One of the biggest security problems facing the banking industry is online takeover of commercial bank customers' accounts.
At an FDIC event earlier this year it was disclosed that automated clearing house fraud had quadrupled over the prior 12 months.
As they increasingly come under attack, many banks are discovering they lack the resources to protect themselves.
Education itself is not sufficient to ward off the current wave of cyberattacks. Banks must determine what is reasonable security and deploy new, advanced technologies. Their executives should realize their machines could become infected anywhere. The worst-case scenario, in which litigation and government policy dictate banking decisions, could become reality.
Banks must take proactive steps. Otherwise they risk losing revenue, profits and customers; destruction of their brand; and fines for not meeting security compliance and audit mandates.
Many attacks use an insidious malware that in effect allows the attacker to take over the corporate financial accounts in real time by hijacking active banking sessions on the computer of a chief financial officer or other finance professional. The attackers can then issue commands for funds transfers to offshore accounts where the money is rarely recovered.
In the past six months financial institutions, security companies, the media and law enforcement agencies have all reported a sharp increase in funds-transfer fraud involving the exploitation of valid banking credentials belonging to small and midsize businesses.
Criminals are using commercial online banking malware that includes a number of new families of Trojans that use live authenticated sessions to defeat traditional security defenses.
The new Trojans are even able to beat multifactor authentication that banks have employed to protect consumers against phishing fraud. Not only are they capable of stealing corporate authentication credentials, but they can also perform fraudulent transactions from a victim's own computer.
These "man in the browser" Trojans also rewrite the web browser pages that a victim sees and often request secondary authentication credentials such as secret questions and answers that can be used later to change the victim's login credentials.
To combat this growing threat, Nacha and the FBI developed guidelines designed to help banks and their clients protect commercial bank accounts. Here's a summary of the recommendations:
- Use a dedicated computer to perform only banking transactions — do not use work applications, e-mail, or visit nonbanking websites.
- Conduct banking operations in a secured environment.
- Protect the computer with anti-malware software.
- Keep the computer refreshed with the latest software updates.
- Use strong, two-factor authentication for gaining access to banking according to Federal Financial Institutions Examination Council rules.
At first the Nacha and FBI safe-banking guidelines may seem unrealistic. Banks take pride in being able to offer their customers the convenience of online banking without requiring them to buy and use a separate, dedicated computer. Using a dedicated computer is unrealistic for some companies, but there are ways to meet the intent of this particular recommendation without one.
New technology is available for all types of banks and their commercial banking clients that allows them to have the same benefits of a designated computer, and also allows mobility and additional usage while providing the same protection.
When considering these products, be sure to ask about features such as tamper-resistance, portability and ease of use. Banks can use this technology to create a safe environment for banking while still following the guidelines put forward by Nacha and the FBI.
Virtually all the known account takeovers due to financial malware could have been avoided. Banks that leverage this new technology and the Nacha and the FBI guidelines will be able to avoid the risk of the ever-evolving threat of next-generation malware.