Financial institutions around the world were alarmed again last month by news of a massive attack campaign against commercial accounts held at multiple financial institutions in the U.S., Europe, and Latin America, with attempted fraudulent transfers reported to total as much as $2.5 billion.
While the media scrambled to hype the emerging story, security researchers uncovered enough detail to identify the attack as a new twist on several well-known commercial account takeover techniques: it automated parts of the Zeus and SpyEye fraud process that had previously required a criminal operator to intervene by hand. Removing that human step lets the attackers push far more fraudulent transfers through in far less time.
Given this increase in sophistication, the prudent assumption is that one or more of these attacks will eventually reach your financial institution. The question is: what can you do to protect against them?
The FFIEC’s Supplemental Guidance on Internet Banking Authentication (issued in June 2011) provides a host of sound recommendations. Among them:
Every financial institution would be wise to consider these recommendations. But another factor looms over the ongoing cybercrime wave: the commercial customer's own environment.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), NACHA, and the FTC have published a wealth of material about commercial account takeovers since 2009. These groups have long recognized that many safeguards against these threats fall under the control of the commercial customer.
Many of the Zeus infections that led to corporate account takeovers stemmed from improper use of the customer's PC: the same machine used for online banking was also used for everyday web browsing and email, the two channels through which Zeus typically arrived (drive-by downloads and malicious attachments). To combat these risks, FS-ISAC and NACHA released a joint publication on August 24, 2009 titled “Account Hijacking of Corporate Customers – Recommendations for Customer Education.”
This document lists 24 recommendations for business and corporate customers that the authors believed would help reduce the risk of corporate account takeover. They are still valid today:
There are many more recommendations in the FS-ISAC document for your commercial customers to consider. One way to get them into your customers' hands is to convert them into a questionnaire that your commercial bankers bring along on a site visit.
Community banks and credit unions regularly pride themselves on personal attention and proactive service. Visiting your commercial customer with a questionnaire such as the one suggested above does more than showcase your personal touch and commitment to their well-being; it might actually help that customer avoid a cyber attack.
Many security articles today focus on technical and regulatory approaches to the latest security challenges. Fewer focus on the customer's role in preventing a malware infection from occurring in the first place. Experience tells us that an ounce of prevention is worth a pound of cure.