U.S. Businesses Could Lose Up To $1 Billion In Online Banking Fraud This YearSmall to midsize businesses taking the biggest hit, experts say, but consumer banking customers could be next in the bull's eye
Criminals who bilk businesses' online banking accounts have gotten bolder and greedier in their heists over the past year, which could ultimately result in some $1 billion in losses for U.S. companies in 2010.
So says David Jevans, chairman of the Anti-Phishing Working Group and CEO of IronKey: "Trend-wise, we've been looking at reports of losses since the beginning of last year at $100,000 per incident, and as we got to the latter of last year, we saw losses in the $400,000 to $500,000 range, and now we're seeing losses in the [millions range]," Jevans says. "Looking at those trend factors and also correlating FBI reports on how losses are growing and extrapolating that, you end up somewhere around $1 billion for this year."
That number is based on the cases that actually get reported, experts say. The main targets are small to midsize businesses that don't have the security resources to defend themselves against Zeus Trojan infections or social networking-borne attacks duping their users. Still, large corporations are also getting hit by this form of ecrime, although these cases typically don't reach the public because the banks will cover the losses of their bigger clients since there are more lucrative customers. Smaller businesses often must take legal action to recoup their losses.
"The majority of successful heists in cybercrime seem to be against smaller companies that tend to bank with small to midsized banks or credit unions. These banks don't have the security expertise that top banks [do] -- they have the IT guy, whose also responsible for security," Jevans says. "And many are outsourcing their banking systems to third parties, so they don't have a frontline security posture."
Smaller firms also may have one person designated to handle online financial transactions, which leaves them wide open fraud once that user's machine gets compromised, according to Jevans.
Avivah Litan, vice president and distinguished analyst at Gartner, says $1 billion in losses from ebanking fraud for SMBs is possible for this year, but that figure may be more applicable to losses over the past year and a half. "I think the $1 billion in SMB losses from ebanking fraud is on the high end, but not out of the realm of possibility," says Avivah Litan, Gartner. "My guesstimate is that the number may be $1 billion in the past 18 months if we include all Trojan-based [for example, Zeus] ebanking fraud."
It's difficult to put hard numbers on ebanking losses to SMBs and banks, she says. "That's one serious issue: there are no formal and authoritative numbers in this area and the only ones who can provide them are the SMBs or the banks. Banks are not obligated by law to report their fraud losses at this level, even though they should be in order to enable better informed legislation and regulations in this area," she says. "Additionally, SMBs are currently not organized enough in this country to report aggregate losses from ebanking fraud against them."
Not only is it highly profitable, but this type of crime is also easy to execute -- and to get away with. "I don't see any letup on these attacks in sight," Gartner's Litan says. "They are simply too easy to pull off and the risk/reward ratio is overwhelmingly in the fraudsters' favor."
Do-it-yourself Zeus and other Trojan toolkits are easily accessible and for a couple of thousand dollars, you get everything you need to pull it off, she says. Getting caught or prosecuted isn't likely, mainly because many of the bad guys behind these crimes operate in countries that protect them from international law enforcement. "The chance of getting arrested for committing one of these crimes is almost nil today," Litan says. "In the extreme, the fraudsters are known to grease these government officials' pockets, making their chances of being arrested even more remote."
IronKey's Jevans says these attacks are only limited by the number of money mules the fraudsters must recruit to launder the money. "It's not how many computers are infected or how many [stolen] passwords ... It's how many money mules [you can get] to move money out of the country in a way that the bad guy can't be detected," Jevans says.
But they are also now limited somewhat by the lag time with transactions in the U.S., says Mickey Boodaei, CEO of Trusteer. "In the U.S., it's not just about being able to find and operate mule accounts. It's mainly about the time it takes for money to actually leave the bank. It usually takes a few days, which leaves time both for the bank and the customer to identify suspicious transactions and block them," Boodaei says. "[So] The problem is going to get worse as the processing time for payment systems becomes shorter."
Page 2: Consumer banking customers are also at risk
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
1 of 2