Cybercrime: Are Businesses and Banks on the Same Team?

Some of the biggest technological innovations of recent years – from smartphones to cloud computing – give corporates and banks alike excellent opportunities for improving customer access and service options, business process efficiencies and productivity. But these same innovations are also opening new gateways for cyber criminals to exploit weaknesses in network security defences and launch relentless, targeted attacks to gain access to confidential data and money.

Banks and businesses are generally on the same team and co-operate when all goes well. However, when a security breach or financial loss occurs for either party, collaboration can quickly become litigation.

Last year, a court decided in favour of Experi-Metal, Inc (EMI), a Michigan custom auto-parts manufacturer, and against Comerica Bank, after a 2009 ‘phishing’ attack compromised the web login credentials of EMI’s company account at Comerica. Even though the bank used a form of ‘true’ multifactor authentication, the fraudsters penetrated EMI’s account using an employee’s username, password and token number. It took hackers less than seven hours to wire-transfer more than US$1.9m from EMI’s account to destinations around the globe. All but US$561,399 was recovered.

Comerica, which discovered the fraudulent transfers about four hours after the attack began, argued that it had met the standard of ‘commercially reasonable’ security and that Experi-Metal should be liable for the losses since its access controls had been compromised. The court disagreed, stating that the bank should have detected and stopped the fraudulent wire transfer earlier.

This decision was one of several that paved a path for other merchants victimised by cyber heists to recover their stolen funds by suing the financial institution that holds their account.

In PATCO Construction versus People’s United Bank (Ocean Bank), online criminals installed Zeus malware on a computer that PATCO used to initiate electronic funds transfers (EFTs) from its Ocean Bank account. The perpetrators gained entry to PATCO’s online account by capturing and using legitimate corporate and user identities, passwords and answering the bank’s challenge/response security questions for authenticating user access.

Over the course of a week, the fraudsters stole US$588,851. While the bank eventually blocked or recovered US$243,406 of the fraudulent transfers, PATCO sued Ocean Bank for the rest, claiming the bank’s security measures weren’t ‘commercially reasonable’ and that it had failed to live up to the multifactor authentication guidelines for financial transactions established by the Federal Financial Institutions Examination Council (FFIEC).

The court disagreed, dismissing PATCO’s suit to recover money lost in the fraudulent transactions. However, the decision was recently overturned by a federal appeals court, which found that Ocean Bank failed to sufficiently monitor its transactions for fraud and to notify customers before allowing suspicious transactions to proceed, even though it had the resources to do so.

On a related front, a merchant who felt its acquirer was overzealous in assigning fault for an alleged breach resulting from Payment Card Industry (PCI) non-compliance countersued to recover funds taken from that merchant’s account.

In Elavon versus Cisero’s, US Bank (Elavon’s parent company) was fined about US$90,000 by Visa and MasterCard for alleged failures by its customer, Utah-based Italian restaurant Cisero’s, to comply with PCI data security requirements, which the financial institutions and card companies claimed allowed hackers to steal unencrypted credit card data from the restaurateurs’ payment system.

In attempting to pass on the fine, Elavon unilaterally withdrew US$10,000 from Cisero’s account without notifying the restaurant owners, then sued Cisero’s to recover the remaining US$80,000 fine levied against Elavon and US Bank by Visa and MasterCard. The owners of Cisero’s counter-sued, saying they hadn’t broken the PCI rules, no fraud had occurred because a forensic investigation yielded no evidence of a data breach, that Elavon and US Bank deceived them into signing an unfair contract allowing arbitrary changes without notice, imposed random fines without a clear explanation and failed to give the merchants a chance to dispute the fines before the money was taken from their account. The case is still pending.

These rulings are significant because they signal a trend by the courts to hold financial institutions increasingly accountable for addressing cyber fraud and its consequences. They reason banks are in a better position than small merchants to counteract cyber threats, since banks understand the nature of cybercrime better and have more experience and resources to combat them.

What Creates Conditions for Teammates to Become Opponents?

First and foremost, cyber security, fraud detection and prevention are getting more difficult by the day.

Cyber criminals are clever, patient, organised and global. They’re masters of social engineering, skilled in targeting the most vulnerable businesses, governments and individuals with the highest potential for gain. They focus on their targets with methodical precision, studying victims’ digital personas on Facebook, Twitter, LinkedIn and other social media channels. By piecing together bits of information to help them more easily penetrate systems and lure unsuspecting targets into clicking on links in seemingly genuine emails, they can unleash malware that compromises computers, or allows keystroke logger robots to collect user login IDs, account data and other personally identifiable information.

Malware that embeds itself in a browser application can then divert, modify or manipulate data that a user submits on an online log-in page. This type of crime – known as a ‘man-in-the browser’ or ‘man-in-the-middle’ attack – scans a computer for information that can then be used by cyber crooks as secondary authentication for logging into a user’s bank account.

Online criminals are also persistent, probing a system until they penetrate its perimeter and then continue attacking its vulnerabilities in an attempt to hit the right target. Once inside a system, many attackers become entrenched. They lie low, undetected for months or even years, using advanced malware and bots designed to fly under the radar of security software, all the while surreptitiously stealing funds and/or data. Often, they and their accomplices are well-funded by crime groups from rogue nations where security and enforcement are lax and financial fraud is difficult to prosecute.

The Holy Grail for cyber attackers is a ‘zero-day exploit’. Malicious programmers create a worm or virus that exploits unknown or undocumented vulnerabilities in browsers, software applications or operating systems, then often use email phishing to trick computer users into visiting a web site where the Trojan resides. Once triggered by clicking on a link, the worm can quickly infect the user’s PC and spread to other computers.

In September, a previously unknown security hole in Microsoft’s Internet Explorer was being actively exploited to deliver the latest version of a back-door Trojan called Poison Ivy. This zero-day exploit was designed to execute a malicious code that allows attackers to take over complete control of a PC and turn a victim’s machine into a ‘server’ that could then be remotely controlled. Within a week, Microsoft released a patch to fix the security hole.

But cyber criminals are unrelenting in their drive to compromise user credentials and access financial accounts. According an anti-virus security vendor, McAfee, malware writers went on a record-breaking spree in the second quarter of 2012, generating some 100,000 new samples per day. Their hottest targets: mobile devices.

A study conducted earlier this year by Arxan Technologies found that 92% of the top 100 paid iPhone apps and 100% of the top 100 Android apps have been compromised by malware.

Lookout, a company that offers security services for a number of smartphone platforms, said data collected from its analysis of global app threats revealed that more than six million people were affected by Android malware between June 2011 and June 2012, with Toll Fraud, a type of malware designed for profit, emerging as the leading threat.

A mantra of corporate and bank information security is to keep computer operating systems and web browsers updated with the latest patches. But that task becomes much more difficult when businesses allow employees to use their own mobile phones, tablets and other mobile devices to access company systems and data.

A recent survey by Metaforic found that nearly 70% of smartphone owners who have not yet plunged into mobile banking are “holding back due to security fears”, while 14% of those surveyed said security concerns prevented them from using PC-based online banking.

What Can Banks and Clients do to Stay Security-focused?

For starters, they should recognise that, while no system on earth is 100% hack-proof, damage from most breaches can be contained if routine data protection processes are in place and one plans for ‘graceful failure’. This approach minimises economic or corporate harm because multiple countermeasures are in place to detect and respond to an attack in case one system safeguard fails. A deep, multi-layered security approach remains the best breach defence, whether you’re a large enterprise, bank or a small business.

The FFIEC issued guidance in 2005 that encouraged banks to move beyond a single-factor authentication requirement for users logging into their online accounts and to take a risk-based approach in evaluating the strength of user authentication. With corporate fraud-related losses and court cases mounting, the FFIEC released revised guidance last year that calls for stronger, multi-layered authentication controls. Among the recommendations was that banks use stronger authentication tools and techniques to safeguard their customers’ financial accounts, such as dual user access authorisation, out-of-band verification for transactions and ensuring transaction values and the number of transactions allowed per day meet specific thresholds.

Some financial institutions have already implemented multi-layered defences using technologies that monitor corporate payment account activity and flag irregularities, such as out-of-pattern dollar amounts for certain types of transactions, then bring these irregularities to the attention of the company from which the transactions are originating. These technologies not only authenticate users, they also control where they can go in the system and what they can see and do when there.

An alert mind is often the best defence against fraud, and stopping cybercrime begins and ends with individual computers and their users. Train all employees, not just IT administrators, to keep an eye out for unusual behaviour, such as unexpected account usage, and to sound an alert in case of anomalies. Warn employees against clicking on pop-up windows or suspicious links in emails – even from people or businesses that appear legitimate – which can be tricks to install spyware and steal confidential information. Ensure all employees, contract personnel and business partners know your company’s fraud policies, practices and fraud-response processes.

Given the growing role of organised crime in perpetrating credit card fraud and theft, make sure anyone with access to important intellectual property and trade secrets is trained on the latest cybercriminal breach tactics, such as phishing, man-in-the-browser attacks and other social engineering schemes. Merchants who accept credit or purchase cards should also set up their payment systems so that access is limited to key staff on a need-to-know basis.

Aaron Bills will be joined by legal cybersecurity expert Randy Sabett and AAA’s treasury consultant Dan Ellecamp at the AFP Annual Conference on Monday 15 October from 10.30-11.45 in room D237 for an in-depth look at the biggest cyber security threats facing corporates and banks – and the latest tools and techniques for counteracting those threats.



Related reading