Banks are having to fend off ever more attacks from hackers who break into computers of their business customers and try to make fraudulent funds transfers electronically for large amounts. If you doubt how bad this hacker scourge has become, ask Jorge Solis, senior vice president of security at First Midwest Bank.
Across the banking industry, "these are attacks that happen on a daily basis," says Solis, who heads up security for the Itasca, Illinois, bank. First Midwest Bank has seen its share of crimes in which hackers take over a customer's business computer in order to initiate fake electronic funds transfers and payments. Thwarting them has to be done with speed since "transactions and ACH automated clearinghouse wires happen very quickly," Solis says.
Hackers want to send large amounts to accounts where they can seize it, and they can even overcome safeguards such as strong two-factor one-time-password token authentication, says Solis, who has seen it happen.
Hackers who installed malware on one victim's compromised machine — ZeuS is the most common malware type the banking industry fights - commandeered it to set up a man-in-the-middle attack that intercepted the customer's intended transactions by means of fake web pages. This happened despite the customer using token-based authentication, according to Solis.
The fraudulent transfer made by the hacker was caught through internal fraud-detection operations in the backroom at First Midwest Bank, Solis says. But it was a shock to see how token-based authentication could be compromised. "I'm not saying tokens do not work," Solis says. "But we saw this happen."
At that point, First Midwest Bank decided to add security controls. One of them offered to the bank's business customers is an automated phone-based authentication from PhoneFactor that makes a voice call to the phone of the person who originated the electronic transaction. The automated call presents the information about the transfer and asks the individual to verify and approve it through a secret personal identification number. It's also possible to have multiple people authorise a single transaction using PhoneFactor.
Since adding this security control in the summer, First Midwest Bank has seen phone-oriented authentication work to stymie at least one attack on a customer's corporate account. A customer received a phone call where PhoneFactor delivered the news that the request for a large-dollar amount had been made, from a compromised computer it turned out. The customer, who hadn't authorised the transfer, of course didn't enter the PIN, and that with a fraud alert stopped the transfer from going through.
Like many other banks, First Midwest Bank has gotten involved in helping customers cope with possible malware infections on their computers, and to that end, the bank is looking at using a malware-removal service. The type of attacks that First Midwest Bank has seen against its business customers appear to be growing throughout the financial services industry.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), the group of banks that shares threat information with the federal government on critical infrastructure issues, recently released the results of poll of 77 financial institutions about the frequency of account takeovers they saw during the first half of 2010, the most recent data available.
Twenty-one of the financial institutions reported a total of 108 commercial account takeovers during those six months alone in 2010 compared to just 86 for the entire year of 2009. The good news is that banks in this 2010 period managed to stop the funds transfers 36% of the time, but were only successful 20% of the time in all of 2009.