The sheer volume of personal banking data and the ease with which it can be accessed is staggering. Don’t for a moment think that cost or lack of skill is a barrier to entry into the shady world of “carding” and online financial fraud. Logon details for online banking are usually sold at a price expressed as a percentage of the available balance on the account. Today, bank accounts are available online for as little as 3%, including personal, business and offshore accounts.
For “n00bs” (newbies), more experienced fraudsters post tutorials on the underground forums where these details are bought and sold. One article, “Bank transfers for newbies or how to make your first 1000$”, explains the process: it clarifies what extra information the fraudster needs and how to avoid triggering the monitoring systems designed to flag fraudulent transactions.
It is no surprise that a large majority of stolen banking credentials come from American victims. America is a large monoculture and uses a common language, whereas in Europe language skills often become a necessity when committing online fraud. Also, and importantly, when online banking security in the US is compared to the security mechanisms deployed in Europe, it comes off a poor second. Online banking in the US still tends to rely on simple user name and password combinations. In the rare cases where a confirmation number is required, it is often sent to the customer’s email account, which is also easy for a criminal to compromise. This is called “single-factor authentication”: it is based purely on “something you know”, in this case your password.
In Europe, two-factor authentication has been common for years. Germany and France were using two-factor authentication even in the days before the internet, for BTX and Minitel banking respectively. Two-factor authentication involves a user name and password, the “something you know”, as well as an additional piece of information, often based on “something you have”. In Germany this works through a TAN (Transaction Authentication Number), a sheet of one-time-use numbers sent regularly to each customer. Some banks use a mobile TAN sent by SMS to the customer’s mobile phone; some send hardware tokens to all customers, which generate random codes; and some offer bank or ID card reading devices which ask for your PIN and then generate a confirmation code. In most instances these codes are required whenever a customer is moving money around or making a payment.
These kinds of technologies mean that the US is considered the “low-hanging fruit” for online banking fraud, and until financial institutions invest in the necessary deterrent technology, it will remain so.
That being said, two-factor authentication technology may not be familiar to even some European banking customers, because (as was the case with chip and PIN cards) certain European countries have also been guilty of tardiness in deploying security technologies for online banking. So, if your bank doesn’t require this additional security, you can bet that cybercriminals know this and that your bank and your account will be targets.
Obviously you as a customer need to have confidence in your banking institution; you need to be sure that they are doing all they can to protect your data while it is in their possession. Regulations such as PCI-DSS can help here, although it is important to remember that “compliant” does not automatically mean “secure”. Banks should encrypt all data at rest on their systems and preferably data in motion across their own and, importantly, public networks (PCI-DSS only calls for encryption on public networks, for example). You should demand that your bank implement some form of two-factor authentication when making transactions, especially through online banking systems, but also consider the security of telephone banking. Importantly, verify what kind of fraud protection your financial institution offers, and if you don’t find it satisfactory, then consider switching banks.
Aside from the credential theft described above, instances of dedicated banking Trojans have been on the increase since around 2004, with the techniques used growing in complexity as the arms race between criminals and banks escalates. In addition to the classic phishing email campaigns we are all familiar with, the initial banking Trojans were normally simple keyloggers designed to grab all keyboard input and funnel it back to the criminals. These soon evolved into keyloggers that would attempt to filter out non-banking-related input. The next major development was screen-capture Trojans, using either still images or video capture, designed to follow the cursor or pointer position and defeat “on-screen keyboard” password entry systems. As banks began to deploy ever more complex credential systems, so the Trojans increased in capability. In order to defeat one-time password systems, we have now seen Trojans that can hijack the user session and intercept one-time passwords and session IDs before they reach the bank. In this way the passwords and IDs are still recorded as unused by the bank and can be reused by the criminal at a later time. Session hijacking can also be used to modify the transaction details sent by the end-user before they reach the bank, thus diverting funds into criminal accounts.
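The confirmation codes produced by the card-reading devices mentioned in the two-factor discussion above are the direct countermeasure to the session-hijacking Trojans just described, provided the code is bound to the transaction itself. The following Python sketch is an added example, not code from the original article or from any bank; it assumes a simplified scheme in which the code is an HMAC over a counter, the payee and the amount under a per-customer token secret, and shows the bank-side check rejecting both a payee modified in transit and a replayed code.

```python
import hmac
import hashlib


def confirmation_code(secret: bytes, counter: int, recipient: str, amount_cents: int) -> str:
    """Code a customer's token would display for one specific transaction.

    Constructed scheme: an HMAC over counter, payee and amount, so a code
    shown for one payment is useless for any other payment."""
    msg = f"{counter}|{recipient}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Truncate to 6 decimal digits, as hardware tokens do for readability.
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class BankVerifier:
    """Bank-side check: accept a code only for the exact transaction it was
    generated for, and only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_counters: set[int] = set()

    def verify(self, counter: int, recipient: str, amount_cents: int, code: str) -> bool:
        if counter in self.used_counters:
            return False  # a replayed (previously intercepted) code
        expected = confirmation_code(self.secret, counter, recipient, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # payee or amount changed in transit, or a bad code
        self.used_counters.add(counter)
        return True


def demo() -> dict:
    # Constructed sample data: a per-customer token secret and one payment.
    secret = b"constructed-per-customer-token-secret"
    bank = BankVerifier(secret)
    counter, payee, amount = 17, "PAYEE-ACCOUNT-PLACEHOLDER", 150_00
    code = confirmation_code(secret, counter, payee, amount)  # shown to the customer

    return {
        # the payee was rewritten before the request reached the bank
        "modified_rejected": not bank.verify(counter, "OTHER-ACCOUNT-PLACEHOLDER", amount, code),
        # the genuine transaction is accepted
        "genuine_accepted": bank.verify(counter, payee, amount, code),
        # the same intercepted code submitted a second time is rejected
        "replay_rejected": not bank.verify(counter, payee, amount, code),
    }
```

A plain one-time password that is not tied to the payee and amount would pass the first check, which is exactly the gap the transaction-modifying Trojans exploit.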
If you receive a communication that you were not expecting, whether by telephone, email, SMS or carrier pigeon, and that communication asks you to give up sensitive information, do not respond. Do not reply to the email or SMS, do not talk to the person on the other end of the telephone, and do not click on any links provided to you. Instead, note the name of the company the communication is supposedly from and contact them directly to find out whether they indeed have something they wish to tell you. Contrary to some advice I have seen, I would not advise immediate deletion of the SMS or email, as its contents may be helpful to the organisation that is being impersonated.
Always keep the antivirus software on your home machine up to date and switched on, never use public computers for personal business, and run regular scans of your computer for malware that may not have been discovered (or discoverable) at the time you downloaded it. The role of the security industry in all this is to help ensure that the criminals are unsuccessful in their endeavours, by providing the tools both to banking institutions and to end-users that enable them to be adequately protected and, importantly, forewarned when they may be stepping into danger.