By Sarah Fender
Vice President, PhoneFactor
877-688-6536
www.phonefactor.com

November 2010

Recent forecasts predict $1 billion in online banking fraud losses in the US this year. As the incidence of online banking fraud rises to an unprecedented level, retail and commercial banking customers are growing increasingly dependent on their trusted service providers to insulate them from these threats. In addition, more sophisticated threats have emerged that redefine established security best practices and make many of the security measures in place today obsolete.

The most prevalent threats include online banking trojans, which are used to harvest credentials and launch Man-In-The-Middle (MITM) attacks, and both targeted and wide-scale phishing attacks. The magnitude of their infiltration into the financial services sector is astounding, impacting the largest banks as well as community banks and both their retail and commercial account holders. 

This whitepaper will look at how these threats affect online banking, customer perceptions about risk and financial responsibility, and the role of out-of-band authentication in protecting against online banking fraud.

The Current Threat Landscape
Malware poses the single greatest threat to online banking today. It is rapidly evolving, defeats many of the security measures currently in place, and infects a staggering number of computers. An APWG report released in early 2010 indicates that 53% of the more than 21 million scanned computers were infected with malware. 1 Nearly 15% (3 million+ computers) were infected with malware designed specifically to target online banking. The ZeuS trojan alone is said to have infected hundreds of thousands of computers and penetrated 90% of the Fortune 500.

These online banking trojans, which are used to harvest credentials and launch Man-In-The-Middle (MITM) attacks, have become increasingly sophisticated since the introduction of the SilentBanker Trojan in late 2007. SilentBanker heralded the emergence of real-time malware-driven attacks targeting online banking. Unlike passive attacks, such as phishing schemes that are used to obtain account credentials for use by the attacker at a later time, MITM attacks target live online banking sessions. Attackers use malware running on the user’s computer to infiltrate active online banking sessions and transfer funds to “mule” accounts.

Because MITM attacks defeat security questions, device IDs, one-time-passcodes, and most other security measures, their use has grown exponentially since SilentBanker. Today, online banking trojans are responsible for millions of dollars in fraudulent financial transactions each month. As online fraud losses mount, a debate about who is financially responsible (the bank or the account holder) has begun, and a number of related lawsuits have been filed. 

A recent case between Hilary Machinery and Plano Capital illustrates the financial and legal issues raised by this new wave of online fraud. Hilary Machinery suffered an attack by ZeuS in January of 2010. Working with their bank, Hilary Machinery was able to retrieve all but $200,000 of the more than $800,000 stolen from their account. Plano Capital was unwilling to reimburse the balance, noting that the bank had implemented “reasonable” internet banking security measures. Interestingly, Plano Capital was FFIEC compliant, but they were not using out-of-band authentication.  The two organizations later settled out of court for an undisclosed amount.

In addition to these more sophisticated attack vectors, password phishing continues to plague the financial services sector with no end in sight. The APWG Phishing Activity Trends report indicates that phishing in Q1 of 2010 was down from the all-time high in late 2009, but still going strong with an average of 28,000 unique phishing reports each month.

The Role of Out-of-Band Authentication
Emerging security concerns posed by malware, particularly online banking trojans, require the use of an out-of-band authentication mechanism.

Because online banking trojans run on the same computer that is used for online banking, the trojan can hijack a user’s banking session without being detected by the online banking application or the end user. The user logs in as he normally would with a username and password. Once the user is authenticated, so is the attacker. The attacker can initiate new transactions, such as ACH and wire transfers, and reroute the user’s valid transactions to “mule” accounts. In some cases, the attacker just takes over the user’s session and displays a message to the user that the banking website is currently unavailable.

Online banking trojans are impervious to one-time passcode technologies and most other strong authentication methods available today. Security tokens and SMS text methods that require a user to enter a one-time-passcode into the banking website are easily defeated by MITM attacks. The trojan simply intercepts the passcode or injects itself into the banking session after the passcode has been entered.

To protect customers against MITM attacks from online banking trojans, as well as provide the strong authentication needed to prevent the use of account credentials gained through phishing and other means, an additional layer of authentication must occur through a separate out-of-band channel. The telephone network is an ideal second channel for authentication. An automated phone call or text message provides an instant and easy-to-use method for confirming online banking logins and verifying ACH and wire transfers.

When a transaction is initiated, an automated phone call or text message can be sent to the user’s registered phone number. The user is asked to verify the specific transaction.

“This is Your Bank calling to verify the transfer of $50,000 to account 10015 at Bank of Nigeria.”

If the transaction is valid, the user simply presses # (or a PIN) or replies to the text message to approve the transaction. If the user does not answer the call or respond to the text message, the transaction is denied or flagged for further review. In addition, the user can report fraudulent transactions by simply entering 911# during the call or in the text message reply. This locks the account and sends an instant notification to the bank’s fraud response team. Because the transaction is verified across the telephone network (there are no passcodes to enter into the banking website), it is completely out-of-band and not vulnerable to MITM attacks.

Phone-based authentication also offers easy, cost effective biometric voice authentication. Unlike biometric methods that require a fingerprint reader or other scanning device, adding a third factor of authentication using phone-based authentication is seamless. Rather than pushing # during the call, the user can be prompted to speak a secret passphrase to authenticate. Biometric authentication offers the strongest level of out-of-band security available. 

Security as a Competitive Advantage
Financial institutions from the largest on Wall Street to the local on Main Street are adopting out-of-band authentication to protect their customers from online fraud. As attackers become more sophisticated, customers rely more heavily than ever on their service providers to deliver the best options in a competitive marketplace. Meeting minimum requirements laid out by regulatory agencies is not viewed as sufficient by banking customers fearful of finding their bank accounts plundered by cyber criminals. A small marketing company was recently forced into to bankruptcy after fraudulent wire transfers depleted their account of $164,000 in operating capital. Fear is a powerful driver – playing a significant role in a customer’s loyalty to a financial institution.

Customers are raising the bar of expectations. Not only do they expect their financial institutions to offer appropriate measures to protect them, if the institution fails to do so, customers are taking their business elsewhere. According to a recent Ponemon study, 40 percent of businesses said they have moved their banking activities elsewhere after a fraud incident. 2 This is further validated by a related Ponemon report indicating that more than 60 percent of the costs of a data breach are the result of reduced new customer acquisition and increased customer churn. 3 On the flip side, financial institutions that are offering additional security services to their customers are seeing increases in customer retention.

• Consumers perceive significant weakness in online banking safety. Sixty-four percent of those surveyed felt it was only “somewhat difficult” or “not at all difficult” for a hacker or thief to get access to an online banking account.

 

• Ninety-three percent of survey respondents indicated some level of interest in out-of-band authentication using a phone,  with 48 percent indicating they would be “extremely” or “very” interested.

 

• Not only were respondents interested in phone-based out-of-band authentication, but as many as 3 in 5 (60 percent) indicated a willingness to pay a monthly fee for the service.

 

• Results indicate that out-of-band authentication would be a driver to switch banks for up to 34 percent of respondents.