Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Cybercriminals have had great success over the past year hitting banks where their security is the weakest–on their customers’ PCs. In 2009, online fraud losses doubled, according to FBI data.

Now banks are starting to hit back, focusing not only on the security of their own systems, but of their customers’ systems. Last week, security firm Trusteer announced it would provide a service to banks that lets them remotely analyze computers belonging to customers who have been hacked. Using the service, called Flashlight, banking customers that believe they have been targeted could download a program to their PC that would quickly search the system for digital tracks left by online thieves and their malicious software.

“By analyzing the malware, the banks can find out how the groups are getting by their security measures,” says Mickey Boodaei, CEO of Trusteer. “We noticed that most banks have no real understanding of their fraud losses. They have no idea where they are originating from, whether it was Zeus [a common Trojan horse program] or some other malicious software, and what criminal groups are attacking them.”

Banks have had mixed success cracking down on cybercriminals. While cyber fraud has declined in the past three years, fraudulent online transactions have climbed, according to a presentation by the Federal Deposit Insurance Corporation (FDIC), the agency responsible for securing Americans’ savings. In the third quarter of 2009, losses due to online fraud topped $120 million, with small-business losses accounting for $25 million, according to the FDIC.

Most of the fraud was due “to malware on the online banking customer’s PC that was related to phishing, downloading Trojan horse programs, or visiting a website that infected the PC with a drive-by type of malware attack,” FDIC examiner David Nelson said during the presentation.

While U.S. regulations have required that banks use more than just a username and password to secure bank transactions, online thieves have adapted quickly to the new security. Instead of logging into a user’s account from a different country, many cybercriminals are now surreptitiously using the victim’s browser to initiate fraudulent transactions. “As soon as the financial institutions began implementing strong authentication, the bad guys began to find ways to defeat strong authentication,” Nelson said. “Almost all of the (latest) losses were the result of the computer intrusions on the networks or the PCs of banking customers.”

5 comments. Share your thoughts »

Credit: Technology Review

Tagged: Business, security, hackers, forensics, banking, computer crime

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me