As guardians of wealth, financial-services firms have always been a high-value target for cybercrime, and with online banking and trading, banks find they have to work harder than ever to safeguard their operations.
Tech-savvy gangs of cybercrooks have been stealing tens of millions over time by breaking into computers of online banking customers to install malware like the Zeus banking Trojan to make phony funds transfer requests to a bank, so the need for vigilance is only increasing. At Stillwater National Bank and Trust, the concern about the threat of cybercriminals hijacking customers' PCs is enough to spur the Oklahoma-based bank to extend its security to a verification system that add use of automated phone calls to online banking customers to verify the funds requests they are making online are genuine.
There's a need to validate transfer requests beyond what the customer PC appears to be telling the bank because "with the endpoint PC, I just can't control what they're doing," says Laura Briscoe, vice president of information security at Stillwater National Bank and Trust.
While the bank might not be hit by the ZeuS malware directly, this type of malware seems to be "typically targeting the small businesses in general," particularly companies of 1,000 employees or less, Briscoe believes.
Customer PCs could be riddled with malware that could allow crooks to take them over to commit banking fraud from anywhere in the world. As one way to minimize risk related to compromise of PCs used to communicate with the bank, Stillwater recommends that its customers use a "separate PC for online banking" not associated with other Internet use. But Briscoe acknowledges there's no way for the bank to really know that's happening.
So, as added defense, Stillwater has started using a phone-based verification system from PhoneFactor, which allows the bank to initiate an automated phone call to a customer's phone to verify details about the transaction he's requesting and asks for a personal identification number to authorize it. "It might tell them there are five items totaling $15,000, please enter your PIN," Briscoe says.
While this type of phone verification and authorization method ups the ante in terms of security, criminals are trying to poke holes, in this, too. Court filings released during the FBI's recent actions against one cybercrime gang involved in ZeuS botnet operations shows that some of these determined crooks know that phone-based authorization is gaining ground as added security -- and they have at times successfully beaten it by jamming phone lines.
"It's a constant battle," Briscoe says, adding she hopes use of phone-based verification and authorization will hold up as a cybercrime-prevention technique.
Briscoe praises InfraGard, the program started by the FBI to bring together industry and law enforcement to share information about security incidents and issues. But she notes that people in the private sector are reticent to share sensitive information about cybercrime issues.
There is no mandate under law today to report computer-based incidents related to transactions, which often become a source of dispute between bank and a customer as both try to sort out what went wrong as a customer claims he didn't request a funds transfer. The FBI says it often finds out about incidents related to cybercrime based on hijacked PCs when these problems burst into public view, including news reports.
It's not only cyberattacks from the outside that have financial firms concerned.
Money laundering and securities-based fraud may put a financial-services firm in the awkward position of wondering whether a customer is not on the up and up. And strict regulations in various parts of the world, such as Europe's Market Abuse Directive, require that financial-services firms monitor and report suspicious behavior in that regard.
"It's a legal requirement in Europe," says Gent Jansson, group head of compliance at Skandinaviska Enskilda Banken (also known as Nordic Bank SEB, or simply SEB), a bank based in Sweden that also operates around the world from New York to Shanghai.
Money laundering, market-abuse activity and suspicious insider dealing are areas of concern that require SEB and other financial-services firms to conduct surveillance, analysis and reporting of suspicious transactions to authorities.
In the old days, Jansson says, spotting something odd about trades, for example, generally depended on a salesman who was interacting with a customer by phone. But today, "we have very little manual intervention," Jansson says, with both retail and institutional clients conducting transactions online. "We need an automated tool to report suspicious trades."
To that end, SEB turned to NICE Actimize, which has risk-monitoring software that monitors all trades in order to detect suspicious transactions, such as a large transaction in which the seller is also the buyer, one way to fool the market into thinking securities are rising in value. Actimize watches the general trading patterns of clients, triggering reports that may lead to internal investigations and eventually a report to outside authorities.
Just in the Swedish market alone a few cases each month will surface that require a close look, Jansson says. Watching for insider trading, market manipulation and other violations is necessary to protect the reputation of the business, he points out.
Some U.S.-based institutions have also started using Actimize to prevent fraud.
Last July, Douglas Twining, director of fraud services at KeyCorp in Ohio, said integrating the behavior analytic capabilities of Actimize into back-end systems should bolster ways to look at risk associated with transactions, such as wire transfers, to be able to sort out the riskiest transactions for a fraud analyst expert to review in order to call the client to make sure they're legitimate.
Banks have to keep improving their anti-fraud defenses, Twining says, because "we've all seen a change in the depth and breadth of what organized crime is doing."
Read more about wide area network in Network World's Wide Area Network section.