Hackers are not only breaching some of the world’s largest companies and governments, they are also attacking online banking at the industry’s most vulnerable point — the clients’ own PCs.
The problem is so pervasive that the Federal Financial Institutions Examination Council has updated its 2005 online security guidance. The FBI and NACHA have also issued warnings.
In just one reported crime, the FBI is searching for suspects believed to have stolen more than $20 million from U.S.-based online business accounts in just two months.
According to research firm Gartner Inc., crimeware designed to take over online accounts and steal money is now the most significant threat to U.S. financial institutions. There’s likely a hijacked server in your backyard being used by criminals to direct their attacks.
The root cause of the problem, as explained by the FFIEC, is that hackers have become adept at stealing online credentials and even taking over PCs or hijacking online sessions as they occur.
They use a variety of techniques, most of which involve installing some form of malicious software (malware) on the client’s PC or attacking servers to redirect Internet traffic to hacker sites.
A staggering 25% of computers, according to reports from the Anti-Phishing Working Group, are infected with banking Trojans or downloaders such as ZeuS and SpyEye, used by criminals to take over online accounts and steal millions.
Especially vulnerable are small businesses and municipalities, the preferred targets of cyber criminals, because these organizations often do not have the depth of resources needed to maintain defenses throughout their networks.
And, even if they have some defenses, anti-virus technology still detects these malicious attacks only 30% of the time, and that’s on a really great day.
To address the problem, the FFIEC issued a directive to credit unions and banks alike to better protect their online banking customers with multiple layers of security.
That is not easy to do, however, because today’s malware evolves so rapidly it stays ahead of anti-virus and other countermeasures and can slip by undetected.
Since examiners will assess how financial institutions satisfy these enhanced expectations starting in January 2012, now is the time for credit unions to take decisive action to protect members.
One of the five layered security controls recognized by the FFIEC guidance as proven effective to help prevent fraud is the use of USB devices “that increase session security when plugged into the customers’ PC.”
They are effective because they “enable a secure link between the customer’s PC and the financial institution independent of the PC’s operating system and application software,” according to the report.
This “secure browsing” approach is also recognized by Gartner as one of the five critical security controls for preventing online banking fraud. And, importantly, Gartner sees the client’s PC as the place to start for preventing fraud and delivering the biggest ROI faster.
Kevin Bocek is director of product marketing for IronKey Inc. in Sunnyvale, Calif.