Bank Fraud: It’s Not Personal, Just Business

Less publicized (but nonetheless costly) incidents of fraud, questions of liability, and mixed success in court complicate the allocation of security resources.

Real network security requires building the capability to monitor a network and respond to attacks. We saw this with the Target breach where, despite spending $1.6 million on FireEye network monitoring software, Target ignored the alerts that software generated about the malware attacking its network. We saw this again with the Neiman Marcus breach where 60,000 alerts were ignored over a three-and-a-half month period. If large companies with multimillion-dollar security budgets can’t protect themselves from malware, then the prospects would seem exceedingly bleak for the small and midsized companies that are being victimized by wire transfer fraud.

In spite of all this, there are low-cost and remarkably simple steps we can take to help significantly reduce the chances of a malware attack compromising a bank account. It can be as simple as isolating the computers used to access bank accounts. Most malware attacks rely on the fact that a single workstation is often used for multiple purposes: If a user is browsing the web he opens his workstation to drive-by download attacks; reading email opens the workstation to malware contained within email attachments; and file-sharing (whether it is a USB memory stick, a corporate shared network drive, or a peer-to-peer network) opens workstations to direct cross-contamination from other infected systems it interacts with.

On the other hand, if a few designated workstations, and these workstations alone, are used solely for the purpose of processing bank transfers, to the exclusion of web browsing, email, and all of the other activities that could bring malware onto the system, then the risk of infection would be drastically reduced -- even more so if these workstations could be firewalled off from the rest of the network or given their own dedicated Internet connections. The cost of a cable modem and a small firewall would almost certainly be a tiny fraction of the potential cost of a single fraudulent transfer.

Phishing attacks serve to illustrate this point further: There is no technical solution that can effectively stop a user who has been duped from sending out passwords; we must instead rely on training and awareness to make sure that individuals who hold the digital keys to a company’s bank accounts are aware of the threats they are facing and how they operate. If more people have the passwords to initiate bank transfers, then there are more people who could potentially leak that information. Keeping the key holders to a minimum allows companies to focus their training and awareness efforts on those few key individuals who matter.

We must also not forget the banks themselves. Many offer enhanced security measures for wire transfers that businesses just aren’t using. In the case of Choice Escrow, mentioned above, the bank offered a system where two passwords would be required, one to approve a wire transfer and another to release the transfer. In this case Choice Escrow chose not to use those dual controls. We have no way to know if using dual controls would have made a difference in the breach or the court case, but it is certainly telling that an easy-to-use security feature was not being employed. There are likely many companies that are not leveraging all the security tools the banks are providing for them, simply for the sake of convenience.
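The dual-control scheme described above (one credential approves a wire, a second one releases it) is essentially a separation-of-duties check, and the value of it is that a single stolen password cannot push a transfer all the way through. The following is an added illustration written for this article, not code from the bank or from Choice Escrow; the class and function names are my own, and the amounts and user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


class DualControlError(Exception):
    """Raised when a transfer step violates the dual-control policy."""


@dataclass
class WireTransfer:
    """A pending outbound wire that must be approved, then released."""
    amount: float
    beneficiary: str
    approved_by: Optional[str] = None
    released_by: Optional[str] = None
    audit: list = field(default_factory=list)  # (action, user) trail

    @property
    def state(self) -> str:
        if self.released_by:
            return "released"
        return "approved" if self.approved_by else "pending"

    def approve(self, user: str) -> None:
        # First control: one authorised user approves the wire.
        if self.state != "pending":
            raise DualControlError(f"cannot approve a transfer in state {self.state}")
        self.approved_by = user
        self.audit.append(("approve", user))

    def release(self, user: str) -> None:
        # Second control: a *different* user releases the funds, so one
        # compromised credential can approve or release, never both.
        if self.state != "approved":
            raise DualControlError(f"cannot release a transfer in state {self.state}")
        if user == self.approved_by:
            self.audit.append(("release-denied", user))
            raise DualControlError("separation of duties: approver may not release")
        self.released_by = user
        self.audit.append(("release", user))


def single_credential_can_release(transfer: WireTransfer, user: str) -> bool:
    """Check whether one user's credentials alone can push a wire through
    both steps. Returns True only if the wire ends up released."""
    try:
        transfer.approve(user)
        transfer.release(user)
    except DualControlError:
        return False
    return transfer.state == "released"
```

The denied attempt is left in the audit trail on purpose: a release request from the same user who approved is exactly the event a fraud desk would want to alert on.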

The ultimate liability solution may go beyond technology as well. The ability for hackers to launch fraudulent wire transfers seems to be under the radar of most businesses, as is the lack of liability that the banks accept. At least one bank, JPMorgan Chase & Co, does offer insurance on commercial accounts. Perhaps as more businesses become aware of the underlying risks in commercial bank accounts they will move to banks that offer more robust protections and instigate a change in the banking industry. Or perhaps we are just waiting for our “Target” moment when a major publicly traded corporation finds tens of millions of dollars missing from its bank account and makes the front-page news.

Christopher Camejo is an integral part of the Consulting leadership team for NTT Com Security, one of the largest security consulting organizations in the world. He directs NTT Com Security's assessment services including ethical hacking and compliance assessments. Mr. Camejo ...
Comments
KBurger
User Rank: Author
7/1/2014 | 9:37:58 AM
Re: Electronic wire transfer fraud
I really don't know. But the columnist's point is that wire transfer-related fraud is under-recognized/reported, so I suspect that "make goods" probably are not pervasive in the industry. Or it may be something that is offered quietly on a case-by-case basis, not promoted as a basic offering.
IvySchmerken
User Rank: Author
6/30/2014 | 6:28:35 PM
Re: Electronic wire transfer fraud
I agree, Kathy. Corporations might prefer certain banks that provide coverage for electronic wire transfer fraud over others that don't. I wonder if this lack of coverage is more the norm than the exception?
KBurger
User Rank: Author
6/30/2014 | 3:49:13 PM
Re: Electronic wire transfer fraud
That's a good point, Ivy. I would think in the current environment where a lot of corporate banking services have become commoditized and banks are looking for ways to differentiate in a very competitive business, being able to help out your corporate customers that are affected by wire fraud -- by covering the loss or providing some kind of service (the corporate equivalent to a credit score check?) -- could be a very important step to take to distinguish your bank.
Kelly22
User Rank: Author
6/30/2014 | 2:28:18 PM
Re: And it could have been worse
Great article, really highlights the importance of an aggressive cybersecurity strategy. I was taken aback by those numbers myself - I had no idea how much malware could get by antivirus software! Just goes to show how important it is for businesses to consider every precaution. Just recently I heard someone mention that they isolate the computers they use for banking, a smart strategy that could go a long way in protecting against attacks. 
Becca L
User Rank: Author
6/30/2014 | 1:52:24 PM
And it could have been worse
Chris, thank you for this article! It's insane how quickly things can go wrong and how long the road is to financial recovery. Without anyone tangible to attack in court and mixed ideas of who is liable, it's difficult for firms to recover their financial losses.

"54% to 71% of malware is not detected by antivirus software"  - crazy! And the example of Experi-Metal is particularly chilling - that half million dollar loss could have been much more with less effective fraud-alerting algorithms, something firms are keeping in mind when evaluating their security systems and when they renew their contracts with antivirus software providers.
IvySchmerken
User Rank: Author
6/30/2014 | 11:41:33 AM
Electronic wire transfer fraud
It seems unfair that companies utilizing electronic wire transfer through a bank are not being afforded as much fraud protection as retail consumers.

Since the fraud is entering their computer system, the bank is not covering the full loss. This is still a commercial banking relationship. A company cannot obtain electronic wire transfer on their own. Small and medium size companies have a lot to lose if one of these botnets or malware attacks infiltrates their networks. Are corporations held to a higher standard under the law?
Greg MacSweeney
User Rank: Author
6/25/2014 | 9:10:14 AM
disturbing numbers
The high percentage of botnet attacks (34% of total attacks) and also the high percentage (54% to 71%) of malware that is not detected by antivirus software is disturbing. Antivirus software is the primary (and sometimes only) line of defense for many retail customers.