Expect Greater Impact From Online Banking Fraud

CUs’ luck may be running out on the online fraud front.

April 4, 2011

Online banking fraud has escalated to a top concern throughout the financial services industry. Cyber thieves have been compromising accounts through online banking systems at an alarming rate.

Their efforts have focused on small- to medium-sized businesses. However, banking and security publications report school districts, city/county government, and even a Catholic Diocese account have been pilfered over the last three years.

Credit unions have experienced similar occurrences on member accounts and their accounts at third-party providers of automated clearinghouse (ACH) and wire services. Our industry has been lucky so far and hasn’t experienced online banking fraud to the same extent as banks.

More security coverage

However, it’s quite possible credit unions could soon be impacted on a widespread basis.

The root of the problem has been Trojan keyloggers, primarily the Zeus Trojan. A Trojan keylogger monitors and captures keystrokes, logs them to a file, and sends them to cyber thieves.

The Trojan resides on the user’s computer without their knowledge and is primarily used to capture online banking login credentials.

Trojans like Zeus are spread through phishing e-mails, generally targeting key employees of an organization. Users of popular social networking websites, such as Facebook, also have been targeted.

Cyber thieves transformed Zeus and other banking Trojans into highly customizable toolkits that can avoid detection by antivirus software. Thousands of computers infected with customizable Trojans like Zeus form a botnet allowing cyber thieves to control the infected machines through command and control centers.

Zeus is used in man-in-browser (MITB) attacks. In a MITB attack, the victim’s browser is infected with the Trojan, which sits patiently waiting for the user to access online banking websites. The customization feature allows cyber thieves to target specific online banking websites.

When the user visits a targeted online banking website, Zeus silently springs to life. After the user is successfully authenticated—even with two-factor authentication, such as a one-time-password generated by a token—Zeus “piggybacks” on the user’s session.

It intercepts and modifies details of a transaction entered by the user and initiates new transactions without the user’s knowledge.

The user may initiate an ACH transfer and enter the transfer amount and destination account. But Zeus’ features allow it to intercept the transaction request and overwrite it by changing the amount and destination account.

The online banking system receives the altered transaction request transferring the funds to the new destination account. The user is unaware of the changes, as their browser displays the transaction information entered by the user.

The Federal Financial Institutions Examination Council is expected to release new authentication guidelines soon for financial institutions. The new guidelines are intended to clarify the agency’s existing guidelines on two-factor authentication issued in 2005 and what institutions need to do to bolster authentication efforts.

To better protect member accounts, consider implementing these measures:

  • Stronger two-factor authentication method, rather than the common method of computer recognition (using cookies) combined with challenge questions;
  • Out-of-band authentication (e.g., by telephone) to authenticate members through a separate communication channel;
  • Fraud detection tools to monitor user access behavior and individual transactions; and
  • Out-of-band transaction verification for large dollar transfers.

KEN OTSUKA is senior analyst, Risk Management, with CUNA Mutual Group. Contact him at 847-612-9653.