Cybercrime: Banks Are Under Intensive Assault From Cybercriminals

As I promised last week, I'm going to be blogging periodically about various information and articles from the commercial advocacy site with the very apt URL of www.yourmoneyisnotsafeinthebank.org (they also own the .com version of that name, BTW, as I discovered when I just mis-typed the preceding URL with that incorrect extension). Today's blog is based on their articles entitled "Taking Cybersecurity Lessons To The Bank."

The article begins with some interesting statistics about bank-related computer crime all taken from 2009, based on the most recent FBI Uniform Crime reporting information:

• Many cybercriminals use the Zeus malware suite, which conveniently — for cyberthieves, anyway — combines a hard-to-detect Trojan with an equally stealthy keylogger, so that they can use the latter to harvest user activity from a compromised machine, then use the former to ship that harvested information elsewhere on the Internet, presumably to compromise any valuta-bearing accounts or credit cards for which access information may be present (more info on Zeus).

• Cybercrooks attempted to steal nearly $100 million from banks in the first three quarters of 2009, as per the Internet Crime Complaint Center, aka IC3. For 2009 the IC3 Annual Report provides the following scary numbers: 336,655 complaints received, with a total dollar loss of $559.7 million dollars (for an average loss of $1,663 per complaint). In the same year, traditional bank robbers stole about $35 million, with an average loss of $4,029 (for a total of around 8,700 reported incidents of bank theft — a much smaller number than the online complaints overall, and the online bank fraud incidents as well).

The recommendations that this story makes are interesting. These include use of a technology called Network Admission Control, that checks laptops and other devices that have been used off corporate or banking networks for malware, and only admits those that pass rigorous tests for current updates and "clean" status (no malware of any kind can be tolerated). It also mentions use of whitelists (allowed or "legal" URLs and e-mail addresses that users can access or receive, respectively) and blacklists (disallowed or "illegal" URLs and e-mail addresses that will be automatically blocked, and access or reading disallowed). Use of so-called "reputation data" (a kind of crowdsourcing for intelligence about domain names and e-mail addresses based on reports of incidents, malware, spam, and so forth that provides an index value for such addresses), enables companies to set a "safe cut-off point" where reputation values at or above the cut-off are allowed through, and those below are denied. All of these methods help limit exposure to potential attack, and can thus also help limit losses.

Only through a combination of such controls and technologies, use of segregated systems (users should not read e-mail on the same machines they use to send or receive electronic funds transfers), and rigorous user education and periodic reminders and retraining, can the banking industry come around to dig itself out of its present hole, and stay out of that hole from here on out. Individuals, home networks, and even small businesses are urged to do likewise.