Hundreds ofmillions of dollars have been stolen by cyber-criminals from bankand credit union accounts. That is the reality and what it means tocredit union executives is that the need for vigilance aroundonline and mobile banking is severe.

But then there arethe flat-out empty scares that so often percolate in this field.Last week for instance security experts were aflutter over a threatnamed Flame which, in initial reports, was said to be Stuxnetdoubled down. That would be very, very bad indeed because Stuxnetmay have the capabilities to cripple nation states.

But then on secondlook, the experts seemed to dismiss Flame as more hype than danger. Which is it? Tooearly to say.

Every weekCredit Union Times – and other media outlets– is deluged with press releases that beat the drums of cyberterror and, too often, upon exploration it is revealed that thetrigger for the press release is a malware caper that so far hasbeen limited to a few dozen users in a country nobody couldidentify on a map.

There are threatsand then there are just scares.

But what can besaid is that there are a handful of known, proven threats to onlineand mobile banking. These are the threats that matter. The top fiveare itemized here.

No 1Coming at Apple

Ask James Walter,manager of the McAfee Threat Intelligence Service, what the loudestunexpected buzz in black hat criminal circles is today and he willtell you it is talk about mounting attacks on Apple computers. “Weare seeing a large spike in Apple malware,” said Walter.

As Apple edges itsway above a 5% market share for PCs, thesize of the target has begun to entice cyber criminals who areespecially intrigued because beliefs are widespread that mostApples run without anti-virus protection and many are not regularlypatched with security updates. That would leave a huge base ofessentially unprotected Apples as a criminal target.

Recently apernicious piece of malware called Flashback snuck onto Applesthrough unpatched versions of Java.

If the experts areright, expect many more attacks on Apples (and note this refersonly to desktop and laptop computers, not Apple mobile devices,about which more below).

No 2Mobile Malware

Mainly mobilemalware remains a trickle, but as digital banking goes through atransformation that likely will see huge spikes in the number ofmobile banking users, experts increasingly eyeball mobile malwareas a new frontier.

Much of what isout there is more nuisance than anything else. Petty theft spawnedby premium SMS, possibly unauthorized phone calls to expensivenumbers. Definite aggravations to the users but this is nothingcompared to what afflicts online banking channels.

This may allchange, for the worse, however.

“Mobile is topic1, 2 and 3 in the cybercriminal underworld,” said Steve Santorelliwith researchers Team Cymru.

But a reality isthat it simply is much harder to create dangerous malware that willrun on IOS (iPad, iPhone) or on Android than it is to createmalware for PCs.

Harder but perhapsnot impossible. Researchers at Q2ebanking in Austin, Texas, pointto a rising number of cases of malware named Gozi that is aman-in-the-browser trojan that, apparently, can pilfer asmartphone's IMEI (international mobile equipment identity number),a string of numbers that can be used to obtain a new SIM card froma mobile carrier – and that, in turn, could result in security SMSmessages from a credit union going not to the member, but to thecriminal who has hijacked the member's phone.

Watch for moreattempts to gain control of phones as more financial institutionsattempt to deploy phones as pieces of larger securityinitiatives.

But, for now,fears vastly outnumber real mobile threats, a grim finding in arecent survey by Dublin, Ireland-based Adaptive Mobile which foundone in six U.S. smartphone users believe their device hasexperienced a mobile virus. Almost none in fact had. Those usersapparently had confused normal smartphone activity with malwareactivity.

No 3Counterfeit Banking Apps

So far, say theexperts, there have been no successful counterfeits of U.S. bank orcredit union apps for Android devices, and there is lesserprobability that a counterfeit could make it through the morethorough screening required to upload an app into the Apple AppStore.

Android has adecentralized app distribution philosophy – apps can be downloadedfrom just about anywhere to most Android devices – and that createsthe theoretical possibility of a criminal taking a legitimatecredit union app, inserting a tiny bit of criminal code (perhaps togather up log in credentials and email them back to control), thenuploading it to the Internet and seeing if anybody downloadsit.

Know that largefinancial institutions – though they will not confirm it on therecord – are widely rumored to have employees dedicated to a dailyhunt for rogue versions of their mobile apps.

Experts advisecredit unions to do likewise. Google's Play Storefront, whichdistributes apps, is said to be highly responsive to complaintsfrom financial institutions centered on possible fraud. Apple's AppStore is said also to respond very quickly.

No 4.Phishing Keeps on Stealing

User innocence –maybe ignorance and gullibility – are what have always fueledphishing, which continues to be one of the most virulent onlinebanking threats, per the recent 2011 Phishing ActivityTrends Report out of the Anti-Phishing Working Group.

Phishing attackswere up 23% in the second half of 2011, per APWG's tally. Threatsare evolving with technology. The APWG said it saw many morecampaigns aimed at exploiting users of mobile phones who, due tothe form factor, may be more easily tricked into clicking on badlinks that the same user, with a full size monitor, would haverecognized as deceptive.

Importantly, theAPWG said “financial services continues to be the most targetedindustry sector,” as criminals continue to follow the adage aboutgoing where the money is.

In an email,Nicholas Skrepetos, CTO at Support.com, tersely summed up what isgoing on with phishing: “Phishingschemes still lead the attack on online banking/identity theftbecause users continue to fall victim to the e-mail phishingattacks, despite continuous media coverage.”

No. 5Zeus

Threats do not getbigger than this. Despite aggressive Microsoft raids on Zeus botnetservers – essentially zombie farms for computer malware – severalmillion US computers, at a minimum, remain under control of Zeuscyber-criminals.

Zeus – first identified in 2007 – is believed to infectcomputers in more than 200 countries. Part of the reason for itscomparative success is that it was built with one goal in mind: tosteal from bank accounts. Versions – customized for theft fromtargeted financial institutions – are readily available forpurchase in online criminal forums. Thus, no specialized computerskill is required to operate a Zeus botnet.

One fact:Microsoft, on whose operating system Zeus feeds (it does not workon Apple), has responded by declaring something close to waragainst the Zeus empire. As part of that effort Microsoft makesavailable – free of charge – very good malware screening andpurging tools.

Advice from manyexperts is that protecting Windows computers against Zeus is notharder than using the Microsoft tools and keeping the computerpatched with security updates for Windows, Microsoft Office, anyWeb browsers, and commonly attacked programs (Java, Flash,etc.).

But face thisscary reality: permutations of Zeus, designed to evade detection,are spreading and, said security researcher Brian Krebs, “The more customthey are, the more dangerous and undetectable they are.” In anemail, he fingered IceX, Citadel, Gameover and Jabberzeus asvariants to worry about. More details on these emerging threats canbe found at KrebsonSecurity.

Bottom line:Microsoft may have thrown a roundhouse punch at Zeus, but it hasnot put a stake through its heart. It lives on.

Comingattractions

The one certaintyaround online-mobile banking security is that the threats will keepcoming. And they will get more clever.

Lawrence Pingree, a researcher director atGartner, said in an interview: “There is no silver bullet forsecurity.”

What he urges of financial institutions amounts to this: “Don'tlet things get stagnant.” That is, keep innovating because, forsure, the cyber criminals are.