Appeared on Financial World Online, May 5, 2010
Michelle Weatherhead and David Divitt from ACI Worldwide discuss how banks can better protect their customers from this malware trend against the backdrop of growing online banking usage.
For a number of years, consumers have been turning to online banking as a means of managing their finances. According to the UK Payments Administration, its popularity has grown so much that, in the first half of 2009, 22 million adults used internet banking on their main current account. This means that for the first time, more than 50 per cent of regular internet users (41.4 million) are banking online[1].
In parallel, the figures released in March by the UK Cards Association revealed that the number of "phishing" attacks on consumers rose by 16 per cent in 2009. As a result, the total amount of online banking losses reached £59.7m in 2009, a 14 per cent rise compared with the previous year [2].
What’s more, consumers are not the only ones at risk. In fact, in recent months the FBI issued warnings to small and medium businesses, municipal governments, and school districts about an increase in fraud involving the exploitation of valid online banking credentials [4]. The larger account balances, payment size, and wire activity associated with corporate online banking sites have made them a huge target for fraudsters.
Identifying the threat
Man-in-the-browser attacks are a specific threat from banking Trojans that have emerged relatively recently. As the name suggests, a Trojan embeds itself in an internet browser application on a user’s PC. When a user logs onto specific online banking sites the Trojan is activated and intercepts and manipulates data as it is being communicated from the legitimate user’s PC to an online banking system. The Trojan can manipulate the destination account information so the funds end up in mule accounts. Often amounts are also changed so more funds are moved than the PC user requested.
In some cases another level of authentication is required to confirm a transaction – especially with commercial online banking systems. Here the Trojan alters the page displayed to the legitimate user so that it still shows the details they originally entered, and the user then supplies the additional authentication needed to complete what is in fact the altered transaction. These attacks are designed to circumvent even the strongest user authentication techniques.
On the retail banking side, the increasing use of social networking websites has contributed to the proliferation of man-in-the-browser attacks. When an avid social networker’s computer becomes infected with a virus, it can wait until the user logs into the social networking site, where it will raid the user’s “friends” list. It then sends an email to each of them asking them to click on a link to view a photo or video. Because those “friends” recognise the name of the sender, they click on the link, and in doing so their computer can become infected with a man-in-the-browser Trojan. This means that the next time these customers log on to their online banking account, they are exposed to the risk of financial losses.
Preventing the threat
Financial institutions are reducing their risk by gaining a better understanding of the activity occurring within the online banking session to determine if it fits the established profile of the genuine customer.
A layered approach to online banking fraud monitoring – one that analyses the login event, the outgoing transaction, and risky sequences of events – best positions a financial institution to minimise online banking fraud. These events could include changes in logon passwords, changes to customer profile information such as address, or changes to external payee account details.
In isolation, one of these events might not seem suspicious. When combined, however, they form a strong pattern of fraudulent intent. When high-risk activity is detected, action can be taken in real time or near real time to stop the transfer of funds from the customer’s account, or to contact the customer to confirm that the transaction is genuine. The bank then needs to place the funds on hold until fraud analysts are able to verify the legitimacy of the transaction.
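As an added example (not code from the article or from ACI Worldwide), the layered sequence analysis described above written out as a small rule-based scorer: the event types, weights, thresholds, 30-minute look-back window and the sample session are all hypothetical, constructed to show how a password change, a payee change and a large payment to the new payee, each innocuous alone, combine into a hold decision while a small payment to an existing payee in the same session only triggers a customer confirmation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str                # login | password_change | profile_change | payee_change | payment
    amount: float = 0.0      # payment amount in GBP (payments only)
    new_payee: bool = False  # payment goes to a payee added or changed in this session
# Hypothetical weights and thresholds; a real deployment calibrates them on confirmed fraud cases.
SEQUENCE_WEIGHTS = {"password_change": 25, "profile_change": 20, "payee_change": 30}
NEW_PAYEE_WEIGHT, UNUSUAL_AMOUNT_WEIGHT = 15, 25
CONFIRM_AT, HOLD_AT = 40, 70   # score at which the payment is queried / held

def score_payment(events, payment, typical_max, window=timedelta(minutes=30)):
    """Score one outgoing payment against the risky events that preceded it within the window.
    Each event type counts once, however often it occurred. Returns (score, reasons)."""
    score, reasons, seen = 0, [], set()
    for ev in events:
        lag = payment.ts - ev.ts
        if ev.kind in SEQUENCE_WEIGHTS and ev.kind not in seen and timedelta(0) <= lag <= window:
            seen.add(ev.kind)
            score += SEQUENCE_WEIGHTS[ev.kind]
            reasons.append(f"{ev.kind} {int(lag.total_seconds() // 60)} min before payment")
    if payment.new_payee:
        score += NEW_PAYEE_WEIGHT
        reasons.append("payment to a newly added/changed payee")
    if payment.amount > typical_max:
        score += UNUSUAL_AMOUNT_WEIGHT
        reasons.append(f"amount {payment.amount:.2f} exceeds customer's usual maximum {typical_max:.2f}")
    return score, reasons

def decide(score):
    # Real-time action before funds leave the account: hold for analyst review, query the customer, or allow.
    return "hold_funds" if score >= HOLD_AT else "confirm_with_customer" if score >= CONFIRM_AT else "allow"

def review_session(events, typical_max):
    """Return (payment, score, action, reasons) for every outgoing payment in the session."""
    events = sorted(events, key=lambda e: e.ts)
    scored = [(p, *score_payment(events, p, typical_max)) for p in events if p.kind == "payment"]
    return [(p, score, decide(score), reasons) for p, score, reasons in scored]

# Constructed sample session (not real data): credential reset, payee edit, then two payments.
T0 = datetime(2010, 5, 5, 9, 0)
SAMPLE_SESSION = [Event(T0, "login"),
                  Event(T0 + timedelta(minutes=2), "password_change"),
                  Event(T0 + timedelta(minutes=5), "payee_change"),
                  Event(T0 + timedelta(minutes=8), "payment", amount=4800.0, new_payee=True),
                  Event(T0 + timedelta(minutes=9), "payment", amount=60.0)]
```

`review_session(SAMPLE_SESSION, typical_max=1500.0)` scores the £4,800 payment 95 (hold_funds) and the £60 payment 55 (confirm_with_customer); the same two profile events drive both, which is the point of scoring the sequence rather than the payment alone.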
Fighting the battle to win the war
It is important to look at the whole picture when addressing this type of fraud attack. Enterprise fraud management takes a holistic view of a financial institution’s relationship with a customer by collectively viewing every product or service the customer uses. By capturing a broader view of customer activity, financial institutions gain a complete understanding of a particular customer’s profile. This expanded view allows institutions to better detect and prevent fraud by monitoring transactions and events across the entire range of customer activity.
Online banking, mobile banking, ATMs and branches are all susceptible to fraudsters, and can all be tied to one bank account. Today’s successful transactional fraud teams view all debit, cheque, internet, telephone and other banking transactions side by side from a single customer perspective. This allows fraud teams to use advanced analytics that cut across these channels, enabling fraud to be detected and stopped at the first possible opportunity. Financial institutions are battling against the threats from online banking fraud, but only by looking at the bigger picture can they truly win the war against the man-in-the-browser.
Source: ACI Worldwide, Author: Michelle Weatherhead, David Divitt
[1] UK Payments Administration, Number of internet users now banking online exceeds 50% for the first time ever, http://www.ukpayments.org.uk/media_centre/press_releases/-/page/871/
[2] UK Cards Association, New Card and Banking Fraud Figures, http://www.theukcardsassociation.org.uk/media_centre/press_releases_new/-/page/922/