Business banking: Liable for trojan fraud and flying blind

Businesses face 'all care, no responsibility' online banking, and when trojans can bust two-factor authentication, businesses should be demanding more transparency from their banking suppliers.

Banks wear the cost of online banking fraud against consumers, but do not for businesses which are often not told how it occurred or under what conditions reimbursements are given, says European Union security advisor, Marnix Dekker.

Exactly how much businesses lose each year to online banking fraud is not well known, but those caught out -- for example, by a Zeus or SpyEye banking trojan that wires money to an offshore money mule -- can expect to be held liable for those losses.

“If a consumer is attacked by skimming or any other kind of attack, the bank will just pay the money back to the consumer and the whole thing is over. But with businesses, they often don’t do that,” Dekker, a security expert at the European Network and Information Security Agency (ENISA), tells CSO.com.au.

Security vendors McAfee and Guardian Analytics earlier this year estimated the value of attempted automated bank fraud in the 2012 “High Roller” campaigns, affecting large account holders across Europe, Latin America and the US, at 2 billion euros.

In that case, Zeus and SpyEye were used to break business account holders’ two-factor authentication systems -- the smartcard/physical reader and PIN combination commonly required for online banking in Europe. The attackers hit 5,000 primarily business accounts across two banks in the Netherlands, taking advantage of higher transfer limits that don’t raise alarm bells if they are directed offshore. The attackers attempted to shift over €35 million (AU$43 million) to money mules.

As Dekker points out, since these were business customers, whose liability is determined by a contract, it was their loss, not the bank’s, yet the banks set the security bar and do not release information about these attacks.

“Banks just keep it for themselves,” he says.

Can business break a bank’s old hoarding habits?

If a business bears the risk of online banking fraud, they should be demanding to know more about how it happens and what exposure they face, argues Dekker.

“Businesses should raise this with their banks and they should look better at the bank’s security measures,” Dekker argues.

“Where the businesses are paying the bill, I just don’t understand why they accept a lack of transparency.”

Businesses should know how frequently fraudulent transactions occur and under what circumstances they would be reimbursed.

Banks on the other hand should protect high value accounts, place ceilings on transactions, make lists of bank accounts where these accounts usually move their funds to, and in general try to detect fraud and limit damages, says Dekker.

The information deficit is a two-sided affair: neither bank nor customer has an incentive to release details about compromised accounts. The price is the absence of data that businesses could use to understand and manage online banking risks.

“A bank cannot easily start to be transparent about an incident, because the customers involved in the incident may feel exposed. Some kind of legal backing would be very good to kick start more transparency,” Dekker points out.

Also, the nature of the relationship between banks and customers leaves the customer at the whim of the bank’s conditions.

“Right now the bank is imposing a lot of requirements on the user in the way he’s banking, what kind of authentication he uses, the length of passwords, the obligation to use a token before every transaction. But vice versa customers are not really asking banks if they have secure systems,” Dekker observes.

It’s not clear yet whether Europe’s proposed Cyber security strategy will include mandatory reporting of financial breaches of this kind, but Dekker believes the EU strategy could help to address the current dearth of information available to assess these risks.

Today, businesses must work with patchy, opaque and infrequent reports from official sources. The Dutch Central Bank, for example, reports annual general online banking fraud losses, while the banking sector in Europe’s biggest economy, Germany, provides nothing. The UK Home Office reported a 14 per cent uptick in general (non-card) online bank fraud to £60 million (AU$93 million). The Australian Payments Clearing Association meanwhile reports “card not present” fraud, representing fraudulent online purchases using debit or credit cards, but not fraudulent cash transfers in online banking attacks.

If you want to be sure, run from a Linux LiveCD

The classic scenario in which business customers are over-exposed is where the bank imposes only a bank-issued one-time password (OTP) token to log-in and authorise transactions.

The most well-known threat that defeats OTP authentication is the “man in the middle” attack, which occurs when a remote attacker leads the victim to a false phishing page -- or manipulates the real page using some malware -- so that it looks like the real banking site and the user does not see what transaction is really going on in the background.

The Zeus and SpyEye malware used in the “High Roller” campaign did just this.

“It is easy to sit between the bank and user. When the bank asks for a special number as a confirmation of the transaction, you, as the attacker, you just pretend to be the bank and ask the user to give this number. This works even when this number is not fixed but changing every time. Once you have it you just replay the number to the bank and finish the transaction,” explains Dekker.

It was this type of authentication flaw that prompted ENISA to last month issue a “flash note” advising the financial sector to assume that all customer PCs were compromised. Among other things, it urged banks to look at transaction confirmation, including the sum and the destination account, via a trusted device, such as a smartphone, or an out-of-band channel, such as SMS. “We’re not saying banks are naïve, but we do see a number of authentication systems used by banks that don’t seem to be based on the assumption that the PC can be infected,” says Dekker.
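The difference between a plain OTP and the transaction confirmation ENISA recommends, as an added simulation that is not part of the article or of any bank's or ENISA's code: the token secret, counter, account numbers and the HMAC-based code construction are all assumptions made for the demo. A code that depends only on a counter verifies against whatever transfer the infected PC submits; a code that commits to the sum and destination the user was shown does not.

```python
import hashlib
import hmac

# Constructed demo values: a per-customer token secret and a transaction counter.
TOKEN_SECRET = b"demo-token-secret-not-a-real-key"
COUNTER = 42
INTENDED = {"amount": 100, "dest": "NL00-PAYEE-0001"}        # what the user meant to send (constructed)
TAMPERED = {"amount": 35_000_000, "dest": "XX00-MULE-9999"}  # what the infected PC submits (constructed)

def otp_code(secret: bytes, counter: int) -> str:
    """Plain bank-issued OTP: depends only on the counter, not on the transfer,
    so a code the user types into a fake page can be relayed unchanged."""
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:6]

def bound_code(secret: bytes, counter: int, amount: int, dest: str) -> str:
    """Transaction-bound confirmation: the code commits to the sum and the
    destination account that the trusted device displayed to the user."""
    msg = f"{counter}|{amount}|{dest}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]

def bank_accepts(scheme: str, submitted: dict, code: str) -> bool:
    """The bank verifies the code against the transfer it actually received."""
    if scheme == "otp":
        expected = otp_code(TOKEN_SECRET, COUNTER)
    else:
        expected = bound_code(TOKEN_SECRET, COUNTER, submitted["amount"], submitted["dest"])
    return hmac.compare_digest(code, expected)

def tampered_transfer_accepted(scheme: str, intended: dict, submitted: dict) -> bool:
    """Man-in-the-middle as described in the article: the user confirms the
    transfer they see, the infected PC submits a different one. True means the
    bank accepted the substituted transfer, i.e. the defence failed."""
    if scheme == "otp":
        user_code = otp_code(TOKEN_SECRET, COUNTER)
    else:
        user_code = bound_code(TOKEN_SECRET, COUNTER, intended["amount"], intended["dest"])
    return bank_accepts(scheme, submitted, user_code)  # code relayed as-is

def user_confirms_out_of_band(shown: dict, intended: dict) -> bool:
    """SMS-style channel: the bank sends back the sum and destination it received;
    the user confirms only if they match what was intended."""
    return shown["amount"] == intended["amount"] and shown["dest"] == intended["dest"]

if __name__ == "__main__":
    print("plain OTP accepts tampered transfer:", tampered_transfer_accepted("otp", INTENDED, TAMPERED))
    print("bound code accepts tampered transfer:", tampered_transfer_accepted("bound", INTENDED, TAMPERED))
    print("user would confirm tampered SMS:", user_confirms_out_of_band(TAMPERED, INTENDED))
```

The bound scheme only helps when the device that shows the sum and destination is not the same compromised PC, which is why the article pairs it with a trusted device or a separate channel.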

To avoid issues, banking customers with high sums on their accounts should run their banking session on a Linux Live CD.

One of the key advantages of this is that the Live CD cannot be altered or infected, Dekker points out, which means users can avoid keyloggers or viruses sniffing the bank customer’s activities.

“A lot of enterprises have some kind of IT capacity and I don’t think it’s very complicated for these officers to just hand out these LiveCDs and explain to the employees that the policy is that if you do financial transactions, then you use the LiveCDs.”

“If you really cannot run from a LiveCD, then it is crucial to make sure that the PC that you use is not used for other things, that interactions with the internet are limited, and that the PC is regularly reloaded with a fresh new image. Think about an automated procedure that puts a new image on these PCs every night just in case it was infected.”


Comments

itsec

1

I'd suggest that few individuals, and many organisations simply do not have the ability to assess the material that is made available from Banks or other organisations.

Rather, I would argue the case for Governments and industry organisations like APRA to come up with satisfactory minimum standards and sound rating methods that allow consumers to make informed decisions about banks and other organisations offerings.

The following sample from an organisation's statements on security is used to highlight the challenges.
"measures we take to protect you include: ... the use of 128-bit SSL encryption ...".

While the use of 128-bit SSL encryption sounds nice, it isn't until you check what cipher is being used, in this case RC4, that you get an idea that maybe this isn't quite all as good as it sounds.

So which of the following is the problem with the use of RC4? Is it that
a) An out of date cipher is being used, compromising the transmission?
b) The encryption management processes haven't resolved this issue?
c) The security management processes have significant gaps, of which the encryption issue is only the tip of the iceberg?

Using a linux live CD may be a useful approach, however it isn't one that I'd like to recommend to a customer.

Marnix Dekker

2

Taking security measures (like encryption) is fine... but you have to know if it worked. And in the end the customers are only concerned about if it worked: track record, statistics on past incidents, etc. Not so much in what was done to make it work.

I would, by the way, be also interested in knowing why you wouldn't recommend using LiveCDs to customers?

Thanks for the comment, Best, Marnix
