The indictments unveiled last week against dozens of people who allegedly helped loot millions of dollars from U.S. businesses via online corporate account takeovers highlights the struggle by financial firms to fight fraud.
Over the past two years, corporate account takeovers by cybercriminals have cost U.S. businesses more than $100 million, according to FBI estimates.
In most cases, the thefts have been perpetrated by gangs in Eastern Europe who used the Zeus banking Trojan to break into computers belonging mainly to small businesses and small municipalities in the U.S. The malware has been used to steal online banking credentials and access corporate accounts so the thieves could transfer money into fraudulent accounts set up by hundreds of U.S.-based accomplices, often called "money mules."
Most of the illegal transfers were unauthorized Automated Clearing House (ACH) transactions from the victim's account to the money mule.
The U.S Attorney's Office in New York City said Thursday it had indicted 37 such money mules for helping crooks based in Russia and several East European countries siphon off more than $3 million in stolen funds. In a joint announcement, Manhattan's District Attorney Cyrus Vance announced indictments against another 36 people for their participation in a similar operation.
The charges in the U.S. followed similar arrests in the UK, where authorities on Tuesday charged 11 Eastern European citizens in connection with the same scam.
The arrests mark a small, but significant, victory for law enforcement officials and financial industry representatives, analysts said. But they do little to ameliorate the urgent need for better protection against future scams.
"It is tremendous news," said Dennis Simmons, president and CEO of SWACHA, a Texas-based financial trade association that counts many financial institutions as its members. SWACHA is also part of a new Corporate Account Takeover Working Group that was established by the Financial Services Information Sharing and Analysis Center (FS-ISAC) earlier this year.
"One of the frustrations we have had with these account takeovers is the lack of jurisdiction" U.S. authorities face when pursuing the East European criminal gangs behind the thefts, he said. But going after the money mules will send a strong signal and should deter some illegal activity. Even so, "it's like that old joke: 'What would you say you have when you round up three hackers? A start,'" he said.
Doug Johnson, senior policy adviser at the American Bankers Association, called the arrests a big step forward. "Just to have an international mule network such as this taken down is a real victory," he said.
Such takedowns make it harder for crooks to siphon off stolen money, he said. "This is something that law enforcement and [the financial industry] have been working very aggressively to achieve."
Now, the goal is to keep the pressure on, he said.
"The FS-ISAC Account Takeover Task Force has become a very vibrant collaborative effort with financial institution, trade association, bank regulatory agency and law enforcement participation," Johnson said. Three working groups are now focused on finding ways to prevent, detect and respond to account takeovers.
The groups are developing a set of recommended business practices in areas such as account opening processes, evaluation and use of fraud prevention, checklists for responding to compromises and training for staff and clients.
According to Simmons, a growing number of banks have introduced stronger authentication measures to prevent account takeovers. For instance, several now require phone and fax-based verification of online money transfer and ACH requests. Others have rolled out new fraud detection tools designed to flag and stop suspicious or out-of-character money transfer requests from an account.
Banks in general have been taking the problem seriously, said Avivah Litan, an analyst with Gartner Inc. "They are definitely putting in measures that were not there a year ago," she said.
Zeus itself continues to be as potent as ever, and last week's arrests will do little to change that, she said. In addition, new man-in-the-middle attacks such as those that redirect user traffic through fraudsters' proxy servers, pose fresh challenges for banks.
For banks, the emphasis needs to be on protecting the user desktop session as possible by making more effective anti-malware software available to clients, and combining that with better user authentication and transaction verification, she said.
For some, like Mark Patterson, the arrests are long overdue. Patterson is the co-owner of Patco Construction, a Sanford, Maine company that lost nearly $600,000 via ACH fraud. The company has sued its bank for failing to prevent what it claims was patently obvious fraud going on with its accounts.
Patco has since moved to a new bank that offers "true dual authentication and out-of-band authentication, which I think is best," he said. "Speaking with a person you know, to confirm [a transaction] is very secure. Having said that, we have not gone back online with ACH transfers for payroll.
"Bottom line, until banks are held accountable for commercial ACH transactions like they are for consumer credit card fraud, you will probably not see real reform and risk mitigation," he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at Twitter @jaivijayan or subscribe to Jaikumar's RSS feed Vijayan RSS. His e-mail address is firstname.lastname@example.org.