SynerComm Blog
There is a lot of information available on the Internet about Banking Trojans and the recent trend of online bank account attacks. In this article we provide a brief overview and then focus on the points of failure that allow these fraud attacks to occur.
Overview of a typical online cash management fraud event:
- The fraudster builds a huge network of infected PCs (called a botnet), generally by sending phishing email, scanning for vulnerable computers, or hiding viruses in files that people may download from the Internet.
- The fraudster monitors his botnet of infected computers to see if any are used to log into online cash management (business online banking) websites.
- When an online cash management login is detected, the fraudster records the user ID and password that was used, as well as any challenge questions, security cookies, etc.
- The fraudster hires unsuspecting people (known as money mules) to accept money into their bank accounts and wire it overseas – keeping a commission for themselves.
- The fraudster logs into the compromised cash management account and initiates multiple ACH or Wire transactions to their money mules.
- Depending on the bank’s controls, the transactions are processed and the money is sent out of the victim’s accounts.
What about Retail Banking?
Retail banking applications generally do not have the ability to do high-risk transactions such as ACH or Wire transfers. Until recently they have not been targeted by fraudsters as much as commercial accounts. Now that many institutions are implementing strong authentication or other controls to protect their commercial clients, we’re starting to see a rise in attacks against retail online banking and bill-pay. Here’s one common scenario:
- Fraudster compromises retail online banking passwords (and challenge questions or security cookies).
- Fraudster purchases gift cards or other merchandise online, and pays using a “Bill me” service such as ebillme.com.
- Fraudster uses the compromised retail bill-pay account to send a payment to the bill me service.
- The transaction is detected when the customer sees the unauthorized transaction on their statement.
As you can see from the overview above, there are multiple steps involved in an online banking Trojan attack. Vulnerabilities exist at each step allowing the fraud to occur, but if you can stop the attacker at any one step the attack will likely fail. Here are some of the points of failure at the different stages of the attack.
Point of failure 1: Infected business computer
The attack starts with the infection of a computer used for Online Banking. In upcoming blog posts on layered security and customer awareness training we’ll go over steps to try to prevent infections.
Point of failure 2: joining a bot network and giving the hacker control
There is another opportunity to stop the Trojan virus – if you can block or detect its communication channel back to the hacker. We’ll discuss tools that can do this when we cover layered security controls.
Point of failure 3: Authentication
One of the main challenges is finding a way for the customer to confirm they are who they say they are when they log in, in a way that is convenient for the customer but a hacker cannot break. Passwords, challenge questions, and security cookies are all convenient, but they are easy for a fraudster to steal if they can get a virus on your computer. The next blog posting will cover authentication techniques and challenges in more detail.
Point of failure 4: Transaction capabilities
This is another place where convenience conflicts with security. Your retail customers want to be able to easily set up and pay bills, without a lot of extra steps involved. Your commercial clients have the same desire, but they generally have larger balances, make larger payments, and use higher risk transactions like ACH and Wire Transfers. In a lot of cases a small business only has one person with the time to perform accounting functions, pay bills or run payroll. To make things convenient, the customer will often desire the ability to set up and execute these transactions without bank validation, two party authorization, or other steps or delays.
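To make the trade-off concrete, here is an added example of the two-party authorization the paragraph describes, written for this post and not taken from SynerComm or any banking platform. The threshold, the transaction types treated as high risk, and the in-memory Transfer record are all assumptions: a low-value payment releases immediately (the convenience path), while an ACH or Wire at or above the threshold stays pending until a second, different user approves it, so a single stolen login cannot both create and release the payment.

```python
"""Dual control (two-party authorization) for high-risk online banking transfers.

Added example, not code from SynerComm or the original post. The threshold,
the high-risk types and the in-memory record are assumptions for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Hypothetical policy: any ACH or Wire at or above this amount needs a second approver.
DUAL_CONTROL_THRESHOLD = Decimal("5000.00")
HIGH_RISK_TYPES = {"ACH", "WIRE"}


@dataclass
class Transfer:
    transfer_id: str
    tx_type: str
    amount: Decimal
    initiated_by: str
    approved_by: Optional[str] = None
    status: str = "PENDING"  # PENDING or APPROVED


def requires_dual_control(t: Transfer) -> bool:
    """High-risk transaction types at or above the threshold need a second person."""
    return t.tx_type in HIGH_RISK_TYPES and t.amount >= DUAL_CONTROL_THRESHOLD


def initiate(transfer_id: str, tx_type: str, amount: str, user: str) -> Transfer:
    """Create a transfer; low-risk ones release immediately, high-risk ones wait."""
    t = Transfer(transfer_id, tx_type, Decimal(amount), user)
    if not requires_dual_control(t):
        t.status = "APPROVED"  # convenience path: no second step for small payments
    return t


def approve(t: Transfer, approver: str) -> bool:
    """Release a pending transfer. Returns False (and changes nothing) when the
    transfer is not pending or when the approver is the same user who initiated it."""
    if t.status != "PENDING":
        return False
    if approver == t.initiated_by:
        # One compromised login must not be able to both initiate and release.
        return False
    t.approved_by = approver
    t.status = "APPROVED"
    return True


if __name__ == "__main__":
    small = initiate("t1", "ACH", "250.00", "alice")
    print(small.transfer_id, small.status)          # released on its own
    big = initiate("t2", "WIRE", "25000.00", "alice")
    print(big.transfer_id, big.status)              # pending
    print("self-approval allowed:", approve(big, "alice"))
    print("second-user approval:", approve(big, "bob"), big.status)
```

The check that matters is the identity comparison in approve(): the second approver must be a different login, ideally on a different computer, otherwise the Trojan on the one infected PC can supply both halves of the approval.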
Point of failure 5: Monitoring and auditing
Once the fraudulent transaction is executed, there should ideally be some mechanism to detect and raise awareness of the transaction quickly enough to stop or reverse it. This includes steps the customer may take, such as daily monitoring and balancing of their accounts. It could also include steps the financial institution takes, such as reviewing website and transaction activity for abnormal transactions.
Point of failure 6: Money mules
Most money mules are unsuspecting “victims” – they think they are performing a legal service for a legitimate business. As a financial institution you have an opportunity and a responsibility to know your customer and be on the lookout for transactions that could be money mules. Many of the same techniques you apply for your anti-money laundering/currency transaction reporting program can help identify when your customer may be acting as an unsuspecting money mule.
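As an added example for both point of failure 5 (abnormal transactions from the victim's account) and point of failure 6 (a customer acting as a mule), the script below runs two simple monitoring rules over a small constructed transaction ledger. It is written for this post, not SynerComm's or any institution's code, and the ledger, field layout, thresholds and the home-country assumption ("US") are all made up for illustration. The first rule flags an account that pays several never-before-seen payees within a short window, the pattern in the overview above; the second flags an account that receives a credit and wires most of it overseas within a few days, keeping a small remainder.

```python
"""Two transaction-monitoring heuristics for the failure points discussed above.

Added example, not code from SynerComm or the original post. The ledger format,
field names, thresholds and sample records are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger:
# (timestamp, account, direction, type, amount, counterparty, counterparty country)
SAMPLE_TXNS = [
    ("2024-03-04 09:12", "biz-001", "OUT", "ACH", 1800.00, "payroll-vendor", "US"),
    ("2024-03-11 09:05", "biz-001", "OUT", "ACH", 1800.00, "payroll-vendor", "US"),
    ("2024-03-18 02:41", "biz-001", "OUT", "ACH", 4900.00, "mule-a", "US"),
    ("2024-03-18 02:43", "biz-001", "OUT", "ACH", 4850.00, "mule-b", "US"),
    ("2024-03-18 02:44", "biz-001", "OUT", "WIRE", 9700.00, "mule-c", "US"),
    ("2024-03-18 10:00", "mule-acct", "IN", "ACH", 4900.00, "biz-001", "US"),
    ("2024-03-19 11:30", "mule-acct", "OUT", "WIRE", 4400.00, "overseas-recv", "UA"),
]


def parse(rec):
    """Turn one ledger tuple into a dict with a real timestamp and float amount."""
    ts, acct, direction, ttype, amount, cp, country = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "acct": acct,
            "dir": direction, "type": ttype, "amount": float(amount),
            "cp": cp, "country": country}


def flag_originator_bursts(records, window=timedelta(minutes=60), min_new_payees=2):
    """Point of failure 5: several payments to never-before-seen payees in a
    short window from one account. Returns (account, burst start time) alerts."""
    txns = sorted((parse(r) for r in records), key=lambda t: t["ts"])
    seen = defaultdict(set)         # account -> payees paid before
    recent_new = defaultdict(list)  # account -> times of recent first-time payments
    alerts = []
    for t in txns:
        if t["dir"] != "OUT":
            continue
        acct = t["acct"]
        if t["cp"] in seen[acct]:
            continue  # a known payee is normal activity for this account
        seen[acct].add(t["cp"])
        recent_new[acct] = [ts for ts in recent_new[acct] if t["ts"] - ts <= window]
        recent_new[acct].append(t["ts"])
        if len(recent_new[acct]) == min_new_payees:  # fire once per burst
            alerts.append((acct, recent_new[acct][0]))
    return alerts


def flag_pass_through(records, home_country="US", max_gap=timedelta(days=3),
                      min_fraction=0.7, max_fraction=0.99):
    """Point of failure 6: an inbound credit followed within max_gap by an outbound
    international wire for most of the amount. Returns
    (account, amount in, amount out, fraction retained) alerts."""
    txns = sorted((parse(r) for r in records), key=lambda t: t["ts"])
    inbound = defaultdict(list)  # account -> credits received so far
    alerts = []
    for t in txns:
        if t["dir"] == "IN":
            inbound[t["acct"]].append(t)
        elif t["type"] == "WIRE" and t["country"] != home_country:
            for i in inbound[t["acct"]]:
                gap = t["ts"] - i["ts"]
                frac = t["amount"] / i["amount"]
                if timedelta(0) <= gap <= max_gap and min_fraction <= frac <= max_fraction:
                    alerts.append((t["acct"], i["amount"], t["amount"], round(1 - frac, 2)))
    return alerts


if __name__ == "__main__":
    for a in flag_originator_bursts(SAMPLE_TXNS):
        print("new-payee burst:", a)
    for a in flag_pass_through(SAMPLE_TXNS):
        print("possible mule pass-through:", a)
```

On the sample ledger the first rule fires once for biz-001 at 02:41 on 2024-03-18 (three first-time payees in three minutes, after weeks of paying only its payroll vendor), and the second flags mule-acct for wiring about 90% of a fresh credit abroad the next day. Real programs would tune the window, thresholds and payee history length to the institution's own data; the point is that both rules need only the transaction history the bank already holds.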
This overview was meant to provide some background for our upcoming posts in this series, which will cover authentication techniques, layered security, fraud detection, and customer education.