a Madrid-based antivirus software supplier.
Writers of malicious software code are prolific, always focusing on new ways to get past the latest defenses erected by banks and antivirus companies, says Panda Security researcher Sean-Paul Correll.
A 2009 ABA survey of 170 U.S. banks revealed that 85% of big banks are incurring losses stemming from cyber-attacks on consumer online accounts. Banks responding to the survey rated the “threat level” of online attacks at 2.58 on a scale of zero to five; that’s up from a 1.84 rating in 2007.
“Every single bank I’ve talked to in the last six months, big and small, has seen these attacks,” says Avivah Litan, banking security analyst at research firm Gartner. “It’s an arms race. There are solutions — until the next kind of attack comes along. And if you’re caught in the middle, you’re screwed.”
Successful robbers are patient
Janis Stuart, a retired San Diego personal trainer, barely dodged one recent cutting-edge attack. Returning from an out-of-town trip in April, Stuart booted up her desktop PC and began checking e-mail. She found a notice from her community bank advising her that all future e-mails would be sent to a new e-mail address, as per her online instructions. Stuart never requested such a change.
“My immediate reaction was that they had confused accounts, and this was a big mistake,” she recalls. Stuart drove down to the branch office. A clerk informed her that $5,836.66 was about to be transferred from her savings account to a woman Stuart had never heard of, in the form of a bill-payment check. Payment was stopped.
Stuart says bank officials advised her that she most likely had a computer infection that allowed an attacker to gain access to her account, change the e-mail address and set the bill payment in motion. The bank authorized the transfer because the thief knew the answers to Stuart’s “secret questions” — such as her mother’s maiden name and the city of her birth — and because a similar bill-payment check had been sent from Stuart’s account to the same woman 12 months earlier. That initial check was never cashed, Stuart says.
It was a ruse that allowed the attacker to remain undetected while establishing the woman as an approved recipient of bill-payment checks from Stuart. After waiting a year, the attacker triggered the second payment. “It was a fluke that I caught it in time before the money disappeared,” says Stuart. “I was very upset.” Stuart says she “felt the bank was somehow responsible” for enabling an intruder access to her account.
Stuart’s experience illustrates a prerequisite for accomplished cyber-robbers: patience. The cyber-underground has advanced to the point where very powerful hacking tools and tutorials are readily available for free, and a highly efficient and organized support infrastructure has been established to help thieves. Taking full advantage of such tools takes time.
Chasing thieves’ technology
Instead of holding up a bank branch at gunpoint, modern-day cyber-robbers do their homework.
“To maximize their effectiveness and streamline their ability to move money quickly, criminals take the time to learn your online banking platform and do account reconnaissance,” says Terry Austin, CEO of Guardian Analytics, which supplies fraud-detection systems.
First, they acquire valid account log-ons, often by purchasing them from specialist data thieves. Next, they quietly access accounts, making note of high cash balances and access to credit lines. They also familiarize themselves with the bank’s protocols for authorizing the creation of new online accounts and approving cash transfers.
They look for coding security holes — and invariably find them in the Web browser, the tool banks rely on to run programs that serve as a virtual bank teller. But Internet Explorer, Firefox, Opera, Google Chrome and Apple Safari are designed to let users navigate the entire Internet; they weren’t meant to execute secure financial transactions. Cyber-robbers craft banking Trojans that inject software code into the Web browser, letting the attacker take control of online banking sessions, alter what the account holder sees and make stealthy transactions.
“With the exception of some rare cases, the current online banking systems are at least one full generation behind the current techniques employed by cyber-crooks,” says Costin Raiu, Kaspersky Lab research director.
Cyber-robbers also take great care in setting up “drop” accounts — online accounts they control, usually at the same bank as victims — poised to receive cash transfers. They typically recruit “money mules,” accomplices who execute the final, riskiest step of withdrawing cash from drop accounts and forwarding proceeds to the ring leaders.
Mules are recruited through work-at-home advertisements on employment websites and, increasingly, on popular social networks. Typical pitches promise high earnings for minimal work involving accepting deposits and handling cash transfers. Kaspersky Lab researcher Dmitry Bestuzhev recently tracked down one Facebook-based mule recruiter who had 224,000 friends. “Who knows how many of them accepted the offer to be a money mule?” Bestuzhev says.
In one caper recently investigated by SecureWorks, the attacker embedded a banking Trojan in the victim’s Web browser by getting the person to click on a corrupted Web link in an instant message. The Trojan watched for when the victim next accessed his online bank account and sent a copy of the user name and password to the attacker. It also automatically injected a spoofed bank form into the legitimate banking Web pages.
The bank form asked for the last four digits of the user’s debit card number, ostensibly to complete a security update. The victim complied and filled out the form. The attacker now had a key piece of information necessary to execute large cash transfers.
On a Wednesday shortly before noon, the attacker logged on and began a series of transactions. He changed the e-mail address associated with the account, so notices of any questionable transfers wouldn’t reach the account holder. He next accessed a credit card line of credit and transferred the maximum loan amount into checking.
He then emptied the account of more than $20,000, via a series of transfers into a drop account. To execute the transfers, the thief had to answer this question: “What are the last four digits of your debit card account number?” It took four days for the bank to reimburse the victim.
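The two cases above (Stuart's dormant payee that was reactivated a year later, and the SecureWorks caper that began with an e-mail address change) share sequences that a bank's own monitoring can flag before money leaves. The following is an added example, not code from the article, USA TODAY, Guardian Analytics or SecureWorks: it runs two rules over a constructed account event stream. Event types, the 24-hour window and the 180-day dormancy threshold are assumptions chosen for illustration.

```python
"""Defender-side checks over account events (added example; constructed data).

Rule 1: an outbound payment to a payee with no history before a recent
        contact-information change (the e-mail swap seen in the SecureWorks case).
Rule 2: a payment to a payee whose earlier payments never cleared and that has
        been unused for a long time (the uncashed bill-payment check in the Stuart case).
"""
from collections import defaultdict
from datetime import datetime, timedelta

CONTACT_WINDOW = timedelta(hours=24)   # assumption: contact change -> payment window
DORMANT_DAYS = 180                     # assumption: payee idle this long is dormant

# Constructed sample events: (timestamp, account, kind, details)
EVENTS = [
    # Account A: e-mail change, then repeated transfers to a never-seen payee
    ("2010-06-09T11:52:00", "A", "contact_change", {"field": "email"}),
    ("2010-06-09T11:58:00", "A", "transfer", {"payee": "P-77", "amount": 9900.00}),
    ("2010-06-09T12:03:00", "A", "transfer", {"payee": "P-77", "amount": 9900.00}),
    # Account B: payee set up a year earlier with a check that never cleared, then reused
    ("2009-04-10T09:05:00", "B", "billpay", {"payee": "P-12", "amount": 5836.66, "cleared": False}),
    ("2010-04-12T10:20:00", "B", "contact_change", {"field": "email"}),
    ("2010-04-12T10:25:00", "B", "billpay", {"payee": "P-12", "amount": 5836.66, "cleared": None}),
    # Account C: benign; long-standing payee paid monthly, one legitimate e-mail update
    ("2010-02-01T08:00:00", "C", "billpay", {"payee": "P-5", "amount": 120.00, "cleared": True}),
    ("2010-03-01T08:00:00", "C", "billpay", {"payee": "P-5", "amount": 120.00, "cleared": True}),
    ("2010-04-01T08:00:00", "C", "contact_change", {"field": "email"}),
    ("2010-04-01T08:05:00", "C", "billpay", {"payee": "P-5", "amount": 120.00, "cleared": None}),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect(events):
    """Return a list of (account, rule, timestamp) alerts, in time order."""
    alerts = []
    last_contact_change = {}                                 # account -> datetime
    payee_history = defaultdict(lambda: defaultdict(list))   # account -> payee -> [(ts, cleared)]

    for ts_s, acct, kind, d in sorted(events, key=lambda e: e[0]):
        ts = parse(ts_s)
        if kind == "contact_change":
            last_contact_change[acct] = ts
            continue
        if kind not in ("transfer", "billpay"):
            continue

        payee = d["payee"]
        history = payee_history[acct][payee]

        # Rule 1: payee has no history from before the contact change
        cc = last_contact_change.get(acct)
        if cc is not None and ts - cc <= CONTACT_WINDOW:
            if not any(h_ts < cc for h_ts, _ in history):
                alerts.append((acct, "new_payee_after_contact_change", ts_s))

        # Rule 2: every earlier payment to this payee failed to clear, and it sat dormant
        if history:
            last_ts, _ = history[-1]
            never_cleared = all(c is False for _, c in history)
            if never_cleared and ts - last_ts >= timedelta(days=DORMANT_DAYS):
                alerts.append((acct, "dormant_payee_reuse", ts_s))

        history.append((ts, d.get("cleared")))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Account C trips neither rule: its payee has cleared history from before the e-mail update, so a contact change alone is not treated as suspicious. In practice both rules would hold the payment for out-of-band confirmation rather than block it outright.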
Such attacks are likely to continue to be commonplace, says Joe Stewart, senior threat researcher at SecureWorks. “Cybercriminals can steal credentials for thousands of accounts at a time with very little effort,” he says. “They have access to more accounts than they could possibly ever use, and most of those are personal accounts.”
Consumer distrust increases
To slow down cyber-robberies, banks increasingly are asking “knowledge-based authentication” questions at key junctures of online banking sessions, says Johnson, the bankers association risk expert. Such questions, derived from data amassed by the big three credit bureaus, Experian, Equifax and TransUnion, and by data aggregators LexisNexis and Acxiom, ask about obscure personal details such as the name of one’s mortgage holder or father-in-law, a previous address, even the color of one’s car.
“The questions are going to get more difficult over time,” Johnson says. “The threat is real, and (banks) are providing the tools to help customers protect themselves.”
Citibank and Bank of America rank third and seventh among the top 10 most frequently attacked banks in the world, according to Kaspersky Lab. Each uses a variety of security systems and relies on consumers to help protect their online accounts.
“It is paramount that our customers know how to protect themselves,” says Bank of America spokeswoman Tara Burke. “We recommend that customers always protect their passwords, ensure the bank has up-to-date contact information and review their accounts on a regular basis.”
Litan, the Gartner banking security analyst, says banks need to move away from technologies that rely on common Web browsers, which is where banking Trojans thrive. Handheld optical readers, a more advanced technology, are available from Gemalto and Cronto. These devices must be used to take a picture of a visual cryptogram — a secure image produced by the bank — as part of authorizing any cash transfers.
Mandatory use of a verification device that operates separately from the browser would enable banks to ensure “secure transactions no matter what is on the customer’s PC,” says Paul Beverly, executive vice president at Gemalto.
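The reason a device that works outside the browser can secure a transfer regardless of what is on the PC is that the confirmation code it produces is bound to the exact payee and amount the bank is about to execute. The following is an added example, not code from the article or from Gemalto or Cronto: a simplified model in which the bank's “visual cryptogram” is a plain byte string rather than an image, the device and bank share a per-customer secret, and the code is an HMAC truncated to eight digits. Customer, payee and amount values are constructed.

```python
"""Out-of-band transaction signing (added example; simplified model).

A banking Trojan in the browser can change the request sent to the bank or
change what the customer sees; it cannot reach the device's secret, so a code
computed over the wrong details fails verification at the bank.
"""
import hashlib
import hmac
import json
import secrets


def cryptogram(payee, amount_cents, nonce):
    # Assumption: the cryptogram is modelled as JSON bytes, not the image a reader scans.
    return json.dumps({"payee": payee, "amount": amount_cents, "nonce": nonce},
                      sort_keys=True).encode()


def response_code(device_key, payload):
    # Eight-digit code derived from an HMAC over the transaction details.
    digest = hmac.new(device_key, payload, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    def __init__(self):
        self.device_keys = {}   # customer -> secret provisioned into the device
        self.pending = {}       # challenge id -> (customer, payee, amount, nonce)

    def enroll_device(self, customer):
        key = secrets.token_bytes(32)
        self.device_keys[customer] = key
        return key

    def start_transfer(self, customer, payee, amount_cents):
        # Details here are whatever the browser sent, tampered or not.
        cid, nonce = secrets.token_hex(4), secrets.token_hex(8)
        self.pending[cid] = (customer, payee, amount_cents, nonce)
        return cid, cryptogram(payee, amount_cents, nonce)

    def complete_transfer(self, cid, code):
        # Verify against the details the bank itself recorded, never the browser's claim.
        customer, payee, amount, nonce = self.pending.pop(cid)
        expected = response_code(self.device_keys[customer], cryptogram(payee, amount, nonce))
        return hmac.compare_digest(expected, code)


class Device:
    def __init__(self, key):
        self.key = key

    def sign(self, payload, intended_payee, intended_amount):
        # The device shows the decoded payee and amount on its own screen;
        # the customer approves only if that matches what they meant to send.
        details = json.loads(payload)
        if (details["payee"], details["amount"]) != (intended_payee, intended_amount):
            return None   # mismatch visible on the device; customer declines
        return response_code(self.key, payload)


def scenario(tamper_request=False, tamper_display=False):
    """Return (accepted, executed_payee) for one transfer attempt (constructed values)."""
    bank = Bank()
    device = Device(bank.enroll_device("alice"))
    intended = ("P-1", 10000)                                   # what Alice meant to send
    sent = ("P-MULE", 990000) if tamper_request else intended   # what the browser sent
    cid, shown = bank.start_transfer("alice", *sent)
    if tamper_display:
        # Trojan shows Alice a cryptogram for her intended transfer instead of the real one
        shown = cryptogram(intended[0], intended[1], "forged-nonce")
    code = device.sign(shown, *intended)
    if code is None:
        return False, None
    accepted = bank.complete_transfer(cid, code)
    return accepted, (sent[0] if accepted else None)


if __name__ == "__main__":
    print("honest:", scenario())
    print("request altered:", scenario(tamper_request=True))
    print("request and display altered:", scenario(tamper_request=True, tamper_display=True))
```

In the first tampering case the device's own display exposes the substituted payee; in the second the code is computed over details and a nonce the bank never issued, so verification fails. The per-challenge nonce also prevents a captured code from being replayed for a later transfer.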
But Litan says banks are a long way from even thinking about widely distributing such devices to consumers. “They don’t want to get into the business” of providing hardware to customers, she says.
Banking and security experts say the only thing that will change the banking industry’s current approach is widespread consumer backlash. Stuart’s reaction to her brush with a near robbery could be a harbinger. The experience prompted her to get offline and revert to branch banking.
“It’s inconvenient not to be able to check my account whenever I feel like it. I have to go by the bank and ask for printouts,” says Stuart. “But at this point, I distrust the system of online banking.”