Guarding the Gate
Customer Education Helps Stall the Latest Cyber Attacks
By Kevin Hamel, VP
institutions around the world were frightened
again last month by news of a massive attack
that siphoned nearly $2.5 billion from
commercial accounts held at multiple financial
institutions in the U.S., Europe, and Latin
the media scrambled to hype the emerging story,
security experts uncovered enough details to
identify this attack as a new twist on several
well-known commercial account takeover attacks.
The new attack merely automated parts of the
Zeus and SpyEye malware that had previously
required manual intervention. Obviously, the new
automated version is more efficient.
the uptick in sophistication, our best
assumption is that eventually, one or more of
these attacks will reach your financial
institution. The question is: what can you do to
protect against these new incursions on bank
FFIEC’s Supplemental Guidance on Internet
Banking Authentication (issued in June 2011)
provides a host of sound recommendations. Among
Authentication of Customers
Layered Security Programs
Control Over Administrative Functions
Customer Awareness and Education
financial institution would be wise to consider
these recommendations. But another factor looms
over the ongoing cybercrime wave: the commercial
Financial Services Information Sharing and
Analysis Center (FS-ISAC), NACHA, and the FTC
have published a wealth of material about
commercial account takeovers since 2009. These
groups have long recognized that many safeguards
against these threats fall under the control of
the commercial customer.
of the Zeus infections that resulted in
corporate account takeovers stem from the
improper use of the customer’s PC for online
banking. To combat these risks, FS-ISAC and
NACHA released a joint publication on August 24,
Hijacking of Corporate Customers –
Recommendations for Customer Education.”
document lists 24 recommendations for business
and corporate customers that the authors
believed would help reduce the risk of corporate
account takeover. They are still valid today:
a dedicated, stand-alone, ‘hardened’ PC for all
online banking. Email and general internet
browsing should not be conducted on this PC.
The idea here is to prevent a Zeus infection,
thereby significantly lowering the risk of
all banking transactions on a daily basis.
Early detection of fraudulent transactions
provides a better chance for the firm to recover
a dual-control process for all financial
transactions. Businesses should set up their
employees within the system so that one employee
has rights to enter a transaction, and a
different employee must approve the transaction
before it occurs.
use of the dual-factor authentication options
offered by the financial institution. If these
options include a dynamic password token or
something similar, implement that immediately.
advantage of transaction limits. They can limit
financial losses should criminals begin to
initiate fraudulent transactions.
antivirus on the online banking PC and keep it
up-to-date. Although some Zeus variants have
yet to be identified, a number of variants have
already been recognized by the leading antivirus
administrative rights on the online banking PC.
The ID that employees use to access the online
banking PC should not have administrative
rights. This will make it more difficult for
malware to get installed.
are many more recommendations in the FS-ISAC
document to be considered by your commercial
customer. One way to get those recommendations
into your customers’ hands might be to convert
them into a questionnaire that your commercial
bankers can bring to their customers on a site
Community banks and credit unions regularly
pride themselves on their personal attention and
proactive service. Visiting your commercial
customer with a questionnaire such as the one
suggested above might do more than showcase your
personal touch and commitment to their
well-being; they might actually help these
customers avoid a cyber attack.
security articles today focus on technical and
regulatory approaches to combating the latest
security challenges. Fewer articles focus on the
customer’s role in preventing a malware
infection from occurring in the first place.
Experience tells us that an ounce of prevention
is worth a pound of cure.