Community Bankers of Iowa Monthly Banker Update June 2014 | Page 11
Hackers are also creating attacks which present fake popups during online banking sessions asking the user to reauthenticate. These attacks are extremely successful because users assume that, once they are inside an online banking portal, the request is legitimate, and they will re-enter all of their information, including one-time token-generated passwords. Cybercriminals constantly monitor these feeds and will log in within seconds after the user complies and types in their information.
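As an added illustration (not from the newsletter or any vendor named in it), the check below shows how a bank's back end could spot the relay described above: a second login for the same user from a different address within seconds of the first, while the first session is still open. The log format, field names and timings are constructed for the example.

```python
# Added example: server-side check for a relayed one-time password.
# Assumption: the auth log records, per event, a timestamp in seconds, the
# user ID, the source IP, and whether it was a login or a logout.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthEvent:
    ts: int        # seconds since epoch (constructed values below)
    user: str
    src_ip: str
    kind: str      # "login" (credentials + one-time token accepted) or "logout"


# Constructed sample log: alice's token is relayed from a second address
# 15 s after her own login; bob logs out before logging in elsewhere;
# carol re-authenticates from the same address (e.g. a page reload).
SAMPLE_LOG: List[AuthEvent] = [
    AuthEvent(1000, "alice", "203.0.113.10", "login"),
    AuthEvent(1015, "alice", "198.51.100.7", "login"),
    AuthEvent(1020, "bob",   "192.0.2.5",    "login"),
    AuthEvent(1100, "bob",   "192.0.2.5",    "logout"),
    AuthEvent(1130, "bob",   "192.0.2.9",    "login"),
    AuthEvent(1200, "carol", "203.0.113.20", "login"),
    AuthEvent(1205, "carol", "203.0.113.20", "login"),
]


def find_relayed_logins(events: List[AuthEvent], window: int = 120) -> List[Tuple[str, str, int]]:
    """Return (user, new_src_ip, seconds_since_prior_login) for each login that
    arrives from a different address while the user's earlier session is still
    open and within `window` seconds of it: the shape a relayed one-time
    password produces. Repeat logins from the same address are ignored."""
    active: Dict[str, AuthEvent] = {}   # user -> most recent open login
    hits: List[Tuple[str, str, int]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "logout":
            active.pop(ev.user, None)
            continue
        prior = active.get(ev.user)
        if prior and prior.src_ip != ev.src_ip and ev.ts - prior.ts <= window:
            hits.append((ev.user, ev.src_ip, ev.ts - prior.ts))
        active[ev.user] = ev
    return hits


if __name__ == "__main__":
    for user, ip, delta in find_relayed_logins(SAMPLE_LOG):
        print(f"possible relayed token: {user} from {ip}, {delta}s after prior login")
```

A hit is a reason to hold the new session for step-up verification or an out-of-band call, not proof of fraud on its own; mobile users changing networks produce the same pattern.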
While this may sound like true blasphemy, we need to recognize that IT staff will also most likely make errors which can lead to security breaches and CATO (Corporate Account Takeover) attacks. Consider the Target breach, where a highly funded, extremely sophisticated staff made several critical errors which opened network vulnerabilities to attackers. In this case, credentials granted to a vendor were used to access different network areas, which means that IT staff failed to isolate sensitive assets. There is also evidence that IT staff failed to respond to multiple warnings from the intrusion detection system. It is imperative that IT remember that they too are human and can make mistakes.
The most devastating mistake which can be made is the belief that a business is secure and that traditional defenses will provide the requisite protections. The National Cyber Security Alliance released a survey in which 66% of the respondents stated that they believe they are safe from cyber-attacks, and 77% responded that they’ve never been hacked. In nearly every case, those assumptions simply don’t hold up to validation. Mark Eich of Clifton Larson Allen agrees: “we see people who think they are secure and we can go through their protections like a knife through butter”. It’s not uncommon for security audit firms to conduct penetration tests where they attain complete domain control in 20 minutes or less.
4. Cyber-fraud is going to get worse
Ask any industry expert and they will tell you cyber-fraud is only going to get worse. Aite Group predicts that CATO losses will grow from over $400mm in annual losses in 2012 to over $800mm by 2016. Research indicates that fraud losses exceeded $523mm in 2013, which means that actual fraud outpaced projections by 46%. The growth in fraud is fueled by more and more cyber-attacks. Symantec reported that attacks against small to medium sized businesses doubled in the first half of 2013. Supporting that study, the White House Cyber-Security Coordinator stated that 85% of cyber-attacks are targeting small businesses. These attacks frequently target financial data, and the FDIC lists financial malware as the #1 fraud threat.
In Corporate Account Takeover, cybercriminals have found a way to make quick cash from their exploits. Because this type of fraud is so successful and lucrative, there will be more attacks. Not only will current cybercriminals escalate their attacks, but new fraudsters will join in after seeing the large paydays being attained by their peers.
Another large factor contributing to the rise in online banking fraud is the advances hackers have made in infecting large numbers of computers effectively and easily. Yahoo recently reported that its European homepage had been compromised and that those who had viewed the site could potentially be infected with ZeuS. At the time of the attack, Yahoo was experiencing over 300,000 visitors per hour, and low-end estimates are that over 29,000 computers were infected. This is a tactic which is gaining popularity among hackers and will continue to occur. Several other large websites have experienced similar compromises, including LATimes.com, MSNBC.com and even the Star Tribune.
Some will breathe easier as banks roll out advanced authentication methods to deter attacks. However, many of these solutions are already legacy technologies which can be easily bypassed by sophisticated criminals. Tokens are a very popular security measure being implemented by U.S. financial institutions, yet there have been several high-profile cases where they failed, including Experi-Metal ($560,000), Lifestyle Forms & Displays Inc. ($1,200,000) and Efficient Services Escrow ($1,500,000). Security tokens, when used effectively, will drastically reduce the chances of fraud. However, they will not eradicate the risk completely.
5. Your company is likely to fall victim unless there is a specific security plan for online banking
There is one commonality in every Corporate Account Takeover attack: either the victim believed themselves to be secure, or simply didn’t care. A critical fact every organization must realize is that standard IT protections are simply not enough to deter Corporate Account Takeover attacks, and there must be a specialized security plan in place specifically for online banking.
The other common denominator in every CATO attack is infected computers. Because of the amount of money at stake, it is imperative that organizations properly secure the computers used to access online banking. One of the commonly shared best practices is to dedicate a single computer to accessing online banking which is segregated from the rest of the network. This computer’s sole purpose is to conduct online banking sessions, and it is not used to access email, surf the web, etc.
In lieu of a dedicated device, online banking users can utilize specialized software, such as SafeCentral, which provides the same benefits at a fraction of the cost and none of the inconvenience. Through patented technologies, SafeCentral will render any malware on the machine inoperable during an online banking session, thus providing a clean environment for every transaction.
In addition to technological controls, online banking is a specialized function and requires administrative controls as well. Best practices include:
- Balancing and reconciling account balances on a daily basis
- Utilizing administrative controls, such as debit blocks/filters and ACH positive pay
- Utilizing dual control where one user initiates a tra