Cyber Crime and Online Banking

Cyber-criminals have benefited from online banking (OB) despite extensive research on financial cyber-security. State-of-the-art tools developed by black-hat hackers enable automated hacking on a scale never before known in law enforcement history. Researchers have demonstrated the feasibility of black-hat technologies and have shown that many two-factor authentication schemes can be bypassed with software.[1] Additionally, banks that adopt user-friendly security measures often downgrade security considerably, making themselves vulnerable to exploitation. Due to the commonplace availability of advanced technology and software, as well as the increasing demand for user-friendly interfaces, identity theft has grown into the most frequent white collar crime over the past decade. We know that attacks against US and UK Internet banking systems have been quite successful.[2] Tools like the Zeus malware kit[3] and the SilentBanker Trojan[4] have been helping criminals perform fraudulent online bank transactions for years.

Prior to the emergence of these tools, much of the online nuisance came from amateur hackers who defaced websites and wrote malicious software in pursuit of bragging rights. In the old days, electronic fraud was largely a cottage industry, local and inefficient: a typical card fraudster ran a vertically-integrated small business. For example, he might buy a card-encoding machine, get a job in a shop where he could copy customers’ cards, and then go out at night to steal cash from automatic teller machines (ATMs). Similarly, electronic fraud might have involved a call-center employee collecting password data for use by an accomplice.[5] Nowadays, the online fraud industry is much more integrated and increasingly diffuse.

The Online Criminal Industry

Money Mules

A common modus operandi is for the cashier to transfer money from the victim’s account to an account controlled by a “money mule.” The mules are typically duped into accepting stolen money and then forwarding it. The cashiers recruit them via job ads sent in spam e-mails or hosted on websites such as Craigslist or Monster, which typically offer the opportunity to work from home as a “transaction processor” or “sales executive.” [6] Mules are told they will receive payments for goods sold or services rendered by their employer and that their job is to take a commission and forward the rest, using an irrevocable payment service such as Western Union. After the mule has sent the money, the fraud is discovered and the mule becomes personally liable for the funds already sent.

Phishermen

The collection of bank passwords has also become specialized. “Phishermen” operate copies of genuine bank websites that encourage the unwary to log on so that their bank account numbers, passwords, and other credentials can be copied. These phishermen hire “spammers” to drive bank customers to their fake websites by sending e-mails that purport to come from their bank. Both the spammers and the phishermen use malicious software, or “malware,” which is designed to infect the computers of people who run it; victims are duped into running it when they download a seemingly innocuous program or visit one of approximately three million infected websites.[7] The emergence of a profitable malware market means in turn that malware is no longer written by teenagers seeking to impress their peers but by specialist firms with budgets for R&D and testing. These firms in turn ensure that their products aren’t detected by most antivirus software, and offer updates if they are.[8]

Botnet Herder

With this new online crime ecosystem has come a new profession: the “botnet herder”—a person who manages a large collection of compromised personal computers (a “botnet”) and rents them out to the spammers, phishermen, and other crooks. The computers in the botnet have been infected with malware that lets the botnet herder operate them by remote control, just as if they were robots. Nearly all e-mail spam is now sent by botnets. Many websites used by online criminals are hosted on botnets, ranging from online pharmacies through the fake banks used in phishing scams to the sham companies that “hire” money mules.[9] Blackmailers also rent botnets and have threatened to overload bookmakers’ websites with botnet traffic just before large sporting events; in 2004, three Russians were arrested after extorting several hundred thousand dollars in this way.[10] A botnet was used to shut down parts of Estonia’s infrastructure as a political protest.[11] Around five million computers participated in botnets unbeknownst to their owners in the second half of 2007 alone.[12]

Vulnerabilities of Online Banking

Flaws in Banking Websites

According to a recent study by the University of Michigan, more than 75 percent of bank websites have at least one design flaw that could lead to the theft of customer information, and those flaws cannot be fixed with a patch.[13] This is troubling in light of a survey conducted by Pew Internet which suggests that 42% of all internet users bank online. Due to the sensitive nature of these sites, security is a top priority. Hackers are increasingly launching targeted attacks against weak websites, as opposed to automated attacks against tens of thousands of sites at once. According to the WhiteHat Report 2011, cross-site scripting was the most prevalent threat. Cross-site scripting is when an attacker injects malicious scripts into a webpage that can bypass a browser’s security mechanism and gain access to a visiting user’s computer.

Flaws in Banking Policies

A security policy is intended to define what is expected from an organization with respect to the security of its information systems, and protecting customers’ privacy and security is important to every bank. The overall objective for any online banking system is to reduce the risk to information assets from accidental or deliberate actions.[14] Every bank has some security policies that it should publish online in order to help users understand the security measures the bank is taking to make their information secure. The published policy tells how a bank is committed to keeping users safe online. But along with this, users have to play an important role in security. The policy also includes dos and don’ts for users, information about hoax emails, and security tips for users.

Security policies should include:

  • Security Policy for general users
  • Security Policy for banks
  • Security Policy for network

Flaws in Users Usability and Customer Awareness

The unique aspect of information security in the banking industry is that the security posture of a bank does not depend solely on the safeguards and practices implemented by the bank; it is equally dependent on the awareness of the users. This is because the biggest threat to online banking is still malicious code executed carelessly on the end-user’s computer. The attackers tend to target the weakest link. Once the attacker has control over a user’s computer, he or she can modify the information flow to his or her advantage. Often, hackers make contact anonymously through social media sites such as Facebook or Tinder. These kinds of sites offer cybercriminals a great way to gather information.

For protection, while using social networking sites:

  • Make sure your profile pages are only accessible to people you trust and not to the general public by customizing the security settings
  • Never publish personal or sensitive information such as your birthday, driver’s license number, tax file number or bank account details
  • Use a different email address if you want to publish material online
  • Don’t publish contact details such as your home address or phone number
  • Don’t use the same security questions as those used for your banking accounts, such as your pet’s name

Conclusion and Recommendation

Online banking facilities give users the flexibility to undertake their banking at a time that best suits them and also save time, but they also present various security threats. Banks deploy protocols and hire security experts to conduct vulnerability assessments and find design flaws in their websites that prevent secure usage. Even with those countermeasures, most bank sites have design flaws that cause security breaches. Additionally, bank security policies have no standard format, and the incongruences across the industry create many security risks. What’s more, the security posture of a bank does not depend solely on the safeguards and practices implemented by the bank; it is equally dependent on the awareness of the users. Generally, the easiest targets are the user or his/her PC, so the awareness and usability of users are equally important to making online banking 100% secure. In sum, 100% security is possible only if both banks and users together give online banking a flawless security posture by removing all the given security flaws.

[1] M. Adham, A. Azodi, Y. Desmedt and I. Karaolis. How To Attack Two-Factor Authentication Internet Banking. 2013. http://goo.gl/YsA6j. [researchers developed three browser rootkits which performed the automated attack on the client’s computer].

[2] RiskAnalytics LLC. $70 Million Stolen From U.S. Banks With Zeus Trojan, October 2010. http://goo.gl/XkSgq.

[3] S. Ragan. Overview: Inside the Zeus Trojan’s source code, May 2011. http://goo.gl/nsvpG.

[4] Symantec. Banking in Silence, June 2009. http://goo.gl/aj61F.

[5] Moore et al., Journal of Economic Perspectives—Volume 23, Number 3—Summer 2009—Pages 3–20

[6] Krebs, 2008.

[7] Provos, Mavrommatis, Rajab, and Monrose, “All Your iFRAMEs Point to Us.” Proceedings of the 17th USENIX Security Symposium, 1–15. USENIX Association (2008).

[8] Schipka, Maksym, “The Online Shadow Economy: A Billion Dollar Market for Malware Authors.” MessageLabs White Paper. http://www.fstc.org/docs/articles/messaglabs_online_shadow_economy.pdf (2007).

[9] Moore, Tyler, and Richard Clayton, “The Impact of Incentives on Notice and Takedown.” In Managing Information Risk and the Economics of Security, ed. M. Eric Johnson, 199 –223. New York: Springer (2008).

[10] Sullivan, Bob, “Experts Fret over Online Extortion Attempts.” MSNBC. November, 10. (2004).

[11] Lesk, Michael, “The New Front Line: Estonia under Cyberassault.” IEEE Security and Privacy, 5(4): 76 –79 (2007).

[12] Symantec, Symantec Global Internet Security Threat Report, Vol. 13, Trends for July–December 07. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf (2008).

[13] Sue Marquette Poremba, “Study: Security flaws threaten online banking”, July 28, 2008 [online]. Available: http://www.scmagazine.com/study-security-flaws-threaten-online-banking/article/113010/

[14] http://ptlbindia.blogspot.com.au/2012/03/rbi-warned-indian-banks-for-inadequate.html

Craig R. Chlarson
