Guarding the Gate
Customer Education Helps Stall the Latest Cyber Attacks
By Kevin Hamel, VP Security Officer

Financial institutions around the world were frightened again last month by news of a massive attack that siphoned nearly $2.5 billion from commercial accounts held at multiple financial institutions in the U.S., Europe, and Latin America.
While the media scrambled to hype the emerging story, security experts uncovered enough details to identify this attack as a new twist on several well-known commercial account takeover attacks. The new attack merely automated parts of the Zeus and SpyEye malware that had previously required manual intervention. Obviously, the new automated version is more efficient.
Given the uptick in sophistication, our best assumption is that eventually one or more of these attacks will reach your financial institution. The question is: what can you do to protect against these new incursions on bank security?
The FFIEC’s Supplemental Guidance on Internet Banking Authentication (issued in June 2011) provides a host of sound recommendations. Among them:
· Dual Authentication of Customers
· Layered Security Programs
· Control Over Administrative Functions
· Device Identification
· Customer Awareness and Education
Every financial institution would be wise to consider these recommendations. But another factor looms over the ongoing cybercrime wave: the commercial customer himself.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), NACHA, and the FTC have published a wealth of material about commercial account takeovers since 2009. These groups have long recognized that many safeguards against these threats fall under the control of the commercial customer.
Many of the Zeus infections that resulted in corporate account takeovers stem from the improper use of the customer’s PC for online banking. To combat these risks, FS-ISAC and NACHA released a joint publication on August 24, 2009 titled “Account Hijacking of Corporate Customers – Recommendations for Customer Education.”
This document lists 24 recommendations for business and corporate customers that the authors believed would help reduce the risk of corporate account takeover. They are still valid today:
· Use a dedicated, stand-alone, ‘hardened’ PC for all online banking. Email and general internet browsing should not be conducted on this PC. The idea here is to prevent a Zeus infection, thereby significantly lowering the risk of fraud.
· Reconcile all banking transactions on a daily basis. Early detection of fraudulent transactions provides a better chance for the firm to recover stolen funds.
· Implement a dual-control process for all financial transactions. Businesses should set up their employees within the system so that one employee has rights to enter a transaction, and a different employee must approve the transaction before it occurs.
· Make use of the dual-factor authentication options offered by the financial institution. If these options include a dynamic password token or something similar, implement that immediately.
· Take advantage of transaction limits. They can limit financial losses should criminals begin to initiate fraudulent transactions.
· Install antivirus on the online banking PC and keep it up-to-date. Although some Zeus variants have yet to be identified, a number of variants have already been recognized by the leading antivirus vendors.
· Limit administrative rights on the online banking PC. The ID that employees use to access the online banking PC should not have administrative rights. This will make it more difficult for malware to get installed.
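Three of the recommendations above (dual control, transaction limits, daily reconciliation) reduced to working code, as an added example that is not from the article or from FS-ISAC/NACHA: the approver set, the limit values and the sample bank-statement lines are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Payment:
    pid: str
    amount: float
    entered_by: str
    approved_by: Optional[str] = None

class DualControlLedger:
    """Payments are entered by one user and released only after a different,
    authorised user approves them; per-transaction and daily limits apply."""
    def __init__(self, approvers, per_tx_limit, daily_limit):
        self.approvers = set(approvers)      # assumed approver IDs
        self.per_tx_limit = per_tx_limit
        self.daily_limit = daily_limit
        self.pending = {}                    # pid -> Payment awaiting approval
        self.released = []                   # approved payments for the day

    def enter(self, pid, amount, user):
        if amount > self.per_tx_limit:
            raise ValueError("exceeds per-transaction limit")
        committed = sum(p.amount for p in self.released) + \
                    sum(p.amount for p in self.pending.values())
        if committed + amount > self.daily_limit:
            raise ValueError("exceeds daily limit")
        self.pending[pid] = Payment(pid, amount, user)

    def approve(self, pid, user):
        p = self.pending[pid]
        if user not in self.approvers:
            raise PermissionError("user is not an approver")
        if user == p.entered_by:
            raise PermissionError("entering user cannot approve own payment")
        p.approved_by = user
        self.released.append(self.pending.pop(pid))

def reconcile(released, statement):
    """Daily reconciliation: return statement entries with no matching
    released payment, i.e. debits the firm never authorised."""
    known = {(p.pid, p.amount) for p in released}
    return [s for s in statement if (s["ref"], s["amount"]) not in known]

def run_demo():
    ledger = DualControlLedger(["bob"], per_tx_limit=10000, daily_limit=25000)
    ledger.enter("P1", 4000, "alice")
    ledger.approve("P1", "bob")
    # constructed statement: P1 is legitimate, X9 was never entered or approved
    statement = [{"ref": "P1", "amount": 4000}, {"ref": "X9", "amount": 9900}]
    return reconcile(ledger.released, statement)
```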
There are many more recommendations in the FS-ISAC document to be considered by your commercial customer. One way to get those recommendations into your customers’ hands might be to convert them into a questionnaire that your commercial bankers can bring to their customers on a site visit.
Community banks and credit unions regularly pride themselves on their personal attention and proactive service. Visiting your commercial customer with a questionnaire such as the one suggested above might do more than showcase your personal touch and commitment to their well-being; it might actually help these customers avoid a cyber attack.
Many security articles today focus on technical and regulatory approaches to combating the latest security challenges. Fewer articles focus on the customer’s role in preventing a malware infection from occurring in the first place. Experience tells us that an ounce of prevention is worth a pound of cure.