Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/1/2010
04:44 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

U.S. Businesses Could Lose Up To $1 Billion In Online Banking Fraud This Year

Small to midsize businesses taking the biggest hit, experts say, but consumer banking customers could be next in the bull's eye

Criminals who bilk businesses' online banking accounts have gotten bolder and greedier in their heists over the past year, which could ultimately result in some $1 billion in losses for U.S. companies in 2010.

So says David Jevans, chairman of the Anti-Phishing Working Group and CEO of IronKey: "Trend-wise, we've been looking at reports of losses since the beginning of last year at $100,000 per incident, and as we got to the latter of last year, we saw losses in the $400,000 to $500,000 range, and now we're seeing losses in the [millions range]," Jevans says. "Looking at those trend factors and also correlating FBI reports on how losses are growing and extrapolating that, you end up somewhere around $1 billion for this year."

That number is based on the cases that actually get reported, experts say. The main targets are small to midsize businesses that don't have the security resources to defend themselves against Zeus Trojan infections or social networking-borne attacks duping their users. Still, large corporations are also getting hit by this form of ecrime, although these cases typically don't reach the public because the banks will cover the losses of their bigger clients since there are more lucrative customers. Smaller businesses often must take legal action to recoup their losses.

"The majority of successful heists in cybercrime seem to be against smaller companies that tend to bank with small to midsized banks or credit unions. These banks don't have the security expertise that top banks [do] -- they have the IT guy, whose also responsible for security," Jevans says. "And many are outsourcing their banking systems to third parties, so they don't have a frontline security posture."

Smaller firms also may have one person designated to handle online financial transactions, which leaves them wide open fraud once that user's machine gets compromised, according to Jevans.

Avivah Litan, vice president and distinguished analyst at Gartner, says $1 billion in losses from ebanking fraud for SMBs is possible for this year, but that figure may be more applicable to losses over the past year and a half. "I think the $1 billion in SMB losses from ebanking fraud is on the high end, but not out of the realm of possibility," says Avivah Litan, Gartner. "My guesstimate is that the number may be $1 billion in the past 18 months if we include all Trojan-based [for example, Zeus] ebanking fraud."

It's difficult to put hard numbers on ebanking losses to SMBs and banks, she says. "That's one serious issue: there are no formal and authoritative numbers in this area and the only ones who can provide them are the SMBs or the banks. Banks are not obligated by law to report their fraud losses at this level, even though they should be in order to enable better informed legislation and regulations in this area," she says. "Additionally, SMBs are currently not organized enough in this country to report aggregate losses from ebanking fraud against them."

Not only is it highly profitable, but this type of crime is also easy to execute -- and to get away with. "I don't see any letup on these attacks in sight," Gartner's Litan says. "They are simply too easy to pull off and the risk/reward ratio is overwhelmingly in the fraudsters' favor."

Do-it-yourself Zeus and other Trojan toolkits are easily accessible and for a couple of thousand dollars, you get everything you need to pull it off, she says. Getting caught or prosecuted isn't likely, mainly because many of the bad guys behind these crimes operate in countries that protect them from international law enforcement. "The chance of getting arrested for committing one of these crimes is almost nil today," Litan says. "In the extreme, the fraudsters are known to grease these government officials' pockets, making their chances of being arrested even more remote."

IronKey's Jevans says these attacks are only limited by the number of money mules the fraudsters must recruit to launder the money. "It's not how many computers are infected or how many [stolen] passwords ... It's how many money mules [you can get] to move money out of the country in a way that the bad guy can't be detected," Jevans says.

But they are also now limited somewhat by the lag time with transactions in the U.S., says Mickey Boodaei, CEO of Trusteer. "In the U.S., it's not just about being able to find and operate mule accounts. It's mainly about the time it takes for money to actually leave the bank. It usually takes a few days, which leaves time both for the bank and the customer to identify suspicious transactions and block them," Boodaei says. "[So] The problem is going to get worse as the processing time for payment systems becomes shorter."

Page 2: Consumer banking customers are also at risk Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.
CVE-2019-6659
PUBLISHED: 2019-11-15
On version 14.0.0-14.1.0.1, BIG-IP virtual servers with TLSv1.3 enabled may experience a denial of service due to undisclosed incoming messages.