Consumers and businesses alike have embraced technology to improve communications, convenience and efficiency.
This rapid rise in the availability and use of technology has created consumer and business expectations that providers will offer anytime, anyplace, always-on, real-time access to financial services. Financial institutions have moved quickly to meet these expectations, introducing products and services that leverage technology advances and support new access channels.
These advances have a dark side, however; Criminals, too, are leveraging the power and efficiency of technology to perpetrate fraud attacks of incredible speed, scale and, when needed, precision. What used to be a local check-kiting scheme has become a global conglomerate of financial criminals executing coordinated attacks against dozens or even hundreds of financial institution customers, moving money in an instant with anonymity and little fear of prosecution.
One just needs to look at two recent attacks to understand what criminals can achieve given the means, focus and desire. First, there was the Google attack from China that, by leveraging a set of sophisticated social engineering and hacking steps, enabled a major IP theft from highly secure companies such as Google. Next, there was the Stuxnet Trojan designed to attack Iran's nuclear program; it was said to be one of the stealthiest and advanced malware programs ever designed, leveraging techniques that haven't been seen before. Though this may, or may not, be a classic organized crime effort, it nonetheless demonstrates the increasingly complex malware capabilities that exist today
As technology and globalization keep evolving, and the pace of innovation by both banks and criminals quickens, today's controls often are simply not enough. As criminals' sophistication grows, so, too, must the associated security technology. Flexibility and quick response to new threats will be crucial for long-term protection of bank and customer assets.
Malware programs, such as the Zeus Trojan, have been in the news recently, and the threat will not go away as media attention fades. Malware gives fraudsters a massive distributed computing capability at virtually no cost allowing them to execute attacks on a huge scale yet, at the same time, with an ability to make precise strikes against selected targets by leveraging the target's own computer.
Financial institutions must make significant investments to combat these threats. This asymmetry in the cost of doing business suggests that malware will continue to evolve and be used in creative ways to perpetrate fraud. For example, in the past 18 months, the use of malware to execute true man-in-the-browser attacks (beyond traditional key-logging) has significantly increased against online commercial banking customers. Accounts are drained through wire and automated clearing house transactions; losses are often in the six- and seven-figure range per incident.
Using these technologies, criminals have even begun to change their business models. It is becoming less common for a single domestic person to create and use malware to collect information, then personally extract assets. Committing fraud has become a global business in itself, with a network of criminals teaching others how to perpetrate fraud.
For example, an organized group of criminals may rent computing power from a botnet provider in Eastern Europe, acquire compromised customer or card data from a provider in France who stole it from U.S. customers, solicit money mules from a Spam services provider in China and have money wired to accounts held in the Bahamas. This means a single attack may come from dozens of loosely organized individuals spread across the globe, each performing different tasks. They have great agility and the ability to leverage new technologies very quickly. They are difficult to find and prosecute because each task is but a part of the whole.
