Expect Greater Impact From Online Banking Fraud

CUs’ luck may be running out on the online fraud front.

April 04, 2011

Online banking fraud has escalated to a top concern throughout the financial services industry. Cyber thieves have been compromising accounts through online banking systems at an alarming rate.

Their efforts have focused on small- to medium-sized businesses. However, banking and security publications report that accounts belonging to school districts, city and county governments, and even a Catholic diocese have been pilfered over the last three years.

Credit unions have experienced similar occurrences on member accounts and their accounts at third-party providers of automated clearinghouse (ACH) and wire services. Our industry has been lucky so far and hasn’t experienced online banking fraud to the same extent as banks.

However, it’s quite possible credit unions could soon be impacted on a widespread basis.

The root of the problem has been Trojan keyloggers, primarily the Zeus Trojan. A Trojan keylogger monitors and captures keystrokes, logs them to a file, and sends them to cyber thieves.

The Trojan resides on the user’s computer without their knowledge and is primarily used to capture online banking login credentials.

Trojans like Zeus are spread through phishing e-mails, generally targeting key employees of an organization. Users of popular social networking websites, such as Facebook, also have been targeted.

Cyber thieves transformed Zeus and other banking Trojans into highly customizable toolkits that can avoid detection by antivirus software. Thousands of computers infected with customizable Trojans like Zeus form a botnet, allowing cyber thieves to control the infected machines through command and control centers.

Zeus is used in man-in-browser (MITB) attacks. In an MITB attack, the victim’s browser is infected with the Trojan, which sits patiently waiting for the user to access online banking websites. The customization feature allows cyber thieves to target specific online banking websites.

When the user visits a targeted online banking website, Zeus silently springs to life. After the user is successfully authenticated—even with two-factor authentication, such as a one-time-password generated by a token—Zeus “piggybacks” on the user’s session.

It intercepts and modifies details of a transaction entered by the user and initiates new transactions without the user’s knowledge.

The user may initiate an ACH transfer and enter the transfer amount and destination account. But Zeus’ features allow it to intercept the transaction request and overwrite it by changing the amount and destination account.

The online banking system receives the altered transaction request transferring the funds to the new destination account. The user is unaware of the changes, as their browser displays the transaction information entered by the user.

The Federal Financial Institutions Examination Council is expected to release new authentication guidelines soon for financial institutions. The new guidelines are intended to clarify the agency’s existing guidelines on two-factor authentication issued in 2005 and what institutions need to do to bolster authentication efforts.

To better protect member accounts, consider implementing these measures:

  • A stronger two-factor authentication method, rather than the common method of computer recognition (using cookies) combined with challenge questions;
  • Out-of-band authentication (e.g., by telephone) to authenticate members through a separate communication channel;
  • Fraud detection tools to monitor user access behavior and individual transactions; and
  • Out-of-band transaction verification for large dollar transfers.
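
An added illustration of the last measure (not from the original article or any vendor's product): the message sent over the separate channel repeats the amount and destination account as the server received them, and the confirmation code is bound to those values, so an altered request is visible to the member before funds move. The dollar threshold, key handling, function names and sample transaction are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Assumed policy for this example: transfers at or above this amount
# require confirmation over a separate channel (phone or SMS).
LARGE_TRANSFER = Decimal("5000.00")
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, constructed here


def canonical(txn_id, amount, dest_account):
    """Serialize the request exactly as the server received it."""
    return f"{txn_id}|{Decimal(amount):.2f}|{dest_account}".encode()


def confirmation_code(txn_id, amount, dest_account):
    """Six-digit code bound to the amount and destination the server holds.
    txn_id is assumed unique per request, so a code cannot be reused."""
    mac = hmac.new(SERVER_KEY, canonical(txn_id, amount, dest_account),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def out_of_band_message(txn_id, amount, dest_account):
    """Text for the second channel; None when below the threshold."""
    if Decimal(amount) < LARGE_TRANSFER:
        return None
    code = confirmation_code(txn_id, amount, dest_account)
    return (f"Transfer ${Decimal(amount):,.2f} to account {dest_account}. "
            f"If correct, enter code {code}.")


def release(txn_id, amount, dest_account, code_entered):
    """Release funds only if the code matches the request the server holds."""
    expected = confirmation_code(txn_id, amount, dest_account)
    return hmac.compare_digest(expected, code_entered)


# Constructed scenario: the member typed $6,000.00 to account 1111, but the
# request that reached the server carried a different amount and destination.
received = ("T-1001", "9800.00", "9999")
message = out_of_band_message(*received)
```

Because the message is built from the server's copy of the request, the member sees the $9,800.00 transfer to account 9999 on the phone even though the browser still shows what was typed, and can decline to enter the code.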

KEN OTSUKA is senior analyst, Risk Management, with CUNA Mutual Group. Contact him at 847-612-9653.
