Hundreds of millions of dollars have been stolen by cyber-criminals from bank and credit union accounts. That is the reality and what it means to credit union executives is that the need for vigilance around online and mobile banking is severe.
But then there are the flat-out empty scares that so often percolate in this field. Last week for instance security experts were aflutter over a threat named Flame which, in initial reports, was said to be Stuxnet doubled down. That would be very, very bad indeed because Stuxnet may have the capabilities to cripple nation states.
But then on second look, the experts seemed to dismiss Flame as more hype than danger. Which is it? Too early to say.
Every week Credit Union Times – and other media outlets – is deluged with press releases that beat the drums of cyber terror and, too often, upon exploration it is revealed that the trigger for the press release is a malware caper that so far has been limited to a few dozen users in a country nobody could identify on a map.
There are threats and then there are just scares.
But what can be said is that there are a handful of known, proven threats to online and mobile banking. These are the threats that matter. The top five are itemized here.
No 1 Coming at Apple
Ask James Walter, manager of the McAfee Threat Intelligence Service, what the loudest unexpected buzz in black hat criminal circles is today and he will tell you it is talk about mounting attacks on Apple computers. “We are seeing a large spike in Apple malware,” said Walter.
As Apple edges its way above a 5% market share for PCs, the size of the target has begun to entice cyber criminals who are especially intrigued because beliefs are widespread that most Apples run without anti-virus protection and many are not regularly patched with security updates. That would leave a huge base of essentially unprotected Apples as a criminal target.
Recently a pernicious piece of malware called Flashback snuck onto Apples through unpatched versions of Java.
If the experts are right, expect many more attacks on Apples (and note this refers only to desktop and laptop computers, not Apple mobile devices, about which more below).
No 2 Mobile Malware
Mainly mobile malware remains a trickle, but as digital banking goes through a transformation that likely will see huge spikes in the number of mobile banking users, experts increasingly eyeball mobile malware as a new frontier.
Much of what is out there is more nuisance than anything else. Petty theft spawned by premium SMS, possibly unauthorized phone calls to expensive numbers. Definite aggravations to the users but this is nothing compared to what afflicts online banking channels.
This may all change, for the worse, however.
“Mobile is topic 1, 2 and 3 in the cybercriminal underworld,” said Steve Santorelli with researchers Team Cymru.
But a reality is that it simply is much harder to create dangerous malware that will run on IOS (iPad, iPhone) or on Android than it is to create malware for PCs.
Harder but perhaps not impossible. Researchers at Q2ebanking in Austin, Texas, point to a rising number of cases of malware named Gozi that is a man-in-the-browser trojan that, apparently, can pilfer a smartphone’s IMEI (international mobile equipment identity number), a string of numbers that can be used to obtain a new SIM card from a mobile carrier – and that, in turn, could result in security SMS messages from a credit union going not to the member, but to the criminal who has hijacked the member’s phone.
Watch for more attempts to gain control of phones as more financial institutions attempt to deploy phones as pieces of larger security initiatives.
But, for now, fears vastly outnumber real mobile threats, a grim finding in a recent survey by Dublin, Ireland-based Adaptive Mobile which found one in six U.S. smartphone users believe their device has experienced a mobile virus. Almost none in fact had. Those users apparently had confused normal smartphone activity with malware activity.
No 3 Counterfeit Banking Apps
So far, say the experts, there have been no successful counterfeits of U.S. bank or credit union apps for Android devices, and there is lesser probability that a counterfeit could make it through the more thorough screening required to upload an app into the Apple App Store.
Android has a decentralized app distribution philosophy – apps can be downloaded from just about anywhere to most Android devices – and that creates the theoretical possibility of a criminal taking a legitimate credit union app, inserting a tiny bit of criminal code (perhaps to gather up log in credentials and email them back to control), then uploading it to the Internet and seeing if anybody downloads it.
Know that large financial institutions – though they will not confirm it on the record – are widely rumored to have employees dedicated to a daily hunt for rogue versions of their mobile apps.
Experts advise credit unions to do likewise. Google’s Play Storefront, which distributes apps, is said to be highly responsive to complaints from financial institutions centered on possible fraud. Apple’s App Store is said also to respond very quickly.
No 4. Phishing Keeps on Stealing
User innocence – maybe ignorance and gullibility – are what have always fueled phishing, which continues to be one of the most virulent online banking threats, per the recent 2011 Phishing Activity Trends Report out of the Anti-Phishing Working Group.
Phishing attacks were up 23% in the second half of 2011, per APWG’s tally. Threats are evolving with technology. The APWG said it saw many more campaigns aimed at exploiting users of mobile phones who, due to the form factor, may be more easily tricked into clicking on bad links that the same user, with a full size monitor, would have recognized as deceptive.
Importantly, the APWG said “financial services continues to be the most targeted industry sector,” as criminals continue to follow the adage about going where the money is.
In an email, Nicholas Skrepetos, CTO at Support.com, tersely summed up what is going on with phishing: “Phishing schemes still lead the attack on online banking/identity theft because users continue to fall victim to the e-mail phishing attacks, despite continuous media coverage.”
No. 5 Zeus
Threats do not get bigger than this. Despite aggressive Microsoft raids on Zeus botnet servers – essentially zombie farms for computer malware – several million US computers, at a minimum, remain under control of Zeus cyber-criminals.
Zeus – first identified in 2007 – is believed to infect computers in more than 200 countries. Part of the reason for its comparative success is that it was built with one goal in mind: to steal from bank accounts. Versions – customized for theft from targeted financial institutions – are readily available for purchase in online criminal forums. Thus, no specialized computer skill is required to operate a Zeus botnet.
One fact: Microsoft, on whose operating system Zeus feeds (it does not work on Apple), has responded by declaring something close to war against the Zeus empire. As part of that effort Microsoft makes available – free of charge – very good malware screening and purging tools.
Advice from many experts is that protecting Windows computers against Zeus is not harder than using the Microsoft tools and keeping the computer patched with security updates for Windows, Microsoft Office, any Web browsers, and commonly attacked programs (Java, Flash, etc.).
But face this scary reality: permutations of Zeus, designed to evade detection, are spreading and, said security researcher Brian Krebs, “The more custom they are, the more dangerous and undetectable they are.” In an email, he fingered IceX, Citadel, Gameover and Jabberzeus as variants to worry about. More details on these emerging threats can be found at KrebsonSecurity.
Bottom line: Microsoft may have thrown a roundhouse punch at Zeus, but it has not put a stake through its heart. It lives on.
The one certainty around online-mobile banking security is that the threats will keep coming. And they will get more clever.
Lawrence Pingree, a researcher director at Gartner, said in an interview: “There is no silver bullet for security.”
What he urges of financial institutions amounts to this: “Don’t let things get stagnant.” That is, keep innovating because, for sure, the cyber criminals are.