Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/1/2010
04:44 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

U.S. Businesses Could Lose Up To $1 Billion In Online Banking Fraud This Year

Small to midsize businesses taking the biggest hit, experts say, but consumer banking customers could be next in the bull's eye

Criminals who bilk businesses' online banking accounts have gotten bolder and greedier in their heists over the past year, which could ultimately result in some $1 billion in losses for U.S. companies in 2010.

So says David Jevans, chairman of the Anti-Phishing Working Group and CEO of IronKey: "Trend-wise, we've been looking at reports of losses since the beginning of last year at $100,000 per incident, and as we got to the latter of last year, we saw losses in the $400,000 to $500,000 range, and now we're seeing losses in the [millions range]," Jevans says. "Looking at those trend factors and also correlating FBI reports on how losses are growing and extrapolating that, you end up somewhere around $1 billion for this year."

That number is based on the cases that actually get reported, experts say. The main targets are small to midsize businesses that don't have the security resources to defend themselves against Zeus Trojan infections or social networking-borne attacks duping their users. Still, large corporations are also getting hit by this form of ecrime, although these cases typically don't reach the public because the banks will cover the losses of their bigger clients since there are more lucrative customers. Smaller businesses often must take legal action to recoup their losses.

"The majority of successful heists in cybercrime seem to be against smaller companies that tend to bank with small to midsized banks or credit unions. These banks don't have the security expertise that top banks [do] -- they have the IT guy, whose also responsible for security," Jevans says. "And many are outsourcing their banking systems to third parties, so they don't have a frontline security posture."

Smaller firms also may have one person designated to handle online financial transactions, which leaves them wide open fraud once that user's machine gets compromised, according to Jevans.

Avivah Litan, vice president and distinguished analyst at Gartner, says $1 billion in losses from ebanking fraud for SMBs is possible for this year, but that figure may be more applicable to losses over the past year and a half. "I think the $1 billion in SMB losses from ebanking fraud is on the high end, but not out of the realm of possibility," says Avivah Litan, Gartner. "My guesstimate is that the number may be $1 billion in the past 18 months if we include all Trojan-based [for example, Zeus] ebanking fraud."

It's difficult to put hard numbers on ebanking losses to SMBs and banks, she says. "That's one serious issue: there are no formal and authoritative numbers in this area and the only ones who can provide them are the SMBs or the banks. Banks are not obligated by law to report their fraud losses at this level, even though they should be in order to enable better informed legislation and regulations in this area," she says. "Additionally, SMBs are currently not organized enough in this country to report aggregate losses from ebanking fraud against them."

Not only is it highly profitable, but this type of crime is also easy to execute -- and to get away with. "I don't see any letup on these attacks in sight," Gartner's Litan says. "They are simply too easy to pull off and the risk/reward ratio is overwhelmingly in the fraudsters' favor."

Do-it-yourself Zeus and other Trojan toolkits are easily accessible and for a couple of thousand dollars, you get everything you need to pull it off, she says. Getting caught or prosecuted isn't likely, mainly because many of the bad guys behind these crimes operate in countries that protect them from international law enforcement. "The chance of getting arrested for committing one of these crimes is almost nil today," Litan says. "In the extreme, the fraudsters are known to grease these government officials' pockets, making their chances of being arrested even more remote."

IronKey's Jevans says these attacks are only limited by the number of money mules the fraudsters must recruit to launder the money. "It's not how many computers are infected or how many [stolen] passwords ... It's how many money mules [you can get] to move money out of the country in a way that the bad guy can't be detected," Jevans says.

But they are also now limited somewhat by the lag time with transactions in the U.S., says Mickey Boodaei, CEO of Trusteer. "In the U.S., it's not just about being able to find and operate mule accounts. It's mainly about the time it takes for money to actually leave the bank. It usually takes a few days, which leaves time both for the bank and the customer to identify suspicious transactions and block them," Boodaei says. "[So] The problem is going to get worse as the processing time for payment systems becomes shorter."

Page 2: Consumer banking customers are also at risk Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8720
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
CVE-2020-12300
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-12301
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-7307
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
CVE-2020-8679
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version 26.20.100.7755 may allow an authenticated user to potentially enable denial of service via local access.