A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.
I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.
The attack on Niles Nursing Inc. provides a textbook example. On Monday, Dec. 17, 2012, computer crooks logged into the company’s online banking accounts using the controller’s credentials and tunneling their connection through his hacked PC. At the beginning of the heist, the miscreants added 11 money mules to Niles’ payroll, sending them automated clearing house (ACH) payments totaling more than $58,000, asking each mule to withdraw their transfers in cash and wire the money to individuals in Ukraine and Russia.
Niles’ financial institution — Ft. Lauderdale, Fla. based Optimum Bank — evidently saw nothing suspicious about 11 new employees scattered across five states being added to its customer’s payroll overnight. From the bank’s perspective, the user submitting the payroll batch logged in to the account with the proper credentials and with the same PC that was typically used to administer the account. The thieves would put through another two fraudulent payment batches over next two days (the bank blocked the last batch on the 19th).
In total, the attackers appear to have recruited at least two dozen money mules to help haul the stolen loot. All but two of the mules used or opened accounts at four out of five of the nation’s top U.S. banks, including Bank of America, Chase, Citibank, and Wells Fargo. No doubt these institutions together account for a huge percentage of the retail banking accounts in America today, but interviews with mules recruited by this crime gang indicate that they were instructed to open accounts at these institutions if they did not already have them.
ANALYSIS
I’ve spoken at numerous financial industry conferences over the past three years to talk about these cyberheists, and one question I am almost always asked is, “Is it safer for businesses to bank at larger institutions?” This is a tricky question to answer because banking online remains a legally and financially risky affair for any business, regardless of which bank it uses. Businesses do not enjoy the same fraud protections as consumers; if a Trojan lets the bad guys siphon an organization’s online accounts, that victim organization is legally responsible for the loss. The financial institution may decide to reimburse the victim for some or all of the costs of the fraud, but that is entirely up to the bank.
What’s more, it is likely that fewer cyberheists involving customers of Top 5 banks ever see the light of day, principally because the larger banks are in a better financial position to assume responsibility for some or all of the loss (provided, of course, that the victim in return agrees not to sue the bank or disclose the breach publicly).
I prefer to answer the question as if I were a modern cyberthief in charge of selecting targets. The organized crooks behind these attacks blast out tens of millions of booby-trapped emails daily, and undoubtedly have thousands of stolen online banking credentials to use at any one time. There are more than 7,000 financial institutions in the United States…should I choose a target at one of the top 10 banks? These institutions hold a majority of the financial industry’s assets, and they’re accustomed to moving huge sums of money around each day.
On the other hand, their potential for fraud is almost certainly orders of magnitude greater than at smaller institutions. That would suggest that it may be easier for these larger institutions to justify antifraud expenditures. That incentive to enact antifraud protections is even greater because these institutions have huge numbers of retail customers, a channel in which they legally eat the loss from unauthorized account activity.
Wearing my cyberthief glasses, if I’m looking at a huge pile of data stolen from thousands of victims, I’m probably more apt to target victims at smaller banks based on one simple assumption: Because I’m going to have a much higher success rate than I would targeting customers of larger institutions.
COMPETING ON SECURITY?
All of this raises several questions: Can smaller financial institutions realistically hope to compete with the larger banks on security? Should they even try? The smaller institutions would not appear to have the same economies of scale to achieve the same security that the top banks have. Perhaps to compensate for this, many smaller institutions have contracted with banking industry service providers to help them operate their online banking services.
Unfortunately, securing the customer transaction space has traditionally not been a major component of these outsourced services, which focus on identifying phishing attacks and other anomalies on the bank’s Web portal and internal systems. For whatever reason, these providers generally have not used the intelligence coursing through their networks to help smaller bank customer discover and stop ACH fraud.
Case in point: Optimumbank’s service provider is Fiserv, one of the largest banking industry service providers. According to Fiserv’s site, at least 52 percent of the nation’s $19 billion in ACH payments are processed using Fiserv software. If this is true, one might think that Fiserv’s systems handled about half of the mule transfers that were sent from Niles Nursing’s hacked bank account.
But according to Murray Walton, Fiserv’s chief risk officer, the software that most of its customer banks run — called PEP+ — is a client solution that does not interact with the company’s data centers. He said while Fiserv does offer an antifraud solution called FraudNet, that tool is designed for online bill pay services that banks can use to detect fraud patterns on consumer accounts.
“There are vendors who can knit it all together for banks, but that isn’t what we do,” Walton said in an interview. “For various and sundry reasons we don’t offer an engine that does the same thing as [an anti-fraud provider like] Guardian Analytics. Realistically, the client and end-user have responsibilities that they can’t abdicate to us. Everyone in this needs to take it seriously and not think that someone else has their back.”
Mark Ackerly, vice president and director of information security at Community Bank N.A., a financial institution based in DeWitt, NY, said there are a number of benefits that come from small banks that may not be immediately obvious.
“Generally speaking, community bank’s that may not have the ability to offer complex automated anti-fraud solutions are able to leverage their smaller size and strong customer knowledge to utilize more simplified solutions in a manner that makes them very effective,” Ackerly said. “It is also this same high level of customer interaction, typically found at community banks, that makes opening of accounts for malicious activity less anonymous or simplified.”
Although historically service providers may have trailed in some of their technological security offerings, that posture has shown significant change, he added.
“Some of the major service providers are starting to show substantial promise in their offerings to detect malware and malicious activity,” Ackerly said.
C.Y.A.
As it stands, the big banks don’t have an incentive to police new accounts for mule activity, because it’s generally not their customers who are getting robbed from this activity, said Avivah Litan, a fraud analyst with Gartner Inc.
“The bad guys shouldn’t be able to set up these mule accounts in the first place,” Litan said. “The bigger banks are not doing a good job of screening for this activity because they’re not the ones eating the fraud on these attacks on smaller bank customers. [The bank service providers] should be spending more money. And the regulators should be coming down on them harder.”
It appears that banking regulators are taking a closer look at the role of service providers. Federal Financial Institutions Examination Council (FFIEC) recently issued revised guidance for bank examiners clarifying that “outsourced activities should be subject to the same risk management, security, privacy, and other internal controls and compliance policies as if such functions were performed internally, and that a financial institution’s board of directors and management have the responsibility for ensuring that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.”
In the end, it may be that small, regional and local banks can pool their clout and resources to extract more from service providers than what those companies are currently offering. It would also be encouraging to see these smaller institutions taking the lead in educating their customers about the seriousness of the threat that faces them.
I’ve often heard it said that in times of economic uncertainty, smaller and local financial institutions are more likely than larger banks to lend money to small businesses. If this is true, then it is likely because these institutions truly know their customers, and know a good bet when they see one. My hope is that smaller institutions make every effort to better understand their customers’ online activity as well, and have the ability to detect and act on red flags that too often indicate an account compromise.
In the meantime, none of this matters: As Fiserv’s Walton said, the best solution for businesses is to behave as though nobody has your back. Like it or not, the “applicable laws and regulations” still ultimately leave businesses responsible for ensuring their own security when banking online. If you run a small business and wish to bank online, shop around if you can and find a bank that offers and advocates additional layers of security. If your bank offers it, consider signing up for Positive Pay; this anti-fraud service was built to defeat check fraud, but it is remarkably effective at stymying unauthorized transfers both online and offline. Niles Nursing was not signed up for Positive Pay at the time of its cyberheist, although the company is now, according to an employee who spoke with KrebsOnSecurity.
But the best way to avoid a cyberheist is to not have your computer systems infected in the first place. The trouble is, it’s becoming increasingly difficult to tell when a system is or is not infected (for example, Niles Nursing was using Microsoft Security Essentials, which failed to detect the banking Trojan used in the attack.) That’s why I advocate the use of a Live CD approach for online banking: That way, even if the underlying hard drive is infected with a remote-access, password stealing Trojan like ZeuS or Citadel, your online banking session is protected.
In an upcoming post, I’ll be looking at different affordable options available to small businesses for insuring themselves against losses from cyberheists. In the meantime, I’ve assembled a short list of other tips that small businesses should consider when banking online.
Be careful out there, folks.