Are we facing yet another banking crisis?

How cybercriminals’ are stealing corporate funds, and putting pressure on the global banking system

The last eighteen months have delivered some of the most testing challenges to the global banking system. Whilst financial institution and businesses alike both struggle to emerge from a brutal recession, they’re now having to face up to a new threat which can potentially steal away their funds and corporate reputation with the simple click of a mouse.

In this article Dave Tripier, CMO of IronKey, explains how organised cyber crime rings have begun to target corporate banking transactions - and offers valuable advice to help banks and businesses to deal with this new threat.

For many years, global cyber crime organisations have been successfully stealing millions from personal customer bank accounts, through large scale phishing attacks. However these hi-tech criminal gangs have shifted focus to instead target the more lucrative corporate bank accounts of both public and private sector organisations.

Reiterating the seriousness of this new cyber threat, Ponemon’s 2010 Business Banking Trust survey recently revealed that 80% of banks had failed to catch fraud before funds were transferred out of their institution. More worryingly still, 57% of the businesses that have experienced a fraud attack were not fully compensated by their banks. So, businesses are naturally waiting for guidance on protecting their accounts from crime – and insuring their funds are returned if they are hit by an attack. And as analyst firm Gartner warns that the increasing attacks on online banking transactions is merely the tip of the cyber crime iceberg, the banking industry is faced with a threat that could cripple confidence in the corporate online banking system.

Why the threat landscape has changed

Global cyber crime rings have changed their tact, in recognition that it’s far more profitable to make numerous large transfers from a single corporate bank account than to try to hijack thousands of consumer-based accounts and make small money transfers.

The cyber criminals are using commercial online banking malware which comprises of a number of new families of Trojans that use live authenticated sessions to defeat traditional security defenses. The new Trojans are even able to beat multi-factor authentication that banks have employed to protect consumers against phishing fraud. They are not only capable of stealing corporate authentication credentials, but can also perform fraudulent transactions from a victim’s own computer.

These “man-in-the-browser” Trojans also rewrite the Web browser pages that a victim sees and often request secondary authentication credentials such as secret questions and answers that can be used later to change the victim’s login credentials.

Can the banks afford to take another reputational hit?

It’s natural that the threat of criminal activity will mean that companies’ confidence in their banks will drop. The Ponemon study revealed that 40% of businesses have moved their banking activities elsewhere after a fraud incident. 11% of firms that have experienced fraud claimed they have terminated their banking relationship following the attacks, and an additional 29% said they did not fully terminate their relationship, but moved their primary cash management services to another institution.

While consumer confidence is clearly a big priority for banks, reassuring corporate customers is even more pressing – with the large amounts of money changing hands. Where banks may be able to deal with the loss of ten individual customers that have experienced fraud, the financial and reputational damage of losing a big corporate customer is significantly more difficult to recover from. It’s clear that after the global banking crisis of 2009, financial institutions cannot afford any further damage to their status.

Dealing with the threats

This undoubtedly a global threat, as yet, the only authority to issue advice to banks and businesses to date has been the US Electronics Payment Association, NACHA. NACHA has advised that any business uses separate computers for banking transactions – which are not enabled for web browsing or email services. This means that while the computer is only used for banking transactions, it is not open to email nor Web based cyber attacks.

The security industry welcomes NACHA’s advice; the reality for organisations is that each member of a company’s finance team will need two computers - one for web browsing and email – and one for its banking transactions. This adds pressure time and complexity to the employee – and can prove costly for an organisation. Add to the cost of infrastructure, the associated security protocols for setting up new computers, and the need to renew the systems every three years, and this is an increasingly costly exercise.

A possible alternative?

However, it seems that just as cybercriminals are using technology to commit fraud, the banking industry can make use of advances in technology to fight back.

One approach is by IronKey who has developed a unique integration of custom silicon, security firmware, security software, and online security services into one cost-effective safe oasis for online banking.

Following NACHA’s guidance and best practices IronKey has created an integrated solution into one easy to use package which includes:

  1. A virtualised environment that operates in a read-only mode, so that malware cannot tamper with the stored image on the IronKey device. The virtualised environment can be written to only when a digitally signed update is delivered from the IronKey security management service and verified locally on the IronKey device.

  1. A secure browser runs inside a virtualised environment, it is isolated from the host’s PC malicious software providing a safe transactional environment to corporate customers.

  1. Two-factor authentication with RSA SecurID for a defense in depth approach.

  1. Anti-malware to scan of the user’s computer before running the secure environment

  1. A online service to manage the devices and provide security updates - no management infrastructure required

In summary the IronKey multifunction security device, combined with IronKey security services, gives financial institutions a cost-effective way to protect their commercial banking customers from the next generation of banking malware.


Ponemon’s 2010 Business Banking Trust survey

FS-ISAC Account Hijacking of Corporate Customers. Recommendations for Customer Education.

August 24, 2009. A joint effort between the Federal Bureau of Investigation (FBI), the Financial

Services Information Sharing and Analysis Center (FS-ISAC), NACHA - the Electronic Payments

Association, and other Federal government agencies.

FFIEC Guidance–Authentication in an Internet Banking Environment