Cybercriminals have had great success over the past year hitting banks where their security is the weakest–on their customers’ PCs. In 2009, online fraud losses doubled, according to FBI data.
Now banks are starting to hit back, focusing not only on the security of their own systems, but of their customers’ systems. Last week, security firm Trusteer announced it would provide a service to banks that lets them remotely analyze computers belonging to customers who have been hacked. Using the service, called Flashlight, banking customers that believe they have been targeted could download a program to their PC that would quickly search the system for digital tracks left by online thieves and their malicious software.
“By analyzing the malware, the banks can find out how the groups are getting by their security measures,” says Mickey Boodaei, CEO of Trusteer. “We noticed that most banks have no real understanding of their fraud losses. They have no idea where they are originating from, whether it was Zeus [a common Trojan horse program] or some other malicious software, and what criminal groups are attacking them.”
Banks have had mixed success cracking down on cybercriminals. While cyber fraud has declined in the past three years, fraudulent online transactions have climbed, according to a presentation by the Federal Deposit Insurance Corporation (FDIC), the agency responsible for securing Americans’ savings. In the third quarter of 2009, losses due to online fraud topped $120 million, with small-business losses accounting for $25 million, according to the FDIC.
Most of the fraud was due “to malware on the online banking customer’s PC that was related to phishing, downloading Trojan horse programs, or visiting a website that infected the PC with a drive-by type of malware attack,” FDIC examiner David Nelson said during the presentation.
While U.S. regulations have required that banks use more than just a username and password to secure bank transactions, online thieves have adapted quickly to the new security. Instead of logging into a user’s account from a different country, many cybercriminals are now surreptitiously using the victim’s browser to initiate fraudulent transactions. “As soon as the financial institutions began implementing strong authentication, the bad guys began to find ways to defeat strong authentication,” Nelson said. “Almost all of the (latest) losses were the result of the computer intrusions on the networks or the PCs of banking customers.”
Because consumers are not generally responsible for losses to their accounts due to fraud, banks are increasingly taking steps to secure their customers’ systems as well as their own. “Banks are realizing that the human at the end is the weak link,” says Steve Surdu, vice president of professional services at security and forensics firm Mandiant. “By having their customers attached to their systems, they are introducing weakness.”
Many banks already analyze transactions for patterns that suggest fraud. Some require that customers put additional security on their PCs. For example, Trusteer sells a secure add-on for browsers, known as Rapport, that banks can give customers to help secure online transactions.
Flashlight allows banks to gather information on their customers following an incident of fraud without ever having to send an investigator. Since the browser is the portal that online banking customers use to access their financial institution, Flashlight focuses its effort there. The program uses remote forensics to find changes to the browser program running in memory, any malicious files that may have been added, and changes in the way the browser communicates with other programs. It submits its findings back to Trusteer, which creates a report for the bank on which, if any, rogue software was running on the user’s computer.
“This is a process the banks can follow with each fraud event that they have,” Trusteer’s Boodaei says. “They can have an up-to-date view of their fraud losses.”
In early testing, Flashlight discovered that nearly 95 percent of all bank losses in the United Kingdom were caused by three Trojans: the Zeus program; a U.K.-specific program known as Silon; and Yaludle. Trusteer does not have as many customers in the U.S., so it could not provide data on U.S. trends.
Providing remote forensics as a service “is a clever move,” says Mikko Hypponen, chief research officer for antivirus firm F-Secure. Most antivirus companies have support tools that allow technicians to collect information about infected users’ systems. Microsoft provides a forensics package to law enforcement known as the Computer Online Forensics Evidence Extractor.
Hypponen agrees that banks will increasingly demand that consumers secure their systems more tightly. Cybersecurity is largely about defending your systems better than other targets, he says. “You don’t have to have perfect security,” he says. “You have to have better security than the other banks.”