Internet Banking Fraud Creates Severe Challenges to Financial Institutions

Fraud News

Fraud News

Here is some of the recent news about banking fraud. If you would like to know more about any of these news items, please contact us.

• Zeus now available as a rootkit, speeding development of new attacks
• 12.6 million victims of identity theft in 2012
• NBC website hacked, leading visitors to Citadel banking malware
• DDoS attack hid $900,000 cyberheist; OCC confirms that DDoS attacks are being used to hide fraud attacks
• Hackers offer phone flooding service that will "take care" of competitors phone lines
• Fraudsters using mule accounts at big banks to move funds out of small banks
• New scheme uses website Live Chat feature to process fraudulent wire transfer
• Fraudsters successfully authenticate in 3 out of 5 attempts to log into online banking
• New mobile banking Trojan for Android lets crooks use smartphone as part of DDoS attack
• Carberp banking Trojan now available as bootkit with $40,000 pricetag
• Phishing scheme exploits Facebook to compromise 11 million computers and stead $850 million

Internet Banking

Internet Banking is Strategic

Protecting your customers and members from fraud attacks is not just a simple matter of making sure their money is not stolen. The strategic opportunity at stake is much larger and includes lifetime value, profitability, competitive advantage, and brand reputation. (Video: Why Online Banking is Strategic)

Individuals and businesses want to bank when and where it's convenient for them. To be competitive, to meet customer needs and reduce churn, banks and credit unionsmust not only offer online and mobile banking capabilities, but must continually expand the set of offerings. And do so while building customer confidence that their transactions are secure, their assets are safe.

To fully realize the strategic benefits of robust Internet banking services, youmust have a fraud prevention solution that's up to the challenge.

Please click the Know Your Enemy tab to learn more.

Know Your Enemy

Know Your Enemy

It's a war, and the enemy is relentless.

Fraudsters are businessmen. Fraud is a large, organized, global business with strong funding and state support. And their targets are financial institutions in the West.(Video: Financial Institutions are at War with a Formidable Enemy)

Fraudsters are organized and specialized (see graphic), and have established social networks to share their ideas, assistance, and successes.

Fraudsters also have a very efficient capital system, and often operate with the implicit approval and support of their federal government. In short, by being criminals and operating outside of the laws, ethics, and procedures that guide much of the law-abiding institutional behavior, fraudsters have a lot of advantages. And the financial returns they realize are very attractive.

How They Attack

Cyber criminals use a spectrum of techniques (see graphic) to compromise accounts and set up attacks, and are using all options available to them for completing transactions. Malware is certainly a challenging aspect of what you must detect, but many of the schemes involve human interaction, which enables the fraudster to adapt quickly and therefore makes the attacks harder to detect.

Credentials Are Widely Available

• 40% of PCs already infected (APWG)
• Authorities found thousands of stolen credentials on a single fraudster's computer
• Phishing and email breaches provide additional data
• Fraudsters successfully authenticate for 62% of the online banking sessions they attempt (Guardian Analytics)

Phishing and Social Engineering Resurfacing

• Social engineering on the rise (Gartner)
• Trend showing fraudsters using mobile/tablets to compromise credentials (Aite)
• Email breaches connected to banking fraud (Aite)
• 60% of passwords reused

Rapid Malware Innovations Leave FIs Exposed.

Malware detection providers themselves say when something new appears, it is a two-week cycle to research and formulate new protections. A study by Imperva found that AV software detects only 5% of new malware. Criminals are accelerating their investments to exploit this weakness.

Here are just some of the malware familiesthat criminals are using steal credentials and bypass authentication, with an increasing number of "rootkits" available commercially within the fraudster community, dramatically shortening the time needed for a new fraudster to develop and launch an attack.

Zeus SpyEye Gameove ICE IX

Ramnit Carberp Shylock

Gozi Zitmo Spitmo

Moving Funds Through Online and Offline Transactions

• In a 2012-2013 account reconnaissance attack, ~1000 accounts at 75 FIs were involved in a single offline fraud scheme
• ACH channel represents 56% of losses (FS-ISAC). Criminals are taking advantage of operational weaknesses in ACH
• Wire channel represents 76% of attempts (FS-ISAC)
• Fraudsters using online account to gather information for offline fraud attacks (for example, see Guardian Analytics Fraud Informer: Chatting for Dollars)
• 90% of confirmed fraud incidents did not involve a payment (Guardian Analytics); fraudsters are gathering information online for offline attacks.

Please click the True Cost of Fraud tab to learn more.

True Cost of Fraud

The True Cost of Fraud

A Guardian Analytics survey found that in 78 percent of attacks, the money left the institution before the attack was recognized, and in half of the cases, the FI took all or some of the loss. So, the initial fraud loss certainly is part of the cost. But additional costs can be significant, too. (Video: The True Cost of Fraud)

The full cost of fraud loss includes:

• Investigation and Remediation. Investigation is the staff time for the forensic analysis (i.e. what malware was involved and how the account was compromised), determining fault, and evaluating what processes worked or didn't work. Remediation is determining how the bank may or may not compensate the business for the loss.
• Legal Costs. Recent court cases have sided with the victimized business. If you (the financial institution) are found to be liable, you can expect to have penalties added on to court costs.
• Customer churn. Customers will leave if they feel you are not adequately protecting them, costing you the future lifetime value of that customer.
• Brand & Reputation. It's hard to measure true cost, but clearly there's damage to your brand and reputation if you're a victim of fraud losses.