Cybercriminals shift focus to bank employees

The evolution of cybercrime continues. The preferred target in the financial industry is moving from the bank customer to the employee.

That is according to the FBI, which issued a warning earlier this week that the latest trend by cybercriminals is to get employee login credentials, using spam and phishing emails, keystroke loggers, and Remote Access Trojans (RATs).

And the best way to fight it? That leads to the ongoing debate over training vs. technology. While most security experts say both are necessary, and the FBI provides a list of training recommendations and policy protocols to keep employees from giving up the keys to the financial kingdom, some experts like George Tubin, senior security strategist for Trusteer, say improved technology is the only effective solution.

"Part of the solution is training," he said. "But we've been talking about this for so long, trying to educate customers and employees. It has become one of those battles I don't think we're going to win."

"Some of the ploys are so good they could fool almost anyone -- very sophisticated schemes like web injections and email from friends that lead you to open an attachment. The real answer comes in automated technology, to make sure people don't respond to those things," Tubin said.


He also noted that the trend toward employees working at remote branches or at home, the BYOD (bring your own device) trend, and being allowed to surf the web off the corporate network "makes them extremely vulnerable."

Brian Berger, vice president at Wave Systems, agrees. "Users are going to be users no matter how strong the security awareness education is, so it is critical that organizations have a counter measure in place to help mitigate threats like these," he said. "Specifically, hardware authentication through the Trusted Platform Module (TPM) makes it so the criminals couldn't penetrate even if the employee had a misstep."

Kevin Flynn, a senior product manager at Fortinet, compares training to driver education for teens. "Drivers Ed may help reduce accidents but it doesn't necessarily make teenagers safe drivers," he said. "Security belongs in the network."

However, Scott Greaux, vice president product management and services at PhishMe, said, "Education is an organization's best defense against these threats but those efforts need to break away from the traditional security awareness model and employ creative and immersive education techniques such as mock phishing exercises that both improve awareness and increase retention."

Greaux doesn't rule out better technology as a factor. But he said the human element can heighten security in protocols. "Financial institutions should implement a mix of random and threshold based reviews for all wire transfers," he said. "This will add an extra layer of human interaction with transactions making it more challenging for fraudulent transfers to go unnoticed."

The potential damage from stolen credentials is obvious. With that information -- especially if they have the credentials of more than one employee -- criminals can access the accounts of any customer. The FBI did not name any specific banks, but said that "small-to-medium sized banks or credit unions have been targeted in most of the reported incidents..."

However, the agency did say a few large banks have also been affected. In those cases, the criminals were able to conduct unauthorized wire transfers overseas. The FBI said the amounts have ranged between $400,000 and $900,000. And in at least one case, "the actor(s) raised the wire transfer limit on the customer's account to allow for a larger transfer."

But the damage goes beyond monetary. It is one thing for a customer to be hacked or fall for a malware scam, but Tubin said it was "totally different" for a financial institution itself to be compromised. "The damage to the reputation of a large institution could be devastating. That's the last thing a bank needs is to be compromised."

No matter how good the technology, the FBI recommends a number of basic precautions that financial enterprises should take. Among them: Remind employees not to open attachments or click on links in unsolicited emails; do not allow employees to access the Internet freely, or personal or work emails on the same computers used to initiate payments; do not allow employees to access administrative accounts from home computers or laptops connected to home networks; and ensure employees do not leave USB tokens in computers used to connect to payment systems.

Financial institutions should also monitor employee logins that occur outside of normal business hours; implement time-of-day login restrictions for the employee accounts with access to payment systems; and restrict access to wire transfer limit settings, the FBI said.
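
One way to implement the monitoring described above, as an added example that is not from the FBI warning or the original article: it flags off-hours logins by accounts with payment-system access and escalates any wire-limit increase that follows such a login. The log layout, role names, business hours and one-hour correlation window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, time, timedelta

# Assumptions for this sketch: business hours, role names and the log layout
# are hypothetical; adapt them to your own authentication and banking logs.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
PAYMENT_ROLES = {"wire_ops", "payments_admin"}
CORRELATION_WINDOW = timedelta(hours=1)

# Constructed sample events: "<ISO timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2024-03-04T09:12:44 login user=asmith role=wire_ops
2024-03-04T10:01:10 limit_change user=asmith account=ACCT-A old=50000 new=60000
2024-03-05T02:14:07 login user=jdoe role=wire_ops
2024-03-05T02:20:31 limit_change user=jdoe account=ACCT-B old=50000 new=900000
2024-03-09T11:30:00 login user=bteller role=teller
2024-03-09T11:45:00 login user=asmith role=payments_admin
"""

def parse(line):
    ts, event, *pairs = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            **dict(p.split("=", 1) for p in pairs)}

def off_hours(ts):
    # Weekends (weekday() >= 5) and anything outside the window count as off-hours.
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def review(log_text):
    alerts, last_off_hours_login = [], {}
    for ev in map(parse, filter(None, log_text.splitlines())):
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "login" and ev["role"] in PAYMENT_ROLES and off_hours(ts):
            last_off_hours_login[user] = ts
            alerts.append(("OFF_HOURS_LOGIN", user, ts.isoformat()))
        elif ev["event"] == "limit_change" and int(ev["new"]) > int(ev["old"]):
            # Every limit increase is reviewed; one soon after an off-hours
            # login by the same user is escalated.
            prior = last_off_hours_login.get(user)
            linked = prior is not None and ts - prior <= CORRELATION_WINDOW
            kind = "LIMIT_RAISED_AFTER_OFF_HOURS_LOGIN" if linked else "LIMIT_RAISED"
            alerts.append((kind, ev["account"], ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert)
```

Detection like this complements, rather than replaces, enforcing the time-of-day restriction at the authentication layer and limiting who can change wire-limit settings at all.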

Roger Thompson, chief emerging threats researcher at ICSA Labs, doesn't debate training vs. technology. He says both are critical: "The best way to do security is think Swiss cheese. Any given layer has lots of holes in it, but if you arrange your cheese slices in layers, they cover up each other's holes. In other words, no one layer has to be anywhere near perfect, provided there are enough layers."
