Cyber Security Institute

Saturday, February 23, 2008

Banks: Losses From Computer Intrusions Up in 2007

U.S. financial institutions reported a sizable increase last year in the number of computer intrusions that led to online bank account takeovers and stolen funds, according to data obtained by Security Fix. The data also suggest such incidents are becoming far more costly for banks, businesses and consumers alike. The unusually detailed information comes from a non-public report assembled by the Federal Deposit Insurance Corporation, the federal entity that oversees and insures more than 9,000 U.S. financial institutions. The statistics were gathered as part of a routine quarterly survey called the Technology Incident Report, which examines so-called suspicious activity reports (SARs); in this case, SARs filed in the 2nd Quarter of 2007.

SARs are federally mandated write-ups that banks are required to file anytime they spot a suspicious or fraudulent transaction that amounts to $5,000 or more.

While the number of reported computer intrusion-related SARs (536) paled in comparison to the leading SARs categories, mortgage loan fraud (12,554) and check fraud (17,558), the FDIC said financial crime aided by computer intrusions is growing at a rapid pace. Further, it noted that the mean (average) loss per SAR from computer intrusions was roughly $29,630, almost triple the estimated loss per SAR during the same time period in 2006 ($10,536).

Manning notes in his book that for the purposes of this reporting requirement, computer intrusion does not mean attempted intrusions of Web sites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information.

Anyway, back to the interesting bits: the report indicates that in most cases, banks are at a loss to say exactly how cyber crooks are stealing the funds. Some 80 percent of the computer intrusions were classified as “unknown unauthorized access - online banking,” and the report notes that “unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year.” Still, the FDIC indicates that a large share of the unknown losses most likely resulted from malicious data-stealing programs surreptitiously installed on customer PCs by cyber crooks.

Security Fix has written about this series of attacks spoofing the BBB, as well as similarly successful spear-phishing malware attacks that spoofed the Federal Trade Commission.

Of those computer intrusion-related SARs that were identified, online bill payment applications were most frequently targeted by cyber thieves, the FDIC found. However, unauthorized access to wire transfers and automated clearinghouse (ACH) payments caused the most losses to financial institutions in the computer intrusion category, mainly because ACH and wire transfers give the banks less time to detect and recover from unauthorized access.

Another case study cites an unnamed financial institution that suffered 14 customer account takeovers as a result of spyware infestations that recorded keystrokes on customer PCs, stealing credentials that allowed the crooks to initiate a series of fraudulent ACH transfers out of the victims’ corporate accounts into accounts set up and controlled by the attackers.

Avivah Litan, a financial fraud analyst with Gartner Inc., said unauthorized wire transfers disproportionately impact small- to medium-sized businesses that may be using online banking but do not have the same stringent financial controls in place as many larger corporations.

Fewer retailer payment card data breaches during the quarter caused lower losses to financial institutions. Retailers are resisting payment card industry (PCI) data security standards, which could lead to lower compliance, additional breaches, and more counterfeit card losses absorbed by card-issuing institutions.

Posted on 02/23