by Byron Acohidio USA Today Jul. 30, 2010 12:00 AM
For generations, U.S. consumers have relied on banks to bear the primary responsibility for keeping their hard-earned cash deposits out of the hands of thieves. Now, banks want consumers to share the load.
About 80 percent of U.S. households have come to do their banking over the Internet, banking consultancy Novantas said. Many consumers believe online banking is every bit as safe as branch banking. But that's clearly not the case, banking and tech-security specialists say.
Cyber attacks against individual online accounts have become so sophisticated and pervasive that the American Bankers Association (ABA) is now asking consumers to "partner" with banks to keep cyber robbers in check.
The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a "continuous, almost daily, basis," said Doug Johnson, the ABA's vice president of risk-management policy. That's because PCs and smartphones have become "the online bank branch for a lot of individuals," he said. "The customer needs to really recognize that security is most effective when they work in partnership with their financial institution."
This shifting burden has come about because of developments that the banking industry did not anticipate a decade ago, when it began promoting personal computers as convenient venues for consumer banking. Ambitious online attacks soon followed. Banks have spent heavily to shore up cyber defenses, and they've kept a policy of reimbursing individual online account holders who can verify that they've been ripped off, Johnson said.
Even so, cyber robbery has evolved into a multifaceted, multibillion-dollar global industry that shows little sign of cooling. Last year, the number of malicious software programs designed to pilfer online bank accounts - referred to as banking Trojans - rose to 65,098 in December, up from 4,295 at the start of 2009, according to Panda Security, a Madrid-based antivirus-software supplier.
Writers of malicious software code are always focusing on new ways to get past the latest defenses erected by banks and antivirus companies, said Panda Security researcher Sean-Paul Correll.
A 2009 ABA survey of 170 U.S. banks said that 85 percent of big banks are incurring losses stemming from cyber attacks on consumer online accounts.
"Every single bank I've talked to in the last six months, big and small, has seen these attacks," said Avivah Litan, banking-security analyst at research firm Gartner. "It's an arms race. There are solutions - until the next kind of attack comes along. And if you're caught in the middle, you're screwed."
Instead of holding up a bank branch at gunpoint, modern-day cyber robbers do their homework.
"To maximize their effectiveness and streamline their ability to move money quickly, criminals take the time to learn your online banking platform and do account reconnaissance," said Terry Austin, CEO of Guardian Analytics, which supplies fraud-detection systems.
First, they acquire valid account log-ons, often by purchasing them from specialist data thieves. Next, they quietly access accounts, making note of high cash balances and access to credit lines. They also familiarize themselves with the bank's protocols for authorizing the creation of new online accounts and approving cash transfers.
They look for coding security holes - and invariably find them in the Web browser, the tool banks rely on to run online-banking programs. But Internet Explorer, Firefox, Opera, Google Chrome and Apple Safari are designed to let users navigate the entire Internet; they weren't meant to execute secure financial transactions. Cyber robbers craft banking Trojans that inject software code into the Web browser, letting the attacker take control of online banking sessions, alter what the account holder sees and make stealthy transactions.
"With the exception of some rare cases, the current online-banking systems are at least one full generation behind the current techniques employed by cyber crooks," said Costin Raiu, Kaspersky Lab research director.
Cyber robbers also take great care in setting up "drop" accounts - online accounts they control, usually at the same bank as victims - poised to receive cash transfers. They typically recruit "money mules," accomplices who execute the final, riskiest step of withdrawing cash from drop accounts and forwarding proceeds to the ring leaders.
Mules are recruited through work-at-home advertisements on employment websites and, increasingly, on popular social networks. Typical pitches promise high earnings for minimal work involving accepting deposits and handling cash transfers. Kaspersky Lab researcher Dmitry Bestuzhev recently tracked down one Facebook-based mule recruiter who had 224,000 friends. "Who knows how many of them accepted the offer to be a money mule?" Bestuzhev said.
Citibank and Bank of America rank third and seventh among the top 10 most frequently attacked banks in the world, according to Kaspersky Lab. Each uses a variety of security systems and relies on consumers to help protect their online accounts.
"It is paramount that our customers know how to protect themselves," said Bank of America spokeswoman Tara Burke. "We recommend that customers always protect their passwords, ensure the bank has up-to-date contact information and review their accounts on a regular basis."
Banks urge customers to help fend off cyber thieves
