While banks are, at best, taking a measured approach to implementing regulatory guidelines aimed at curbing online corporate account fraud, cyber criminals are speeding ahead with their nefarious efforts.
Online threats have morphed from pesky viruses and Web sites designed to elicit passwords and other private information to “man-in-the-browser” malware that hijacks a company’s browser to carry out transactions and drain funds from bank accounts.
Trusteer, whose software protects browsers and operating systems from such malware, predicts companies will face a surge in threats to their bank accounts in 2012. One type of malware, named Ramnit, has enabled a variety of illicit nonfinancial software to infiltrate and run on host computers, unbeknownst to the computers’ users. Last summer, according to Amit Klein, chief technology officer at Trusteer, Ramnit was retrofitted to conduct financial fraud as well.
“We’re seeing more and more incidents when nonfinancial malware has been tweaked to become financial to maximize profits from a single case of infection,” he says.
Financial malware has become increasingly sophisticated, Klein adds, moving beyond the consumer part of banks’ Web sites to the corporate and treasury management areas. Malware is also being designed to mimic human Web activity, increasing the need for highly sophisticated software to root it out.
The guidance released in June by the Federal Financial Institutions Examination Council (FFIEC), a body composed of the five U.S. banking regulators, lays out three broad steps banks should take to guard against malware attacks. The guidance reaffirms the need for banks to conduct risk assessments at least once a year and establishes minimum requirements for educating customers about online fraud. It also prescribes layered security for business accounts, including the ability to detect and respond to suspicious activity when logging in and initiating transactions.
The FFIEC guidelines direct banks to add security for business bank accounts, including enhanced controls over administrative functions, where privileged users’ passwords, if stolen, can give hackers direct access to a company’s bank accounts. The guidelines also push banks to make clear to business customers that, unlike retail customers, they have no Regulation E protections.
“Banks have to tell business customers they’re not protected,” says Avivah Litan, an analyst at Gartner Group. “If money fraudulently leaves their accounts, there’s no regulation forcing banks to pay it back.”
Litan says the nation’s 10 largest banks are already in compliance with the guidelines. Midsize and regional banks, however, “are confused about how far to go to meet FFIEC compliance requirements, especially with regard to payment batch file processing, which can be expensive to re-engineer,” she says. “They are preparing their risk assessment documentation and will be ready with most of that and a plan for technical system upgrades by January.”
Smaller banks are highly dependent on their online banking processors, such as Fiserv and Jack Henry & Associates. Litan says most of those processors are still upgrading their security strategies. Smaller banks “are also confused about minimum requirements for the FFIEC, especially around payments, since they have little or no resources to deal with payment security,” she says.
Gartner Group’s findings echo the results of a Guardian Analytics survey released in mid-December. Of the 100 large and small U.S. financial institutions surveyed, more than half had formed exploratory committees, contacted their bank examiners, created plans to fill identified gaps in their security strategies or started evaluating new technology solutions.
Forty percent, however, had not formulated plans, and nearly half could not identify the FFIEC’s minimum expectations. That means banks have a lot of work still to do, and a lot of business accounts still lack the minimum protections laid out by regulators.
Terry Austin, CEO of Guardian Analytics, which offers technology to detect potentially fraudulent online banking activity, says it remains unclear how bank examiners will hold financial institutions accountable. “The general interpretation is banks need to have their risk assessments and plans in place by January, and if they have exams in the second half of the year, their implementations should be well underway,” Austin says.
NICE Systems’ NICE Actimize unit and Laru Corp. also offer software that spots anomalous online banking behavioral patterns, as does Trusteer, which says its Pinpoint solution can also detect malware directly on the browser.
For more on the struggle to keep cyber criminals from preying on corporate bank accounts, see Beware Online Banking Thieves.