Multifactor Authentication Is Not A Panacea
While some bankers took a laidback approach to the multifactor authentication requirements that became effective January 1, 2007, it appears that the vast majority of banks "got with the program." In an article in the American Banker (paid subscription required) published shortly before the start of the new year, reporter Daniel Wolfe noted that "most banks" met the January 1, 2007 deadline. The results of the improved security are being felt.
George Turbin, the senior analyst at TowerGroup who tracked the rate of compliance with the FFIEC mandate, said that the effect has been noticeable.
Preliminary results show "fraud has decreased by 30% to 40% in the online channel in the U.S. from 2006 to 2007 specifically due to implementing the FFIEC-required authentication," he said. That estimate is based on anecdotal observations, he said, because many bankers are reluctant to share their fraud rates. (Many banking companies contacted by American Banker would not comment for this story.)
Wachovia said part of the reason its fraud rate dropped by a lower percentage than Mr. Turbin's nationwide estimate is that it beefed up its security far in advance of the FFIEC's deadline, so it was already observing a drop in online fraud last year.
"The fraud numbers have gone down," Mr. Turbin said. "Not that they were runaway before, but they have gone down."
Whatever the effect of the new FFIEC mandates on the success of online fraud, however, the crooks are a diligent lot, and they keep on keepin' on.
Bankers now need to be more alert in other channels, he said, because that is where a lot of the fraud has moved as scammers look for weaknesses.
"We're hearing of both increased incidents of branch and contact center fraud and criminals working the channels to get pieces of information," Mr. Turbin said. "Going in through the Internet channel's more difficult, especially for the common criminal."
But online fraud still continues, he said. "The more educated criminals are continuing to find ways to get around the current systems in the online channels, and the others are going back to the old methods."
The "educated" fraudsters are always looking for points of vulnerability, and via BankNet360 today comes word of a new "Trojan horse" that has proved to be a successful method of breaching certain multifactor authentication barriers.
As if the market for malware weren't saturated, a new trojan program called Silentbanker is loose on the internet, targeting more than 400 banks worldwide, experts at security firm Symantec Corp. said. The announcement was made on the company blog of Symantec researcher Liam O’Murchu. In it, he said that the trojan uses a man-in-the-middle style of attack whereby it intercepts password and account info as they are sent from a user’s PC to a bank. This one goes a step further and changes the user's account information to match the attacker’s, essentially redirecting funds to the scammer's account. This trojan specifically targets banks with two-factor authentication, which entails entering a password at the start and end of a transaction. The virus hides the information swap from the user, so it doesn't even need to steal the password. And the user enters the password both times, unaware he is being scammed. Since the program intercepts all traffic before it is encrypted, it works even if the transaction takes place over SSL.
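The quoted description boils down to one structural weakness: the password is checked twice, but nothing ties either check to the destination account or the amount, so malware that rewrites those fields inside the browser (before TLS ever sees them) gets the user to authorize the attacker's transfer with the user's own credentials. The Python below is an added illustration of that swap, not code from the BankNet360 article or from Symantec's post, and it does not reproduce anything Silentbanker actually does beyond the swap the quote describes. The contrast it adds, a transaction-bound code computed on a separate device over the intended destination and amount, is not discussed in the article; it is included here as the check a practitioner would want. Every account number, password, secret and hook in it is constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed values: no real bank, customer, or malware behaviour is represented.
USER_PASSWORD = "correct-horse-battery-staple"
ATTACKER_ACCOUNT = "9999-ATTACKER"
# Secret shared between the bank and a separate signing device (token or card reader).
DEVICE_SECRET = b"per-customer secret held only by the bank and the token"


@dataclass(frozen=True)
class Transfer:
    dest_account: str
    amount_cents: int


def build_request(intended: Transfer, password: str, signing_code: Optional[str] = None) -> dict:
    """What the user's browser is about to send: the transfer details, the password
    entered at the start and again at the end, and (optionally) a transaction-bound code."""
    req = {
        "dest_account": intended.dest_account,
        "amount_cents": intended.amount_cents,
        "password_start": password,
        "password_end": password,
    }
    if signing_code is not None:
        req["signing_code"] = signing_code
    return req


def trojan_hook(req: dict) -> dict:
    """Models the in-browser swap: runs after the user filled in the form and before the
    browser encrypts the request, so the TLS session only ever carries the altered values.
    The user's screen still shows the account they typed."""
    hooked = dict(req)
    hooked["dest_account"] = ATTACKER_ACCOUNT
    return hooked


def bank_verify_password_only(req: dict) -> str:
    """Server side of the scheme the article describes: the password is checked at both
    ends of the flow, but neither check covers the transfer details.
    Returns the account that gets credited."""
    if req["password_start"] != USER_PASSWORD or req["password_end"] != USER_PASSWORD:
        raise PermissionError("password mismatch")
    return req["dest_account"]


def sign_transfer(dest_account: str, amount_cents: int) -> str:
    """Transaction-bound code the user obtains from a separate device, computed over the
    destination and amount the user intends, not over whatever the browser later sends."""
    msg = f"{dest_account}|{amount_cents}".encode()
    return hmac.new(DEVICE_SECRET, msg, hashlib.sha256).hexdigest()[:8]


def bank_verify_transaction_bound(req: dict) -> str:
    """Hardened server side: recompute the code over the fields actually received.
    A swapped destination no longer matches the code the user's device produced."""
    if req["password_start"] != USER_PASSWORD or req["password_end"] != USER_PASSWORD:
        raise PermissionError("password mismatch")
    expected = sign_transfer(req["dest_account"], req["amount_cents"])
    if not hmac.compare_digest(expected, req.get("signing_code", "")):
        raise ValueError("transfer details do not match the signing code")
    return req["dest_account"]


def run_transfer(intended: Transfer, infected: bool, transaction_bound: bool) -> str:
    """End-to-end flow; returns the account the bank credits or raises on rejection."""
    code = sign_transfer(intended.dest_account, intended.amount_cents) if transaction_bound else None
    req = build_request(intended, USER_PASSWORD, code)
    if infected:
        req = trojan_hook(req)
    verify = bank_verify_transaction_bound if transaction_bound else bank_verify_password_only
    return verify(req)


def transfer_outcome(intended: Transfer, infected: bool, transaction_bound: bool) -> str:
    """Convenience wrapper: credited account, or "REJECTED" when the bank refuses."""
    try:
        return run_transfer(intended, infected, transaction_bound)
    except ValueError:
        return "REJECTED"


if __name__ == "__main__":
    t = Transfer("1234-LANDLORD", 95000)
    print("clean PC, password only     ->", transfer_outcome(t, False, False))
    print("infected PC, password only  ->", transfer_outcome(t, True, False))
    print("infected PC, bound code     ->", transfer_outcome(t, True, True))
```

The important design point is where the second factor is computed: because `sign_transfer` runs on a device the malware does not control and covers the details the user intends, the bank's recomputation over the received (swapped) fields fails. A code that the user simply types into the same infected browser, with no binding to the transfer, would be forwarded unchanged along with the swapped destination and would add nothing, which is exactly the password-at-start-and-end weakness the article describes. The defense also depends on the user reading the destination from a trusted source rather than from the infected page.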
My mother refuses to conduct any transactions over the Internet. Although I repeatedly tell her personal information has a better chance of being stolen offline than online, these types of sophisticated viruses give everyone pause. Including, it appears, not only my Internet-phobic mother, but the experts who combat these types of attacks on a daily basis. The blog post that is the subject of the BankNet360 article, by Symantec expert Liam O’Murchu, is hardly reassuring.
The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis.
That's comforting, isn't it?
And not only that, but the aptly named "Trojan" throws a little porn into the mix.
But, it doesn’t stop there – don't forget the porn! The Trojan also contains over 600 pornographic Web site URLs that can be shown to the infected user so that the attacker can make money from the referrals.
Just as long as some higher purpose is being served, bankers shouldn't be so glum. A customer may have his money filched, but he'll get a crack at viewing "Female Bodybuilder Dominatrix and Muscle Worship XXX," so all is not lost.