Banks: Losses From Computer Intrusions Up in 2007
U.S. financial institutions reported a sizable increase last year in the number of computer intrusions that led to online bank account takeovers and stolen funds, according to data obtained by Security Fix. The data also suggest such incidents are becoming far more costly for banks, businesses and consumers alike.
The unusually detailed information comes from a non-public report assembled by the Federal Deposit Insurance Corporation, the federal entity that oversees and insures more than 9,000 U.S. financial institutions. The statistics were gathered as part of a routine quarterly survey called the Technology Incident Report, which examines so-called suspicious activity reports (SARs), in this case SARs filed in the second quarter of 2007. SARs are federally mandated write-ups that banks are required to file any time they spot a suspicious or fraudulent transaction amounting to $5,000 or more.
A copy of the report was provided by a trusted source who asked to remain anonymous. An FDIC spokesperson could not be immediately reached for comment.
While the number of reported computer intrusion-related SARs (536) paled in comparison to the leading SARs categories - mortgage loan fraud (12,554) and check fraud (17,558) - the FDIC said financial crime aided by computer intrusions is growing at a rapid pace. Further, it noted that the mean (average) loss per SAR from computer intrusions was roughly $29,630 -- almost triple the estimated loss per SAR during the same time period in 2006 ($10,536).
According to George Manning, the author of the book "Financial Investigation and Forensics," federal banking statutes define computer intrusion for the purposes of SAR reporting as one or more of the following activities:
1) Gaining access to a computer system of a financial institution to steal, procure, or otherwise affect funds of the institution or the institution's customers;
2) Attempting to remove, steal, procure or otherwise affect critical information of the institution including customer account information;
3) Activities that damage, disable or otherwise affect critical systems of the institution.
Manning notes in his book that for the purposes of this reporting requirement, computer intrusion does not mean attempted intrusions of Web sites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information.
Anyway, back to the interesting bits: The report indicates that in most cases, banks are at a loss to say exactly how cyber crooks are stealing the funds. Eighty percent of the computer intrusions were classified as "unknown unauthorized access - online banking," and the report notes that "unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year."
Still, the FDIC indicates that a large share of the unknown losses most likely resulted from malicious data-stealing programs surreptitiously installed on customer PCs by cyber crooks. The FDIC wrote that "several significant cases where the source of the computer intrusions was identified suggest that Trojan horses and key logging software infecting the customers' computers might also be responsible for a large portion of the unknown unauthorized access to online bank accounts."
Indeed, one of many confidential case studies in the report told the plight of a U.S. business that lost $188,000 in July 2007 after an employee infected a company computer with a password-stealing Trojan horse program. The malicious program arrived as an attachment in an e-mail purported to have been sent by the Better Business Bureau. In this "spear phishing" campaign, the company and the recipient were both named in the body of the e-mail, and the recipient was urged to open the attachment to view a complaint lodged against the company.
Security Fix has written about this series of attacks spoofing the BBB, as well as a similarly successful spear phishing malware attack that spoofed the Federal Trade Commission.
Of those computer intrusion-related SARs that were identified, online bill payment applications were most frequently targeted by cyber thieves, the FDIC found. However, unauthorized access to wire transfers and automated clearinghouse (ACH) payments caused the most losses to financial institutions in the computer intrusion category, mainly because ACH and wire transfers give the banks less time to detect and recover from unauthorized access.
Another case study cites an unnamed financial institution that suffered 14 customer account takeovers as a result of spyware infestations that recorded keystrokes on customer PCs, stealing credentials that allowed the crooks to initiate a series of fraudulent ACH transfers out of the victims' corporate accounts into accounts set up and controlled by the attackers. All told, in the six months between October 2006 and April 2007, the attackers managed to steal $289,000 from the 14 victims.
Avivah Litan, a financial fraud analyst with Gartner Inc., said unauthorized wire transfers disproportionately impact small to medium sized businesses that may be using online banking but do not have the stringent financial controls in place that many larger corporations do.
"It's interesting to hear them at least privately admitting that the ACH and wire transfer system is really broken, and that there are a lot of new Trojans targeting the banks now," Litan said. "That's very much in line with everything I'm seeing." (Security Fix has covered ACH fraud in previous posts. See this piece from last May for more perspective on Litan's quote here).
Litan said small to mid-sized businesses that bank online typically are allowed to transfer relatively large amounts with ease, though they have far fewer protections than consumer accounts when fraudulent transactions are at stake. In fact, most companies have just two business days to report fraudulent or unauthorized transfers in order to have a decent chance at getting the charges reversed. In contrast, consumers generally are allowed up to 60 days to report such activity, Litan said.
Another aspect of this report should be closely noted: If the number of SARs related to computer intrusions seems low, remember that banks are required to file SARs only when the amount is $5,000 or more. As such, most of the data included in this FDIC report probably comes as a result of fraud perpetrated against businesses, not consumers.
According to a Gartner study of 4,500 adult consumers for the year ending August 2007, the average loss to consumers from online fraud was around $1,500 per victim, well below the SAR reporting threshold. To better round out the consumer side of things, consider that Gartner's study found that 2.2 percent -- an estimated 3.85 million adults -- said they were a victim of "abuse of an existing checking or savings account, where a thief transferred money out of your account." Of this population, about 1.1 million had the fraud occur within the 12 months prior to August 2007.
I've chosen not to post a copy of the FDIC report here because it includes some general but potentially sensitive information related to ongoing law enforcement investigations into several recent and costly cyber fraud incidents. However, I'd argue that absent the case study data, there is absolutely no reason this aggregate data should not be made public on a regular basis. But of course any regular reader of this blog is already familiar with my views on this subject.
Some other data points from the report: Regarding data breaches by businesses, governments and other organizations in general, the FDIC writes:
- The number of consumer records breached doubled compared to prior quarters, which will impact ID theft, account takeovers, and account application fraud in the future. Fewer retailer payment card data breaches during the quarter caused lower losses to financial institutions. Retailers are resisting payment card industry (PCI) data security standards, which could lead to lower compliance, additional breaches, and more counterfeit card losses absorbed by card-issuing institutions.
- The level of identity theft reports by financial institutions was high, but the growth rate has slowed. This trend may change in the future because of a large spike in the number of consumer records compromised and reported in the media during the quarter.
With respect to credit and debit card fraud, as well as ID theft cases, the report notes:
- Credit card fraud and counterfeit card reports increased slightly. Losses from counterfeit cards, which were extremely high during the 1st quarter, subsided during the current quarter.
February 20, 2008; 10:40 AM ET
Categories: Fraud , U.S. Government