Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/1/2010
04:44 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

U.S. Businesses Could Lose Up To $1 Billion In Online Banking Fraud This Year

Small to midsize businesses taking the biggest hit, experts say, but consumer banking customers could be next in the bull's eye

Criminals who bilk businesses' online banking accounts have gotten bolder and greedier in their heists over the past year, which could ultimately result in some $1 billion in losses for U.S. companies in 2010.

So says David Jevans, chairman of the Anti-Phishing Working Group and CEO of IronKey: "Trend-wise, we've been looking at reports of losses since the beginning of last year at $100,000 per incident, and as we got to the latter of last year, we saw losses in the $400,000 to $500,000 range, and now we're seeing losses in the [millions range]," Jevans says. "Looking at those trend factors and also correlating FBI reports on how losses are growing and extrapolating that, you end up somewhere around $1 billion for this year."

That number is based on the cases that actually get reported, experts say. The main targets are small to midsize businesses that don't have the security resources to defend themselves against Zeus Trojan infections or social networking-borne attacks duping their users. Still, large corporations are also getting hit by this form of ecrime, although these cases typically don't reach the public because the banks will cover the losses of their bigger clients since there are more lucrative customers. Smaller businesses often must take legal action to recoup their losses.

"The majority of successful heists in cybercrime seem to be against smaller companies that tend to bank with small to midsized banks or credit unions. These banks don't have the security expertise that top banks [do] -- they have the IT guy, whose also responsible for security," Jevans says. "And many are outsourcing their banking systems to third parties, so they don't have a frontline security posture."

Smaller firms also may have one person designated to handle online financial transactions, which leaves them wide open fraud once that user's machine gets compromised, according to Jevans.

Avivah Litan, vice president and distinguished analyst at Gartner, says $1 billion in losses from ebanking fraud for SMBs is possible for this year, but that figure may be more applicable to losses over the past year and a half. "I think the $1 billion in SMB losses from ebanking fraud is on the high end, but not out of the realm of possibility," says Avivah Litan, Gartner. "My guesstimate is that the number may be $1 billion in the past 18 months if we include all Trojan-based [for example, Zeus] ebanking fraud."

It's difficult to put hard numbers on ebanking losses to SMBs and banks, she says. "That's one serious issue: there are no formal and authoritative numbers in this area and the only ones who can provide them are the SMBs or the banks. Banks are not obligated by law to report their fraud losses at this level, even though they should be in order to enable better informed legislation and regulations in this area," she says. "Additionally, SMBs are currently not organized enough in this country to report aggregate losses from ebanking fraud against them."

Not only is it highly profitable, but this type of crime is also easy to execute -- and to get away with. "I don't see any letup on these attacks in sight," Gartner's Litan says. "They are simply too easy to pull off and the risk/reward ratio is overwhelmingly in the fraudsters' favor."

Do-it-yourself Zeus and other Trojan toolkits are easily accessible and for a couple of thousand dollars, you get everything you need to pull it off, she says. Getting caught or prosecuted isn't likely, mainly because many of the bad guys behind these crimes operate in countries that protect them from international law enforcement. "The chance of getting arrested for committing one of these crimes is almost nil today," Litan says. "In the extreme, the fraudsters are known to grease these government officials' pockets, making their chances of being arrested even more remote."

IronKey's Jevans says these attacks are only limited by the number of money mules the fraudsters must recruit to launder the money. "It's not how many computers are infected or how many [stolen] passwords ... It's how many money mules [you can get] to move money out of the country in a way that the bad guy can't be detected," Jevans says.

But they are also now limited somewhat by the lag time with transactions in the U.S., says Mickey Boodaei, CEO of Trusteer. "In the U.S., it's not just about being able to find and operate mule accounts. It's mainly about the time it takes for money to actually leave the bank. It usually takes a few days, which leaves time both for the bank and the customer to identify suspicious transactions and block them," Boodaei says. "[So] The problem is going to get worse as the processing time for payment systems becomes shorter."

Page 2: Consumer banking customers are also at risk Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
CVE-2011-1930
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
CVE-2011-1145
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
CVE-2011-1488
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...