With the ZeuS Trojan continually being revised and updated, the malware remains effective as a tool for stealing online financial credentials, but there are some simple measures banks could take to make online accounts more secure, according to the SANS Institute.
"Somehow, it looks like the banks either don't care, or don't grasp the concept of defence in depth, or both," according to SANS Internet Storm Center blogger Daniel Wesemann.
He recommends four steps banks could take to make online bank fraud more difficult:
1. Stricter controls over how customers can change the email address and phone number the bank has on file. If these details can be changed online, an attacker who has taken over the account can redirect the bank's communications to themselves and reply in the customer's place. Recommendation: allow these changes only in person at a bank branch.
2. Sending notification of any changes. Recommendation: If anyone changes this type of information for an account, notification of the change is sent to the customer's old email and SMS addresses so they are aware when such a change is made fraudulently.
3. Notification of newly eligible payees. If attackers authorise new payees that they control, they can transfer funds to them electronically. Recommendation: Advise account holders via email and SMS when new payees are authorised.
4. Allow time for customers to read and respond to new payee notifications. If a customer doesn't read emails or SMS messages for a period of time, attackers could transfer funds to new payees under their control before the legitimate account holder has a chance to spot the fraud. Recommendation: block transfers to new payees for seven days after they have been added.
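The four controls above are simple enough to show as account-level checks. The following is an added example written for this article, not code from SANS or from any bank: a toy account model in which contact details change only through a "branch" channel, every change is announced to the previous email address and SMS number, new payees are recorded with a timestamp and announced, and transfers to a payee are refused until the seven-day hold has elapsed. The outbox list standing in for a mail/SMS gateway, the `ControlViolation` exception and the sample addresses are all constructed for the illustration.

```python
"""Added example (not from the SANS post): the four controls as account-level checks."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hold window for transfers to newly authorised payees (the post's seven days).
PAYEE_HOLD = timedelta(days=7)


class ControlViolation(Exception):
    """Raised when a request fails one of the four controls (constructed for this example)."""


@dataclass
class Account:
    email: str
    sms: str
    # payee id -> time the payee was authorised
    payees: dict = field(default_factory=dict)
    # Stand-in for the mail/SMS gateway: list of (channel, address, message).
    outbox: list = field(default_factory=list)

    def _notify(self, message, email, sms):
        """Send `message` over both channels to the given addresses."""
        self.outbox.append(("email", email, message))
        self.outbox.append(("sms", sms, message))

    # Steps 1 and 2: contact details change only in person, and the OLD
    # addresses are told, so the real holder hears about a fraudulent change.
    def change_contact(self, new_email=None, new_sms=None, *, channel, now):
        if channel != "branch":
            raise ControlViolation("contact details can only be changed in a branch")
        old_email, old_sms = self.email, self.sms
        if new_email:
            self.email = new_email
        if new_sms:
            self.sms = new_sms
        self._notify(f"Contact details changed at {now.isoformat()}", old_email, old_sms)

    # Step 3: a new payee is recorded with a timestamp and announced.
    def add_payee(self, payee_id, *, now):
        if payee_id in self.payees:
            return
        self.payees[payee_id] = now
        self._notify(f"New payee {payee_id} authorised at {now.isoformat()}",
                     self.email, self.sms)

    def payee_hold_remaining(self, payee_id, *, now):
        """Time left before transfers to `payee_id` are allowed (zero once the hold has passed)."""
        remaining = self.payees[payee_id] + PAYEE_HOLD - now
        return max(remaining, timedelta(0))

    # Step 4: transfers to a payee still inside the hold window are refused.
    def transfer(self, payee_id, amount, *, now):
        if payee_id not in self.payees:
            raise ControlViolation("unknown payee")
        remaining = self.payee_hold_remaining(payee_id, now=now)
        if remaining > timedelta(0):
            raise ControlViolation(f"payee on hold for another {remaining}")
        return {"payee": payee_id, "amount": amount, "at": now}


def simulate_control_checks(now=datetime(2024, 1, 1, 9, 0)):
    """Run the sequence the post worries about through the controls; return what each one did."""
    acct = Account(email="owner@example.test", sms="+15550100")  # constructed sample account
    outcome = {}
    # Step 1: an online contact change is refused outright.
    try:
        acct.change_contact(new_email="other@example.test", channel="online", now=now)
        outcome["online_change"] = "allowed"
    except ControlViolation:
        outcome["online_change"] = "refused"
    # Step 2: a change made in the branch still alerts the previous address.
    acct.change_contact(new_email="owner2@example.test", channel="branch", now=now)
    outcome["old_email_notified"] = any(
        ch == "email" and addr == "owner@example.test" for ch, addr, _ in acct.outbox)
    # Step 3: adding a payee produces one email and one SMS alert.
    acct.add_payee("new-payee-1", now=now)
    outcome["payee_alert_count"] = sum(1 for _, _, m in acct.outbox if "new-payee-1" in m)
    # Step 4: a transfer three days in is refused; after seven days it goes through.
    try:
        acct.transfer("new-payee-1", 900, now=now + timedelta(days=3))
        outcome["transfer_day3"] = "allowed"
    except ControlViolation:
        outcome["transfer_day3"] = "refused"
    acct.transfer("new-payee-1", 900, now=now + PAYEE_HOLD)
    outcome["transfer_day7"] = "allowed"
    return outcome


if __name__ == "__main__":
    for control, result in simulate_control_checks().items():
        print(f"{control}: {result}")
```

Timestamps are passed in explicitly rather than read from the clock so the hold logic can be exercised deterministically; a real deployment would also persist the outbox records, since the point of notifying the old address is that the customer can later prove what they were, or were not, told.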
Wesemann writes: "All of this can be implemented basically for free. You can even allow your customers to opt-in voluntarily."