ACH Fraud: A Cat & Mouse GameChina Breaches Prove Authentication is Too Easy to Defeat
The scheme targets U.S. small business accounts, usually held at small banking institutions. And how are fraudsters hitting the accounts? By unleashing Zeus, Backdoor.bot and SpyEye on unsuspecting commercial customers who, rightly or wrongly, click on links and open attachments that expose them to fraud.
Essentially, the attacks bypass authentication. Once in, the hackers, with Backdoor.bot, remotely access the infected PC and deepen their attack.
The whole authentication and malware phenomenon is a cat-and-mouse game. Fighting malware with authentication is a losing battle
Security pundits say the China scheme exemplifies why the financial industry needs updates and guidance about adequate online security from the Federal Financial Institutions Examination Council. The FFIEC is expected to issue new guidance - an update, really, to guidance it issued in 2005. [FFIEC: Where is Authentication Guidance?]
But that's a topic I won't broach here. If you want to read more about the expected FFIEC guidance update and what bankers are doing while they wait, check out this update from a bank CISO we posted this week: FFIEC Guidance: Compliance Begins.
As for the China hack, I've found a couple of things interesting. First, the hack has gotten around authentication. Second, the attack is clever and bold.
According to the FBI, the China hackers have attempted pushing wire transfers through that range from $50,000 to $985,000. That's a lot of money for a small business and a small banking institution. And here's what's more interesting: It seems better fraud analytics and device identification measures, also noted as FFIEC recommendations, could have picked up on the fraud sooner and helped the FBI track down the cybercriminals behind the hacks.
I had an interesting call this week with a security vendor about the online vulnerabilities of small business that often lead to ACH and wire fraud. During that conversation, which revolved around results recently released from a February survey, I learned that the China hacks were rather far-reaching. In fact, this vendor told me some of its own small banking clients got hit; but the crime didn't get too far.
Terry Austin, CEO of Guardian Analytics, the vendor that recently released survey results included in its 2011 Business Banking Trust Study, told me one of its bank customers saw a China wire transfer attempt for $1.9 million.
Austin had some interesting insights from the study, such as most SMBs have done nothing or very little over the last year to address corporate account takeover; instead, they continue to look to banks to protect them. But his thoughts about the China hack were more intriguing, since some of Guardian's clients -- all within the small-to-mid-sized institution range -- were affected. "We saw this fraud attack hitting our customers, but we have more data, beyond what the FBI has," Austin says. "The FBI alert talked about international wires, but we saw international and domestic, and, in some cases, it was going to a domestic account first and then to China, so it's trickier to catch. It was a two-step process."
"And it's clear that this malware bypassed all of the two-factor authentication our customers had in place," Austin adds. "The level of risk now is getting so extreme for these smaller institutions, if they don't put this at the forefront of their strategies, they could be putting their entire business and the business of their customers at risk."
Austin says Guardian started picking up on some anomalous behavior about a week before the April 26 alert was issued by the FBI. But a pattern quickly emerged, he says. The IP address used by the hackers never changed, "and network characteristics and some of the other identifiers were common across all of the transactions," Austin says. "Seeing the FBI alert helped us see this was a larger trend."
Only a handful of Guardian's bank and credit union customers were hit, but the attack was not concentrated. Banks and credit unions in various geographic locations saw transactions from China that were allegedly approved by their commercial customers.
The whole incident proves authentication, multifactor or not, just isn't enough anymore.
"The whole authentication and malware phenomenon is a cat-and-mouse game," Austin says. "Fighting malware with authentication is a losing battle." It's a bold statement, but one I'm leaning toward agreement with. If the breach of RSA's SecurID tokens wasn't enough to convince me, well, this case of ACH fraud from China should be.
The future of online security must rely on layered approaches. What investment is your institution prepared to make in 2011?