Financial institutions around the world were recently alarmed again by news of a massive attack reported to have siphoned nearly $2.5 billion from commercial accounts held at multiple financial institutions in the U.S., Europe and Latin America.
While the media scrambled to hype the emerging story, security experts uncovered enough details to identify this attack as a new twist on several well-known commercial account takeover attacks. The new attack automated parts of the Zeus and SpyEye fraud workflow that had previously required manual intervention by the criminals, which makes it considerably more efficient and scalable.
Given the uptick in sophistication, our best assumption is that, eventually, one or more of these attacks will reach your financial institution. The question is what can you do to protect against these new incursions on bank security?
Issued in June 2011, the FFIEC's Supplement to Authentication in an Internet Banking Environment provides a host of sound recommendations. Among them: dual customer authorization of transactions, layered security programs, enhanced controls over administrative functions, device identification, and customer awareness and education.
Every financial institution would be wise to consider these recommendations. Another factor looming over the ongoing cybercrime wave is the commercial customer's own practices.
The Financial Services Information Sharing and Analysis Center, NACHA and the FTC have published a wealth of material about commercial account takeovers since 2009. These groups have long recognized that many safeguards against these threats fall under the control of the commercial customer.
Many of the Zeus infections that resulted in corporate account takeovers stem from the way the customer's online banking PC is used: the same machine that initiates payments is also used for email and general web browsing, which is how the malware gets in. To combat these risks, FS-ISAC and NACHA released a joint publication on August 24, 2009 titled "Account Hijacking of Corporate Customers – Recommendations for Customer Education."
This document lists 24 recommendations for business and corporate customers that the authors believed would help reduce the risk of corporate account takeover, and they are still valid today. Among them is using a dedicated, stand-alone, hardened PC for all online banking. Email and general internet browsing should not be conducted on this PC. The idea here is to prevent a Zeus infection in the first place, thereby significantly lowering the risk of fraud.
Another recommendation is to reconcile all banking transactions on a daily basis. Early detection of fraudulent transactions provides a better chance for the firm to recover stolen funds, since an ACH or wire that is caught the same day can often still be recalled.
The publication also suggests implementing a dual-control process for all financial transactions. Businesses should set up their employees within the system so that one employee has rights to enter a transaction and a different employee must approve the transaction before it is released. The point is separation of duties: a single compromised workstation or credential should not be enough to move money.
Make use of the two-factor authentication options offered by the financial institution, according to the guidance from FS-ISAC and NACHA. If these options include a dynamic password token or something similar, implement that immediately.
Another recommendation is to take advantage of transaction limits, both per-transaction and daily aggregate caps, to curb financial losses should criminals begin to initiate fraudulent transactions.
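The three controls just described (daily reconciliation, dual control and transaction limits) are easiest to reason about as code. The following is an added illustration, not code from the FS-ISAC/NACHA document or from any banking platform: a toy model of a commercial online-banking system in which the maker/checker rule, per-transaction and daily limits, and a reconciliation of the bank statement against the company's own ledger are enforced. User names, role names, limits and the sample transactions are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class ControlViolation(Exception):
    """A control (role, dual control, or limit) blocked the action."""


@dataclass
class Transaction:
    txn_id: str
    amount: int          # whole dollars for the example; use Decimal in production
    payee: str
    entered_by: str
    approved_by: Optional[str] = None


@dataclass
class PaymentSystem:
    """Toy model of customer-side payment controls (assumed design, not a real product)."""
    roles: Dict[str, Set[str]]          # user -> subset of {"enter", "approve"}
    per_txn_limit: int                  # assumed per-transaction ceiling
    daily_limit: int                    # assumed aggregate ceiling for the day
    pending: Dict[str, Transaction] = field(default_factory=dict)
    released: List[Transaction] = field(default_factory=list)

    def enter(self, txn_id: str, amount: int, payee: str, user: str) -> Transaction:
        if "enter" not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} lacks the 'enter' role")
        if amount > self.per_txn_limit:
            raise ControlViolation(f"{txn_id}: {amount} exceeds per-transaction limit")
        txn = Transaction(txn_id, amount, payee, entered_by=user)
        self.pending[txn_id] = txn
        return txn

    def approve(self, txn_id: str, user: str) -> Transaction:
        txn = self.pending[txn_id]
        if "approve" not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} lacks the 'approve' role")
        # Dual control: the approver must be a different person from the entrant,
        # even when one user happens to hold both roles.
        if user == txn.entered_by:
            raise ControlViolation(f"{txn_id}: {user} cannot approve a transaction they entered")
        if sum(t.amount for t in self.released) + txn.amount > self.daily_limit:
            raise ControlViolation(f"{txn_id}: would exceed daily limit")
        txn.approved_by = user
        self.released.append(self.pending.pop(txn_id))
        return txn


def reconcile(bank_statement: List[dict], company_ledger: List[dict]) -> List[dict]:
    """Daily reconciliation: statement entries the company never recorded."""
    known = {(t["txn_id"], t["amount"], t["payee"]) for t in company_ledger}
    return [t for t in bank_statement
            if (t["txn_id"], t["amount"], t["payee"]) not in known]


def run_demo() -> dict:
    """Exercise the controls on constructed data and return a summary of outcomes."""
    system = PaymentSystem(
        roles={"alice": {"enter"}, "bob": {"approve"}, "carol": {"enter", "approve"}},
        per_txn_limit=25_000,
        daily_limit=40_000,
    )
    outcome = {}

    system.enter("T1", 20_000, "Vendor A", user="alice")
    outcome["t1_released"] = system.approve("T1", user="bob").approved_by == "bob"

    try:                                   # over the per-transaction limit
        system.enter("T2", 30_000, "Vendor B", user="alice")
        outcome["t2_blocked"] = False
    except ControlViolation:
        outcome["t2_blocked"] = True

    system.enter("T3", 5_000, "Vendor C", user="carol")
    try:                                   # same person enters and approves
        system.approve("T3", user="carol")
        outcome["t3_self_approval_blocked"] = False
    except ControlViolation:
        outcome["t3_self_approval_blocked"] = True
    system.approve("T3", user="bob")       # a second person may release it

    system.enter("T4", 20_000, "Vendor D", user="alice")
    try:                                   # 25,000 released so far; 45,000 > 40,000
        system.approve("T4", user="bob")
        outcome["t4_daily_limit_blocked"] = False
    except ControlViolation:
        outcome["t4_daily_limit_blocked"] = True

    # Constructed bank statement containing an ACH the company never entered.
    statement = [
        {"txn_id": "T1", "amount": 20_000, "payee": "Vendor A"},
        {"txn_id": "T3", "amount": 5_000, "payee": "Vendor C"},
        {"txn_id": "X9", "amount": 9_850, "payee": "Mule Account LLC"},
    ]
    ledger = [{"txn_id": t.txn_id, "amount": t.amount, "payee": t.payee}
              for t in system.released]
    outcome["unexplained"] = [t["txn_id"] for t in reconcile(statement, ledger)]
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

The self-approval check is the part customers most often get wrong: giving one convenient employee both the "enter" and "approve" rights silently collapses dual control back to single control, and a Zeus-infected session running as that employee can do everything. The reconciliation step is what surfaces the transaction that bypassed the controls entirely, which is why the guidance pairs it with daily review rather than month-end review.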
Install antivirus on the online banking PC and keep it up to date. Although no antivirus product detects every Zeus variant, and new variants are packed specifically to evade signature detection, a large number of variants are recognized by the leading antivirus vendors, so an up-to-date product still removes a meaningful share of the risk.
Limit administrative rights on the online banking PC. The account that employees use to log on to the online banking PC should be a standard user account without administrative rights. This makes it more difficult for malware to install itself system-wide or to disable security software.
There are many more recommendations in the FS-ISAC document to be considered by your commercial customer or member. One way to get those recommendations into their hands is to convert them into a questionnaire that your commercial bankers can bring to their customers on a site visit.
Community banks and credit unions regularly pride themselves on their personal attention and proactive service. Visiting your commercial customer with a questionnaire such as the one suggested above might do more than showcase your personal touch and commitment to their well-being: it might actually help these customers avoid a cyber attack.
Many security articles today focus on technical and regulatory approaches to combating the latest security challenges. Fewer articles focus on the customer’s role in preventing a malware infection from occurring in the first place. Experience tells us that an ounce of prevention is worth a pound of cure.
Kevin Hamel is vice president and security officer at COCC Inc.
Contact 888-678-0444.