Business banking: Liable for trojan fraud and flying blind
24 September, 2012 10:39
Banks wear the cost of online banking fraud against consumers, but do not for businesses which are often not told how it occurred or under what conditions reimbursements are given, says European Union security advisor, Marnix Dekker.
Exactly how much businesses lose each year to online banking fraud is not well known, but those caught out -- for example, by a Zeus or SpyEye banking trojan that wires money to an offshore money mule -- can expect to be held liable for those losses.
“If a consumer is attacked by skimming or any other kind of attack, the bank will just pay the money back to the consumer and the whole thing is over. But with businesses, they often don’t do that,” Dekker, a security expert at the European Network and Information Security Agency (ENISA), tells CSO.com.au.
Security vendors McAfee and Guardian Analytics earlier this year estimated the value of attempted automated bank fraud in the 2012 “High Roller” campaigns, affecting large account holders across Europe, Latin America and the US, at 2 billion euros.
In that case, Zeus and SpyEye were used to break business account holders’ two-factor authentication systems -- the smartcard/physical reader and PIN combination commonly required for online banking in Europe. The attackers hit 5,000 primarily business accounts across two banks in the Netherlands, taking advantage of higher transfer limits that don’t raise alarm bells if they are directed offshore. The attackers attempted to shift over €35 million (AU$43 million) to money mules.
As Dekker points out, since these were business customers, whose liability is determined by a contract, it was their loss, not the bank’s, yet the banks set the security bar and do not release information about these attacks.
“Banks just keep it for themselves,” he says.
Can business break a bank’s old hoarding habits?
If a business bears the risk of online banking fraud, they should be demanding to know more about how it happens and what exposure they face, argues Dekker.
“Businesses should raise this with their banks and they should look better at the bank’s security measures,” Dekker argues.
“Where the businesses are paying the bill, I just don’t understand why they accept a lack of transparency.”
Businesses should know how frequently fraudulent transactions occur and under what circumstances they would be reimbursed.
Banks on the other hand should protect high value accounts, place ceilings on transactions, make lists of bank accounts where these accounts usually move their funds to, and in general try to detect fraud and limit damages, says Dekker.
The information deficit is a two-sided affair: neither bank nor customer has an incentive to release details about compromised accounts. The price is the absence of data that businesses could use to understand and manage online banking risks.
“A bank cannot easily start to be transparent about an incident, because the customers involved in the incident may feel exposed. Some kind of legal backing would be very good to kick start more transparency,” Dekker points out.
Also, the nature of the relationship between banks and customers leaves the customer at the whim of the bank’s conditions.
“Right now the bank is imposing a lot of requirements on the user in the way he’s banking, what kind of authentication he uses, the length of passwords, the obligation to use a token before every transaction. But vice versa customers are not really asking banks if they have secure systems,” Dekker observes.
It’s not clear yet whether Europe’s proposed Cyber security strategy will include mandatory reporting of financial breaches of this kind, but Dekker believes the EU strategy could help to address the current dearth of information available to assess these risks.
Today, businesses must work with patchy, opaque and infrequent reports from official sources. The Dutch Central Bank, for example, reports annual general online banking fraud losses, while the banking sector in Europe’s biggest economy, Germany, provides nothing. The UK Home Office reported a 14 per cent uptick in general (non-card) online bank fraud to £60 million (AU$93 million). The Australian Payments Clearing Association meanwhile reports “card not present” fraud, representing fraudulent online purchases using debit or credit cards, but not fraudulent cash transfers in online banking attacks.
If you want to be sure, run from a Linux LiveCD
The classic scenario in which business customers are over-exposed is where the bank imposes only a bank-issued one-time password (OTP) token to log in and authorise transactions.
The best-known threat that defeats OTP authentication is the “man in the middle” attack, which occurs when a remote attacker leads the victim to a false phishing page -- or manipulates the real page using some malware -- so that it looks like the real banking site and the user does not see what transaction is really going on in the background.
The Zeus and SpyEye malware used in the “High Roller” campaign did just this.
“It is easy to sit between the bank and user. When the bank asks for a special number as a confirmation of the transaction, you, as the attacker, you just pretend to be the bank and ask the user to give this number. This works even when this number is not fixed but changing every time. Once you have it you just replay the number to the bank and finish the transaction,” explains Dekker.
It was this type of authentication flaw that prompted ENISA to last month issue a “flash note” advising the financial sector to assume that all customer PCs were compromised. Among other things, it urged banks to look at transaction confirmation, including the sum and the destination account, via a trusted device, such as a smartphone, or an out-of-band channel, such as SMS. “We’re not saying banks are naïve, but we do see a number of authentication systems used by banks that don’t seem to be based on the assumption that the PC can be infected,” says Dekker.
To sidestep these attacks, banking customers with high sums on their accounts should run their banking session on a Linux Live CD.
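To make the flaw and ENISA’s remedy concrete, here is an added example (not from the article, ENISA or any bank) that models the bank’s verification step in Python: a code derived only from a session challenge verifies whichever transfer the infected PC submits, whereas a code the trusted device derives from the amount and destination it displayed to the customer fails as soon as either field is altered. The device key, challenge and account numbers are constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    dest_iban: str

# Constructed demo secret shared between the bank and the customer's trusted
# device (assumption: a real deployment provisions a unique key per device).
DEVICE_KEY = b"constructed-demo-device-key"

def plain_otp_code(challenge: bytes) -> str:
    """Weak scheme: the code depends only on the login/session challenge, so it
    proves nothing about WHICH transfer the customer meant to approve."""
    return hmac.new(DEVICE_KEY, challenge, hashlib.sha256).hexdigest()[:8]

def transaction_bound_code(t: Transfer, challenge: bytes) -> str:
    """Hardened scheme (ENISA's advice): the trusted device shows the amount and
    destination to the customer and derives the code from exactly those fields."""
    msg = b"|".join([challenge, str(t.amount_cents).encode(), t.dest_iban.encode()])
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()[:8]

def bank_accepts_plain(submitted: Transfer, code: str, challenge: bytes) -> bool:
    # The submitted transfer is never consulted: any transfer rides on a valid OTP.
    return hmac.compare_digest(code, plain_otp_code(challenge))

def bank_accepts_bound(submitted: Transfer, code: str, challenge: bytes) -> bool:
    # The bank recomputes the code over the transfer it actually received.
    return hmac.compare_digest(code, transaction_bound_code(submitted, challenge))

def altered_transfer_executes(bind_to_transaction: bool) -> bool:
    """Customer approves `intended` on the device; malware on the PC submits
    `altered` instead (constructed values). True means the bank would execute it."""
    challenge = b"constructed-session-challenge"  # fixed so the run is reproducible
    intended = Transfer(150_000, "NL00DEMO0000000001")
    altered = Transfer(999_900, "XX00MULE0000000009")
    if bind_to_transaction:
        code = transaction_bound_code(intended, challenge)
        return bank_accepts_bound(altered, code, challenge)
    code = plain_otp_code(challenge)
    return bank_accepts_plain(altered, code, challenge)

if __name__ == "__main__":
    print("plain OTP, altered transfer executes:", altered_transfer_executes(False))
    print("bound code, altered transfer executes:", altered_transfer_executes(True))
```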
One of the key advantages of this is that the Live CD cannot be altered or infected, Dekker points out, which means users can avoid keyloggers or viruses sniffing the bank customer’s activities.
“A lot of enterprises have some kind of IT capacity and I don’t think it’s very complicated for these officers to just hand out these LiveCDs and explain to the employees that the policy is that if you do financial transactions, then you use the LiveCDs.”
“If you really cannot run from a LiveCD, then it is crucial to make sure that the PC that you use is not used for other things, that interactions with the internet are limited, and that the PC is regularly reloaded with a fresh new image. Think about an automated procedure that puts a new image on these PCs every night just in case it was infected.”