Cyberattacks raise e-banking security fears

Government, business groups urge banks to upgrade security controls as attacks grow

1 2 Page 2
Page 2 of 2

"The good news is there are plenty of effective fraud-detection and authentication solutions that can and are thwarting these attacks when employed by the banks," she said. "The bad news is that many banks are not using these solutions and the bank regulators are not paying adequate attention to this."

Regulators such as the FDIC and the federal Office of the Comptroller of the Currency have so far not enforced their own recommendations for strong authentication. "The bank examiners are really behind the eight ball on this," Litan said.

Paul Smocer, vice president of security at BITS, an industry consortium representing the 100 largest financial institutions in the U.S, said there has been a "real uptick in sophistication" in cyberattacks targeting commercial accounts over the past six months or so.

Such attacks are seriously testing token-based authentication measures that have been used by banks for many years, Smocer said.

"Until fairly recently, token-based authentication was considered to be very strong," he said. However, as banking malware becomes increasingly sophisticated, "token methodology is not as strong as it has been historically."

Smocer said there is a rapidly increasing need for context-aware and out-of-band authentication tools as well as monitoring tools that are capable of detecting fraud by comparing current transaction patterns against historical behavior. "We are starting to see a lot of our members move in that direction," he said.

BITS has started advising members on ways to identify accounts used by so-called money mules to transfer stolen money to overseas bank accounts. "By working with law enforcement, we are seeing patterns beginning to emerge with regard to the nature of the activity that mules often engage in," Smocer said.

The attacks are pushing bodies such as the American Bankers Association to ask members to review internal security controls.

In a February alert, for example, the ABA asked banks to be on the alert for funds-transfer fraud involving small and medium-size businesses. The alert specifically cited "large-value" payments to previously unknown payees, unusual international payments and new accounts "with high-value, high-volume transactions [and] previously unfunded accounts with large-value incoming funds that are cashed out as soon as funds are cleared."

The bankers association is "strongly recommending" that banks review existing controls, such as their anti-money-laundering tools, to determine whether features can be added to fulfill the recommendations, said Doug Johnson, senior policy adviser at the ABA. The ABA is also advising members to implement multiple layers of security for detecting fraud in much the same way that credit card companies have for years, he added.

"Cybersecurity is always an arms race. It is incumbent upon financial institutions to be vigilant. If the exploits change, the defenses have to change with them," said Johnson who is the ABA's representative on Financial Services Sector Coordinating Council. "We are obviously very much concerned about the potential for these exploits to really damage the relationship between the customer and the bank, and we will do everything in our power" to alleviate the situation, he added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, send e-mail to or subscribe to Jaikumar's RSS feed .

Copyright © 2010 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon