Cyber-Criminals Intercept Banking Credentials for Fast Wire Transfer Fraud

Cyber-criminals are increasingly attacking banks and other financial institutions to transfer funds fraudulently into accounts under their control.

There are a number of ways for attackers to gain control, and malware is just one of them, according to Jorge Solis, a senior vice president of security at First Midwest Bank in Itasca, Ill.
First Midwest Bank is not unusual, as attackers are targeting financial institutions across the industry on a "daily basis," Solis told eWEEK. Attackers are launching man-in-the-middle attacks to compromise the user's computer and then initiating wireless transactions and ACH (automated clearinghouse) transfers, Solis said. The institution has to detect attacks and block them quickly, before the money has a chance to leave, he said.

A recent Financial Services Information Sharing and Analysis Center (FS-ISAC) report found that banks saw more account takeover attempts in the first half of 2010 than they did the full year 2009. However, the banks were better at blocking the fraudulent transfers in the first year of 2010, blocking them 36 percent of the time, the report found.

Attackers are often using malware such as the Zeus Trojan to monitor keystrokes and intercept login credentials, Solis said. Zeus, the malware family the industry sees the most often, can also launch man-in-the-middle attacks by popping up fake Web pages to intercept the commands the customers enter to initiate and confirm a transaction.

The user may successfully log in to the site, but the malware may modify the user experience so that the user is actually entering the transaction details on the "fraudster's splash page" as opposed to the legitimate site, allowing attackers to intercept all the date before it reaches the bank's servers.

The man-in-the-middle attack can succeed even if the user is working with token-based authentication, Solis said. As soon as the user enters the one-time password generated by the token into that fake splash page, the attacker is simultaneously putting in the code into the real banking page with the user's credentials to initiate the wire transfer.  The attacks are "happening live," Solis said, noting that the one-time passwords generated by hardware tokens in most two-factor authentication schemes have a shelf-life for 30 seconds to two minutes.

First Midwest Bank has a lot of "other controls" on the back-end that customers never see as part of the bank's approach to layered security, Solis said. Even when criminals fraudulently initiated transfers, the other mechanisms were able to detect and block the transaction, he said. The layered approach was critical because "there's no magic bullet," he said.

One of the reasons attackers succeeded with man-in-the-middle attacks even with multi-factor authentication enabled was because the user was entering the PIN code into the computer that was already compromised, according to Solis.

First Midwest Bank shifted tactics and stopped rolling out tokens. Instead, they deployed an automated phone-based authentication product from PhoneFactor, Solis said. Instead of sending users a PIN code to their mobile device that the user has to enter into the computer, PhoneFactor calls the telephone number associated with the person who initiated the electronic transaction.

The phone call lists the transaction details and asks the user to confirm the transaction by entering the secret code into the phone. If the transfer is a fraud, the user wouldn't enter the code, so the transaction is cancelled and a a fraud alert is issued on the account.

This mechanism works, despite the growth of mobile malware designed to intercept confirmation codes sent by banks to the mobile device, because it is a more difficult task for the attacker to compromise both the PC and the mobile device, according to Solis. A "simultaneous compromise is a challenge," Solis said.

First Midwest Bank has seen a dramatic drop in attacks since rolling out PhoneFactor over the summer, Solis said, although he wasn't sure whether it was because the attackers had decided not to "bother" with the new security measures in place, or because it was part of a natural and temporary dip in fraudulent activity and the pace would pick up again in the future. He did say that at least one attack on a customer account had been blocked with PhoneFactor.