Anomaly Detection Demystified [infographic]

In its updated guidance issued June 2011, the FFIEC specifically identified anomaly detection as one of the two minimum components of a layered security program required for any financial institution offering online banking (see page 5!).

We recently released an Anomaly Detection Toolkit to help educate financial institutions on the topic. Here is our infographic on what anomaly detection is, how it works to detect fraud attacks, and how financial institutions can respond to any anomalous, or suspicious, online banking activity. 

We here at Guardian Analytics know a little something about anomaly detection. We’ve pioneered use of this technology to detect online banking fraud, and currently deliver this powerful capability to about 150 banks and credit unions – day in and day out.

If you want to hear this graphic come to life, here’s a video with voiceover that explains the whole process.

Anomaly Detection infographic

Mules & Jewels: “Gameover” in 9 Steps

The new “Gameover” malware driving online banking fraud has gotten much attention in the press lately, but I realized that most of it has focused on the distributed denial of service (DDoS) attacks launched by this malware variant to bypass common controls.  Another important element of the total scheme that I think is worth highlighting is a new twist on how criminals are using money mules to “pick up” and move stolen funds.

Fraudsters are getting creative and employing a new, retail-based approach. Why? To decrease the risk of their mules getting caught. They are using high-end jewelry stores to essentially launder their loot.

Here’s how it works:

  1. The fraud victim – typically a business banking customer – gets a phishing email that appears to originate from a reputable organization such as the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC). When this attack was first launched, all emails appeared to originate from NACHA. The email may claim that there is a problem with a recent transaction that requires the user’s attention.
  2. When the link in the email is clicked, the victim is sent to a bogus website and inadvertently downloads a new variant of the notorious ZeuS malware called “Gameover”.
  3. Once infecting the victim’s PC, “Gameover” keylogs all online banking activity and sends stolen account credentials to the criminal.
  4. In a new wrinkle, the criminal employs a DDoS attack to cover their tracks. When the attack begins, the victim’s business may be hit with DDoS to prevent Internet access so they don’t notice the attack and can’t reverse the transaction.
  5. In a more sophisticated version of the scheme, the financial institution is included in the DDoS attack, further decreasing the likelihood of the fraudulent transfers being noticed.
  6. The criminal wires money to a high-end jewelry store and then places an order for precious stones or expensive watches.
  7. A mule physically visits the store to pick up the order.  The jeweler checks their account, sees that the funds are there, and delivers the merchandise to the mule.
  8. The mule may then turn the jewelry over to the fraudster or sell it for cash.
  9. When the fraud is discovered, it can be the account holder or the jewelry store itself that’s hit with the loss.

It’s definitely “game over” for the victims of this fraud scheme.

This use of the Gameover Trojan was recently written up by the FBI, and my colleague Craig Priess explains it nicely in a video about this attack. Our fraud and threat research teams stay up to date on the latest cybercrime tools and techniques, and I hope you will use this blog as a resource for combating fraud at your financial institution.

A Tale of Two Banks (A True Story)

We hear often from our bank and credit union clients about the account takeover and fraud they’ve stopped using our anomaly detection solution, FraudMAP.  Normally the movie plays out roughly the same: fraudster meets bank account, fraudster likes bank account, FraudMAP detects the fraudster’s suspicious or anomalous activity, FI looks like a hero to their account holder, fraudster goes home with no money.

Recently we heard a tale from one of our customers with an interesting twist. At Guardian Analytics we are passionate about the concept of great security AND a great account holder experience.  The plot twist in this fraud story highlights how the right protections can create the right customer experience that builds trust and loyalty. And lack of the right protections creates, well, something very different.

The movie begins with one of our customers, Bank A, a mid-sized bank using FraudMAP that proactively detected suspicious activity in an account.  FraudMAP alerted the bank to unusual behavior before any sort of transaction was initiated.

Based on the suspicious behavior, the bank called the account holder to inquire about the activities.  The account holder confirmed that they had not logged in to their account at that time or from that location. He was thrilled that the bank was proactively looking out for his safety and was able to catch this before any money was moved.

Now for the twist: while they were on the phone discussing next steps, the account holder realized that if his account at Bank A had been compromised, it was likely his account at Bank B had been compromised as well.

He logged into his account at Bank B, a much larger national bank, and discovered that a very large wire transfer had been initiated through his account and released by the bank. He had to make “the call” that far too many banks receive: according to a survey done by ISMG, 76% of FIs find out about fraud from their customers.

One client, two banks. One happy ending, one nightmare.  The FFIEC got it right. In their new Guidance for online banking security, they call for all banks to have anomaly detection as the foundational component of their security strategy.  This account holder’s money was clearly safer in the bank with sophisticated anomaly detection looking for signs of suspicious activity before money leaves the bank.  Powerful protections and a great customer experience can and do co-exist.

Which movie would you star in? The fairy tale? Or the horror story?

August Fraud Roundup

For cyber criminals, security researchers, regulators and financial institutions, there’s been no summer break.  The FFIEC announced a Supplement to its 2005 Authentication Guidance, hackers produced significant volumes of new malware, more businesses lost money and another lawsuit was filed.

With so much going on, we thought we’d use the blog to regularly summarize the hot news. Welcome to our first “Fraud Roundup”:

The FFIEC raised the bar on expectations for layered security, risk assessments and customer education. Following the Supplement’s release, there has been a lot of discussion on the topic of the guidance and layered security.

In recent presentations by the FDIC, OCC and the Federal Reserve Board, the Agencies make one thing very clear about the Supplement: all institutions are expected to have layered security; layered security at a minimum is defined by the capability to detect and respond to anomalous customer behavior at login and initiation of transaction. The Agencies further clarified this is expected for retail and commercial banking and that business accounts.

For more details and resources, and to track the key topics about the Supplement, please visit our FFIEC Resource site.

In March 2010, Village View Escrow of California had its online bank account infiltrated by hackers, suffering $465,000 in losses. The company now has filed a lawsuit in the California Superior Court against its bank. This is the latest in a stream of other recent commercial banking fraud lawsuits.

The fraud losses continue. This latest theft is yet another reminder that cybercriminals are effectively bypassing existing controls.

Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.

End users aren’t getting any relief. A Cisco study finds that cyber fraud has shifted from mass, generalized attacks to very specific spear phishing hits that harness stolen user information to dupe unwitting consumers (such as bank customers and cardholders) into divulging account information.

Security experts are expecting a surge in SpyEye attacks this year, after the license key to SpyEye, the top rival to the ZeuS banking Trojan, was exposed. Hackers started making versions of SpyEye available for $100 (down from $10,000), making the Trojan kit much more readily available to criminal gangs. More than 2.2M computers are estimated to be infected and under the control of SpyEye botnets.

McAfee reports that Android was the most popular target for malware developers in Q2 2011. Researchers highlight mobile crimeware on Android that forwards SMS messages, a technique to thwart out-of-band authentication and verification.

The REST of the Online Banking Fraud Story

Yesterday, Bloomberg posted a lengthy article – Hackers Take $1 Billion a Year from Company Accounts Banks Won’t Indemnify – highlighting the serious problem of online banking fraud attacks against small and medium sized businesses (SMBs). I’m pleased this is getting more mainstream attention, but anyone reading this blog will know this is not a new problem. In fact, we’re just about at the two-year anniversary of the first alarm bells ringing on the corporate account takeover problem.

The article pretty thoroughly covers the commercial account fraud ecosystem and the devastating results of fraud.  But while it nicely admires the problem, it fails to point out that there are solutions within the reach of every bank and credit union, and that many are equipping themselves to proactively stop these attacks.  And they are doing so successfully and affordably.

A rapidly growing number of national and community banks and credit unions are using FraudMAP, our anomaly detection and transaction monitoring solution, to identify account takeover and stop the very fraudulent wire and ACH transfers described in this article. These institutions consistently detect and stop fraud, spend less than an FTE to investigate high-risk accounts, and receive high praise from their account holders when they make a call to discuss suspicious activity. It took many of these institutions less than a week to deploy the solution on a wide variety of online banking platforms, and it costs them less than one average ACH or wire fraud.

As I discussed in my last blog post the FFIEC recently updated its guidance on Internet Banking security. They too agree that the threat has grown too great, criminals can defeat existing controls, and this is an issue banks must tackle. They are now expecting all institutions to have the capability to detect and respond to anomalous behavior.

We had an interesting call from one of our customers today that highlighted the difference between banks that are equipped to solve the problem and those that are not. Our customer, let’s call them Bank A, used FraudMAP to proactively detect an account compromise for one of their accounts. Our solution alerted Bank A to suspicious activity in the account and they quickly notified the account holder. This all happened before a fraudulent money transfer was even attempted. While discussing the situation, the account holder mentioned that they also had an account at a different institution, Bank B, which is not a user of FraudMAP. When the account holder checked their account at Bank B, they found an unauthorized wire transfer and a significant amount of money missing from their account.

Bank B now is faced with 1) spending time to attempt to claw back the money, 2) trying to explain why they were not able to stop a fraud that Bank A could, and 3) a potential customer loss. Customer churn is a common outcome of these attacks – our 2011 Business Banking Trust Study reports that 43 percent of SMBs take their banking business to another institution following a fraud attack. Despite the title of the article, nobody wins when a commercial account is raided.

This real-world scenario shows that with the right protections in place, money can be safe in the bank. And it can be safe at large banks, midsize banks and small banks.  Businesses don’t need to run to the large institutions, they should just work with banks that have the right security.

By this time next year, if institutions meet the updated layered security expectations set forth in the guidance, the story should be very different. Instead of focusing on the villains and victims, we’ll be hearing stories of the heroes who stopped the criminals in their tracks. We’ll be hearing more stories of ordinary institutions providing extraordinary fraud prevention.

FFIEC Releases Supplemental Guidance for Internet Banking Security

It’s been 24 hours since the FFIEC released their Supplement to the Authentication in an Internet Banking Environment guidance issued in October 2005 and it has been interesting to watch the industry’s reaction to this much-anticipated update.  Some think it is a positive step, some think it is not specific enough in defining responsibilities for banks, and some think it is outright lacking in certain areas.

And while all of these points have some element of truth to them, it is important not to overlook that at its heart and most importantly the guidance acknowledges that today’s threats are too sophisticated for yesterday’s controls.  Authentication alone is no longer effective for protecting online accounts and transactions and financial institutions now have new expectations for risk assessments and layered security strategies.

The supplement reinforces the need for a layered security approach, and explicitly states that the agencies expect (not suggest or encourage, but expect) that an institution’s layered security program will contain two elements at a minimum: 1) the ability to detect and respond to suspicious activity, and 2) improved control of administrative functions. It defines the first element as processes designed to detect and effectively respond to suspicious or anomalous activity related to initial log-in and electronic transaction requests. That is, check for suspicious activity from log-in to log-out.

There is a reason detecting anomalies and suspicious activity is first – it works across all customers and across the widest array of threats.  The Guidance even states, “transaction monitoring and anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.”

Our company was founded on the idea that the best way to prevent online and mobile banking fraud is to do precisely this – look for anomalous activity at the individual account holder level that is indicative of account takeover, account reconnaissance, and fraudulent transactions. More than 50 financial institutions who we have the privilege of calling customers know this, too, and have day in and day out seen the benefits of proactively stopping criminals in their tracks, before money leaves their institutions. And now it’s expected of all institutions. We think this is a positive step forward and that banks, credit unions, and their account holders will benefit.
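The Guidance quoted above, the Agencies’ “login and initiation of transaction” framing in the Fraud Roundup, and the Bank A story (a login “not at that time or from that location”) all describe the same idea: compare each event against the account holder’s own established patterns rather than against a list of known malware or fraud signatures. The script below is an added illustration of that per-account baseline approach; it is not Guardian Analytics code and says nothing about how FraudMAP actually scores events. The scoring weights, the 5% “usual hour” cutoff, the 3-sigma amount rule, and the sample history for the account are all constructed for the example.

```python
"""Per-account behavioural anomaly scoring for online banking events.

Added example (not Guardian Analytics' or FraudMAP's code). Each account
holder gets a baseline built from their own past logins and transfers;
new events are scored by how far they stray from that baseline.
All weights, thresholds and sample data below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Baseline:
    """What this particular account holder has done before."""
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    amounts: list = field(default_factory=list)

    def learn_login(self, country, device, hour):
        self.countries[country] += 1
        self.devices[device] += 1
        self.hours[hour] += 1

    def learn_transfer(self, amount):
        self.amounts.append(amount)


def score_login(b, country, device, hour):
    """Score a login attempt against the holder's history; returns (score, reasons)."""
    score, reasons = 0, []
    # Guards on b.countries / b.devices keep a brand-new account (no history)
    # from being flagged merely because nothing has been seen yet.
    if b.countries and country not in b.countries:
        score += 40
        reasons.append(f"never seen from {country}")
    if b.devices and device not in b.devices:
        score += 25
        reasons.append(f"unknown device {device}")
    # An hour the holder has used in under 5% of logins counts as unusual.
    total = sum(b.hours.values())
    if total and b.hours[hour] / total < 0.05:
        score += 15
        reasons.append(f"unusual hour {hour:02d}:00")
    return score, reasons


def score_transfer(b, amount):
    """Score a transfer amount against the holder's past amounts."""
    score, reasons = 0, []
    if len(b.amounts) < 5:          # too little history for a stable baseline
        return score, reasons
    mu, sd = mean(b.amounts), pstdev(b.amounts)
    if sd == 0:
        z = float("inf") if amount > mu else 0.0
    else:
        z = (amount - mu) / sd
    if z > 3:
        score += 40
        reasons.append(f"amount {amount:.2f} is {z:.1f} sd above mean {mu:.2f}")
    if amount > 2 * max(b.amounts):
        score += 20
        reasons.append(f"more than double previous max {max(b.amounts):.2f}")
    return score, reasons


def risk_level(score):
    """Map a numeric score onto the tier an analyst queue would use."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def assess(b, event):
    """Score one event dict; returns (level, score, reasons)."""
    if event["type"] == "login":
        s, r = score_login(b, event["country"], event["device"], event["hour"])
    else:
        s, r = score_transfer(b, event["amount"])
    return risk_level(s), s, r


def build_demo_baseline():
    """Constructed history for one account holder (sample data, not real)."""
    b = Baseline()
    for i in range(40):                        # 40 logins, always US, one device,
        b.learn_login("US", "dev-A", 9 + i % 9)  # spread across 09:00-17:00
    for amt in [1200, 950, 1500, 1100, 1300, 1000, 1250, 1400]:
        b.learn_transfer(amt)                  # routine payroll-sized transfers
    return b


if __name__ == "__main__":
    base = build_demo_baseline()
    for ev in [
        {"type": "login", "country": "US", "device": "dev-A", "hour": 10},
        {"type": "login", "country": "UA", "device": "dev-Z", "hour": 3},
        {"type": "transfer", "amount": 1350},
        {"type": "transfer", "amount": 48500},
    ]:
        print(ev, "->", assess(base, ev))
```

Two design points matter more than the particular weights. First, the login score is computed before any transaction exists, which is exactly the window Bank A used to phone its account holder. Second, an account with no history scores “low” rather than “high”: cold-start accounts need a separate policy (for example, tighter limits until a baseline forms), because otherwise every new customer would become an alert.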

There has been a perception perpetuated in the industry that fraud monitoring is difficult to implement and complex to operationalize.  This is just wrong. Our online and mobile banking fraud prevention solution, FraudMAP, is rapidly deployed and customers can be up and running in just a few days with little to no support required from IT. To learn more about how FraudMAP can help you to meet the first, and most important expectation expressed in the Guidance Supplement, visit our website, or for a more detailed look at how FraudMAP has helped our customers, download our case study kit.

Court Recommendation is a Call To Action for the FFIEC on Authentication Guidance

A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in the case of PATCO Construction suing its former bank, Ocean Bank over a $500,000 fraud loss. According to the order, the bank fulfilled its contractual obligations for security and authentication through its requirement for log-in and password credentials.

At issue in the case is whether financial institutions should be held responsible when commercial accounts are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to their commercial accounts? The magistrate in this case has closely aligned his recommendation with a literal interpretation of the 2005 FFIEC Guidance that states single factor is not enough.

Now that this water is almost under the bridge, we feel the remaining issue is what the FFIEC can do now to offer leadership to the industry and stem the flood of similar losses and resulting lawsuits.  While the courts may feel that the bank was using reasonable security from a legal standpoint, clearly that security isn’t enough from a practical standpoint and should no longer be the standard.  The court even commented that the bank could have done more and could have prevented the loss.

The case must still be reviewed by the presiding judge, but regardless of how it is ultimately decided, it’s a hollow victory for the “winner.” The only winners in this case were the fraudsters that stole the money. The bank spent time, treasure and good will defending its contractual obligations and its security framework. And PATCO lost over a quarter of a million dollars plus legal costs and productivity losses. Worse, this isn’t an isolated incident. There are many more victims – banks and credit unions, commercial and retail accounts – going through the same thing every day. And unnecessarily so.

The technology and processes to stop this blight exist in the market today. They are affordable for any size institution and have been proven over and over again to be effective at stopping online and mobile fraud. The financial institutions need to adopt them.  The commercial account holders need to insist on them.

But what’s most important in light of this legal precedent is that the FFIEC step off the sidelines and take action by releasing their long-expected updated guidance with more specificity around risk assessments and control expectations. The FFIEC has the chance to lead the way – but they need to act, and act now.

For a nice summary on the recommendation by the magistrate read Bank Info Security’s article: ACH Legal Ruling Favors Bank

A Community Bank Perspective on Fraud Prevention

I recently spent some time with one of our community bank customers and I was struck by their business and technology approach to securing their account holders.

This Illinois-based $2.5B bank strives to offer leading online and mobile products competitive with the big national banks AND deliver community bank style service. Expanding their offerings without increased fraud risk required enhancing their fraud prevention capabilities.  Here are some valuable snippets:

Security point of view: You can’t depend on account holders, you can’t secure the endpoint: The bank understood that cyber criminals continue to attack account holders directly and designed their fraud prevention strategy with the notion that all end points have been compromised and you can never truly secure the end point.

The bank wanted a solution that would transparently provide complete coverage across all account holders and not require account holders to do anything or change their processes. They also wanted a solution that had no dependencies on understanding malware or fraud patterns. As the bank states – “You don’t know what your enemy will do, but you always know what your customers have done.”

Business point of view: The risk of fraud is too great to the business not to take action. The bank recognized the strategic value of preventing fraud and that the true cost of fraud goes well beyond any financial losses. Customer churn, reputation issues, and lost staffing time are all risks of a fraud event that the bank was not willing to take.  An executive at the bank explained,  “I’d rather invest a known amount in a proven solution, than risk the unknown costs of a fraud event.”

Benefits beyond fraud losses averted. The bank deployed our solution, FraudMAP, and has experienced a wide range of benefits. What stands out to me is the impact it has had on their ability to retain current clients and draw in new business. The CISO of the company goes out on sales calls with the account management team, telling their commercial clients that the bank has industry-leading security, with FraudMAP as a critical part of that story.

Additionally, every call to a customer about suspicious activity has become a relationship building event.  The bank receives wildly positive feedback – “we’re so glad you have our back!”

Our latest case study provides more background and details. After implementing FraudMAP, the SVP of Deposit Operations summed up the project quite nicely when he said, “It’s the perfect balance of sophistication and affordability.”

The Hits Keep On Coming – But They Don’t Have To

Recently, the FBI, FS-ISAC, and IC3 alerted the industry to a new fraud scheme involving corporate account takeover and unauthorized wire transfers sent from the accounts of small and medium-sized businesses to China. There were twenty incidents investigated by the FBI with $20M at risk and $11M in losses. I’m guessing there were many more incidents that never made their way to the FBI and the situation is actually much worse. In fact, some of our customers detected fraud attempts associated with this same alert and were able to stop fraudulent transactions from occurring.

What’s really striking to me is not the total loss, but the boldness of each individual attack. Wires investigated by the FBI ranged from $50,000 to $985,000. Data from unsuccessful attempts against our FraudMAP users put the largest single wire attempt at $1.9M. You can read more about the attempts that we recorded in our recent Fraud Informer.

With no risk of retribution, criminals are getting bigger and bolder and experts are warning these schemes will continue.  Avivah Litan was quoted in a BankInfoSecurity.com article saying, “You can be sure the attacks won’t abate until banks fight back.”  I couldn’t agree more.

The risk of not taking action is too great for financial institutions. The cost of this type of attack and its impact on profitability, operational resources, customer loyalty and reputation is much higher than any fraud prevention solution. We are thrilled our customers proactively invested in protecting their account holders and that no money was lost to these attacks. Not every business and every bank was as fortunate.

We hope the attention given to this scheme will create a call to action for institutions to fight back. It costs less money, time and effort than most think to prevent these attacks. Millions of stolen credentials are already available to criminals and with the recent Sony PS3 and Epsilon breaches, there is more personal information than ever at large to help criminals compromise accounts. I hope it doesn’t have to get too much worse before it gets better.

Hope for the Best, Prepare for the Worst

Last week the Department of Justice announced it had taken the most comprehensive and complete action in its history to bring down an international botnet. Active for over 10 years, the botnet was a network of over 2 million computers infected with a malicious software program known as Coreflood. Coreflood is a key logging program that steals usernames, passwords and other personal and financial information for a variety of criminal purposes, including stealing funds from the compromised banking accounts.

The court papers for the civil suit against the criminals identified a set of sizable corporate account takeover and fraud incidents directly related to Coreflood:

  • $115,771 in fraudulent wire transfers from a real estate company in Michigan
  • $78,421 in fraudulent wire transfers from a law firm in South Carolina
  • $151,201 in fraudulent wire transfers from an investment company in North Carolina
  • $241,866 in fraudulent wire transfers from a defense contractor in Tennessee

The 2011 Business Banking Trust Study highlights that attacks like these put banks and their customers in a lose-lose situation and permanently damage the relationship between a business and its bank. But what’s really concerning is that with 2 million computers infected, who knows what additional damage is waiting for financial institutions and their account holders.

It’s too late for the consumers and businesses whose credentials have already been stolen to use anti-virus or secure browsing techniques to protect themselves.  These retail and commercial account holders will have to rely on their own diligence and the proactive fraud prevention efforts of their financial institution to keep their money safe.

This serves as a reminder for banks and credit unions of all sizes to assume the endpoint is compromised and build fraud prevention strategies accordingly. And while they can hope for the best (that those stolen credentials will never be used), institutions should really prepare for the worst.

About Guardian Analytics

Guardian Analytics is the technology leader in the prevention of online account fraud, providing real-time risk management solutions that protect online channels. The company supports the end-to-end online risk management process with rich analytics and behavior-based modeling. We offer an analytics-based software solution that addresses the entire risk management lifecycle.