The story is all too common. Malicious software infiltrates an unsuspecting victim's computer. The malware steals the victim's password and user name and gains access to his or her online bank accounts. Oftentimes, the perpetrator steals the victim's funds through fraudulent wire transfers and ACH transactions, and the money ends up in accounts overseas, where the likelihood of recovery quickly diminishes. This year, banks and businesses alike experienced an increased level of cyber-attacks aimed at hijacking online banking accounts.

Although the crime itself is not new, the reason for concern is simple: hacking software is more sophisticated than ever, making detection and prevention more difficult. Because the legal boundaries for the liability of banking institutions are still evolving, this increasing sophistication poses a significant challenge.

Malicious software bypasses bank security
Some of today's most advanced malware can compromise security tokens and authentication techniques, demonstrating that even two-factor and multi-factor security techniques are vulnerable. Real-time Trojan horses—such as Clampi and Zeus—can allow the fraudster to use two- or multi-factor authentication security to steal banking credentials, thereby causing a weak link in the financial security chain. Other infections rewrite the bank's login screen that displays on the victim's computer and intercept the victim's credentials before they reach the bank's Web site.

A significant part of the growing threat to online banking is Zeus variants like the Mariposa botnet, which injects content directly into Internet pages and intercepts credentials, preventing the user from sending them to legitimate sites. Luckily, online security firms and other officials shut down the Mariposa botnet in March, but not before its impact was felt worldwide.



Identifying the weakest link
Some banks are looking beyond their own security systems and focusing on what they perceive as their weakest security link: the user. A number of types of software are available to banks to help in their efforts to combat unauthorized intrusions. For instance, one type allows banks to remotely analyze the computers of hacked customers. The customer, upon suspecting a breach, downloads the software onto his or her computer, at which point the bank performs a quick search for any digital tracks, software, or other evidence the online hackers may have left behind. The information the software gathers can better inform banks of where attacks originate, along with their patterns and trends, and, hopefully, lead to the eventual recovery of lost funds. Other types of software are designed for business banking systems; they evaluate risk based on individual online actions and rate overall session activity by identifying inconsistent behaviors for each user.

So, the account has been hacked, now what?
The Electronic Funds Transfer Act and Regulation E protect consumers' online banking transactions from fraudulent electronic money transfers. Business accounts, on the other hand, must look elsewhere for similar protections. The Uniform Commercial Code Article 4A governs the allocation of fraud losses arising from funds transfers for business accounts. Under Article 4A, the bank will be held accountable for fraud losses only if it failed to follow a series of procedures, including adopting commercially reasonable security measures.

But what exactly does "commercially reasonable security measures" mean? Generally, banks have followed the practice that as long as the security the bank establishes and follows has been in line with commonly accepted commercial practices within the industry, then these security measures passed muster. Lately, however, this practice has not been as clear as it once was. In fact, this very question, that of what exactly constitutes commercially reasonable, is at the center of several ongoing lawsuits, particularly one currently being heard in a Texas court.

Will this case, and the others that will follow, reshape the approach to secure online banking by establishing new standards that outline what counts as commercially reasonable security? And will those new standards require banks to upgrade to software designed to spy on the bad guys, monitor consumers' activities, or both? In reality, fraudulent penetration of banking security systems will occur no matter how sophisticated or reasonable the security measure. But as more consumers and businesses move to online banking, commercially reasonable expectations for securing online transactions should be calibrated against the technological sophistication of hackers and their software to improve detection and protection against online banking fraud.

By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.