Photo Credit: Tom Curtis From the Manhattan District Attorney's Office,

"Manhattan District Attorney Cyrus R. Vance, Jr., today [September, 30th] announced the indictments of 36 individuals for their participation in several large-scale international identity theft and cybercrime rings that stole more than $860,000 from 34 separate corporate and individual victims in the United States. The defendants, foreign students who were in the United States on Exchange Visitor Visas, are charged with opening bank accounts at JP Morgan Chase Bank and other financial institutions in New York County and elsewhere, for the purpose of receiving fraudulent transfers from identity theft victims’ bank accounts. (District Attorney, 2010)"

The cybercrime ring mentioned above is the latest in a series of Bank penetrations that originate from a bank's customer.  The attack makes use of a sophisticated Trojan called Zeus, which was written with the specific intent to attack banks.  This type of attack is often referred to as the "Man-in-the-Browser" attack because it begins by infecting the customer, not the Bank.  It takes advantage of vulnerabilities on your customer’s computers and waits for the customer to connect to a Bank website.  Once your customer connects, the trojan is capable of detecting that your customer is browsing a Bank website and can silently make transactions in the background. It can also alert the attacker in real-time so that the attacker can hijack the customers session and manually perform transactions of his own. The Zeus trojan is particularity malicious because it bypasses security controls like usernames, passwords, and is sophisticated enough to even defeat multi-factor authentication.  Essentially, the attack is possible even when technical controls are operating properly!

What is a community Bank to do?  We invest in cutting edge technology to protect our infrastructures, we subject ourselves to internal and regulatory audits, we spend money on security penetration tests and vulnerability assessments, we implement training programs for our employees; and what do the criminals do? 

They attack our customers. 

And just when you think it can't get any worse, it does.  The reality of IT in community banking is that we are heavily reliant on outsourcing.  So, not only are the criminals attacking our customers, they are also likely attacking the systems of a third-party vendor we rely on to provide the service.  That leaves the bank in the unenviable position of being stuck between a rock (the infected customer) and a hard place (the targeted service controlled by a vendor).  And here's the rub: We can't outsource our responsibility.  At the end of the day, if something happens, the regulators are going to be knocking on the Bank's door. It is the Bank's reputation that is going to get hit.

The sophistication of customer-based "Man-in-the-Browser" attacks and the realities of IT in community banking begs the question:  Are we doing enough?  Are our internal controls really adequate? What else can we do to protect ourselves?

There is not a simple answer to the question.  Today's banks must implement a defense that includes both technical and operational controls.  Furthermore, the process of validating the adequacy of the controls must be sophisticated enough to deal with the complexities involved.  

We can begin by tackling the issues related to outsourcing. Take your vendor relationships to the next level. What we often find is that there is a false sense of comfort in relying on a vendor simply because that vendor services a sizable number of other banks. Unfortunately, we are finding that some of these vendors are pushing out software applications without the requisite level of security reviews. Thus, they possess vulnerabilities that can compromise a bank's security posture. So open a dialog with the vendor to gain comfort that the controls implemented are sufficient.  Make the vendor explain the controls to you.  You are stuck in the middle, responsible for managing complicated systems that you don't control and possibly don't fully understand.  Treat your vendors as management tools and make them make you comfortable.  Don't be afraid to enlist the services of other service providers if you are having difficulty understanding.  Here's a tip: document, document, document.  Always make sure you are in a position where you can demonstrate that you did all that you could do. 

Then look at the things you can control.  Have you performed training for your branch managers to ensure they know how to act in the event that suspicious transactions are detected?  Have you considered using fraud detection tools that would allow for detection of suspicious transactions that are out of the norm for a particular customer in real-time?  In the case mentioned above, the investigation started as the result of one suspicious $44,000 wire transfer.  What are the operational controls you have in place to alert you to suspicious activity?  How will you share the liability with your vendor in the event of an incident?

Consider the technical controls you have in place.  Does the online banking application use tokens to protect itself against session hijacking?  Does the application reside behind a web application firewall and is it coded in such a way as to be able to detect and stop attacks in real-time?  These are the types of questions you should ask your vendor in the event your online banking is outsourced.

Additionally, we have to take responsibility for educating our customers.  Do you provide your customers with online banking security tips when they open new accounts?  For your business banking customers you can consider suggesting things like:

• Not using the same computer to conduct online banking that is used to read email and surf the internet
• Training be conducted for personnel at the customers place of business that are responsible for online banking
• The importance of up-to-date virus and spyware detection software
• The importance of keeping computers patched with the latest updates available
• Provide clear steps for customers to take in the event that they suspect fraudulent activity
• Provide clear information regarding the customers liability in the event of fraud

There is one more thing to consider.  Remember that the same infections that target your customers can also target employees of the Bank itself.  A penetration into the Bank significantly increases the risk.  The fox is in the henhouse - there is no telling what the attacker will try to do.  The potential impact of the attack is elevated as we now bear the full liability.  Think long and hard about the controls you have in place.  Do you have:

•   Host and Network-based intrusion detection systems?
•   Automated patch management solutions?
•   Centralized log aggregation?
•   An objective and periodic process to assess the adequacy of the training of the required IT controls to your employees?

Technology is the proverbial double-edged sword.  We want to be able to provide the services that technology allows, but we must be cognizant of the security implications.  One of the most difficult things for a community bank to do is to balance the efficiency gained from IT with the security IT requires.  The Zeus trojan is proving that attacks against banks are getting more and more sophisticated.  We must force ourselves out of our comfort zones and take a hard, honest look at what we are.  Do we really understand the risks we face?  Are we really doing everything we can do to mitigate those risks? Are the controls we have in place really adequate?  Don't wait until an incident occurs to finally realize that something needs to be done.

Comments