How One Bank Is Counterattacking the Zeus Threat

  • The new year is likely to bring more of the same when it comes to criminals siphoning funds from consumers and banks. "I'm not seeing too much innovation," says SecureWorks senior security researcher Don Jackson. "Sophistication's evolving but there's been nothing revolutionary."

    January 1


Tompkins Financial Corp. of Ithaca, N.Y., is one of many financial institutions that have been attacked by the sophisticated malware known as Zeus. Now it's fighting back — with sticks.

To protect the funds of its largest commercial clients, which use its services to transfer up to $18 million at a time, Tompkins offered them a free USB stick. The device creates a secure connection to the bank, encrypting all instructions as they are typed.

The technology appears to have successfully blocked Zeus attacks, and the $3 billion-asset Tompkins now plans to try to sell the sticks to smaller business customers.

Tompkins is taking an unusual approach to a common problem. Zeus has caused hundreds of millions of dollars of fraud losses since it was identified. There were 1.6 million Zeus attacks against financial institutions in the first quarter of 2010, or about 15% of the total malware attacks in the quarter (the most recent period for which information is available), according to the research firm Gartner Inc.

The malware is hard to catch with most common antivirus software programs because it does not have an identifying signature, as most other viruses do, and it constantly changes.

"Right now banks are struggling for a way to protect the customer's browser session from Zeus and other malware," said Avivah Litan, a vice president and distinguished analyst at Gartner.

In one instance, a school district that banked with Tompkins was victimized as hackers made off with $23,000 of the millions of dollars the district kept on deposit. Another district that was not a Tompkins customer but located in the same region lost nearly $500,000 in a fraudulent automated clearing house transfer.

"Many of our customers were not aware of cybercrime and how rampant and easy it was to defraud them," said Glenn Cobb, vice president of information technology for Tompkins.

The USB sticks are a product called Trusted Access for Banking, from IronKey Inc. of Sunnyvale, Calif. It is designed to protect information even from computers already infected with Zeus or other malware.

About 10,000 of Tompkins' commercial clients actively use its electronic money transfer services. Some of the largest typically conduct ACH transfers of $100,000 to $18 million, and the bank knew it would remain a target.

The attacks that the USB stick is designed to thwart stem from a virus that is inadvertently downloaded by visiting an infected website. The malware lies dormant until a user connects to an online banking site. The program then wakes up to steal usernames, passwords and any other credentials it can grab.

In June Tompkins reached out to its top 120 ACH customers and distributed 200 USB keys at no charge. Since the summer, those customers have not had any break-ins, Cobb said.

Next, Tompkins will try to sell the keys and associated services for $14.99 a month to its small-business customers. That will be a bigger test, industry observers said.

"The Zeus botnet is now actively targeting small-business owners," said Julie Conroy McNelley, senior risk and fraud analyst for Aite Group in Boston. But they are less experienced and less educated than big corporations about financial security, though many transfer large amounts of money electronically. Hence, they may not immediately see the necessity for IronKey's product.

"Fifteen bucks a month might be something that gets some pushback" from them, McNelley said.

Industry analysts say that banks must use a multilevel approach to tighten security against new threats like Zeus. That includes simultaneously using such things as two-factor authentication or out-of-band authentication, such as sending a one-time-use code through a separate device from the one used to bank online. Analysts also recommend using software or hardware barriers to further protect the machine being used to connect to the bank.

"Banks should not count on one piece of security; they need a layered security approach," Litan said, adding it's critical to secure both front-end and back-end systems.

Litan said one of the most widely used vendors in the financial services industry is Trusteer Inc., which produces software that specifically protects customer browser sessions during ACH transactions. According to Trusteer, its customers include Bank of America Corp., Fifth Third Bancorp, HSBC Holdings PLC and ING Group NV's ING Direct USA.

Industry analysts said Trusteer's product appeals to banks because it is easily downloaded over the Web.

Other security vendors working on stronger security approaches include 41st Parameter of Scottsdale, Ariz., which received a patent this month for a product that examines requests made from computers by their individual time stamp to look for irregularities; and Guardian Analytics, a Los Altos, Calif., software provider that analyzes consumer banking behavior and spots irregularities that may indicate fraudulent transactions in real time.

"We take advantage of the entirety of the data that every user creates when they do online banking," said Terry Austin, Guardian Analytics' president and chief executive. The company works with financial institutions with assets of $300 million to $40 billion, and says its technology was instrumental in stopping several recent Zeus attacks.

Though industry observers said IronKey's stick-based product is useful in fraud prevention, they also said it should not be used as a stand-alone product and that it poses certain logistical difficulties.

For example, because the stick protects only the customer, it would not help protect direct attacks on the systems used by the bank or at any third-party processor that might be involved with the ACH transfer. Securing wireless transactions might also be an issue.

"For [IronKey] the Achilles' heel would be wireless," said Tom Kellermann, vice president of security awareness for Core Security Technologies, a testing company in Boston.

Further, businesses and consumers are "moving toward mobile banking based on [smartphones], and [many] smartphones don't have USB ports," Kellermann said.

Litan also said not all money transfers use ACH. Some occur by file transfer, and such transfers may not be secure using IronKey.

And unlike Trusteer's product, which users download directly, IronKey relies on banks to distribute the USB sticks to each customer, and the banks in turn must teach them how to use the keys.

"The biggest challenge was education," Cobb said.
